Zero-Trust DNS – Schneier on Security

Zero-Trust DNS

Microsoft is working on a promising-looking protocol to lock down DNS.

ZTDNS aims to solve this decades-old problem by integrating the Windows DNS engine with the Windows Filtering Platform—the core component of the Windows Firewall—directly into client devices.

Jake Williams, VP of research and development at consultancy Hunter Strategy, said the union of these previously disparate engines would allow updates to be made to the Windows firewall on a per-domain name basis. The result, he said, is a mechanism that allows organizations to, in essence, tell clients “only use our DNS server, that uses TLS, and will only resolve certain domains.” Microsoft calls this DNS server or servers the “protective DNS server.”

By default, the firewall will deny resolutions to all domains except those enumerated in allow lists. A separate allow list will contain IP address subnets that clients need to run authorized software. Key to making this work at scale inside an organization with rapidly changing needs. Networking security expert Royce Williams (no relation to Jake Williams) called this a “sort of a bidirectional API for the firewall layer, so you can both trigger firewall actions (by input *to* the firewall), and trigger external actions based on firewall state (output *from* the firewall). So instead of having to reinvent the firewall wheel if you are an AV vendor or whatever, you just hook into WFP.”
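To make the policy model above concrete, here is an added Python sketch (not Microsoft's ZTDNS code, nor anything from the quoted article) of the three rules it describes: queries are refused for names outside the domain allow list, answers only count when they come from the protective DNS server, and egress is permitted only to IPs learned from such answers or to a static subnet allow list. Server addresses, domain names and subnets are constructed sample values.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

@dataclass
class ZtdnsPolicy:
    """Default-deny egress policy driven by DNS answers, as the post describes."""
    protective_dns: set[str]                   # addresses of the protective DNS server(s)
    allowed_domains: set[str]                  # domain allow list (exact name or any subdomain)
    allowed_subnets: list[ipaddress.IPv4Network]  # static subnets for authorized software
    learned: dict[str, str] = field(default_factory=dict)  # resolved IP -> allow-listed name

    def query_permitted(self, name: str) -> bool:
        """The DNS engine refuses to resolve names outside the allow list."""
        name = name.rstrip(".").lower()
        return any(name == d or name.endswith("." + d) for d in self.allowed_domains)

    def on_dns_response(self, server_ip: str, name: str, answers: list[str]) -> list[str]:
        """Input *to* the firewall: a protective-server answer for an allowed name
        installs per-IP allow rules. Returns the IPs that were added."""
        if server_ip not in self.protective_dns or not self.query_permitted(name):
            return []          # answer from another resolver, or for a denied name: no rule
        for ip in answers:
            self.learned[ip] = name
        return list(answers)

    def egress_allowed(self, dst_ip: str, dst_port: int) -> bool:
        """Firewall decision for an outbound connection."""
        if dst_ip in self.protective_dns:
            return dst_port in (53, 853, 443)   # plain DNS, DoT, DoH to the protective server
        if dst_ip in self.learned:
            return True                         # IP learned from an allowed resolution
        addr = ipaddress.ip_address(dst_ip)
        return any(addr in net for net in self.allowed_subnets)

def make_demo_policy() -> ZtdnsPolicy:
    # Constructed sample configuration: one protective resolver, one corporate zone, one subnet.
    return ZtdnsPolicy(
        protective_dns={"10.0.0.53"},
        allowed_domains={"corp.example"},
        allowed_subnets=[ipaddress.ip_network("10.20.0.0/16")],
    )
```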

Posted on May 16, 2024 at 7:03 AM •
58 Comments
