Zero-Trust DNS

2024-05-16 11:03

ZTDNS aims to solve this decades-old problem by integrating the Windows DNS engine with the Windows Filtering Platform-the core component of the Windows Firewall-directly into client devices.

Jake Williams, VP of research and development at consultancy Hunter Strategy, said the union of these previously disparate engines would allow updates to be made to the Windows firewall on a per-domain name basis.

The result, he said, is a mechanism that allows organizations to, in essence, tell clients "Only use our DNS server, that uses TLS, and will only resolve certain domains." Microsoft calls this DNS server or servers the "Protective DNS server."

By default, the firewall will deny resolutions to all domains except those enumerated in allow lists.

A separate allow list will contain IP address subnets that clients need to run authorized software.

Networking security expert Royce Williams called this a "Sort of a bidirectional API for the firewall layer, so you can both trigger firewall actions, and trigger external actions based on firewall state. So instead of having to reinvent the firewall wheel if you are an AV vendor or whatever, you just hook into WFP.".

News URL

https://www.schneier.com/blog/archives/2024/05/zero-trust-dns.html

#DNS #zerotrust