Zero-Trust DNS – Schneier on Security

Zero-Trust DNS

Microsoft is working on a promising-looking protocol to lock down DNS.

ZTDNS aims to solve this decades-old problem by integrating the Windows DNS engine with the Windows Filtering Platform—the core component of the Windows Firewall—directly into client devices.

Jake Williams, VP of research and development at consultancy Hunter Strategy, said the union of these previously disparate engines would allow updates to be made to the Windows firewall on a per-domain name basis. The result, he said, is a mechanism that allows organizations to, in essence, tell clients “only use our DNS server, that uses TLS, and will only resolve certain domains.” Microsoft calls this DNS server or servers the “protective DNS server.”

By default, the firewall will deny resolutions to all domains except those enumerated in allow lists. A separate allow list will contain IP address subnets that clients need to run authorized software. Key to making this work at scale inside an organization with rapidly changing needs. Networking security expert Royce Williams (no relation to Jake Williams) called this a “sort of a bidirectional API for the firewall layer, so you can both trigger firewall actions (by input *to* the firewall), and trigger external actions based on firewall state (output *from* the firewall). So instead of having to reinvent the firewall wheel if you are an AV vendor or whatever, you just hook into WFP.”
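To make the policy model described above concrete, here is a small simulation written for this page; it is not Microsoft's ZTDNS code and does not touch the Windows Filtering Platform. It assumes three things the text states or implies: the client resolver answers only for domains on an allow list, the host firewall is deny-by-default for egress, and a successful resolution of an allowed name opens the firewall for exactly the addresses the protective DNS server returned (the "per-domain name basis" updates), with a separate static subnet allow list for software that needs raw IP access. The `PROTECTIVE_DNS_ANSWERS` table stands in for the protective DNS server, so the example runs offline; the domain names and addresses in it are constructed. The event log models Royce Williams's "output from the firewall" direction, the state a security product could hook into.

```python
"""
Toy model of a ZTDNS-style policy (constructed example, not Microsoft's code):
a client resolver that only answers for allow-listed domains and a host
firewall that is deny-by-default and is opened per destination only when the
protective resolver returned that address or the address sits in an approved
subnet. The event list stands in for firewall state that external tools read.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed stand-in for answers a protective DNS server would return.
# A real client would query that server over TLS; nothing here uses the network.
PROTECTIVE_DNS_ANSWERS: Dict[str, List[str]] = {
    "update.example.com": ["203.0.113.10", "203.0.113.11"],
    "git.internal.example": ["192.0.2.40"],
    "ads.tracker.example": ["198.51.100.5"],  # resolvable upstream, not allowed by policy
}


@dataclass
class ZtdnsPolicy:
    allowed_domains: Set[str]   # exact names, or ".suffix" entries covering a whole zone
    allowed_subnets: list       # separate list of IP subnets for software that needs raw IPs

    def domain_allowed(self, name: str) -> bool:
        """Deny-by-default: a name must match an allow-list entry to be resolved."""
        name = name.rstrip(".").lower()
        for entry in self.allowed_domains:
            if entry.startswith("."):
                if name.endswith(entry) or name == entry[1:]:
                    return True
            elif name == entry:
                return True
        return False


@dataclass
class HostFirewall:
    """Deny-by-default egress filter with a per-domain allow set (stand-in for WFP)."""
    policy: ZtdnsPolicy
    dynamic_allow: dict = field(default_factory=dict)   # resolved IP -> domain that justified it
    events: List[str] = field(default_factory=list)     # observable firewall state

    def permit_for_domain(self, ip, domain: str) -> None:
        # "Input to the firewall": the resolver opens exactly the returned addresses.
        self.dynamic_allow[ip] = domain
        self.events.append(f"ALLOW-ADDED {ip} for {domain}")

    def egress_allowed(self, dst: str) -> bool:
        ip = ip_address(dst)
        if ip in self.dynamic_allow:
            return True
        if any(ip in net for net in self.policy.allowed_subnets):
            return True
        # A direct-to-IP connection that never went through an allowed resolution is dropped.
        self.events.append(f"BLOCKED {dst} (no DNS-authorised address and no subnet rule)")
        return False


class ZtdnsResolver:
    """Client-side resolver that enforces the domain allow list before answering."""

    def __init__(self, policy: ZtdnsPolicy, firewall: HostFirewall, answers: Dict[str, List[str]]):
        self.policy, self.firewall, self.answers = policy, firewall, answers

    def resolve(self, name: str) -> Optional[List[str]]:
        if not self.policy.domain_allowed(name):
            self.firewall.events.append(f"DNS-DENIED {name}")
            return None
        addrs = self.answers.get(name, [])
        for a in addrs:
            self.firewall.permit_for_domain(ip_address(a), name)
        return addrs


def build_demo():
    """Wire a policy, firewall and resolver together with constructed values."""
    policy = ZtdnsPolicy(
        allowed_domains={"update.example.com", ".internal.example"},
        allowed_subnets=[ip_network("10.0.0.0/8")],  # constructed: on-prem software subnet
    )
    fw = HostFirewall(policy)
    return policy, fw, ZtdnsResolver(policy, fw, PROTECTIVE_DNS_ANSWERS)


if __name__ == "__main__":
    _, fw, resolver = build_demo()
    for name in ("update.example.com", "ads.tracker.example", "git.internal.example"):
        print(name, "->", resolver.resolve(name))
    for dst in ("203.0.113.10", "198.51.100.5", "10.20.30.40"):
        print(dst, "egress allowed:", fw.egress_allowed(dst))
    print("\n".join(fw.events))
```

The point the simulation makes is the one the quoted text describes: a process cannot reach an address simply because it knows it, since the egress rule exists only because an allowed name resolved to it, and the subnet list is the sole path for traffic that legitimately bypasses name resolution.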

Posted on May 16, 2024 at 7:03 AM