2 min

Tags in this article

, , , ,

Microsoft is implementing stricter security policies and is tackling security at the Domain Server Name (DNS) level. The company recently provided insight into how zero-trust DNS (ZTDNS) can better secure networks on Windows.

With the new technology, the tech giant wants to better counter possible connections between devices or clients with malicious IP addresses. It does this by addressing security at the DNS level, checking both IPv4 and IPv6 addresses for maliciousness and then blocking them.

Microsoft calls the now-developed technology ‘zero trust DNS’ or ZTDNS. First, the technology provides encrypted and cryptographically authenticated connections between end users’ devices or clients, and DNS servers. Second, ZTDNS allows administrators to severely restrict (access to) domain names facilitated by these servers.

All this is done to minimize the possible attack vectors that DNS servers are vulnerable to.

Diagram dat een Windows 11-apparaat toont dat verbinding maakt met een mdm-service via een wifi-netwerk voor thuiswerken, waarbij componenten zoals de dns-serverlijst en de clientcertificaatlijst worden benadrukt.

Integration of Windows DNS engine and Filtering Platform

Under the hood, ZTDNS integrates the Windows DNS engine with the Windows Filtering Platform. This is the main component of the Windows Firewall. This integration, in turn, is integrated directly into end users’ devices.

The integrations of the previously separate engines implemented in ZTDNS allow updates to the Windows Firewall to be made based on separate domain names. This enables companies to tell their employees’ clients to use only their own DNS server with TLS that allows access only to specific domain addresses. Microsoft calls this DNS server(s) the ‘protective DNS server’.

In this way, the firewall will block requests to all domain addresses by default except those specified in lists of allowed addresses. A separate list allows IP address subnets belonging to authorized software employees use.

Not without risks

Using ZTDNS is not entirely without risks. Experts tell Ars Technica that implementing ZTDNS can disrupt important network operations. Administrators should first make important changes to network designs to avoid these disruptions.

Tightening security measures

With the introduction of ZTDNS, Microsoft appears to be taking the first steps in tightening its security measures. These measures, or the lack thereof, have received much criticism in recent months.

Meanwhile, with its Secure Future Initiative, the company has embarked on a comprehensive path for improvements at multiple levels. In addition, the tech giant has appointed several new executives to significantly improve communication about security with customers, among other things.

Also read: Windows security updates lead to VPN problems