> Admins are left to choose between equally unappealing options: (1) route DNS traffic in clear text with no means for the server and client device to authenticate each other so malicious domains can be blocked and network monitoring is possible, or (2) encrypt and authenticate DNS traffic and do away with the domain control and network visibility.
>
> ZTDNS aims to solve this decades-old problem by integrating the Windows DNS engine with the Windows Filtering Platform—the core component of the Windows Firewall—directly into client devices.
>
> Jake Williams, VP of research and development at consultancy Hunter Strategy, said the union of these previously disparate engines would allow updates to be made to the Windows firewall on a per-domain name basis. The result, he said, is a mechanism that allows organizations to, in essence, tell clients “only use our DNS server, that uses TLS, and will only resolve certain domains.” Microsoft calls this DNS server or servers the “protective DNS server.”
---
layout: post
type: link
date: 2024-08-26 18:00:00 -0700
title: "Announcing Zero Trust DNS Private Preview"
link: https://techcommunity.microsoft.com/t5/networking-blog/announcing-zero-trust-dns-private-preview/ba-p/4110366
permalink: /post/2024/05/07/zero-trust-dns
categories:
  - networking
---
With today's technology, IT administrators face a trade-off: either route DNS traffic in the clear, which lets them detect and block malicious domains but gives clients no way to avoid trusting a malicious DNS server, or authenticate DNS servers and encrypt DNS traffic and lose network monitoring. As Ars Technica describes, Windows aims to enable the best of both worlds:
From Microsoft's announcement:
> Traffic is forbidden by default, allowed to IPs resolved only by your trusted DNS servers, and end-to-end encrypted without TLS termination.
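To make the enforcement model in the two quotes concrete, here is a small Python model I added for this post; it is not Microsoft's code and does not touch the Windows Filtering Platform. It assumes one protective DNS server (10.0.0.53, a constructed address) reachable over TLS, and shows that an outbound exception exists only for IPs that server returned, only for the answer's TTL, while answers from any other resolver and direct connections to unresolved IPs stay blocked.

```python
"""Toy model of the Zero Trust DNS policy: default-deny outbound, with a
per-destination exception opened only by answers from the protective DNS
server over an encrypted channel (constructed example, not Microsoft's)."""
from dataclasses import dataclass, field


@dataclass
class DnsAnswer:
    name: str
    ip: str
    ttl: int
    server: str       # resolver that produced the answer
    encrypted: bool   # True for DoT/DoH, False for plaintext UDP/53


@dataclass
class ZtdnsPolicy:
    protective_servers: frozenset                  # trusted resolvers
    _allow: dict = field(default_factory=dict)     # ip -> expiry time

    def accept_answer(self, ans: DnsAnswer, now: int) -> bool:
        """Only an encrypted answer from a protective server opens a hole."""
        if ans.server not in self.protective_servers or not ans.encrypted:
            return False
        self._allow[ans.ip] = max(self._allow.get(ans.ip, 0), now + ans.ttl)
        return True

    def outbound_allowed(self, dst_ip: str, dst_port: int, now: int) -> bool:
        """Default deny; TLS to a protective server and unexpired resolved IPs pass."""
        if dst_ip in self.protective_servers and dst_port in (853, 443):
            return True
        return self._allow.get(dst_ip, 0) > now


def demo() -> dict:
    pol = ZtdnsPolicy(frozenset({"10.0.0.53"}))   # constructed address
    t = 1000
    good = pol.accept_answer(DnsAnswer("intranet.example", "203.0.113.10", 300, "10.0.0.53", True), t)
    # Same name answered by a rogue plaintext resolver: must not open anything.
    rogue = pol.accept_answer(DnsAnswer("intranet.example", "198.51.100.7", 300, "192.0.2.1", False), t)
    return {
        "good_answer_accepted": good,
        "rogue_answer_rejected": not rogue,
        "resolved_ip_allowed": pol.outbound_allowed("203.0.113.10", 443, t + 10),
        "rogue_ip_blocked": not pol.outbound_allowed("198.51.100.7", 443, t + 10),
        "untrusted_dns_blocked": not pol.outbound_allowed("8.8.8.8", 53, t + 10),
        "expired_after_ttl": not pol.outbound_allowed("203.0.113.10", 443, t + 301),
        "dns_to_protective_allowed": pol.outbound_allowed("10.0.0.53", 853, t),
    }
```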