Getty Images
Translating human-readable domain names into numeric IP addresses has long presented numerous security risks. After all, searches are rarely end-to-end encrypted. Servers providing domain name lookups provide translations for virtually any IP address, even when they are known to be malicious. And many end-user devices can easily be configured to stop using authorized search servers and use malicious servers instead.
Microsoft on Friday previewed a comprehensive framework aimed at fixing the Domain Name System (DNS) problem so that it is better locked down within Windows networks. It’s called ZTDNS (Zero Trust DNS). Its two main features are (1) encrypted and cryptographically authenticated connections between end-user clients and DNS servers and (2) the ability for administrators to tightly restrict the domains that these servers will resolve.
Clear the minefield
One of the reasons why DNS is such a security minefield is that these two features can be mutually exclusive. Adding cryptographic authentication and encryption to DNS often obscures the visibility administrators need to prevent user devices from connecting to malicious domains or detect anomalous behavior within a network. As a result, DNS traffic is either sent in clear text or encrypted in a way that allows administrators to decrypt it in transit via what is essentially an adversary in the middle attack.
Administrators must choose between equally unattractive options: (1) routing DNS traffic in clear text without any way for the server and client device to authenticate each other so that malicious domains can be blocked and monitoring network is possible, or (2) encrypt and authenticate DNS traffic and remove domain control and network visibility.
ZTDNS aims to solve this decades-old problem by integrating the Windows DNS engine with the Windows Filtering Platform (the core component of Windows Firewall) directly into client devices.
Jake Williams, vice president of research and development at Hunter Strategies, said uniting these previously disparate engines would allow Windows Firewall updates to be performed on a per-domain name basis. The result, he said, is a mechanism that allows organizations, in essence, to tell clients to “only use our DNS server, which uses TLS, and will only resolve certain domains.” Microsoft calls this DNS server(s) the “protective DNS server.”
By default, the firewall will deny resolutions to all domains except those listed in the allow lists. A separate allow list will contain the IP address subnets that clients need to run authorized software. This is the key to making it work at scale within an organization with rapidly changing needs. Network security expert Royce Williams (no relation to Jake Williams) called this a “sort of two-way API for the firewall layer, so you can both trigger firewall actions (in entering *into* the firewall) and triggering external firewall-based actions. state (output *from* the firewall). So instead of having to reinvent the firewall wheel if you’re an AV or other provider, all you need to do is connect to PAM.
News Source : arstechnica.com
Gn tech
