To support Zero Trust deployments trying to lock down devices to only access approved network destinations, we are announcing the development of Zero Trust DNS (ZTDNS) in a future version of Windows. ZTDNS was designed to be interoperable by using network protocols from open standards to satisfy Zero Trust requirements such as those found in OMB M-22-09 and NIST SP 800-207. ZTDNS will be helpful to any administrator trying to use domain names as a strong identifier of network traffic.
ZTDNS integrates the Windows DNS client and the Windows Filtering Platform (WFP) to enable this domain-name-based lockdown. First, Windows is provisioned with a set of DoH- or DoT-capable Protective DNS servers; these are expected to only resolve allowed domain names. This provisioning may also contain a list of IP address subnets that should always be allowed (for endpoints without domain names), expected Protective DNS server certificate identities to properly validate that the connection is to the expected server, or certificates to be used for client authentication.
↫ Tommy Jensen on the Microsoft blog
If you think I know nothing about programming – wait until you hear me talk about networking. I consider it to basically be arcane magic, and my knowledge doesn’t extend much beyond “plug in cable to make light blinky” and “unplug from power to fix light no blinky”. Network administrators are the real heroes in my eyes.
Anyway, what I do get from painfully reading this announcement over and over again until my eyes started bleeding is that ZTDNS will give network administrators more fine-grained control over which DNS servers and domains are accessible, and perhaps more importantly, it will encrypt traffic between clients and the DNS server. I have no idea if this is unique, or if it even makes any sense to do so, but it seems like a good idea, especially for corporate and government networks.
I’m struggling here, y’all. Please help me out.
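The enforcement loop the Microsoft quote describes (a Protective DNS server that only answers for approved names, plus a default-deny outbound filter that opens a destination IP only after the resolver has returned it, with static subnets and the resolver itself always allowed) is easier to follow as a small model. The Python below is an added toy model, not Microsoft's code and not the real ZTDNS implementation; the names, addresses, the TTL-bounded allow list and the simulated clock are assumptions for illustration.

```python
"""Toy model of a ZTDNS-style enforcement loop (added example, not Microsoft code).

ProtectiveResolver answers only for allow-listed names (the Protective DNS server).
OutboundFilter stands in for the WFP layer: a destination IP is permitted only if it is
(a) a Protective DNS server, (b) inside an always-allowed subnet, or (c) was returned
by the resolver and its TTL has not expired. TTL-bounded caching is an assumption.
"""
import ipaddress


class ProtectiveResolver:
    """Zone format (constructed): name -> (list of IPs, ttl_seconds). Unknown names are refused."""

    def __init__(self, zone):
        self.zone = {name.lower().rstrip("."): (tuple(ips), ttl)
                     for name, (ips, ttl) in zone.items()}

    def resolve(self, name):
        """Return (ips, ttl) for an approved name, or None when policy refuses it."""
        return self.zone.get(name.lower().rstrip("."))


class OutboundFilter:
    """Default-deny outbound filter keyed on destination address."""

    def __init__(self, resolver, resolver_ips, always_allowed):
        self.resolver = resolver
        self.resolver_ips = {ipaddress.ip_address(a) for a in resolver_ips}
        self.always_allowed = [ipaddress.ip_network(n) for n in always_allowed]
        self.learned = {}      # ip address -> expiry (simulated seconds)
        self.now = 0.0         # simulated clock so TTL expiry is testable offline

    def advance(self, seconds):
        self.now += seconds

    def lookup(self, name):
        """DNS client path: ask the protective resolver and allow-list whatever it answers."""
        answer = self.resolver.resolve(name)
        if answer is None:
            return []          # refused name: no IPs are learned, so nothing opens
        ips, ttl = answer
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            self.learned[addr] = max(self.learned.get(addr, 0.0), self.now + ttl)
        return list(ips)

    def permit(self, dst_ip):
        """Filter decision for a new outbound connection to dst_ip."""
        addr = ipaddress.ip_address(dst_ip)
        if addr in self.resolver_ips:
            return True        # the DoH/DoT server must always be reachable
        if any(addr in net for net in self.always_allowed):
            return True        # endpoints without names, provisioned as subnets
        expiry = self.learned.get(addr)
        return expiry is not None and expiry > self.now


def demo():
    """Walk through the policy with constructed data; returns the decisions taken."""
    resolver = ProtectiveResolver({
        "intranet.example.": (["10.0.5.20"], 300),
        "updates.example.": (["203.0.113.10", "203.0.113.11"], 60),
    })
    fw = OutboundFilter(resolver, resolver_ips=["192.0.2.53"], always_allowed=["10.0.0.0/8"])
    results = {}
    results["dns_server"] = fw.permit("192.0.2.53")          # True: resolver is always reachable
    results["before_lookup"] = fw.permit("203.0.113.10")     # False: no answer yet, so blocked
    results["resolved"] = fw.lookup("updates.example")       # answers get allow-listed
    results["after_lookup"] = fw.permit("203.0.113.10")      # True
    results["refused_name"] = fw.lookup("evil.example")      # [] - not in the protective zone
    results["unknown_ip"] = fw.permit("198.51.100.7")        # False: never resolved
    results["static_subnet"] = fw.permit("10.0.99.1")        # True: always-allowed subnet
    fw.advance(61)                                           # past the 60 s TTL
    results["after_ttl"] = fw.permit("203.0.113.10")         # False again
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is that the lockdown does not depend on inspecting traffic: a process that connects straight to an IP it obtained some other way (hard-coded, or from a resolver that is not the protective one) simply finds the filter closed.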
It’s based on DoT (DNS over TLS) or DoH (DNS over HTTPS), so here’s a simple explanation of those technologies from CloudFlare:
https://www.cloudflare.com/learning/dns/dns-over-tls/
Basically, DoT and DoH encrypt DNS queries so that people in between you and the DNS server (eg. your ISP) can’t tell what domains you’re querying.
ZTDNS is a less invasive, less arms-race-y way to achieve things like my brother’s work laptop where it won’t connect to unapproved sites and won’t mount unapproved USB flash drives.
Basically, instead of doing something like installing a special TLS root certificate and then having a border router decrypting and inspecting all the traffic, the IT admins can configure the laptop to use DoH or DoT to access a DNS server they’ve set up to contain only approved sites, and Windows will take care of refusing to connect to sites or IP addresses not on that whitelist.
ssokolow,
Technically yes, however I think it’s important to cover the fact that ISPs still get the same information via IP & HTTPS SNI
https://www.cloudflare.com/learning/ssl/what-is-sni/
Obviously the internet providers still need to route the packets to the right server. And once it reaches that server it needs to know which SSL certificate to use. So users should not be misled into believing this increases their real privacy. If you really want to keep things private from your ISP then a VPN is the answer. Of course a VPN merely shifts the circle of trust (do you trust them more than your ISP?). TOR/onion routing might be best, as long as there’s enough nodes that aren’t tracking you, however we don’t really know how many are controlled by government spy agencies and they may be able to perform statistical analysis to show that your traffic correlates to exit point traffic. Of course most people don’t actually have to worry about this because they’re (probably) not the targets of government spying.
I wanted to check the state of “encrypted SNI”, since that exists and so does “ECH”. But I’m seeing that for most large websites the IP alone identifies the destination, and small websites (those more likely to use shared IPs) are very unlikely to have private SNI.
Just for example opening up osnews produces the following clear text traffic in wireshark:
I did the same test on CNN the results were the same. In CNN’s case they appear to use dedicated servers with static IPs so the information effectively gets leaked by the IP alone.
I tested Netflix, they had the same HTTP & HTTPS name leaks. They are hosted by AWS and apparently use shared IPs. This was unexpected to me, but it means that if HTTP were disabled and HTTPS SNI was encrypted (which is not the case) then the website being accessed over that IP would be ambiguous.
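What an on-path observer such as an ISP can still read off the very first packet of an HTTPS connection, regardless of whether the DNS lookup was encrypted, is the plaintext server_name (SNI) extension of the TLS ClientHello. The Python below is an added example, not part of the comment above or of any Wireshark output: it constructs a minimal ClientHello with a server_name extension and parses the host name back out the way a passive middlebox would. The host names, the dummy ECH payload and the use of the draft ECH extension code point (0xfe0d) are assumptions for illustration.

```python
"""Build and parse a TLS ClientHello to show what SNI leaks (added example)."""
import struct

EXT_SERVER_NAME = 0x0000            # RFC 6066 server_name
EXT_SUPPORTED_VERSIONS = 0x002B     # RFC 8446 supported_versions
EXT_ENCRYPTED_CLIENT_HELLO = 0xFE0D  # draft-ietf-tls-esni code point (assumption)


def build_client_hello(server_name=None, ech_payload=None):
    """Constructed minimal ClientHello record; real browsers add many more extensions."""
    body = b"\x03\x03"                              # legacy_version TLS 1.2
    body += b"\x00" * 32                            # random (constant: test data)
    body += b"\x00"                                 # session_id length 0
    suites = b"\x13\x01\x13\x02"                    # TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                             # compression_methods: null only
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        sn_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    versions = b"\x02\x03\x04"                      # advertise TLS 1.3
    extensions += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(versions)) + versions
    if ech_payload is not None:                     # opaque bytes stand in for the real ECH structure
        extensions += struct.pack("!HH", EXT_ENCRYPTED_CLIENT_HELLO, len(ech_payload)) + ech_payload
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Passive observer view: {'sni': host or None, 'ech': bool}, or None if not a ClientHello."""
    try:
        if record[0] != 0x16:                        # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:        # truncated, or not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                  # legacy_version + random
        pos += 1 + body[pos]                          # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                          # compression_methods
        result = {"sni": None, "ech": False}
        if pos == len(body):
            return result                             # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SERVER_NAME:
                q = 2                                 # skip server_name_list length
                while q + 3 <= len(data):
                    name_type = data[q]
                    nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                    name = data[q + 3:q + 3 + nlen]
                    q += 3 + nlen
                    if name_type == 0:                # host_name: this is the plaintext leak
                        result["sni"] = name.decode("idna")
            elif etype == EXT_ENCRYPTED_CLIENT_HELLO:
                result["ech"] = True
        return result
    except (IndexError, struct.error):
        return None                                   # malformed input, not a crash


def demo():
    """Three constructed connections as seen from the ISP's vantage point."""
    return {
        "plain": parse_client_hello(build_client_hello("www.osnews.com")),
        "no_sni": parse_client_hello(build_client_hello(None)),
        "ech": parse_client_hello(build_client_hello("public.example", ech_payload=b"\x00" * 16)),
    }


if __name__ == "__main__":
    for label, view in demo().items():
        print(f"{label}: {view}")
```

The destination IP is visible in every case; the parser only shows the extra name the observer gets for free. When ECH is in use, the plaintext server_name carries the public name from the server's ECH configuration and the real host name sits inside the encrypted extension, which is why "ech" plus an uninformative outer name is the only combination that actually hides the site.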
Here, lemme hold that football for you.
No, really, this will work this time. I promise. It will. Cross my heart and hope to die…
More Swiss cheese security promises from the Swiss cheese software maker..
I’d like to announce my own Zero Trust of Microsoft too.
This bootstrap process is absolutely the opposite of a zero trust thing. But eh, zero trust is a nice buzzword, so let’s put it everywhere.
FireWave,
Encrypting DNS is fine for what it is, but obviously a provider has to be able to decrypt it and at that moment “trust” comes back into play. The question shifts from “do you trust your ISP” to “do you trust your new DNS provider”. It’s an interesting question. IMHO more levels of anonymity is better. Your ISP knows who you are, but to a 3rd party you may just be an IP and port; this is personally identifiable information with an additional layer of indirection.
In terms of mass government surveillance like the PRISM program, I think the risks are higher with huge centralized providers (including microsoft) than local ISPs. The more local/regional parties involved in surveillance, the less likely they can successfully keep it a secret and the more likely it can be corroborated if a whistleblower comes forward.