
News: Microsoft Announces Zero Trust DNS (ZTDNS)

In the modern world, useful network destinations are far more likely to be defined by long-lived domain names than long-lived IP addresses. However, enforcement of domain name boundaries (such as blocking traffic associated with a forbidden domain name) has always been problematic since it requires breaking encryption or relying on unreliable plain-text signals such as DNS over port 53 inspection or SNI inspection.
ZTDNS integrates the Windows DNS client and the Windows Filtering Platform (WFP) to enable this domain-name-based lockdown. First, Windows is provisioned with a set of DoH or DoT capable Protective DNS servers; these are expected to only resolve allowed domain names. This provisioning may also contain a list of IP address subnets that should always be allowed (for endpoints without domain names), expected Protective DNS server certificate identities to properly validate the connection is to the expected server, or certificates to be used for client authentication...
Read More
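To make the enforcement model in the excerpt concrete, here is an added toy simulation (not Microsoft's code and not part of the post): a Protective DNS stand-in that answers only for allowed names and asserts a certificate identity, and a WFP-like filter that lets a flow out only to an IP learned from that trusted resolver (while its TTL is valid) or to an allowlisted subnet for endpoints without names. All names, addresses and the TTL below are constructed sample values.

```python
import ipaddress
import time


class ProtectiveDns:
    """Toy stand-in for a DoH/DoT Protective DNS server: it answers only for
    allowed names and presents a certificate identity the client must check."""

    def __init__(self, cert_identity, records):
        self.cert_identity = cert_identity  # identity the server's TLS cert asserts
        self.records = records              # name -> IP; anything else is NXDOMAIN

    def resolve(self, name):
        return self.records.get(name.lower().rstrip("."))


class DomainLockdown:
    """Toy stand-in for the WFP side: outbound traffic is allowed only to IPs
    learned from the trusted Protective DNS server (while their TTL is valid)
    or to subnets explicitly allowlisted for endpoints without domain names."""

    def __init__(self, resolver, expected_identity, allowed_subnets, ttl=60):
        # Validate the resolver's identity before trusting any of its answers.
        if resolver.cert_identity != expected_identity:
            raise ValueError("Protective DNS identity mismatch: %s" % resolver.cert_identity)
        self.resolver = resolver
        self.allowed_subnets = [ipaddress.ip_network(s) for s in allowed_subnets]
        self.ttl = ttl
        self.learned = {}  # ip -> expiry timestamp

    def lookup(self, name, now=None):
        """Resolve via the Protective DNS server; a successful answer opens the IP."""
        ip = self.resolver.resolve(name)
        if ip is None:
            return None  # forbidden name: no answer, so no IP is ever opened
        self.learned[ip] = (now if now is not None else time.time()) + self.ttl
        return ip

    def allow_connect(self, ip, now=None):
        """Decide whether a flow to `ip` may leave the host."""
        now = now if now is not None else time.time()
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.allowed_subnets):
            return True  # allowlisted subnet for endpoints without domain names
        expiry = self.learned.get(ip)
        return expiry is not None and now < expiry


# Constructed sample policy (not real servers or addresses).
PDNS = ProtectiveDns("pdns.example.org", {"update.example.com": "203.0.113.10"})
POLICY = DomainLockdown(PDNS, "pdns.example.org", ["10.0.0.0/8"], ttl=60)
```

Note that a name the Protective DNS server refuses never yields an IP, so the filter has nothing to open; that is the point of coupling the resolver to the firewall rather than inspecting port 53 or SNI.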
The views expressed on this page by users and staff are their own, not those of NamePros.