Windows 11 DNS Integration Initiative Raises Concerns Among Experts
As is well known, translating domain names into IP addresses (DNS resolution) is insecure by default. Because the process has no end-to-end encryption, an attacker on the path can read this traffic and can also replace the responses for legitimate sites with malicious ones. Finally, many end-user devices can easily be configured to use malicious DNS servers instead of legitimate ones.
In May 2024, Microsoft unveiled a rather complex design for integrating DNS into client devices, which may solve some of these problems.
However, independent security experts are worried that Microsoft is thereby locking down the DNS system in Windows networks. Accepting a “white list” of allowed IP addresses requires maximum trust in whoever administers that list and opens the door to potential abuse.
The new system is called Zero Trust DNS (ZTDNS). Its two main features are:
- encrypted and cryptographically authenticated connections between end-user clients and DNS servers;
- the ability for administrators to strictly limit domains for resolving.
Until now, no one has been able to simultaneously solve the problems of E2E encryption and DNS administration, which are partially mutually exclusive. Typically, traffic is either sent in clear text or encrypted in a way that administrators cannot properly monitor and filter it.
ZTDNS solves this long-standing problem by integrating the Windows DNS engine directly on client devices with the Windows Filtering Platform, the core component of Windows Firewall.
Integrating the DNS engine with Windows Firewall makes it possible to apply firewall rules per domain name while keeping end-to-end encryption. For example, an organization can set up a specific TLS-protected DNS server for all its employees and allow only certain domains. Microsoft calls such a DNS server a “protective DNS server.”
Potential disadvantages
The downsides of this approach are clear. ZTDNS represents a new paradigm that could disrupt critical network operations unless administrators make significant changes to their current designs. Implementation will require extensive testing and some “culture change” within organizations and among administrators, experts say.
By default, the firewall uses a whitelist, which means it denies all domains except those on the allowlist. A separate allowlist contains the IP subnets that clients need in order to run authorized software. Network security expert Royce Williams called it “a kind of bidirectional API for the firewall layer, so you can both trigger actions (on entering *the* firewall) and external actions based on the state of the firewall (on leaving *the* firewall).”
The illustration above shows how ZTDNS fits into the Mobile Device Management platform, which helps administrators secure and control the remote devices authorized to connect to the network. Outbound connections from the client device to all IPv4 and IPv6 addresses are blocked, except for connections to the protective DNS, DHCP, DHCPv6 and NDP servers required for network discovery:
DNS responses from one of the protective DNS servers then trigger outbound allow exceptions for the returned IP addresses. This ensures that applications and services using the system DNS configuration are allowed to connect to those IP addresses after resolution. The IP address is approved and unblocked before the resolution result is returned to the caller:
In the ZTDNS system, traffic is denied by default, and administrators manage permissions based on policies. Client certificates can be used as an option to provide the server with client credentials that affect policy, rather than relying on client IP addresses, which are not secure signals and are not stable enough for mobile devices.
Thus, ZTDNS allows filtering domain names without intercepting cleartext DNS traffic, without engaging in an arms race to detect and block encrypted DNS traffic from applications or malware, without checking SNI (which will soon be encrypted as well), and without relying on a specific vendor's network protocols.
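To make the default-deny flow concrete, here is a small Python model of the sequence described above (static bootstrap exceptions, resolution only through the protective DNS server, domain allowlist, allow exception inserted before the answer reaches the caller). It is written for this article, not taken from Microsoft's implementation; the resolver address, bootstrap subnets and domain allowlist are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample policy; addresses and names are illustrative, not Microsoft's.
PROTECTIVE_DNS = ipaddress.ip_address("192.0.2.53")   # the org's DoH/DoT resolver
BOOTSTRAP_ALLOW = [                                    # static exceptions: DNS and DHCP servers
    ipaddress.ip_network("192.0.2.53/32"),
    ipaddress.ip_network("192.0.2.67/32"),
]
ALLOWED_DOMAINS = {"intranet.example.com", "mail.example.com"}


@dataclass
class ZtdnsClient:
    """Model of a ZTDNS client: outbound traffic is denied unless an exception exists."""
    dynamic_allow: set = field(default_factory=set)

    def is_allowed(self, dst: str) -> bool:
        """Would the firewall let an outbound connection to `dst` through right now?"""
        ip = ipaddress.ip_address(dst)
        return any(ip in net for net in BOOTSTRAP_ALLOW) or ip in self.dynamic_allow

    def resolve(self, name: str, resolver: str, answer: list):
        """Return the resolved IPs, or None if policy rejects the lookup.

        `answer` stands in for the records received over the encrypted channel.
        """
        # 1. Only answers from the protective DNS server may open exceptions;
        #    a response from any other resolver is discarded.
        if ipaddress.ip_address(resolver) != PROTECTIVE_DNS:
            return None
        # 2. Administrators restrict which domains may be resolved at all.
        if name.lower().rstrip(".") not in ALLOWED_DOMAINS:
            return None
        # 3. The allow exception is inserted before the answer is handed to the
        #    caller, so the application's first connect() already succeeds.
        ips = [ipaddress.ip_address(a) for a in answer]
        self.dynamic_allow.update(ips)
        return [str(ip) for ip in ips]


if __name__ == "__main__":
    client = ZtdnsClient()
    print(client.is_allowed("198.51.100.10"))  # False: nothing resolved yet
    print(client.resolve("intranet.example.com", "192.0.2.53", ["198.51.100.10"]))
    print(client.is_allowed("198.51.100.10"))  # True: exception opened by the answer
```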
Comparison of the system with and without ZTDNS:
To implement secure DNS servers and ZTDNS, the minimum requirement is to support either DNS over HTTPS (DoH) or DNS over TLS (DoT), since ZTDNS prevents the use of cleartext DNS on Windows.
Optionally, mTLS in encrypted DNS connections will allow Protective DNS to enforce resolution policies on a per-client basis. In all cases, the ZTDNS system does not introduce any new network protocols, simplifying its future implementation.
Microsoft has published a separate article with a detailed description of the possible problems in implementing ZTDNS. The technology is currently in private preview. There is no word yet on whether it will be included in the Windows Insiders program or when it will be publicly available.