Microsoft plans to lock down Windows DNS like never before

[vtqhtr413]

Content source

https://arstechnica.com/security/2024/05/microsoft-plans-to-lock-down-windows-dns-like-never-before-heres-how/

Translating human-readable domain names into numerical IP addresses has long been fraught with gaping security risks. After all, lookups are rarely end-to-end encrypted. The servers providing domain name lookups provide translations for virtually any IP address—even when they’re known to be malicious. And many end-user devices can easily be configured to stop using authorized lookup servers and instead use malicious ones.

Microsoft on Friday provided a peek at a comprehensive framework that aims to sort out the Domain Name System (DNS) mess so that it’s better locked down inside Windows networks. It’s called ZTDNS (zero trust DNS). Its two main features are (1) encrypted and cryptographically authenticated connections between end-user clients and DNS servers and (2) the ability for administrators to tightly restrict the domains these servers will resolve.

Clearing the minefield​

One of the reasons DNS has been such a security minefield is that these two features can be mutually exclusive. Adding cryptographic authentication and encryption to DNS often obscures the visibility admins need to prevent user devices from connecting to malicious domains or detect anomalous behavior inside a network. As a result, DNS traffic is either sent in clear text or it's encrypted in a way that allows admins to decrypt it in transit through what is essentially an adversary-in-the-middle attack.

Microsoft plans to lock down Windows DNS like never before. Here’s how.

ZTDNS brings the best of both worlds to DNS: encryption and fine-grained control.

arstechnica.com

 

[TairikuOkami]

Maybe MS should start by forcing it's own services to run encrypted DNS only and not ignore it, like Edge does?

 

[SeriousHoax]

Maybe MS should start by forcing it's own services to run encrypted DNS only and not ignore it, like Edge does?

View attachment 283211 View attachment 283214

WoW! Really! I also see Brave using UDP 53. Does Brave also ignore DoH?

 

[blackice]

A DNS query has to be made before establishing a connection. People learn this when they set their router up for DoT. The next time they reboot if they don’t have a plain text DNS set the router won’t be able to start any connections. It’s probably to establish critical connections first.

 

[TairikuOkami]

WoW! Really! I also see Brave using UDP 53. Does Brave also ignore DoH?

Yes, Edge, Brave, Steam browser. I believe it is Chromium based issue or done on purpose. LibreWolf does not suffer from this nor any other app.