
Microsoft's ZTDNS Could Boost Windows Network Security

Published on 2024-08-15


Historically, enhancing DNS security has often meant sacrificing administrative visibility into network traffic. This forces admins to choose between unencrypted DNS with monitoring capability but lacking protection, or encrypted DNS that blinds monitoring and control. Microsoft's ZTDNS integrates the Windows DNS engine and Windows Firewall directly into client devices to overcome this problem.

The ZTDNS system blocks client devices from connecting to any IP address except for those of designated "protective DNS servers." When a client device needs to resolve a domain name, it communicates with a protective DNS server, which can optionally use client certificates for fine-grained policy control. Upon resolution, ZTDNS dynamically updates the Windows Firewall to allow connections to the newly resolved IP addresses, while blocking all other traffic by default. This creates a powerful domain-name-based lockdown tool.
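To make the enforcement model in the paragraph above concrete, here is a small simulation, written for this article and not Microsoft's own code: outbound traffic is denied by default, only the designated protective DNS servers are reachable unconditionally, and an address becomes reachable only after the protective resolver returns it for an approved name. The resolver, the sample names and the RFC 5737 documentation addresses are constructed for the example; the rule that an allowance expires with the record's TTL is an assumption, since the article does not say how long ZTDNS keeps a resolved address open.

```python
"""Simulation of the ZTDNS enforcement model: default-deny outbound,
protective DNS servers always reachable, resolved IPs allowed on demand.
This is illustrative code written for the article, not Microsoft's implementation.
"""
import ipaddress


class FakeClock:
    """Manually advanced clock so TTL expiry can be shown offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# Constructed sample data: names the (hypothetical) protective resolver is
# willing to answer, with RFC 5737 documentation addresses and TTLs in seconds.
APPROVED_RECORDS = {
    "intranet.example.com": [("198.51.100.10", 60)],
    "updates.example.com": [("198.51.100.20", 30), ("198.51.100.21", 30)],
}


def protective_resolver(name):
    """Stand-in for a protective DNS server: answers approved names only,
    returns None (no answer) for anything else."""
    return APPROVED_RECORDS.get(name)


class ZtdnsFirewall:
    """Host firewall state as ZTDNS is described: everything blocked except
    the protective DNS servers and addresses they have resolved."""

    def __init__(self, protective_dns, resolver, clock):
        self.protective_dns = {ipaddress.ip_address(a) for a in protective_dns}
        self._resolver = resolver
        self._clock = clock
        self._allowed = {}  # ip address -> expiry time (assumption: TTL-bound)

    def resolve(self, name):
        """Ask the protective resolver; open the firewall for each returned IP."""
        answer = self._resolver(name)
        if not answer:
            return []
        now = self._clock()
        ips = []
        for addr, ttl in answer:
            ip = ipaddress.ip_address(addr)
            # Keep the later expiry if the address was already allowed.
            self._allowed[ip] = max(self._allowed.get(ip, 0.0), now + ttl)
            ips.append(ip)
        return ips

    def allows(self, dst):
        """Would an outbound connection to dst pass the firewall right now?"""
        dst = ipaddress.ip_address(dst)
        if dst in self.protective_dns:
            return True
        expiry = self._allowed.get(dst)
        if expiry is None:
            return False
        if expiry <= self._clock():
            del self._allowed[dst]  # allowance lapsed with the record's TTL
            return False
        return True


def demo():
    """Walk through the scenarios the article describes and return the outcomes."""
    clock = FakeClock()
    fw = ZtdnsFirewall(["192.0.2.53"], protective_resolver, clock)
    results = {}
    results["dns_server_reachable"] = fw.allows("192.0.2.53")
    # Connecting by IP literal, without a resolution, is blocked.
    results["ip_literal_before_resolve"] = fw.allows("198.51.100.10")
    results["resolved_approved"] = [str(ip) for ip in fw.resolve("intranet.example.com")]
    results["approved_after_resolve"] = fw.allows("198.51.100.10")
    # A name the protective resolver refuses never opens the firewall.
    results["resolved_denied"] = fw.resolve("malicious.example.net")
    results["random_ip"] = fw.allows("203.0.113.9")
    clock.advance(61)
    results["approved_after_ttl"] = fw.allows("198.51.100.10")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the walk-through makes is the one the article stresses: a destination is reachable only because the resolver said so, which is why the resolver's policy (and whatever client certificate it requires) becomes the single control point, and why an overly strict policy shows up as ordinary applications failing to connect.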

You can think of this as a series of steps whose end result is that the device can only reach sites that have been specifically approved, creating a tightly locked-down environment. This differs from regular DNS resolution in one key way: as DNS is set up today, it will resolve any domain name into an IP address, even one known to be malicious (with possible consequences ranging from malware downloads to a potential entry point for a malicious actor).

There are also potential concerns about what might happen when this technology is actually deployed. Although it's a promising thing for your online safety, it will also probably require careful planning and configuration by administrators to avoid accidental disruption of normal network functions. After all, DNS is a core feature needed for Internet access, and the new system could overreach and block actually non-harmful things that you might need to use. The good thing is that this won't be rolled out just yet, so there's still a bit of time to figure out how to properly set up things so that your Internet experience won't be accidentally broken or disrupted in the process.

ZTDNS requires that DNS servers support encryption protocols such as DNS over HTTPS (DoH) or DNS over TLS (DoT). Microsoft highlights that ZTDNS does not introduce any new network protocols, which helps make it broadly compatible. ZTDNS is currently in "private preview," according to Microsoft; it is not immediately clear whether it is only being tested internally by the company at the moment or whether a few select users are, or will be, getting access to it. Microsoft has not given any indication of when ZTDNS might become publicly available; for now, the company has only said that Windows Insiders will get access to it in due course, with a separate announcement planned when the time comes.

For now, if you want to read more about ZTDNS and what to take into account when the time for a real-life deployment comes, you can check out Microsoft's blog post with all the details.

Source: Microsoft via Ars Technica

This article is reproduced from: https://www.howtogeek.com/microsoft-ztdns-windows-network-security/
