
Microsoft has unveiled a preview of a system with which it intends to lock down the Domain Name System, the system that maps between human-readable domain names and IP addresses, on Windows.
The system, called Zero Trust Domain Name System, uses encryption and mutually authenticated connections between end-user clients and the DNS servers they query.
It also gives administrators the ability to place strict limitations on which domains the servers will resolve.
Asked for his opinion on the system, veteran Debian developer and Linux sysadmin Russell Coker was generally positive about what Microsoft had put forward.
"So apps use a trusted DNS server with encryption," he noted. "DNS look-up puts in a firewall entry allowing connection to the IP in question if the DNS name is deemed to be good. Sounds reasonable, especially if the firewall is per application based and you have logs of all the things allowed."
He added: "It would be good if they had system libraries for things like opening a TCP connection to a host with a given name. Then the common case could be done with one library call and no need to do the DNS stuff behind the scenes."
Peter Giorgilli, a Melbourne-based UNIX expert with extensive experience in managing DNS set-ups, was also mostly positive about ZTDNS, but pointed out some shortcomings.
"ZTDNS is pitched at Microsoft customers [who are] required to comply with ZTA (Zero Trust Architecture) standards," he said.
"It integrates the Windows DNS client with the native firewall, WFP, or Windows Filtering Platform, to effectively only allow connections to domains that are resolvable via ZTDNS protective DNS servers.
"There's provision to whitelist IP address ranges for those applications that do not use DNS or, in other words, use bare IP addresses to access services.
"A ZTDNS protective DNS server is a server supporting existing secure DNS standards such as DoH (DNS over HTTPS) and/or DoT (DNS over TLS). Mutual authentication is used to authenticate DNS look-ups, providing an additional layer of security as required under ZTA."
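The "resolve, then allow" flow that Coker and Giorgilli describe (a look-up answered by the trusted resolver creates a firewall entry for the returned address, a domain outside the permitted set is refused, and bare-IP applications rely on an explicit exception range) can be modelled in a few dozen lines. The following is an added illustration written for this article, not Microsoft's code: it does not call WFP or a real DoH/DoT client, the `ZtdnsPolicy` class and its `protective_zone` dictionary are constructed stand-ins, and the per-application keying and the TTL-scoped expiry of allow entries are assumptions of the model (the per-application part follows Coker's stated preference rather than anything the article attributes to Microsoft).

```python
"""Toy model of a ZTDNS-style 'resolve, then allow' host policy.

Added illustration; not Microsoft's code.  No real DNS or WFP calls are made.
The protective resolver's answers, the TTL-scoped allow entries and the
per-application keying are constructed assumptions of this model.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple


class ZtdnsPolicy:
    def __init__(
        self,
        allowed_domains: Iterable[str],
        protective_zone: Dict[str, Tuple[List[str], int]],
        ip_exceptions: Iterable[str] = (),
    ) -> None:
        # Domains the protective resolver is permitted to answer (suffix match).
        self.allowed_domains = {d.lower().rstrip(".") for d in allowed_domains}
        # Stand-in for answers from the mutually authenticated DoH/DoT server:
        # name -> (addresses, ttl_seconds).  Constructed sample data only.
        self.zone = {k.lower().rstrip("."): v for k, v in protective_zone.items()}
        # Address ranges pre-approved for applications that never use DNS.
        self.exceptions = [ipaddress.ip_network(n) for n in ip_exceptions]
        # What the host firewall currently permits: (app, ip) -> expiry time.
        self.allow_until: Dict[Tuple[str, ipaddress._BaseAddress], int] = {}
        self.log: List[str] = []

    def _domain_permitted(self, name: str) -> bool:
        return any(name == d or name.endswith("." + d) for d in self.allowed_domains)

    def resolve(self, name: str, app: str, now: int) -> Optional[List[str]]:
        """Answer a look-up and, on success, open the firewall for the result."""
        name = name.lower().rstrip(".")
        if not self._domain_permitted(name):
            self.log.append(f"{now} REFUSED {app} {name} (outside allowed domains)")
            return None
        answer = self.zone.get(name)
        if answer is None:
            self.log.append(f"{now} NXDOMAIN {app} {name}")
            return None
        addrs, ttl = answer
        for a in addrs:
            ip = ipaddress.ip_address(a)
            key = (app, ip)
            # Extend, never shorten, an existing entry for the same app/ip.
            self.allow_until[key] = max(self.allow_until.get(key, 0), now + ttl)
            self.log.append(f"{now} ALLOW {app} {name} -> {ip} until {now + ttl}")
        return list(addrs)

    def connect_allowed(self, dest: str, app: str, now: int) -> bool:
        """Decide whether an outbound connection would pass the host firewall."""
        ip = ipaddress.ip_address(dest)
        if any(ip in net for net in self.exceptions):
            self.log.append(f"{now} ALLOW {app} -> {ip} (bare-IP exception)")
            return True
        expiry = self.allow_until.get((app, ip))
        if expiry is not None and now < expiry:
            return True
        self.log.append(f"{now} BLOCK {app} -> {ip} (no live ZTDNS resolution)")
        return False


def demo() -> Tuple[Dict[str, object], List[str]]:
    """Walk through the cases the article describes, on constructed data."""
    policy = ZtdnsPolicy(
        allowed_domains=["corp.example"],
        protective_zone={
            "mail.corp.example": (["192.0.2.10"], 60),
            # The resolver knows this name, but policy never lets it be answered.
            "evil.example": (["203.0.113.5"], 60),
        },
        ip_exceptions=["198.51.100.0/24"],
    )
    r: Dict[str, object] = {}
    r["before_lookup"] = policy.connect_allowed("192.0.2.10", "mail", now=0)
    r["lookup"] = policy.resolve("mail.corp.example", "mail", now=0)
    r["after_lookup"] = policy.connect_allowed("192.0.2.10", "mail", now=5)
    r["other_app"] = policy.connect_allowed("192.0.2.10", "browser", now=5)
    r["after_ttl"] = policy.connect_allowed("192.0.2.10", "mail", now=61)
    r["refused"] = policy.resolve("evil.example", "browser", now=5)
    r["refused_ip"] = policy.connect_allowed("203.0.113.5", "browser", now=5)
    r["bare_ip_exception"] = policy.connect_allowed("198.51.100.7", "legacy", now=5)
    return r, policy.log


if __name__ == "__main__":
    results, log = demo()
    for k, v in results.items():
        print(f"{k:18} {v}")
    print("\n".join(log))
```

Running `demo()` shows the properties the quotes spell out: a destination is blocked until the trusted resolver has answered for it, a second application does not inherit the first one's entry, the entry lapses when the answer's TTL runs out, a name outside the permitted domains is refused before any firewall entry is created, and a bare-IP application reaches its service only because its range was listed as an exception. The log lines are the kind of record Coker refers to when he says the design works best "if you have logs of all the things allowed".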
However, Giorgilli pointed out that Microsoft, in another post, had advised customers to consider the potential complications associated with the deployment of ZTDNS.
"The post highlights Microsoft's intentions when it explains that local administrators are able to bypass ZTDNS," he added, quoting: "Enterprise administrators should consider whether their employees need to have administrative privilege on their Windows devices.
"Any administrator can deactivate ZTDNS enforcement as easily as activate it, add ZTDNS exceptions for malicious IP addresses, or even install and run software with administrative privileges which may (unbeknownst to the human user) do these things.
"Therefore, deploying ZTDNS to Windows 11 machines in an enterprise environment which has regular human users with administrator privileges is unsupported.
"The intention is for the device to be fully managed through MDM, with local controls present for debugging purposes only, in line with Zero Trust principles (grant only the absolutely necessary access or permissions)."
He added: "In short, ZTDNS is aimed at organisations implementing ZTA that are already managing large fleets of Windows 11 devices using MDM (Mobile Device Management) platforms such as Microsoft's own Intune."