Microsoft just gave us a first look at the future of its DNS services

Zero Trust DNS is coming from Microsoft

Microsoft has announced a new, upcoming feature that aims to solve a decades-old conundrum in DNS security.

The feature is called ZTDNS, or Zero Trust Domain Name System, and is currently entering private preview. Microsoft promised a separate announcement once the feature makes it to the Insiders program.

In a blog post, Microsoft explained how, virtually since its inception, the process of translating human-readable domain names into IP addresses has been a major risk from a security standpoint. Because of the way DNS was designed, IT admins were often faced with a choice: either add cryptographic authentication and encryption to DNS and risk losing visibility into malicious traffic, or route DNS traffic in clear text and leave the server and the client device with no way to authenticate each other, which is just as risky.

No new protocols

To solve this problem, Microsoft decided to integrate the Windows DNS engine with the Windows Filtering Platform, a core part of Windows Firewall, directly on end devices.

Commenting for Ars Technica, Jake Williams, VP of research and development at Hunter Strategy, said integrating these engines will allow Windows Firewall to be updated on a per-domain-name basis. In other words, organizations will be able to tell clients "only use our DNS server, which uses TLS, and which will only resolve certain domains." Microsoft calls this DNS server or servers the "protective DNS server."

“For DNS servers to be used as Protective DNS servers for ZTDNS lockdown, the minimum requirement is to support either DNS over HTTPS (DoH) or DNS over TLS (DoT), as ZTDNS will prevent the use of plain-text DNS by Windows,” Microsoft explained in its blog post. “Optionally, use of mTLS on the encrypted DNS connections will allow Protective DNS to apply per-client resolution policies.”

To conclude, Microsoft stressed that ZTDNS doesn’t include new network protocols, which should enable an “interoperable approach” to domain-name-based lockdown.
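As an added illustration, not Microsoft's code or the actual ZTDNS implementation, the following Python model captures the lockdown rules described above: clear-text DNS is blocked outright, encrypted DNS (DoH or DoT) is permitted only to the configured protective server, and application traffic may leave the host only toward addresses that server actually returned for an allowlisted name. The resolver address, domain allowlist and zone data are constructed placeholders from the documentation IP ranges.

```python
"""Conceptual model of the ZTDNS lockdown described above (added example,
not Microsoft's implementation). Policy values below are constructed."""
from dataclasses import dataclass, field

PLAIN_DNS_PORT, DOH_PORT, DOT_PORT = 53, 443, 853

@dataclass
class ZtdnsPolicy:
    protective_dns: str              # constructed address of the protective resolver
    allowed_domains: set[str]        # names the protective resolver will answer for
    zone: dict[str, list[str]]       # constructed resolver data: name -> addresses
    resolved: set[str] = field(default_factory=set)  # addresses released to firewall

    def resolve(self, domain: str) -> list[str]:
        """Protective resolution: refuse names outside the allowlist; every address
        returned for an allowed name becomes a per-domain firewall exception."""
        name = domain.lower().rstrip(".")
        if name not in self.allowed_domains:
            return []
        answers = self.zone.get(name, [])
        self.resolved.update(answers)
        return answers

    def flow_allowed(self, dst_ip: str, port: int) -> bool:
        """Host-firewall decision for one outbound flow."""
        if port == PLAIN_DNS_PORT:
            return False                               # no clear-text DNS, anywhere
        if dst_ip == self.protective_dns and port in (DOH_PORT, DOT_PORT):
            return True                                # DoH/DoT to the protective server
        return dst_ip in self.resolved                 # only addresses it handed out

def demo() -> dict[str, bool]:
    """Walk one constructed client through the policy and return each decision."""
    policy = ZtdnsPolicy(
        protective_dns="192.0.2.53",
        allowed_domains={"intranet.example.com", "updates.example.com"},
        zone={"intranet.example.com": ["203.0.113.10"],
              "updates.example.com": ["203.0.113.20", "203.0.113.21"],
              "ads.example.net": ["198.51.100.9"]},
    )
    return {
        "plain_dns_to_external": policy.flow_allowed("192.0.2.1", 53),
        "doh_to_protective": policy.flow_allowed("192.0.2.53", 443),
        "dot_to_other_server": policy.flow_allowed("192.0.2.1", 853),
        "intranet_resolves": policy.resolve("intranet.example.com") == ["203.0.113.10"],
        "unlisted_name_refused": policy.resolve("ads.example.net") == [],
        "https_to_resolved_ip": policy.flow_allowed("203.0.113.10", 443),
        "https_to_unresolved_ip": policy.flow_allowed("198.51.100.9", 443),
    }
```

Note that the last decision is the one the plain-text versus encrypted trade-off could never give: a connection to an address that was never resolved through the protective server is dropped even though no DNS packet was ever seen for it.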

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
