Microsoft Announces ZTDNS (Zero Trust DNS)

Cinco de Mayo, Star Wars Day... it was a big weekend, and easy to miss Microsoft's announcement of ZTDNS, or Zero Trust DNS. This is a big deal for us DNS geeks, so let's break it down.

What is ZTDNS?

Microsoft's new security feature basically has two parts:

  1. Use Encrypted DNS: DoH or DoT. Not shocking; plenty of folks are on board with this already (Microsoft themselves jumped in back in 2019 with DoH support in Windows).

  2. Require Protective DNS Services: This one caught me off guard. Think of it like your firewall and DNS having a chat before you're allowed to connect anywhere: the client starts out blocking outbound traffic, and a destination only becomes reachable once the protective DNS server has returned it in an answer. If you try going to an IP address without going through DNS, the connection is blocked! Suddenly DNS is way more than just finding websites; it is the de facto security policy enforcement engine for the enterprise!
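To make the "no DNS answer, no connection" rule concrete, here is a small added example (my own toy model, not Microsoft's code and not from the ZTDNS announcement). A host starts with deny-all outbound except to the protective resolver itself; every positive answer from that resolver opens the answered IPs for the record's TTL, and anything never resolved, or whose TTL has lapsed, stays blocked. The resolver policy, the resolver address and the host/printer addresses are all constructed samples.

```python
"""
Toy model of ZTDNS-style enforcement (added example, not Microsoft's code):
the firewall allow list is populated only by answers from the protective
DNS resolver, and entries lapse with the record TTL.
"""
import ipaddress
import time
from dataclasses import dataclass, field

# Constructed sample policy for the hypothetical protective resolver:
# name -> (answered IPs, TTL in seconds). Any name not listed is refused.
SAMPLE_ZONE = {
    "intranet.example.test": (["10.1.2.3"], 300),
    "update.example.test": (["203.0.113.10", "203.0.113.11"], 60),
}
PROTECTIVE_DNS = "10.0.0.53"   # assumed resolver address


@dataclass
class ZtdnsHost:
    resolver_ip: str
    zone: dict
    clock: callable = time.monotonic          # injectable for testing
    allow: dict = field(default_factory=dict)  # ip -> expiry timestamp

    def resolve(self, name):
        """Query the protective resolver; a positive answer opens the firewall
        for the returned IPs until the TTL runs out. Returns the IPs or None."""
        entry = self.zone.get(name.lower().rstrip("."))
        if entry is None:
            return None                      # policy refusal: nothing opens
        ips, ttl = entry
        expiry = self.clock() + ttl
        for ip in ips:
            self.allow[str(ipaddress.ip_address(ip))] = expiry
        return list(ips)

    def connect_allowed(self, dst_ip):
        """Firewall decision for an outbound connection to dst_ip."""
        dst = str(ipaddress.ip_address(dst_ip))
        if dst == self.resolver_ip:
            return True                      # the one built-in exception
        expiry = self.allow.get(dst)
        if expiry is None:
            return False                     # never resolved via protective DNS
        if self.clock() >= expiry:
            del self.allow[dst]              # TTL lapsed: needs a fresh lookup
            return False
        return True


def demo():
    """Walk through the scenario with a controllable clock; returns outcomes."""
    t = [1000.0]
    host = ZtdnsHost(PROTECTIVE_DNS, SAMPLE_ZONE, clock=lambda: t[0])
    out = {}
    # Direct-to-IP before any lookup: blocked, even though the IP is "good".
    out["direct_ip_before_lookup"] = host.connect_allowed("203.0.113.10")
    # The resolver itself must always be reachable or nothing ever resolves.
    out["resolver_reachable"] = host.connect_allowed(PROTECTIVE_DNS)
    out["lookup_update"] = host.resolve("update.example.test")
    out["after_lookup"] = host.connect_allowed("203.0.113.10")
    # A name the policy refuses opens nothing.
    out["blocked_name"] = host.resolve("evil.example.test")
    t[0] += 61                               # past the 60 s TTL
    out["after_ttl_expired"] = host.connect_allowed("203.0.113.10")
    # A printer reached by bare IP (constructed LAN address) is blocked too.
    out["printer_by_ip"] = host.connect_allowed("192.168.1.50")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last case is the one to notice: a device on the LAN that is reached by literal IP, or discovered through mDNS rather than the protective resolver, never enters the allow list and is blocked until someone registers it in DNS policy.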

This Isn't Entirely New...

My co-author, Ross, and I talked about something just like this in our book, The Hidden Potential of DNS in Security. We called it D-NAP for DNS and Network Assured Policy (ok, our name wasn't as cool as Zero Trust DNS). Turns out, folks at SIDN Labs and Adam Networks have been thinking along the same lines.

We basically all independently came to the same conclusion: DNS can be the security gatekeeper for the enterprise. Looks like Microsoft came to that conclusion as well with this announcement.

Pros and Cons

Major props to Microsoft for this security boost. But yeah, as we pointed out in our book, ZTDNS is no small feat. The backend integration effort aside, it might make things like printing and streaming, well, complicated, since anything reached by bare IP or by local discovery rather than through the protective resolver gets blocked. Microsoft even admits that themselves in a follow-up blog post.

Still, I think this is the right move. Remember how network firewalls started off being kinda inconvenient (and a pain in the neck for many), then suddenly were a non-negotiable? I see DNS security going the same way.

Conclusion

This move raises some interesting questions. How will ZTDNS play with IoT devices? What about network devices such as switches that are traditionally excluded from DNS? Will there be a standardized API or protocol for protective DNS servers to communicate with firewalls? How will the security policy be loaded into the protective DNS servers? So yeah, there'll be growing pains. But get ready, folks! ZTDNS is the future of enterprise network security.

Interested in testing it out in your network? Share your experiences in the comments, let's learn from each other as we navigate this change.
