If you’re as old as I am, you may remember this now-classic commercial for Reese’s Peanut Butter Cups. The gist of the ad was that chocolate and peanut butter are “two great tastes that taste great together.” (The ad may cause you youngsters to wonder, “Did people in the 80s really walk around with open jars of peanut butter?” Why yes, yes we did. Much as you kids walk around with those giant Stanley water bottles nowadays.)
Fast-forward on your Walkman 40-odd years and the new chocolate and peanut butter are Encrypted DNS and Protective DNS. Metaphorically, anyway. And maybe only for those of us in the DNS community—you know, the cool kids.
As you probably know, Encrypted DNS addresses that pesky “last-mile” problem that DNS has: the vulnerability of communications between DNS stub resolvers and recursive DNS servers to snooping and spoofing. Now we can encrypt that traffic using one of several mechanisms, shielding it from prying eyes and preventing unauthorized bit twiddling. We can even authenticate the stub resolver and DNS server at either end of the line.
Protective DNS enhances good ol’ DNS resolution to allow administrators to apply policy, preventing the resolution of domain names we know are malicious or suspicious. Because DNS is used to mediate nearly every transaction over the internet, and because nearly every type of device connected to the internet uses DNS, this provides a universal layer of protection.
These two enhancements to traditional DNS are significant enough that they’ve both been added to the latest draft of the National Institute of Standards and Technology’s venerable Special Publication 800-81, the Secure Domain Name System (DNS) Deployment Guide.
But the real Reese’s goodness shows when these two mechanisms are combined. That’s what Microsoft has done with Zero Trust DNS (ZTDNS): integrated Encrypted DNS and Protective DNS to create a powerful Zero Trust security solution.
In a ZTDNS environment, a Windows DNS client is configured to query one or more Protective DNS servers using an Encrypted DNS protocol such as DNS over TLS (DoT) or DNS over HTTPS (DoH). The Windows DNS client ensures that the computer can only query those authorized DNS servers. And the Windows TCP/IP stack ensures that the computer can only send traffic to IP addresses that have been resolved by the Protective DNS servers—in effect, destinations that have been vetted by Protective DNS.
With the appropriate policies configured on the Protective DNS servers (possibly via Response Policy Zone feeds), this system can protect users from inadvertently visiting phishing sites or clicking lookalike domain names. It can prevent malware from rendezvousing with command-and-control infrastructure or reconnoitering the local network.
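To make the two client-side rules concrete, here is an added toy model (my own illustration, not Microsoft's ZTDNS code or the Windows implementation) of a Protective DNS resolver that applies an RPZ-style block list, and a client that only accepts answers from authorized resolvers and only permits outbound connections to addresses those resolvers returned, for as long as the TTL lasts. The domain names, addresses and block list are constructed sample data.

```python
from dataclasses import dataclass, field

# Constructed sample data, not real indicators: a policy feed in the spirit of an RPZ
# block list, plus the answers an upstream authoritative server would return.
BLOCKED_NAMES = {"login-micros0ft.example", "c2.example"}   # lookalike and C2 names
UPSTREAM_ANSWERS = {                                          # name -> (addresses, TTL seconds)
    "intranet.example": (["10.0.0.5"], 300),
    "docs.example": (["192.0.2.20", "192.0.2.21"], 60),
    "login-micros0ft.example": (["203.0.113.10"], 300),
    "c2.example": (["198.51.100.7"], 300),
}

@dataclass
class ProtectiveResolver:
    """Recursive resolver that applies policy before answering (assumed, simplified model)."""
    address: str
    blocked: set = field(default_factory=lambda: set(BLOCKED_NAMES))

    def resolve(self, name):
        if name in self.blocked:                    # policy hit: answer as if the name did not exist
            return "NXDOMAIN", [], 0
        ips, ttl = UPSTREAM_ANSWERS.get(name, ([], 0))
        return ("NOERROR", ips, ttl) if ips else ("NXDOMAIN", [], 0)

@dataclass
class ZtdnsClient:
    """Models the client rules: query only authorized resolvers, connect only to resolved IPs."""
    authorized: set                              # addresses of the Protective DNS servers
    allowed: dict = field(default_factory=dict)  # destination IP -> expiry timestamp

    def query(self, resolver, name, now):
        if resolver.address not in self.authorized:   # any other resolver is refused outright
            return "REFUSED", []
        status, ips, ttl = resolver.resolve(name)
        for ip in ips:                                # vetted destinations stay reachable for the TTL
            self.allowed[ip] = now + ttl
        return status, ips

    def may_connect(self, ip, now):
        # Unresolved, blocked, or expired destinations never become reachable.
        return self.allowed.get(ip, 0) > now
```

A blocked name yields no addresses, so nothing is added to the allow list and the stack has no vetted destination to send traffic to; a rogue resolver is refused before it can answer at all.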
If you’re interested, my colleague Krupa wrote a more technical (albeit less chocolatey) overview of Protective DNS and ZTDNS here. And if you’d like to try ZTDNS out, it’s now in a public preview. I think it’s one of the coolest things since … well, you know.