Zero-Trust DNS

Microsoft is working on a promising-looking protocol to lock down DNS.

ZTDNS aims to solve the decades-old problem that DNS lookups are rarely encrypted and that a resolver will translate any name it is asked for, malicious or not, by integrating the Windows DNS engine with the Windows Filtering Platform—the core component of the Windows Firewall—directly into client devices.

Jake Williams, VP of research and development at consultancy Hunter Strategy, said the union of these previously disparate engines would allow updates to be made to the Windows firewall on a per-domain name basis. The result, he said, is a mechanism that allows organizations to, in essence, tell clients “only use our DNS server, that uses TLS, and will only resolve certain domains.” Microsoft calls this DNS server or servers the “protective DNS server.”

By default, clients will be denied resolution of, and connections to, all domains except those enumerated in allow lists. A separate allow list will contain IP address subnets that clients need to reach to run authorized software. Key to making this work at scale inside an organization with rapidly changing needs is the way the resolver and the firewall are wired together. Networking security expert Royce Williams (no relation to Jake Williams) called this a “sort of a bidirectional API for the firewall layer, so you can both trigger firewall actions (by input *to* the firewall), and trigger external actions based on firewall state (output *from* the firewall). So instead of having to reinvent the firewall wheel if you are an AV vendor or whatever, you just hook into WFP.”

Posted on May 16, 2024 at 7:03 AM

Comments

Blerik May 16, 2024 8:03 AM

Does this mean removing or locking down /etc/hosts (or the Windows equivalent)? Which then makes certain use-cases of private DNS resolving (like lab machine access, or near-production testing) impossible?

Also I see no mention of IP-address-based access being blocked. Is this also in scope? It will make accessing your at home wifi access point difficult. But if it’s not blocked, your firewall is full of holes…

RapidGeek May 16, 2024 8:05 AM

This could be a Trojan Horse. Better security or the opportunity to block any content not approved by the ruling political party or whatever insane ideology comes along.

If you trust someone to provide security for you, then you trust your vulnerability to them as well

echo May 16, 2024 8:11 AM

This is a good idea in theory if viewed in isolation. The problems start happening once you step out of the technical quadrant and begin looking around the technical, human rights, economics, and social model.

Variants of this kind of idea and this general pool of problems have been evolving since around the early 2000’s. Notable examples include online Windows authentication and games (DLC) Downloadable Content, and various wheezes which have pinged the headlines very briefly from time to time.

One question I ask is “Security but security for whom?” Without credible human rights mechanisms in place (and adequate economic and social policy) I really can’t see facilitating locked down DNS as a good idea. Like, if you had locked down DNS, bit level permissions on internet access, and a locked down hardware-OS-application stack? Add in captured/complicit media and banning public protest? A more rounded structural/meta discussion is rarely had in the media until it’s too late, and the tech industry rarely if ever considers it, with a “If we don’t do these projects someone else will” argument in some quarters. The work is very context and history free and never asks what happens in four, five, or six steps. What is the direction of travel?

Around 15+ years ago Microsoft Research produced a paper which they used to lobby the UK government, which proposed an internet model which could give permissions down to the bit level. Again, another idea which is good on paper if viewed in isolation. I’m guilty of it myself, as I had lobbied on this myself without knowing about Microsoft’s push, which only became public a few years later. I later came to see this (and a few other bright ideas I subsequently had) as still a good idea on paper but… There’s another story in here about paths crossing involving journalism and human rights and the fact it can be a very small world at times. That one is not for today though.

As for the boss class of corporations not all but too many don’t respect human rights. They don’t respect DEI or unions. They don’t respect fair pay and conditions. (In the US corporations get huge discounts on healthcare insurance which pushed costs up for everyone else and as a system your only value as a human being is how much money you have.) They spend their disproportionate income lobbying and use their resources to keep it that way.

We’re back to the “security but security for whom” question. You create perfect technical security then what? What’s to prevent bad actors in politics walking through the side door with a bad lock and tearing up your democracy and human rights and dignity then using this enhanced security to make sure it stays that way? This security doesn’t look like such a good idea after all.

A Wall is a Wall May 16, 2024 8:52 AM

@ALL

A wall can keep you out or keep you in, and a castle is also a prison.

Security only benefits those who control it. We have seen this with both Google and Apple with their mobile phone OS’s and their forced App Stores.

Microsoft have been desperate for years to get the same level of control over users. Look back to their DRM and Trusted Platform nonsense. Supposedly for protection of first the ‘Entertainment Corps from users’ and then ‘Corporate employers from users’.

But ultimately Microsoft controlling the keys to not just the castle but the kingdom. Thus de facto making them King of the Castle and Country, with everyone held prisoner to their whim.

Long before we had technology that could be controlled so easily by others beyond our own control, Benjamin Franklin wrote “Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety.”

In essence most today have sleepwalked into a gilded cage.

The price of the illusion of safety from unknown attackers is to be not just controlled but bled by those who actually control the technology we have purchased. So at every step we have to do as we are told and pay for that privilege over and over.

I say I would rather ‘pull the plug and take my chances’.

Winter May 16, 2024 9:13 AM

I heard it discussed as a solution to a MS problem: How to get their firewall working in corporate networks.

To me it sounded as a private version of the Chinese Great Firewall.

A Wall is a Wall May 16, 2024 9:23 AM

@ALL

Two things to think about,

Firstly : Who controls the DNS servers, DNS resolver and firewall engine?

Secondly : The last paragraph of the article says

“Microsoft published a separate post detailing some of the processes that will be complicated by ZTDNS and others that will bypass it. ZTDNS is entering private preview. Microsoft didn’t say when insiders might be able to review it or when it might become generally available.”

Note the second sentence.

Why would Microsoft, having announced the idea and theory, want to so strongly hide the practical implementation?

After all

“If they have nothing to hide, they should have nothing to fear.”

But flipping the saying we can say Microsoft obviously have something to fear and they want to keep it hidden.

Microsoft have previously tried to gain near absolute control by “embrace and extend” and similar tricks. And likewise judges have taken a very dim view of their behaviours.

Why should we trust Microsoft who have repeatedly proved themselves untrustworthy?

mw May 16, 2024 9:25 AM

I do not understand why this should be promising-looking. It’s a kind of offence to the DNS system. DNS resolvers should generally resolve all domain names in the DNS. Blocking of any of them is a kind of censorship.

Anyway security and Microsoft are incompatible and Microsoft never knows how to implement security right. To do so, cease Internet Explorer, Windows, Office, Teams and Azure. In other words get rid of Microsoft.

Working in a corporate environment as an engineer is right now nearly impossible, because the “security” actions, better the security theater, from the IT are driven by fear.

noname May 16, 2024 10:12 AM

with everyone held prisoner to their whim.

Curious if you are reading ZTDNS as being mandatory or optional? Will it be free?

More responses on the MS blog:

[…] To your other point, yes, and calling it a hassle is putting it lightly. It is expected that getting ZTDNS fully deployed in enforcement mode will be a long-term journey that starts with testing it out in audit mode (logging, but no enforcement) to discover the real-world name dependencies your network has, and slowly building up allowlists and attempting to reduce the unknown lists (not explicitly allowed but not blocked either). It isn’t a feature for everyone, but for enterprises with high compliance expectations, it will be a unique tool in their Zero Trust toolkit that will be worth the ROI.

echo May 16, 2024 10:23 AM

With regard to the illusion of perfect security Microsoft are trying to peddle it’s important to note in human rights law you are entitled to privacy but not secrecy. The two are very different things.

This is like one of those annoying kinds of things I came out with in school a now embarrassingly long time ago. In chemistry the teacher was discussing what kinds of things materials were and when he mentioned glass I piped up saying it’s neither a solid nor a liquid. Of course the boys laughed until the teacher went “Er…” Glass is an amorphous solid.

Oh the joy of reading. You never know what crap you can come up with.

Corporate May 16, 2024 10:40 AM

@noname

Yes, this is clearly an optional feature for enterprise managed devices.

Want to resolve a forbidden domain? Just whip out your personal phone and query your favorite DNS server.

Wannabe Techguy May 16, 2024 10:58 AM

@ A Wall is a Wall

“Why should we trust Microsoft who have repeatedly proved themselves untrustworthy?”

Yes very true and I would also include the US government. But hey, what do I know?

Hedo May 16, 2024 11:05 AM

@echo
“…good idea in theory…”

So is communism, my dear.

@Wannabe Techguy • May 16, 2024 10:58 AM

@ A Wall is a Wall

“Why should we trust Microsoft who have repeatedly proved themselves untrustworthy?”

Yes very true and I would also include the US government. But hey, what do I know?

NOW, that’s MORE LIKE IT! Glad, I’m not the only one!

brendan May 16, 2024 11:21 AM

Does anyone else think it’s weird to call this “zero-trust”? “Only use our DNS server, that … will only resolve certain domains”—why? The obvious reason would be that the server, and the computers at the domains it’s allowed to resolve, are somehow trusted. Otherwise, allowing the system to resolve other domains or use other servers would pose no risk.

Winter May 16, 2024 11:35 AM

@Wannabe Techguy

Yes very true and I would also include the US government. But hey, what do I know?

So you do not trust MS, nor the US government.

Do you trust other companies? Other governments? Anyone but yourself? Do you trust yourself?

Do you trust your tap water? Bottled water? Groceries?

How can you live?

Chelloveck May 16, 2024 11:38 AM

@noname: That explains a lot. This isn’t meant to be a bulletproof system that actually solves a technological problem. This is meant to be a system that works just well enough that MS corporate customers can tick a checkbox on some compliance form to claim “our DNS is secure”.

Corporate May 16, 2024 11:39 AM

@brendan

Maybe zero-trust in the edge devices initiating DNS lookups? If they are infected with malware, they shouldn’t be able to resolve the C&C domains if the trusted side is properly configured.

noname May 16, 2024 12:16 PM

@Corporate

Want to resolve a forbidden domain? Just whip out your personal phone and query your favorite DNS server.

Yes, got to order a pizza, listen to Spotify, and visit a watering hole 🙂

brendan May 16, 2024 12:37 PM

@Corporate,

Maybe zero-trust in the edge devices initiating DNS lookups?

Okay, so the network administrators run strict firewalling, and the edge devices trust the network to block the bad stuff. Isn’t that basically the standard office network of the last 30 years? In that case, I suppose “zero-trust” would just be a meaningless buzzword they added to be trendy.

Matt May 16, 2024 12:38 PM

Oh, well, if Microsoft is doing it, then what could we possibly have to worry about?

A Wall is a Wall May 16, 2024 12:45 PM

@Wannabe Techguy

“Yes very true and I would also include the US government. But hey, what do I know?”

Only what you have observed and reasoned.

As for the USG, yup, a lot have observed and reasoned, and if impartial, as most actually are, who can blame them?

@Hedo

“NOW, that’s MORE LIKE IT! Glad, I’m not the only one!”

I suspect there are very many, but few have the confidence to say so…

And again who can blame them.

@Winter

“Do you trust your tap water? Bottled water? Groceries?”

I know enough from ‘observing’ by chemical testing that I do not in any way trust my tap water.

There are some things ‘chalk candles’ and ‘reverse osmosis’ filters will not remove, and why tropical fish can die, unless you use rainwater as the feedstock.

As for Bottled water and Groceries, please don’t make me laugh, have you ever heard of ‘microplastics’ and more recently ‘nanoplastics’?

The World Health Organisation has a not so little booklet on just supposedly potable water and microplastics

https://www.who.int/publications/i/item/9789241516198

Oh and anywhere ‘shrink-wrap’ / ‘cling film’ or what ever you call them where you are and similar plastic packaging is used you will find both ‘nanoplastics’ and ‘microplastics’ so just about all fresh supermarket food is contaminated…

Oh and whilst microplastics are not easy to wash off or in other ways remove, nanoplastics are even worse but cross the gut barrier and into the hepatic portal oh so easily and from there everywhere…

Ever left a photocopy or laser printer page in a plastic wallet for a while? To discover the printed text/image transfers from the paper onto the wallet… Same with many supposedly food safe plastics and fresh foods only the other way.

There is other research one of the latest articles on findings can be read through ‘Nature’ which I believe you have a subscription for through your institution,

https://www.nature.com/articles/d41586-024-00650-3

Titled,

“Landmark study links microplastics to serious health problems”

From the intro,

“Plastics are just about everywhere — food packaging, tyres, clothes, water pipes. And they shed microscopic particles that end up in the environment and can be ingested or inhaled by people.”

“People who had tiny plastic particles lodged in a key blood vessel were more likely to experience heart attack, stroke or death during a three-year study.”

A Wall is a Wall May 16, 2024 1:01 PM

@ALL

The basic idea behind this is not exactly new.

Those NetAdmins setting up corporate “white list” systems back in the days of ‘Bastion Host’ into Demilitarised Zone systems used to do this long before my joints started creaking like a

“Rusty hinged barn door in a storm”

Back before people started doing stupid things with web servers it was not too much of a pain to do.

Now however with the QUIC protocol and similar it’s just way too much work even inside the corporate perimeter let alone for those ‘hot desking in coffee shops’ and the like.

Oh and then there is that idiot online advertising that gets auctioned out on a page by page basis in web pages that won’t load unless you take an advert or twenty.

I can see Google getting ‘up-tight and out of sight’ on Microsoft trying to kill their and others’ ‘ad revenue’.

noname May 16, 2024 1:03 PM

@Chelloveck

Re: ticking a checkbox on some compliance form

For all the organizations that are required to report cyber incidents, here’s hoping they identify the root causes. I guess it’s too early for any of these incidents to be a subset of MS ZTDNS implementation or configuration issues.

Anonymous May 16, 2024 1:09 PM

@A Wall is a Wall
“security only benefits those who control it”

It’s fascinating that I find out about this on a forum about security which is open to everyone.

Winter May 16, 2024 1:45 PM

@A Wall is a Wall

There are some things ‘chalk candles’ and ‘reverse osmosis’ filters will not remove, and why tropical fish can die, unless you use rainwater as the feedstock.

So you distill your own water? (rain water absorbs everything that floats around in the air)

You can shout out to trust nobody as much as you can, but even if you grow your own food and drill your own well, you will not necessarily be better off than buying stuff in a grocery.

There are much worse food borne diseases than microplastics.[1]

Before the invention of plastics, people died in droves from food poisoning and a host of food and waterborne diseases.

[1] ‘https://en.wikipedia.org/wiki/Foodborne_illness

Corporate May 16, 2024 2:44 PM

@brendan

Yeah, that’s my take as well. It doesn’t seem like anything that can’t already be accomplished. Just Microsoft building in the capability instead of having to rely on third-party or custom solutions.

A Wall is a Wall May 16, 2024 3:52 PM

@Anonymous

“It’s fascinating that I find out about this on a forum about security which is open to everyone.”

Further up you will also find @Rapid Geek saying much the same with

“If you trust someone to provide security for you, then you trust your vulnerability to them as well”

@Winter

“You can shout out to trust nobody as much as you can, but even if you grow your own food and drill your own well, you will not necessarily be better off than buying stuff in a grocery.”

I do not think you understand your own questions

“Do you trust your tap water? Bottled water? Groceries?

How can you live?”

The point is trust and being able to live are two rather different things.

I know the air I breathe is not good for me and the Dr has already said as much.

I take it that because I know this, by your argument I should stop breathing.

Why should I?

It’s not as though I have any real choice in the matter. If I stop breathing I die in maybe 3mins. If I stop drinking I die in maybe 3days. If I stop eating I die in maybe 30days.

Interesting little thought for you…

If I get water I know to have pathogens in it I can supposedly boil it to make it safe(r) to drink.

Now you may not know but you can with care boil water in a plastic bag that is hung above a flame.

You can also build a small fire and cut the top off a plastic bottle they sell in shops to hold water or soft drinks, near fill it to the top with pathogen loaded water and bring it to the boil. The bottle above the water will melt back but with care the part of the bottle that has water in it won’t melt.

The resulting boiled water will no longer have bioactive pathogens in it, that would have killed you in a week if you had drunk it. But, instead the boiled water now has carcinogenic chemicals from the melted/burnt plastic that if you drink it might give you cancer that will maybe kill you in a few years or so.

So knowing this you have three basic choices,

  1. Don’t drink, and die in three days.
  2. Drink the unboiled pathogen filled water and die in a week or so.
  3. Drink the boiled now carcinogen filled water and die in maybe three to thirty years.

Which “do you trust” enough to drink?

Winter May 16, 2024 5:26 PM

@A Wall is a Wall

Now you may not know but you can with care boil water in a plastic bag that is hung above a flame.

I am completely mystified why you would do such a thing. Metal kettles are easy to get.

Which “do you trust” enough to drink?

In this case, I would use either chlorine tablets for disinfecting drinking water or boil in a kettle. Chlorine is safer as it also kills the bacteria that cause cholera, which cooking does not kill.

Tropical fish die in chlorinated water as they “breathe” the water. We don’t, so it does not harm us.

My point is you will have to make choices whom you trust more than others. Trust No One is simply ludicrous.

lurker May 16, 2024 6:09 PM

@Chellovek
re: ticking checkboxes

I’m no corporate, no checkboxes, but when the next flaptop I get from Walmart has Windows NN and the DNS locked down in this crummy fudge, that’s just another excuse to wipe it and install some other OS.

Wannabe Techguy May 16, 2024 6:17 PM

@Hedo,etal

It’s interesting when this comes up I get so many smart ass replies, as you can see here, but no actual reason why people trust the US (or whatever country they live in) government.
So M.S. has proven themselves untrustworthy, but governments have proven trustworthy?

As I write this, I’m looking at a link to an essay by our esteemed host entitled:
“How the NSA Threatens National Security”.
So, should I trust NSA?
I’m not looking to convince anyone, I’m curious why they do that’s all.

echo May 16, 2024 7:01 PM

Trust is baked in from the day we are born. The rest of our life is spent learning how the world works and building relationships and learning knowledge passed down or passed around, learning when to be careful and so on. It’s an individual and social thing. As for longer term risks this may be why we have diseases of old age. If you don’t learn from it others or the next generation will.

People are reasoning but also social beings. Good education and good society keeps a check on governance which also keeps security in check. Stuff works. If it falls apart too much someone will squeal and people do. It’s because we have this thing called society.

I’m no corporate, no checkboxes, but when the next flaptop I get from Walmart has Windows NN and the DNS locked down in this crummy fudge, that’s just another excuse to wipe it and install some other OS.

I was weaning myself off MS by switching over to cross-platform apps for a few years. After they pulled their Windows 11 stunt by peddling “security” and “removing legacy code” excuses that was the last straw. When they show you who they are believe them. I’m now free of MS and a few other “rent seeking” vendors and life is a much less stressful experience without them. There’s no reason why I can’t run my laptops until they fall apart. I even bought some spare parts just in case. Hopefully I’ll get another 20+ years out of them.

Corporate May 16, 2024 7:48 PM

Here is the source that arstechnica links to

https: //techcommunity.microsoft.com/t5/networking-blog/announcing-zero-trust-dns-private-preview/ba-p/4110366

ROI Rogers May 16, 2024 9:33 PM

Microsoft has a lot of brand synergy with Zero Trust. When I hear Microsoft, I think Zero Trust! Next they should make a Zero Trust phonebook, and a robotic paperclip to scowl at me when I start dialing a de-emphasized area code.

Winter May 16, 2024 10:29 PM

@All
Re: Zero Trust

The “Trust” in Zero Trust has nothing to do with humans or organizations. It is simply to always verify any interaction using all available information.

It is obviously just marketing speak, but the idea seems to be that it implements security in depth.[1] Instead of focussing only on perimeter security and assuming everything inside the local network is trusted, it now treats all “insiders” as potential enemies.

That is a very expensive strategy so the actual implementation will be very far from “zero”.

[1] ‘https://www.microsoft.com/en-us/security/business/zero-trust

Andrew May 16, 2024 10:33 PM

What hasn’t been acknowledged yet are both that this is filling a technical gap but more importantly, that MS is again addressing their approach to this security control in an ingenuous way.

Microsoft is selling tens or hundreds of millions of dollars-a-year contracts to the largest employers in the US with the justification that these ballooning contracts will not cost the target company any more money, or more often that they will even save money, by displacing existing technologies with their own offerings included in the deal. A lot of these tools have been inferior to what the company uses to defend themselves, but these are C-level executive agreements and the play is to isolate the decision makers from the technologists who understand and have to live with the differences between effective and Good Enough security tools.

Introducing these features now, with apparently no real intention to make them feasibly operational, is right in line with their playbook to sell to executives that they check this box too. So they can convince more companies to buy into their platform, spending the money they could have on controls that work today.

Ultimately for a network defender it’s important to have the underpinning of this change and maybe some day MS will improve enterprise security with it, but for now it’s a Microsoft Is A Leader In Zero Trust! sales play to further pit CIOs against CISOs and get the deal done.

Andrew May 16, 2024 10:35 PM

First sentence above should read, “What hasn’t been acknowledged yet are both that this is filling a technical gap but more importantly, that MS is again addressing their approach to this security control in a[ Dis]ingenuous way.”

cybershow May 17, 2024 5:13 AM

@echo

Nice to see people more widely repeating what I believe are the three most important questions in security, which I first raised in this paper on “digital self-defence and civic cybersecurity” in 2019.

  • Security for who or what?
  • Security from whom or what?
  • Security to what end?

I believe that corporate security and civil security are now clearly divergent. In the future we will no longer be able to casually use a word like “cybersecurity” as if it were a bare noun, and will be forced to “pick a side”, to more explicitly declare the values of our security.

No matter how benevolent Big Tech may appear, anything they offer is conflicted by a principal agent problem.

Corporate May 17, 2024 6:55 AM

@Winter

The “Trust” in Zero Trust has nothing to do with humans or organizations.

Instead of focussing only on perimeter security and assuming everything inside the local network is trusted, it now treats all “insiders” as potential enemies.

What? The “insiders” are just expensive meat bags, but I thought we still regarded them as humans.

Winter May 17, 2024 8:55 AM

@Corporate

The “insiders” are just expensive meat bags, but I thought we still regarded them as humans.

MS never deals with people, unless they are on their payroll.

The Trust that is talked about is the Trust of the Devices connected to the network. Humans come in only to login/logout. But that is not new.

A Wall is A Wall May 17, 2024 10:24 AM

@Winter

“I am completely mystified why you would do such a thing. Metal kettles are easy to get.”

Not in as much of the world as you might think. These days most kettles are electric and often actually made of significant amounts of plastic. To get a metal kettle to use on an open fire usually means visiting an outdoor sporting/camping store.

Which means they are not as easily available as you think they are.

Plastic bags however most people have one within reach much of the time.

But you are really deliberately avoiding the point of the choices you were given.

Something a look back in the archives suggests you do all too frequently to not answer questions.

Hmm I wonder why that would be?

echo May 17, 2024 11:14 AM

If you’re only focused on the technical aspect of the technical, human rights, economic, social security model then yes the subject is about a purely technical issue. Personally once I get what the technical issue is about I’m much less interested in that and more about the rest of the model.

I laid out some history and there’s the broader context too. It implies a problem fixed in one area (technical) may later cause problems in another (human rights) but this also has a knock on effect with society and economics. It’s impossible for one element of the security model to exist without the others. Things are changing all the time. A change in one area can effect change in another.

On a simple level there’s nothing new here. It’s when you start looking at the details and interactions and knock-on effects things look different. A change here and a slip there and this piece falls into place and another five steps along another falls into place and then you find the gate shut behind you. At that point the “I thought it meant” and “I thought you said” or “it will all blow over” condenses down into having an unpleasant day. For some it may be no more than having to redo a project. Others may feel its time for a job elsewhere. Others too find more time to recite poetry while swinging from a blood encrusted meathook.

Focusing on the purely technical people have pointed out pragmatic issues with it. Then there’s the arrogance of assuming security where there isn’t really or shifting the problem. Then you need approved software from approved people. Then there’s a long list of they need to be approved for this that and the other. Now it’s causing ripple effects for employees and external vendors. This begins a slow squeeze to create authoritarian and xenophobic organisations who move at the pace of change of the “zero trust” environment. It can work for some organisations but not for others. None of these technical changes is necessarily bad but things can look different if you view them over a longer period of time like 50 years.

Ask what’s missing from Microsoft’s sales pitch? Fun? Employee empowerment? Creativity? This technical wheeze doesn’t rule it out on paper. In practice? Then what if this experiment and other experiments Microsoft have pulled begin to roll out on a mass scale by default? They’d had the time to experiment in their Petri dish. It’s given them time to sell it to big business who are often lobbyists. It’s given time to plant ideas in the heads of regulators. In all that time how has human rights or equality progressed? If it hasn’t moved anywhere or gone backwards because of the same lobbyists? Politics can regress and accidents happen and what if a smart and effective authoritarian arrived on the scene? It’s not as if there are no examples of politicians getting handy with security for ideological reasons. Nor is it beyond imagination that an existing dictator would copy the scheme. There’s enough examples of that too.

I personally believe human rights and a decent society being propagated is better security than a merely technical fix. They’re safeguards on anything technical getting out of hand.

Winter May 17, 2024 11:14 AM

@A Wall is A Wall

But you are really deliberately avoiding the point of the choices you were given.

I never have bought kitchenware in the USA. Everywhere else I come, enough people cook on gas to ensure metal kettles are in ample supply. And without a kettle, it is easy to use a metal pan over a fire. If you can cook an egg over a gas or electric furnace, you can cook water.

As for your options, unless I am lost in the woods without drinking water and nothing but a plastic bag, I would use the bag. I would not expect to die as fast from the “carcinogens” from the bag as from the assorted germs you can find in unclean water.

But again, that would only be a last resort when I am lost on a desert island or the middle of the jungle. I would do many crazy things if the alternative is dying.

Something a look back in the archives suggests you do all too frequently to not answer questions.

Stupid loaded question, indeed no. Also, my online time is limited and I live in “another” timezone. By the time I can respond to a question, the issue is often moot.

noname May 17, 2024 12:50 PM

@echo

I personally believe human rights and a decent society being propagated is better security than a merely technical fix.

The Gates Foundation provided $7 billion in charitable support in 2022. (Bill Gates, as I’m sure you’re aware, was a co-founder of Microsoft.)

There’s a chart at this link showing how the funds were distributed (global health, gender equality, etc.)

Have you considered grant proposals to a philanthropic organization?

https://www.gatesfoundation.org/about/how-we-work

Who? May 17, 2024 1:46 PM

Let me show my cynic attitude against big corporations again.

Nothing here is new: we can filter domains using a squid proxy, we can restrict searches using the right access lists in bind/nsd/unbound… we can use authoritative-only DNSs (nsd), recursive-only ones (unbound) or a —somewhat dangerous and prone to misconfiguration— mix of both authoritative and recursive nameservers (bind). I know what I’m talking about, as I have been doing it for decades.

Some of that software is available since the eighties, most since mid-nineties. It is free, open-source and widely tested in production environments. It runs on reasonable operating systems too.

I fail to see where the innovation is here, but these buzzwords sound cool and will surely provide good funds to Microsoft Research.

lurker May 17, 2024 2:20 PM

@Winter
“The “Trust” in Zero Trust has nothing to do with humans or organizations.”

“Trust” means just what MS wants it to mean, same as the Caterpillar Alice met in Wonderland.

@Who?

Amen, brother.

Winter May 17, 2024 3:26 PM

@Who?

I fail to see where the innovation is here,

I would have been very surprised if MS had developed and marketed something innovative. MS’s whole business model is based on repackaging existing technology and driving out those who did the original R&D.

In the late nineties I was at a conference where new technology was presented. The consensus was that the only option to make money was to be bought by MS. If you tried to market it yourself, MS would copy it and bundle it for free.

echo May 17, 2024 11:17 PM

The establishment never like change or anything new unless it’s trying to capture a slice of the action or get down with the kids. “Zero Trust” and a retread of yesterday’s work isn’t it.

Government needs to get back to regulating and cutting “rent seeking billionaires” and captured markets free. Decent healthcare and housing and equality allows the next generation to flourish not create a corporate and technical product which only exists because they’re old and scared of becoming obsolete or being irrelevant.

I’m doing new stuff now which I never had the chance to do when I was younger. While I’m up to that all I can do is work with the younger ones to solve a few problems and let them know where the dead bodies are buried and dodge some of the traps. The counter culture and working class culture of today is very different to yesterday. The new stuff they’ve done and are doing with DEI and the green economy is amazing. It’s the future.

I’m having to timewarp my brain back an embarrassing number of years and ask myself what got me into tech in the first place. It was new and exciting and I found what I liked working with clicked with my sense of intuition. I’m never going to do that again hence finding something different I can get behind.

That’s how I see things. It’s positive and less cranky than the alternatives.

Corporate May 18, 2024 12:56 AM

Ok, how?

Government needs to get back to regulating and cutting “rent seeking billionaires” and captured markets free.

Good luck

anon May 18, 2024 1:41 AM

@noname
Sorry, but if you are responsible for security on your network, and you don’t already know exactly what external hosts your organisation relies on, or you don’t employ a small team who does, you shouldn’t be managing DNS, proxies and firewalls.

If you’re properly protecting your Windows systems, you already know that you have to manually update the root CA list on a regular basis because Microsoft can’t download updates via proxy. Now, with DNS-over-HTTPS, it’s becoming more and more critical to actually install and run a MITM proxy to prevent (predominantly) Microsoft and Alphabet/Google from bypassing your corporate DNS infrastructure.

ResearcherZero May 18, 2024 4:07 AM

Rule based logic can be used for determining if a session should be allowed to pass through, or get blocked. You can add your own proxy and determine your own rules if you like. Really it’s up to you to decide what to do. You could also inspect traffic as well.

A Wall is a Wall May 18, 2024 1:51 PM

@Winter

It was a question about trust, and it applies not just in what you think of as dystopian scenarios.

It applies in all sorts of places in the US where there are water supplies to household taps and spigots. Like Flint in Michigan being quite famous for the callousness of how it decided that some people should be poisoned. With one of the latest I’m aware of to hit Lehi in Utah. It is about 30 minutes south of Salt Lake City and made several children critically ill according to US CDC reports.

As well as other media back in Sept 2023

https://www.ksl.com/article/50735070/lehi-e-coli-outbreak-grows-to-13-cases-7-hospitalizations

The underlying reason in both Flint and Lehi is municipal authorities making critical civil engineering choices based not on ‘health and safety’ but on a ‘knock it out on the cheap’ rationale that was known, before being carried out, to carry high risk.

Thus in the US, a supposedly First World Nation, people are getting poisoned by people they should be able to trust but cannot.

So it’s not as you say,

“… would only be a last resort when I am lost on a desert island or the middle of the jungle.”

Just living in a First World unrestrained Capitalist ethos nation of over 1/3 of a billion people that consumes around 1/2 of the world’s available resources if published figures are to be believed.

A Wall is a Wall May 18, 2024 2:14 PM

@Winter

I forgot to paste in the link to the very recently (May 9, 2024) released report,

https://www.cdc.gov/mmwr/volumes/73/wr/mm7318a1.htm

Their wording

“Municipal irrigation water systems are underrecognized possible sources of waterborne illnesses.”

Is a mealy mouthed way of avoiding correctly addressing a very clear and obvious and very long known health hazard and danger to the general population, by ‘blame shifting’ it onto children.

noname May 18, 2024 5:18 PM

@anon

Are you saying ZTDNS has the same capabilities that large enterprises already employ? Or more or fewer?

Also from the Ars article:

All three security experts interviewed for this post cautioned that ZTDNS introduces a novel paradigm that could disrupt crucial network operations unless admins make significant changes to their current designs. [emphasis mine]

Wouldn’t it be great to see how the DNS deployments (or network operations) compared pre- and post-ZTDNS? If I was going to risk all the disruption of a ‘novel paradigm’ I’d feel more equipped with knowledgeable analysis on real-world case studies.

A Wall is a Wall May 18, 2024 7:35 PM

@noname
@anon
@ALL

“Are you saying ZTDNS has the same capabilities that large enterprises already employ? Or more or fewer?”

The only people who can actually say are within the team within Microsoft, if they even really exist.

It would not be the first time Microsoft have pushed talk of what became known as ‘vapourware’

As the article notes, whatever ZTDNS might or might not be, it’s 100% internal to Micro$haft currently.

But what has been described has been done before; the earliest references I’ve got to something that sounds similar go back to the 1970s. By the 1980s it was a fairly solid idea in use with unix boxes.

In essence the perimeter firewall would only allow certain types of traffic to certain known IP addresses. One type of traffic not allowed was either TCP or UDP DNS traffic. All the internal systems had to use the internal DNS server.

In effect it was a ‘White List’ system that made life easier for network admins. Because no matter how a user on an internal machine tried, they could not get anything past the Firewall that was not an approved IP address.

The hard part was getting the internal DNS server set up in such a way that it would fairly rapidly make changes at the Firewall if an external service changed its IP address.

The Micro$haft blurb makes it sound quite complicated by the fact the internal machines have to authenticate to the internal DNS server using PKcerts or similar. In effect this makes a user or their machine “role based” but it is something that could be set up with tools that have been around for decades.

Almost certainly what Micro$haft want ZTDNS to really do, is give them increased control, as do many Governments.

Look at it as doing a Great Fire Wall of China / Russia where by your computer could never get the IP address etc of an unapproved of service.

Look at it another way: one of any number of ‘Entertainment Media’ companies could send a DMCA Takedown to Micro$haft and within maybe an hour no Micro$haft OS based machine could get, let alone use, the IP address of the server. No legal process required; the server would be ‘black holed’ and the only way to get it lifted would be to drag Micro$haft executives and lawyers into court for what might take a decade or more to be resolved.

If you think ‘Entertainment Media’ companies would not do this, think again they already have Alphabet / Google / YouTube doing it.

Bit by bit the big US Corps are stripping Internet Freedoms from the rest of the world and there is no way on ‘God’s little green apple’ that the US Government will stop them.

The only way to stop it is if enough people stop using OS’s and Applications that large Corps control or can gain control of in some way.

Have a think of just why Micro$haft acquired control of GitHub etc?

Fun little trick to try.

If you use DuckDuck, usually a relevant Wikipedia link comes at the top of the first page displayed.

Try a search of

“github microsoft control”

(Without the double quotes) and see how many pages of links from Micro$haft or Github services you have to scroll through before you get to the Wikipedia link?

I just tried it and it was four pages of Microsoft or Github server links.
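
The mechanism sketched in the comment above (an internal resolver that only answers for allow-listed names, and a firewall whose per-IP rules are derived from those answers and have to track address changes) can be shown end to end in a few dozen lines. The following is an added illustration written for this thread, not code from Microsoft or from the ZTDNS project; the domain names, IP addresses, TTLs and the static subnet are constructed sample data, and the resolver answers are embedded dictionaries standing in for real DNS responses. It demonstrates the “hard part” the comment names: when a service rotates an address between two resolutions, the rule for the old address is withdrawn and one for the new address is installed, and a rule whose TTL has run out stops admitting traffic.

```python
"""Allow-list-driven egress rules keyed on DNS answers (added example, not ZTDNS code)."""
from dataclasses import dataclass
import ipaddress

# Constructed resolver answers: name -> (addresses, TTL in seconds).
# A real deployment would take these from the protective resolver's responses.
ANSWERS_T0 = {
    "updates.example.com": (["192.0.2.10", "192.0.2.11"], 300),
    "repo.example.org": (["198.51.100.5"], 60),
}
ANSWERS_T1 = {
    "updates.example.com": (["192.0.2.10", "192.0.2.12"], 300),  # .11 rotated out, .12 in
    "repo.example.org": (["198.51.100.5"], 60),
}

# Constructed policy: names clients may resolve, plus subnets always reachable
# without a DNS lookup (the separate IP allow list).
ALLOWED_DOMAINS = {"updates.example.com", "repo.example.org"}
STATIC_SUBNETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Rule:
    ip: str
    domain: str      # which allow-listed name justified this rule
    expires: float   # absolute time after which the rule no longer admits traffic


class RuleTable:
    """Per-IP egress rules; stands in for the firewall's rule set."""

    def __init__(self):
        self.rules = {}  # ip -> Rule


def resolve(domain, answers):
    """Protective-resolver behaviour: refuse anything not on the allow list."""
    if domain not in ALLOWED_DOMAINS:
        raise LookupError(f"refused: {domain} is not on the allow list")
    if domain not in answers:
        raise LookupError(f"NXDOMAIN: {domain}")
    return answers[domain]


def sync(table, answers, now):
    """Re-resolve every allow-listed name and reconcile the rule table.

    Returns (added, removed) sets of IP strings so the caller can see exactly
    which firewall entries changed when a service moved address.
    """
    wanted = {}
    for domain in sorted(ALLOWED_DOMAINS):
        try:
            ips, ttl = resolve(domain, answers)
        except LookupError:
            continue  # a name that fails to resolve simply contributes no rules
        for ip in ips:
            ipaddress.ip_address(ip)  # reject garbage before it reaches the firewall
            wanted[ip] = Rule(ip, domain, now + ttl)
    added = set(wanted) - set(table.rules)
    removed = set(table.rules) - set(wanted)
    table.rules = wanted
    return added, removed


def is_allowed(table, ip, now):
    """Decide whether a client may send to `ip` at time `now`."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in STATIC_SUBNETS):
        return True
    rule = table.rules.get(ip)
    return rule is not None and rule.expires > now


if __name__ == "__main__":
    table = RuleTable()
    print("t0", sync(table, ANSWERS_T0, now=1000.0))
    print("t1", sync(table, ANSWERS_T1, now=1200.0))  # shows the rotation delta
```

The point of returning the delta from `sync` is that it is the only output a firewall integration needs: each IP in `added` becomes an allow rule, each in `removed` is torn down, and nothing is ever admitted because it was reachable last week. TTL expiry in `is_allowed` closes the remaining gap between two syncs.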

Winter May 18, 2024 10:01 PM

@A Wall is a Wall

Municipal irrigation water systems are underrecognized possible sources of waterborne illnesses.

Yes, indeed. Water treatment is not always healthy, not even for tap water. Especially so when poorer communities are involved. Particularly in the USA studies find:[1]

We find that community racial/ethnic composition predicts drinking water quality, but also that SES conditions the effect; specifically, black and Hispanic populations most strongly predict SDWA violations in low-SES communities

In short, blanket “trust no one” policies are counterproductive and unhealthy. Nothing in the above implies that all water is a health risk. Just get informed.

[1] ‘http://davidswitzerphd.com/images/SSQ2018.pdf
‘https://link.springer.com/article/10.1186/s12940-018-0442-6

noname May 19, 2024 3:37 AM

@A Wall is a Wall, All

Thank you for your response. I did the search experiment and also saw what you observed: lots of links on that search term before the wiki page.

The community seems largely uncertain, and more often highly skeptical, of Microsoft’s prioritization of security. And often of Microsoft in general.

Time will tell if there is an actual cultural shift at the company. All the feedback they are receiving sounds like it’s at least being heard, if nothing else.

Kevin Beaumont included a funny meme in his analysis of Microsoft’s ‘revitalized’ commitment to security: MOVE FAST, GET CSRB REPORT.

He also included a few lines from an email that CEO Satya Nadella sent to 200,000+ employees:

https://doublepulsar.com/breaking-down-microsofts-pivot-to-placing-cybersecurity-as-a-top-priority-734467a8db01

If you’re faced with the tradeoff between security and another priority, your answer is clear: Do security. In some cases, this will mean prioritizing security above other things we do, such as releasing new features or providing ongoing support for legacy systems. This is key to advancing both our platform quality and capability such that we can protect the digital estates of our customers and build a safer world for all.

Other initiatives were also released.

https://www.microsoft.com/en-us/security/blog/2024/05/03/security-above-all-else-expanding-microsofts-secure-future-initiative/

We’ll see how this translates into a complex system that has had trouble moving this football in the past.

Do you think tying leadership compensation to security objectives will have much of an impact?

https://www.theverge.com/2024/5/3/24147883/microsoft-security-priority-executive-compensation-goals
