Whalebone blog

Beyond Buzzwords: Understanding DNS Security in a Zero-Trust Context

Written by Whalebone | 16.9.2024 13:34:57

Why We Should Look Beyond Hype: ZTDNS and the Future of DNS Security

Buzzwords or buzz phrases like 'zero trust' are often attached to emerging technologies and can lead to more confusion than clarity. The recent introduction of Microsoft's 'Zero Trust DNS' (ZTDNS) is one example where this might occur. While ZTDNS is gaining traction, it's crucial to understand what it truly represents – and why at Whalebone we have adopted a deliberate approach to Domain Name System (DNS) security.

ZTDNS: More Than Another Buzzword

Microsoft's introduction of ZTDNS is generating significant interest in the cybersecurity community. While the term ‘ZTDNS’ may seem like just another buzzword, it's important to acknowledge the underlying principles behind it that substantially strengthen DNS security.

At the heart of the ZTDNS principle is the idea of restricting IP connections to only those that have been properly resolved via DNS queries. This approach adds a powerful layer of security, effectively enhancing overall system resilience. By ensuring that only legitimate DNS-resolved connections are allowed, this method tightly controls network activity, making it harder for attackers to exploit any vulnerabilities.

In practice, this means that before any device or service can connect to an IP, the system checks whether that IP was returned by a verified DNS query. This limits the possibility of unauthorized or malicious connections, since such connections typically bypass DNS entirely and contact hard-coded addresses directly. Although strict enforcement may introduce challenges – for example, in handling edge cases where legitimate traffic does not follow standard patterns – the security benefits far outweigh these issues. Essentially, it narrows the scope of potential threats by drastically reducing the attack surface that attackers can target.
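As an added illustration (not Whalebone's or Microsoft's code), here is a small Python model of the enforcement rule just described: a gate that admits a connection only to an address a trusted resolver actually returned, and only while that answer's TTL is still valid, with an explicit exception list for the legitimate non-standard traffic the text mentions. The resolver, zone data and addresses are constructed for the example.

```python
import ipaddress
import time


class ZtdnsGate:
    """Allow outbound connections only to IPs that the trusted resolver
    returned, and only while the DNS answer's TTL has not expired."""

    def __init__(self, resolver, exceptions=()):
        self._resolver = resolver      # callable: name -> (list_of_ips, ttl_seconds)
        self._allowed = {}             # ip_address -> (expiry_time, resolved_name)
        self._exceptions = {ipaddress.ip_network(n) for n in exceptions}

    def resolve(self, name, now=None):
        """Resolve name and record its answers as connectable until TTL expiry."""
        now = time.time() if now is None else now
        ips, ttl = self._resolver(name)
        for ip in ips:
            self._allowed[ipaddress.ip_address(ip)] = (now + ttl, name)
        return list(ips)

    def check(self, ip, now=None):
        """Return (allowed, reason) for a connection attempt to ip."""
        now = time.time() if now is None else now
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self._exceptions):
            return True, "explicit exception"
        entry = self._allowed.get(addr)
        if entry is None:
            return False, "never resolved via DNS"   # e.g. hard-coded C2 address
        expiry, name = entry
        if now > expiry:
            del self._allowed[addr]                  # stale answer: re-resolve first
            return False, f"resolution for {name} expired"
        return True, f"resolved via {name}"


# Constructed sample zone (documentation-range addresses), not real records.
FAKE_ZONE = {"update.example.com": (["203.0.113.10"], 300)}


def fake_resolver(name):
    return FAKE_ZONE[name]


def demo():
    gate = ZtdnsGate(fake_resolver, exceptions=["10.0.0.0/8"])
    t0 = 1_000_000.0
    gate.resolve("update.example.com", now=t0)
    return {"resolved": gate.check("203.0.113.10", now=t0)[0],
            "literal_ip": gate.check("192.0.2.77", now=t0)[0],
            "expired": gate.check("203.0.113.10", now=t0 + 301)[0],
            "exception": gate.check("10.1.2.3", now=t0)[0]}
```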

Traditional DNS was not designed with security as a primary concern. However, as threats are pervasive and attackers increasingly sophisticated, adding layers of security to DNS is not just advisable, it's now essential. Microsoft’s ZTDNS is an effort to integrate DNS into a Zero Trust framework, emphasizing the importance of verifying every network connection, whether internal or external.

Applying strong identity-based authentication at the DNS level is not only feasible but also an advisable measure that can make life significantly more challenging for attackers. Whalebone has been ahead of this curve, having already implemented strong authentication within our Home Office Security application. Each device is assigned a unique certificate and private key, ensuring that only authenticated devices can establish connections with our resolvers. This approach aligns with the Zero Trust principle of 'never trust, always verify,' ensuring that every DNS request is securely authenticated.

At Whalebone, we recognize the value of these principles. Our approach to DNS security has always been rooted in practicality, focusing on delivering tangible, resilient solutions that protect our clients without compromising on clarity or integrity.

The Real Value of DNS Security: SSE and Threat Intelligence

Whalebone focuses on delivering tangible security benefits through established frameworks like Security Service Edge (SSE). SSE provides a more comprehensive approach to securing access to services and data, with DNS security as a core component.

DNS security, when properly implemented, plays a critical role in any SSE strategy. It helps organizations detect and mitigate threats early, protect against data exfiltration, and ensure the integrity of communication within the network. For example, DNS-based threat intelligence allows organizations to identify and respond to emerging threats faster, minimizing damage and reducing downtime (read about Whalebone’s real-time Threat Intelligence).

NSA Director Anne Neuberger has stated, “Our analysis highlighted that using secure DNS would reduce the ability for 92% of malware attacks both from command and control perspective, deploying malware on a given network.”

IDC's 2023 Global DNS Threat Report highlighted the increasing importance of DNS security. The report revealed that, while 80% of organizations recognized DNS security as critical, only 21% were actively using DNS data for threat intelligence. This gap underscores the need for more organizations to leverage DNS as a critical part of their security strategy, not just as a trendy add-on. Whalebone’s in-house Threat Intelligence benefits from our being a market leader in the telco sector, having around 300 ISP customers globally, and having close cooperation with the DNS4EU Consortium and its Associated Partners, Computer Emergency Response Teams (CERTs), Computer Security Incident Response Teams (CSIRTs), National CyberSecurity Centers (NCSCs), Malware Information Sharing Platforms (MISPs), and University R&D Centers – all of which enables unparalleled real-time Threat Intel.

With years of experience in delivering secure DNS solutions across global markets, Whalebone is well-positioned to navigate and critically assess emerging trends like ZTDNS.

Whalebone's Commitment to Zero Trust DNS Security

At Whalebone, we fully embrace the principles of Zero Trust, not just in name but in practical, actionable approaches that enhance DNS security. While we have talked about the potentially misleading aspects of the ‘Zero Trust DNS’ label, we also recognize the value in the underlying principles of Zero Trust, particularly when applied thoughtfully to DNS.

Local Resolvers for Immediate Verification

One of the key aspects of our approach is the deployment of local resolvers as close to the client as possible. By ensuring that DNS resolution and verification occur directly within the network, we improve security and reduce latency, embodying the Zero Trust principle of verifying every request as close to the source as possible.

Encrypted DNS Communication

Whalebone also offers DNS over HTTPS (DoH) and DNS over TLS (DoT) for internal networks. These encryption protocols ensure that all DNS communications are secure, protecting against interception or tampering. This aligns with the core Zero Trust tenet of securing every layer of communication.

Comprehensive DNS Traffic Visibility

Visibility is crucial in a Zero Trust framework, and Whalebone provides complete oversight of both internal and external DNS traffic. This allows us to detect anomalies and potential threats in real time, ensuring that any suspicious activity is quickly identified and addressed.

What’s Next

While ‘ZTDNS’ might be the next attention-grabber, the real discussion should revolve around how to effectively implement DNS security as part of a comprehensive Zero-Trust cybersecurity strategy. At Whalebone, we are pioneering robust, resilient, and transparent DNS security solutions that genuinely protect our clients.

Our proven track record among global telcos, recognition from the European Commission in leading its DNS4EU program, and high rankings from Deloitte and the Financial Times, all reflect our deep expertise in DNS security. We are proud to be at the forefront of protecting the digital ecosystem, and we invite you to join us in building a safer, more secure internet.

Whalebone has been a pioneer in the DNS security space. Our suite of products – including Aura for telcos, Peacemaker for regional ISPs, and Immunity for enterprises and public institutions – is designed to protect users against a wide range of threats, including malware, phishing, ransomware, and more. These solutions have been successfully deployed by Tier-1 telcos globally, increasing our Threat Intelligence and helping us to protect millions of users from online threats.

Learn More Today

If you’re ready to enhance your organization’s DNS security – or if you have questions about how ZTDNS fits into a broader cybersecurity strategy – Whalebone is here to help. Reach out to our team to learn how our proven solutions can safeguard your network and data with a proactive, comprehensive approach.