• Passerby6497@lemmy.world · 6 months ago

    Sounds interesting, and it looks like it covers a lot of what our network VPN does (I can’t get any DNS resolution to any DNS servers other than the designated Corp ones, which is annoying as shit when trying to test other reachable servers). My only concern is if this policy would block local DNS resolution prior to the VPN coming up, as it might introduce a catch-22 where I can’t resolve my VPN endpoint in order to auth and access the internal resolver.

  • fluckx@lemmy.world · 6 months ago

    “To gain the most security value from ZTDNS, system admins will need to enumerate the expected domains and/or IP ranges they expect their clients to connect to,” Jake Williams wrote. “Failure to do so will result in self-inflicted denial of service.”

    Glad I’m on Linux/macOS at home/work. Wtf is happening.

    • AggressivelyPassive@feddit.de · 6 months ago

      “Self-inflicted”. If you don’t comply, we’ll break your computer, and that’s your fault. Why did you make us do that???

      • lud@lemm.ee · 6 months ago

        It’s a security feature. Microsoft is not breaking anything. It’s the sysadmin that could accidentally break their own stuff if they don’t set it up correctly.

        They don’t even have to set it up if they don’t want to.

        • BearOfaTime@lemm.ee · 6 months ago

          These critics have never contended with networks of thousands of workstations/users.

          This will be a massive help in the SMB space, where you can’t lock down machines as much as you do in Enterprise, and end-users don’t have the support of a large help desk.
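Williams’s point in the quote above (enumerate the expected domains first, or the policy denies service to your own users) implies a check worth running before any rollout: look at what clients actually resolve today and diff it against the draft allowlist. The script below is an added example for this thread, not from the article and not Microsoft’s tooling. The log line shape, the workstation names, the domains and the draft policy are all constructed for illustration; a real deployment would feed it the client query log it actually has.

```python
"""
Pre-rollout check for a ZTDNS-style allowlist: summarize which parent domains
clients actually query and report the ones a draft policy would deny.
Added example for this thread; not Microsoft's tooling. The log format,
host names, domains and draft policy below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed sample of client DNS queries: "<timestamp> <client> <qname> <qtype>".
# This is an assumed shape, not the real Windows DNS-Client event log format.
SAMPLE_LOG = """\
2024-05-03T09:00:01Z ws-101 login.microsoftonline.com A
2024-05-03T09:00:02Z ws-101 vpn.corp.example A
2024-05-03T09:00:05Z ws-101 intranet.corp.example A
2024-05-03T09:01:10Z ws-102 cdn.vendor.example AAAA
2024-05-03T09:01:11Z ws-102 update.vendor.example A
2024-05-03T09:02:00Z ws-103 tracker.unknown.example A
2024-05-03T09:02:01Z ws-103 vpn.corp.example A
2024-05-03T09:03:00Z ws-104 INTRANET.corp.example. A
2024-05-03T09:03:30Z ws-104 (malformed line)
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(A|AAAA|CNAME|HTTPS)$")


def parse_queries(text):
    """Return (client, qname) pairs; qnames are lower-cased, trailing dot dropped."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed shape
        _, client, qname, _ = m.groups()
        pairs.append((client, qname.lower().rstrip(".")))
    return pairs


def parent_domain(qname, depth=2):
    """Last `depth` labels of a name. Naive: real data needs the public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-depth:])


def summarize(text):
    """Group observed names by parent domain with query counts and client sets."""
    acc = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set()})
    for client, qname in parse_queries(text):
        entry = acc[parent_domain(qname)]
        entry["queries"] += 1
        entry["names"].add(qname)
        entry["clients"].add(client)
    return {
        parent: {
            "queries": e["queries"],
            "names": sorted(e["names"]),
            "clients": sorted(e["clients"]),
        }
        for parent, e in acc.items()
    }


def missing_from_policy(summary, allowed_parents):
    """Parent domains seen in traffic that the draft allowlist does not cover.
    Anything returned here is a candidate for self-inflicted denial of service."""
    return sorted(p for p in summary if p not in allowed_parents)


if __name__ == "__main__":
    draft_allowlist = {"corp.example", "microsoftonline.com"}  # constructed draft policy
    summary = summarize(SAMPLE_LOG)
    for parent in missing_from_policy(summary, draft_allowlist):
        e = summary[parent]
        print(f"{parent}: {e['queries']} queries from {e['clients']} -> {e['names']}")
```

The output only tells you what the draft policy would break, not whether each hit is a legitimate vendor CDN or something you are happy to lose; that triage is still the admin’s job. The two-label grouping is deliberately naive and will lump names under things like `co.uk` on real data, so swap in a public suffix list before trusting the grouping.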

  • Vendetta9076@sh.itjust.works · 6 months ago

    Guys this is an enterprise feature. I hate windows as much as the next guy but y’all should actually read the article. It’s not forced upon anyone.

    • lud@lemm.ee · 6 months ago

      Yeah, this sounds like a pretty interesting feature that will (in theory at least) make enterprise networking more secure.

      I highly doubt this will even be possible to use on Windows home or maybe even Pro. It’s probably locked behind at least some kind of extra licence as well.

      It will also likely require quite a bit of effort to set up properly in enterprises.

      People are freaking out over absolutely nothing. Just read the article and use common sense.

      • reksas@sopuli.xyz · 6 months ago

        The article should have a less loaded heading though. By now it should be expected that most read only that. Headings in general should contain the essence of the article so the general idea can be seen at a glance.

        • lud@lemm.ee · 6 months ago

          Yes, but people obviously shouldn’t comment and get mad unless they have at least read some of the article.

    • TCB13@lemmy.world · 6 months ago

      Yes, this mostly works as a managed DNS solution for enterprise networks that actually does what people in large organizations need and solves a ton of issues.

    • stoy@lemmy.zip · 6 months ago

      Changes like these tend to be pushed out to the home editions first, and the enterprise version will have a setting to turn this on or off.

      This is due to companies usually having a more complex network than home users.

      • lud@lemm.ee · 6 months ago

        This is a feature for complex enterprise networks and exclusively so. Enabling it will be very opt-in, as you will have to do quite a bit of set-up before it works.

    • plz1@lemmy.ml · 6 months ago

      With the shady path they’ve been on lately, I wouldn’t be surprised if they locked down the home editions to only using their servers, so they can use the data points/telemetry to sell ads, etc.

    • purplemonkeymad@programming.dev · 6 months ago

      In the how this works section they detail that it comes from MDM solutions. In English this is a feature for IT admins of companies who use the Intune management software from Microsoft. You probably need Pro or better to even use the feature.

      At a quick glance, it looks to be a way of whitelisting domains at a DNS level, but with the added feature of having allowed DNS servers.

      • theit8514@lemmy.world · 6 months ago

        The amount of Windows bashing in this thread is hilarious, for what amounts to Enterprise grade DNS-over-TLS with additional whitelisting. Doesn’t help the home user, but likely won’t break home users internet access either.

          • BearOfaTime@lemm.ee · 6 months ago

            Because they don’t understand it. Kinda laughable really.

            And I’ve been cursing MS since Windows 1.0 - what a joke that was. Then MS Bob? You’re kidding, right? I so wanted to run Bob just as a joke to fuck with my peers, but I couldn’t even tolerate it enough for that.

      • ElectricMachman@lemmy.sdf.org · 6 months ago

        As a sysadmin, that actually sounds pretty useful. If they add a blocklist feature, it might be a good system-wide malware / ad blocking solution.

    • Catsrules@lemmy.ml · 6 months ago

      This is totally an enterprise feature. I have read enough enterprise documentation to know that. For example All of the wording talking about who is going to use this is “Admins”, “organizations” and “end users”. That is business/enterprise 101 talk right there.

      If it is even available on the home versions it is going to be off by default as it requires a good bit of setup to turn on.

      If Microsoft wanted to track you via DNS they would just do the same thing that Google and Apple are doing with their phones. Have a secure DNS option that is on by default. That uses DoH and happens to use their DNS servers.

      Also Microsoft doesn’t need DNS to track anyone in Windows. As they control the OS.

  • refalo@programming.dev · 6 months ago

    Why can’t we have bulk downloads of the main A records for most domains similar to IP block owners? Even if they have to be updated often… I think it could increase privacy.

    • BearOfaTime@lemm.ee · 6 months ago

      Yawn.

      I keep having to say this, as much as I like Linux for certain things, as a desktop it’s still no competition to Windows.

      As some background - I had my first UNIX class in about 1990. I wrote my first Fortran program on a Sperry Rand Univac (punched cards) in about 1985. Cobol was immediately after Fortran (wish I’d stuck with Cobol).

      I run a Mint laptop. Power management is a joke. Configured as best as possible, walked in the other day and it was dead - as in battery at zero, won’t even boot. Windows would never do this, unless you went out of your way to config power management to kill the battery (even then, to really kill it you have to boot to BIOS and let it sit, Windows will not let a battery get to zero).

      There’s no way even possible via the GUI to config power management for things like low/critical battery conditions/actions on Linux.

      There are many reasons why Linux doesn’t compete with Windows on the desktop - this is just one glaring one.

      Now let’s look at Office. Open an Excel spreadsheet with tables in any app other than excel. Tables are something that’s just a given in excel, takes 10 seconds to setup, and you get automatic sorting and filtering, with near-zero effort. No, I’m not setting up a DB in an open-source competitor to Access. That’s just too much effort for simple sorting and filtering tasks, and isn’t realistically shareable with other people.

      Now there’s that print monitor that’s on by default, and can only be shut up by using a command line. Wtf? In the 21st century?

      Networking… Yea, samba works, but how do you clear creds you used one time to connect to a share, even though you didn’t say “save creds”? Oh, yea, command line again or go download an app to clear them for you. Smh.

      Someone else said it better than me:

      Every time I’ve installed Linux as my main OS (many, many times since I was younger), it gets to an eventual point where every single thing I want to do requires googling around to figure out problems. While it’s gotten much better, I always ended up reinstalling Windows or using my work Mac. Like one day I turn it on and the monitor doesn’t look right. So I installed twenty things, run some arbitrary collection of commands, and it works… only it doesn’t save my preferences.

      So then I need to dig into .bashrc or .bash_profile (is bashrc even running? Hey let me investigate that first for 45 minutes) and get the command to run automatically… but that doesn’t work, so now I can’t boot… so I have to research (on my phone now, since the machine deathscreens me once the OS tries to load) how to fix that… then I am writing config lines for my specific monitor so it can access the native resolution… wait, does the config delimit by spaces, or by tabs?? anyway, it’s been four hours, it’s 3:00am and I’m like Bryan Cranston in that clip from Malcolm in the Middle where he has a car engine up in the air all because he tried to change a lightbulb.

      And then I get a new monitor, and it happens all damn over again. Oh shit, I got a new mouse too, and the drivers aren’t supported - great! I finally made it to Friday night and now that I have 12 minutes away from my insane 16 month old, I can’t wait to search for some drivers so I can get the cursor acceleration disabled. Or enabled. Or configured? What was I even trying to do again? What led me to this?

      I just can’t do it anymore. People who understand it more than I will downvote and call me an idiot, but you can all kiss my ass because I refuse to do the computing equivalent of building a radio out of coconuts on a deserted island of ancient Linux forum posts because I want to have Spotify open on startup EVERY time and not just one time. I have tried to get into Linux as a main dev environment since 1997 and I’ve loved/liked/loathed it, in that order, every single time.

      I respect the shit out of the many people who are far, far smarter than me who a) built this stuff, and b) spend their free time making Windows/Mac stuff work on a Linux environment, but the part of me who liked to experiment with Linux has been shot and killed and left to rot in a ditch along the interstate.

      Now I love Linux for my services: Proxmox, UnRAID, TrueNAS, containers for Syncthing, PiHole, Owncloud/NextCloud, CasaOS/Yuno, etc, etc. I even run a few Windows VMs on Linux (Proxmox) because that’s better than running Linux VMs on a Windows server.

      Linux is brilliant for this stuff. Just not brilliant for a desktop, let alone in a business environment.

      Linux doesn’t even use a common shell (which is a good thing in its own way), and that’s a massive barrier for users.

      If it were 40 years ago, maybe Linux would’ve had a chance to beat MS, even then it would’ve required settling on a single GUI (which is arguably half of why Windows became a standard, the other half being a common API), a common build (so the same tools/utilities are always available), and a commitment to put usability for the inexperienced user first.

      These are what MS did in the 1980’s to make Windows attractive to the 3 groups who contend with desktops: developers, business management, end users.

      All this without considering the systems management requirements of even an SMB with perhaps a dozen users (let alone an enterprise with tens of thousands).

      • Icr8tdThis4ccToWarn@lemmy.ml · 6 months ago

        I totally get what you’re saying, even though I disagree with small details. Also, about the OP, I think DNS and its resolution should obligatorily be served in a decentralized manner. If Microsoft takes control over such a vital service, and since we agree they own the market (regarding home computers, laptops etc), it raises serious concerns about people’s access to information, which is much more worrisome than the (also included) privacy concerns.

      • AnAnonymous@lemm.ee · 6 months ago

        Just use Linux for what it is good, for everything else you can always use VirtualBox…

  • Possibly linux@lemmy.zip · 6 months ago

    “protective DNS”

    There is no way there isn’t a hidden agenda. You already could block malicious websites at the browser level.

    • Passerby6497@lemmy.world · 6 months ago

      Doing so at the dns layer is a much better option, as it prevents the end user or malware from bypassing those restrictions with a non-standard browser or modifying the client settings (which shouldn’t happen, but can).

      In an enterprise environment, which is exactly what this is aimed at, that kind of protection is a boon against the random shit end users click on.

  • AutoTL;DR@lemmings.world (bot) · 6 months ago

    This is the best summary I could come up with:


    Translating human-readable domain names into numerical IP addresses has long been fraught with gaping security risks.

    Microsoft on Friday provided a peek at a comprehensive framework that aims to sort out the Domain Name System (DNS) mess so that it’s better locked down inside Windows networks.

    Adding cryptographic authentication and encryption to DNS often obscures the visibility admins need to prevent user devices from connecting to malicious domains or detect anomalous behavior inside a network.

    As a result, DNS traffic is either sent in clear text or it’s encrypted in a way that allows admins to decrypt it in transit through what is essentially an adversary-in-the-middle attack.

    Admins are left to choose between equally unappealing options: (1) route DNS traffic in clear text with no means for the server and client device to authenticate each other so malicious domains can be blocked and network monitoring is possible, or (2) encrypt and authenticate DNS traffic and do away with the domain control and network visibility.

    Jake Williams, VP of research and development at consultancy Hunter Strategies, said the union of these previously disparate engines would allow updates to be made to the Windows firewall on a per-domain name basis.


    The original article contains 482 words, the summary contains 198 words. Saved 59%. I’m a bot and I’m open source!
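The summary above describes the mechanism only in outline: the client trusts designated encrypted resolvers, allows only enumerated names, and the Windows firewall is updated per domain name with the addresses those resolvers return. The toy model below is an added example for this thread, written to make that outline concrete; it is not Microsoft’s implementation and does not use any Windows API. The resolver address, domains, client IPs and TTLs are all constructed. It also models two things raised earlier in the thread: Passerby6497’s point that DNS-layer enforcement cannot be dodged by a different browser or by malware connecting straight to an IP, and the VPN catch-22, which the model handles with an explicit bootstrap exception list. Whether the real feature needs such an exception, and how it is configured, is not something the article or this thread establishes; treat that part as an assumption.

```python
"""
Toy model of a ZTDNS-style client: only answers from trusted (DoT/DoH)
resolvers for allowlisted names open per-IP host-firewall entries, and
those entries lapse with the DNS TTL. Added example; not Microsoft's code.
All resolver/IP/domain values are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ZtdnsPolicy:
    trusted_resolvers: frozenset      # IPs of the designated encrypted resolvers
    allowed_domains: frozenset        # exact names or "*.suffix" patterns
    bootstrap_ips: frozenset          # assumption: IPs reachable before any DNS answer
    resolver_ports: frozenset = frozenset({443, 853})  # DoH / DoT


def name_allowed(qname, patterns):
    """Exact match, or suffix match for '*.suffix' (the dot is required, so
    'evilcorp.example' does not match '*.corp.example')."""
    q = qname.lower().rstrip(".")
    for p in patterns:
        p = p.lower()
        if p.startswith("*."):
            if q.endswith(p[1:]):
                return True
        elif q == p:
            return True
    return False


class ZtdnsClient:
    def __init__(self, policy, clock):
        self.policy = policy
        self.clock = clock            # callable returning seconds; injectable for tests
        self.firewall = {}            # dst_ip -> (qname, expiry)

    def handle_answer(self, resolver_ip, qname, addresses, ttl):
        """Admit a DNS answer into the per-IP firewall table, or reject it."""
        if resolver_ip not in self.policy.trusted_resolvers:
            return "rejected: untrusted resolver"
        if not name_allowed(qname, self.policy.allowed_domains):
            return "rejected: name not allowlisted"   # the self-inflicted DoS case
        expiry = self.clock() + ttl
        for ip in addresses:
            self.firewall[ip] = (qname, expiry)
        return "admitted"

    def egress_allowed(self, dst_ip, dst_port):
        """Host-firewall decision for an outbound connection."""
        if dst_ip in self.policy.trusted_resolvers and dst_port in self.policy.resolver_ports:
            return True                      # the resolver itself must stay reachable
        if dst_ip in self.policy.bootstrap_ips:
            return True                      # e.g. the VPN concentrator, before any DNS
        entry = self.firewall.get(dst_ip)
        if entry is None:
            return False                     # never learned from a trusted answer
        _, expiry = entry
        if self.clock() > expiry:
            del self.firewall[dst_ip]        # TTL elapsed: the name must be re-resolved
            return False
        return True


def scenario():
    """Walk through the cases raised in the thread; returns a dict of outcomes."""
    clock = [1000.0]
    policy = ZtdnsPolicy(
        trusted_resolvers=frozenset({"10.0.0.53"}),
        allowed_domains=frozenset({"*.corp.example", "login.microsoftonline.com"}),
        bootstrap_ips=frozenset({"203.0.113.10"}),   # constructed VPN endpoint
    )
    c = ZtdnsClient(policy, lambda: clock[0])
    out = {}
    # 1. VPN endpoint reachable before any DNS has happened (the catch-22 case)
    out["vpn_before_dns"] = c.egress_allowed("203.0.113.10", 443)
    # 2. The designated resolver is reachable over DoT
    out["resolver_dot"] = c.egress_allowed("10.0.0.53", 853)
    # 3. An answer from a resolver the policy does not trust is ignored outright
    out["rogue_resolver"] = c.handle_answer("8.8.8.8", "intranet.corp.example", ["10.1.1.5"], 300)
    out["rogue_answer_usable"] = c.egress_allowed("10.1.1.5", 443)
    # 4. Trusted resolver, but the name was never enumerated: self-inflicted DoS
    out["unlisted_name"] = c.handle_answer("10.0.0.53", "update.vendor.example", ["198.51.100.7"], 300)
    # 5. Trusted resolver plus allowlisted name opens exactly the returned IPs
    out["allowed_name"] = c.handle_answer("10.0.0.53", "intranet.corp.example", ["10.1.1.5"], 300)
    out["allowed_egress"] = c.egress_allowed("10.1.1.5", 443)
    # 6. A direct-to-IP connection that never went through DNS stays blocked
    out["direct_ip"] = c.egress_allowed("192.0.2.99", 443)
    # 7. After the TTL the entry lapses until the name is resolved again
    clock[0] += 301
    out["after_ttl"] = c.egress_allowed("10.1.1.5", 443)
    return out


if __name__ == "__main__":
    for case, result in scenario().items():
        print(f"{case}: {result}")
```

The point of case 6 is the one made earlier in the thread: a non-standard browser or a piece of malware gains nothing by pointing itself at another resolver, because the firewall only knows about addresses that came back from the trusted one for an allowlisted name. Case 4 is where Williams’s warning shows up in practice; every legitimate name you forgot to enumerate looks exactly like that.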