146
submitted 6 months ago by Zotora@programming.dev to c/privacy@lemmy.ml
all 38 comments
sorted by: hot top controversial new old
[-] Vendetta9076@sh.itjust.works 87 points 6 months ago

Guys this is an enterprise feature. I hate windows as much as the next guy but y'all should actually read the article. Its not forced upon anyone.

[-] lud@lemm.ee 14 points 6 months ago* (last edited 6 months ago)

Yeah, this sounds like a pretty interesting feature that will (in theory at least) make enterprise networking more secure.

I highly doubt this will even be possible to use on Windows home or maybe even Pro. It's probably locked behind at least some kind of extra licence as well.

It will also likely require quite a bit of effort to set up properly in enterprises.

People are freaking out over absolutely nothing. Just read the article and use common sense.

[-] reksas@sopuli.xyz 5 points 6 months ago

article should have less loaded heading though. by now it should be expected that most read only that. Heading in general should contain the essence of the article so the general idea can be seen at a glance.

[-] lud@lemm.ee 5 points 6 months ago

Yes, but people obviously shouldn't comment and get mad unless they have at least read some of the article.

[-] possiblylinux127@lemmy.zip 47 points 6 months ago

"protective DNS"

There is no way there isn't a hidden agenda. You already could block malicious websites at the browser level

[-] Passerby6497@lemmy.world 10 points 6 months ago

Doing so at the dns layer is a much better option, as it prevents the end user or malware from bypassing those restrictions with a non-standard browser or modifying the client settings (which shouldn't happen, but can).

In an enterprise environment, which is exactly what this is aimed at, that kind of protection is a boon against the random shit end users click on.

[-] Catsrules@lemmy.ml 6 points 6 months ago

Not all connections are at the browser level.

[-] CaptObvious@literature.cafe 23 points 6 months ago

I couldn’t figure out if this is enterprise-only or if it will be forced into home editions.

[-] purplemonkeymad@programming.dev 28 points 6 months ago

In the how this works section they detail that it comes from MDM solutions. In English this is a feature for it admins of companies who use the intune management software from Microsoft. You probably need pro or better to even use the feature.

At a quick glance, it looks to be a way of whitelisting domains at a DNS level, but with the added feature of having allowed DNS servers.

[-] theit8514@lemmy.world 29 points 6 months ago

The amount of Windows bashing in this thread is hilarious, for what amounts to Enterprise grade DNS-over-TLS with additional whitelisting. Doesn't help the home user, but likely won't break home users internet access either.

[-] xep@fedia.io 8 points 6 months ago

Lemmy in general hates Windows.

[-] BearOfaTime@lemm.ee 4 points 6 months ago

Because they don't understand it. Kinda laughable really.

And I've been cursing MS since Windows 1.0 - what a joke that was. Then MS Bob? You're kidding, right? I so wanted to run Bob just as a joke to fuck with my peers, but I couldn't even tolerate it enough for that.

[-] LunarLoony@lemmy.sdf.org 2 points 6 months ago

As a sysadmin, that actually sounds pretty useful. If they add a blocklist feature, it might be a good system-wide malware / ad blocking solution.

[-] plz1@lemmy.ml 25 points 6 months ago

With the shady path they've been on lately, I wouldn't be surprised if they locked down the home editions to only using their servers, so they can use the data points/telemetry to sell ads, etc.

[-] variants@possumpat.io 25 points 6 months ago

They want to get around people's pi holes

[-] porous_grey_matter@lemmy.ml 12 points 6 months ago

They couldn't give less of a shit about the 7 people in the world that use pi-holes

[-] stoy@lemmy.zip 11 points 6 months ago

Changes like these tend to be pushed out to the home editions first, and the enterprise version will have a setting to turn this on or off.

This is due to companies usually having a more complex network than home users.

[-] lud@lemm.ee 8 points 6 months ago* (last edited 6 months ago)

This is a feature for complex enterprise networks and exclusively so. Enabling it will be very opt in, as you will have to do quite a bit of set-up before it works.

[-] Catsrules@lemmy.ml 3 points 6 months ago

This is totally an enterprise feature. I have read enough enterprise documentation to know that. For example All of the wording talking about who is going to use this is "Admins", "organizations" and "end users". That is business/enterprise 101 talk right there.

If it is even available on the home versions it is going to be off by default as it requires a good bit of setup to turn on.

If Microsoft wanted to track you via DNS they would just do the same thing that Google and Apple are doing with their phones. Have a secure DNS option that is on by default. That uses DoH amd happens to use their DNS servers.

Also Microsoft doesn't need DNS to track anyone in Windows. As they control the OS.

[-] possiblylinux127@lemmy.zip 2 points 6 months ago

Both are scary

[-] Beaver@lemmy.ca 14 points 6 months ago

Linux is open for business.

[-] autotldr@lemmings.world 7 points 6 months ago

This is the best summary I could come up with:


Translating human-readable domain names into numerical IP addresses has long been fraught with gaping security risks.

Microsoft on Friday provided a peek at a comprehensive framework that aims to sort out the Domain Name System (DNS) mess so that it’s better locked down inside Windows networks.

Adding cryptographic authentication and encryption to DNS often obscures the visibility admins need to prevent user devices from connecting to malicious domains or detect anomalous behavior inside a network.

As a result, DNS traffic is either sent in clear text or it's encrypted in a way that allows admins to decrypt it in transit through what is essentially an adversary-in-the-middle attack.

Admins are left to choose between equally unappealing options: (1) route DNS traffic in clear text with no means for the server and client device to authenticate each other so malicious domains can be blocked and network monitoring is possible, or (2) encrypt and authenticate DNS traffic and do away with the domain control and network visibility.

Jake Williams, VP of research and development at consultancy Hunter Strategies, said the union of these previously disparate engines would allow updates to be made to the Windows firewall on a per-domain name basis.


The original article contains 482 words, the summary contains 198 words. Saved 59%. I'm a bot and I'm open source!

[-] fluckx@lemmy.world 4 points 6 months ago

To gain the most security value from ZTDNS, system admins will need to enumerate the expected domains and/or IP ranges they expect their clients to connect to,” Jake Williams wrote. “Failure to do so will result in self-inflicted denial of service.”

Glad I'm on Linux/macos at home/work. Wtf is happening.

[-] agressivelyPassive@feddit.de 4 points 6 months ago

"Self-inflicted". If you don't comply, we'll break your computer, and that's your fault. Why did you make us do that???

[-] lud@lemm.ee 7 points 6 months ago

It's a security feature. Microsoft is not breaking anything. It's the sysadmin that could accidentally break their own stuff if they don't set it up correctly.

They don't even have to set it up if they don't want too.

[-] BearOfaTime@lemm.ee 2 points 6 months ago* (last edited 6 months ago)

These critics have never contended with networks of thousands of workstations/users.

This will be a massive help in the SMB space, where you can't lock down machines as much as you do in Enterprise, and end-users don't have the support of a large help desk.

[-] fizzyvelcro@lemmy.world 4 points 6 months ago

Why does the thumbnail say “Windows” twice? /j

[-] Passerby6497@lemmy.world 4 points 6 months ago

Sounds interesting, and it looks like it covers a lot of what our network VPN does (I can't get any DNS resolution to any DNS servers other than the designated Corp ones, which is annoying as shit when trying to test other reachable servers). My only concern is if this policy would block local DNS resolution prior to the VPN coming up, as it might introduce a catch 22 where I can't resolve my VPN endpoint in order to auth and access the internal resolver

[-] ToxicWaste@lemm.ee 3 points 6 months ago

You want an e2e encrypted public DNS? https://www.quad9.net/

You want to white- / blacklist IPs and domains? Configure your DNS

[-] refalo@programming.dev 3 points 6 months ago* (last edited 6 months ago)

Why can't we have bulk downloads of the main A records for most domains similar to IP block owners? Even if they have to be updated often... I think it could increase privacy.

[-] Andromxda@lemmy.dbzer0.com 1 points 6 months ago

Bruh they just recently introduced easy-to-use DoT and DoH

this post was submitted on 04 May 2024
146 points (100.0% liked)

Privacy

31939 readers
895 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS