13 comments

[ 2.5 ms ] story [ 50.1 ms ] thread
So is this a way to lock down a client to shut out VPNs?
I assume it's to prevent reverse shells.
what you describe is already live and adopted in 100% of clients. DNSoverHTTPS.

you cannot disable it on IOS or android. Because it is owned by the APP not the OS.

Even firefox had to disable the setting (and about:config! making firefox on android pretty much garbage unless you install from fdroid) just so google would allow firefox on the play store.

Right, but I think this could be used at like a school to control what IPs are accessed on the network for even an untrusted device. So students couldn't bypass DNS blocks via VPN.
disgusting. with a name like "zero trust" i would expect something in-line with the decentralized web, while this is just a built-in windows web lockdown for office drones.
It is a useful feature for very specific environments; nothing to do with decentralised web.

Your comment is like saying that firewalls are disgusting because they can be used to lockdown machines.

firewalls are used to lock-down machines. this is intended to lock-down people.
The gist seems to be: Windows Firewall will block outbound connections to IPs that haven't been returned in responses from "blessed" DoT or DoH servers.

This would likely be excruciating to use and kinda pointless for general use PCs (given how much stuff will probably break in the short term). Maybe that's an intended use case long-term but it's not there now.

I could see this being useful for task-oriented boxes that have no business connecting to arbitrary destinations. I also like the idea of using this as a method to funnel all DNS traffic into the system resolver and into controlled DNS servers. I like that this also kills the application-layer DNS arms race.

Implementing a 75% solution akin to this on Linux wouldn't be too tremendously hard, either. All the pieces and parts are already there to do it.

(wow, this article got downvoted to 500th position from being on the homepage just a few mins ago)

Schools and certain kind of enterprises will welcome this feature.

Well, if there's one thing microsoft is good at inspiring, it is zero trust.
In principle I hate the idea of overbearing corporate IT restrictions, but I think this is a big improvement over using MITM proxies and intercepting HTTPS connections.

This seems like a good compromise that will enable IT admins to get the control they desire while still giving users access to privacy preserving technologies like HTTPS with ECH.

What stops a country or ISP from using this to censor computers that aren't theirs?