wheresmysurplusvalue

joined 2 years ago

Lol yeah I'm not worried about Zero Trust either, just saying it's marketing fluff. And yes in practice this isn't going to fix all the other privacy issues with the internet. Microsoft doesn't care about that, this is about selling enterprise software with the word Zero Trust attached. But otherwise can't think of why this would change the game for normal people, even work from home employees who are already monitored.

[–] wheresmysurplusvalue@hexbear.net 12 points 1 year ago* (last edited 1 year ago) (7 children)

(edit: Damn it, I only read the Microsoft article, but the Ars Technica article already explains all of this better. I'll keep this here in case this helps anyone.)

Sounds basically like an extension of existing encrypted DNS protocols (DNS over HTTPS, DNS over TLS) which integrates with the firewall. Can't think of a reason to be concerned about this. It strikes a balance between encrypting DNS lookups and allowing network admins to see which websites you're using. Think like corporate networks and work-from-home employees. If you don't configure it then you don't have to use it. "Zero Trust" is a marketing buzzword for the idea of authenticating endpoints before sending data, a lot of different things claim this label.

Quick primer on DNS (not a networking expert)

DNS is a protocol for converting names into IP addresses, so that you can type hexbear.net instead of remembering the IP address for hexbear. Classic DNS works by having a DNS server which provides IP addresses to devices which send lookup requests. DNS servers are usually hardcoded on your device somewhere in the system settings. Many free public DNS servers exist (Google has 8.8.8.8, Cloudflare 1.1.1.1, etc.) and your ISP usually offers their own as well.

Company networks often have their own DNS to resolve internal names on the intranet (pointing to private zone IP addresses) before asking up the chain for names on the public internet. In a home setting, people also set up their own private DNS servers to block malicious names, for example to block advertisements by returning "not found" replies for lookups of domains that serve ads (Pi-hole, AdGuard).

Some problems in the classic model:

  • Privacy: Record lookups are sent in plaintext, so other devices on the same network can see which names you're looking up.
  • Security: No authentication of the DNS server itself or the replies it's serving. You are fully trusting that the server sending the reply is the one which you trusted. (Open to adversary-in-the-middle attacks)

To solve both of these problems, encrypted DNS uses certificates to both authenticate and encrypt DNS lookups. The response can only be decrypted if the server can encrypt the traffic using a key you trust. (Same idea behind HTTPS.) To be clear, encrypted DNS is already a thing; this is not the new thing offered by ZTDNS.

This ZTDNS (Zero Trust DNS) integrates with the firewall. A typical firewall blocks all incoming traffic by default, and allows all outbound traffic. This means you can't receive spontaneous traffic from hexbear.net if you never opened the site. However, if you first send a request to hexbear.net, then the firewall learns to open a hole for hexbear.net to reply back.

ZTDNS modifies this setup by blocking all outgoing traffic by default. Only when an IP address is known to be associated with an allowed domain does the firewall allow outbound traffic to that IP.

I think the main point is that it forces all DNS lookups to use the system DNS:

  • A malicious program can't decide to bypass the system configured DNS server to resolve names some other way. This sort of method is used e.g. by Google products which try to bypass ad blocking DNS.
  • Strikes a balance between no encryption (network admins can tag your traffic) and encryption (network admins lose ability to see which sites you're accessing).
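
The outbound-policy change described in the comment above, as an added toy model that is not part of the original post and not Microsoft's ZTDNS code. It contrasts the classic stateful host firewall (deny unsolicited inbound, allow all outbound) with a ZTDNS-style one (deny all outbound until the system resolver has returned an IP for an allowed domain). All names, addresses, the zone data and the policy sets are constructed for the example; the addresses come from documentation ranges and are not real hosts.

```python
"""Constructed model of a ZTDNS-style outbound policy (example code, not the real product)."""
from dataclasses import dataclass, field

# Constructed sample data: documentation-range addresses, not real hosts.
SYSTEM_RESOLVER = "192.0.2.53"       # the only resolver the firewall trusts
ROGUE_RESOLVER = "203.0.113.53"      # a resolver a program might try to use directly
ZONE = {                              # what the system resolver can answer (constructed)
    "hexbear.net": "198.51.100.10",
    "intranet.example": "10.0.0.5",
    "ads.example": "198.51.100.99",
}
ALLOWED_DOMAINS = {"hexbear.net", "intranet.example"}  # admin policy (constructed)
BLOCKED_DOMAINS = {"ads.example"}                      # Pi-hole style "not found" list


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class ClassicFirewall:
    """Typical default: every outbound flow is allowed, inbound only as a reply."""
    sessions: set = field(default_factory=set)

    def outbound(self, dst_ip: str) -> Decision:
        self.sessions.add(dst_ip)
        return Decision(True, "classic: outbound is always allowed")

    def inbound(self, src_ip: str) -> Decision:
        if src_ip in self.sessions:
            return Decision(True, "classic: reply to an outbound session")
        return Decision(False, "classic: unsolicited inbound dropped")


@dataclass
class ZtdnsFirewall(ClassicFirewall):
    """Outbound is denied unless the destination was learned via an allowed-domain lookup."""
    allowed_ips: set = field(default_factory=lambda: {SYSTEM_RESOLVER})

    def outbound(self, dst_ip: str) -> Decision:
        if dst_ip not in self.allowed_ips:
            return Decision(False, "ztdns: destination not learned from an allowed domain")
        self.sessions.add(dst_ip)
        return Decision(True, "ztdns: destination learned from an allowed domain")

    def resolve(self, name: str, via: str = SYSTEM_RESOLVER):
        """A lookup is itself outbound traffic to the resolver's IP, so it is policed too."""
        if not self.outbound(via).allowed:
            return None  # lookup sent to anything but the system resolver never leaves the host
        ip = ZONE.get(name)
        if ip is None or name in BLOCKED_DOMAINS:
            return None  # "not found" reply: nothing is learned, nothing is opened
        if name in ALLOWED_DOMAINS:
            self.allowed_ips.add(ip)  # this is the hole ZTDNS opens for the answer
        return ip


def classic_scenario() -> dict:
    """Classic behaviour: unsolicited inbound blocked, replies to our own traffic allowed."""
    fw = ClassicFirewall()
    return {
        "unsolicited inbound": fw.inbound("198.51.100.10").allowed,
        "outbound without lookup": fw.outbound("198.51.100.10").allowed,
        "inbound reply afterwards": fw.inbound("198.51.100.10").allowed,
    }


def ztdns_scenario() -> dict:
    """Walk through the cases discussed above; returns case -> whether it was allowed."""
    fw = ZtdnsFirewall()
    return {
        "direct connect before lookup": fw.outbound("198.51.100.10").allowed,
        "lookup via rogue resolver": fw.resolve("hexbear.net", via=ROGUE_RESOLVER) is not None,
        "lookup via system resolver": fw.resolve("hexbear.net") == "198.51.100.10",
        "connect after allowed lookup": fw.outbound("198.51.100.10").allowed,
        "lookup of ad domain": fw.resolve("ads.example") is not None,
        "connect to ad domain's IP": fw.outbound("198.51.100.99").allowed,
    }


if __name__ == "__main__":
    for case, allowed in {**classic_scenario(), **ztdns_scenario()}.items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {case}")
```

The point the model makes concrete is that a program trying to use its own resolver (the `ROGUE_RESOLVER` case) is stopped before its lookup even leaves the host, because the lookup packet is outbound traffic to an address the firewall never learned; and a "not found" answer for a blocked domain leaves no opening at all, so even a hard-coded IP for that domain is unreachable.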

[–] wheresmysurplusvalue@hexbear.net 2 points 1 year ago (1 children)

Definitely going to give this one a shot if it debunks Finnish fascist historians! Do you know any good books on the Winter War and/or Continuation War?

I think Reddit is experiencing downtime

These were very neat, thanks for sharing

Seeing a .su domain in 2024 ussr-cry

[–] wheresmysurplusvalue@hexbear.net 7 points 1 year ago (5 children)

Just generated this abomination, Soviet anthem in country acoustic style:

https://streamable.com/9wz17y

[–] wheresmysurplusvalue@hexbear.net 13 points 1 year ago (1 children)

We want to express our support to the Ukrainian workers’ resistance in the national liberation war against the invasion and occupation of Russian imperialism.

Are they seeing something I don't see? There's effectively no organized Ukrainian workers' resistance especially after all left leaning parties were banned. The resistance against capitalist Russia is capitalist Ukraine who is nothing but the fighting dog of NATO. Why support that?

No fucking way lmao, pick a different day loser, this one is already taken

I imported a selection of hexbear emojis into my private Matrix homeserver which is bridged with WhatsApp, but I have no idea how to create sticker packs
