Microsoft is building support for DNR and SMB client encryption mandate in Windows 11

Key Takeaways

  • Windows 11 Canary preview builds have introduced SMB client encryption mandates and support for Network-designated Resolvers (DNR) to enhance network security.
  • SMB encryption provides end-to-end security for data transfer, and IT admins can configure client machines to require SMB encryption from the destination server.
  • DNR eliminates the need for manual endpoint configuration by allowing client machines to automatically tunnel to encrypted DNS servers using encrypted protocols like DoH and DoT.


Server Message Block (SMB) is a highly important component when it comes to ensuring advanced network security in Windows 11. Microsoft made SMB signing the default behavior in Windows Enterprise builds back in May and also had some guidance to share regarding the SMB authentication process back in June. Now, it has announced that it is developing support for SMB client encryption mandates and Network-designated Resolvers (DNR) in Windows 11.

The first implementation of the SMB client encryption mandate is already present in Windows 11 Canary build 25982, which became available just a few hours ago. SMB encryption is leveraged to provide end-to-end security while transferring data over a network. It has been available with SMB 3.0 on Windows 8 and Windows Server 2012, with subsequent iterations adding support for more secure cryptographic suites like AES-GCM and AES-256-GCM.

The latest enhancements to this infrastructure ensure that IT admins can now configure client machines to also mandate the use of SMB encryption from the destination server. This means that if SMB 3.x is not available or encryption is not configured, the client machine would be able to refuse the connection, thereby increasing the overall network security. Microsoft has also shared the steps that IT admins can leverage to configure this capability via Group Policy or PowerShell; you can view them here.

The Redmond tech firm has emphasized that since this feature does place some restrictions on connectivity, there is a certain performance and compatibility balance that you need to be mindful of. You could choose to use just SMB signing for slightly less security and improved performance, but if you do enable SMB encryption, remember that it’s superior to the former, so the behaviors of SMB signing will be disabled in favor of the encryption on offer.
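The following PowerShell script is an added example for this article, not Microsoft's published steps: it records the client's current SMB posture, turns on the client-side encryption mandate, verifies the setting, and then shows how to read the result from live connections. It assumes the `-RequireEncryption` parameter on `Set-SmbClientConfiguration` that Microsoft's announcement describes for this Canary build (treat it as an assumption if your build differs), and the UNC path it probes is a placeholder.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's or Microsoft's own code). Assumes the
# -RequireEncryption client parameter introduced with Canary build 25982.

# 1. Capture the posture before changing anything, so the change can be audited.
$before = Get-SmbClientConfiguration |
    Select-Object RequireEncryption, RequireSecuritySignature, EnableSecuritySignature
'Before:'; $before | Format-List

# 2. Mandate encryption on the client. With this on, SMB signing no longer
#    decides the outcome: a server that cannot negotiate SMB 3.x encryption
#    is refused outright, which is the behaviour the article describes.
Set-SmbClientConfiguration -RequireEncryption $true -Force

# 3. Confirm the setting actually took effect (Group Policy can override it).
if (-not (Get-SmbClientConfiguration).RequireEncryption) {
    throw 'RequireEncryption is still false; check Group Policy precedence.'
}

# 4. Every live session should now report Encrypted = True. Servers limited to
#    SMB 2.x, or SMB 3.x servers with encryption left off, fail to connect instead.
Get-SmbConnection |
    Select-Object ServerName, ShareName, Dialect, Encrypted, Signed |
    Format-Table -AutoSize

# 5. Probe one server and classify the outcome. The UNC path is a placeholder.
$server = 'fileserver01.corp.example'
$share  = "\\$server\share"
try {
    Get-ChildItem -Path $share -ErrorAction Stop | Out-Null
    $conn = Get-SmbConnection -ServerName $server | Select-Object -First 1
    "Connected: Dialect=$($conn.Dialect) Encrypted=$($conn.Encrypted) Signed=$($conn.Signed)"
} catch {
    # Expected for any server that cannot offer SMB 3.x encryption.
    "Refused or failed: $($_.Exception.Message)"
}

# Rollback, should compatibility testing require it:
# Set-SmbClientConfiguration -RequireEncryption $false -Force
```

Run the audit step on a representative set of clients before enforcing the policy fleet-wide: any share that shows `Encrypted = False` today will become unreachable once the mandate is on, which is exactly the compatibility trade-off the article warns about.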

Another networking improvement present in Windows 11 Canary build 25982 is support for DNR, which is an upcoming standard from the Internet Engineering Task Force (IETF) to allow for more efficient discovery of encrypted DNS servers. Up until now, client machines have been required to find the IP address of the encrypted DNS server they wish to connect to and then make the appropriate configurations. DNR removes the need for this manual endpoint configuration by leveraging encrypted protocols like DNS over HTTPS (DoH) and DNS over TLS (DoT) on the client side.

DNR is quite sophisticated in its implementation. When a client machine with DNR enabled attempts to join a new network, it sends a request to the DHCP server to receive an IP address, along with other arguments specific to DNR like OPTION_V6_DNR and OPTION_V4_DNR. The DHCP server – which is already configured to use DNR – responds to this query by sending over the IP address of the encrypted DNS server, the supported encrypted protocols, ports, and the associated authentication information. The client machine then utilizes this information to automatically tunnel to the encrypted DNS server, without any endpoint configuration being done by the end-user.
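To make the DHCP exchange above concrete, here is an added PowerShell example (not from the article and not Windows' own DNR code) that decodes a DHCPv6 OPTION_V6_DNR option the way a client must before it can use the advertised resolver. The field layout follows the IETF DNR specification the article refers to (RFC 9463): service priority, authentication domain name (ADN), resolver addresses, and SvcParams carrying the protocol (alpn), port and DoH path. The option bytes, the ADN `dns.example.net`, the address `2001:db8::53` and the SvcParams values are constructed for illustration.

```powershell
# Added example: decode DHCPv6 OPTION_V6_DNR (RFC 9463). Sample bytes are constructed.
$OPTION_V6_DNR = 144        # DHCPv6 option code assigned to DNR

function Read-UInt16BE([byte[]]$Buf, [int]$Pos) {
    if ($Pos + 2 -gt $Buf.Length) { throw "truncated at offset $Pos" }
    return ([int]$Buf[$Pos] -shl 8) -bor [int]$Buf[$Pos + 1]
}

function Get-Slice([byte[]]$Buf, [int]$Start, [int]$Len) {
    if ($Start + $Len -gt $Buf.Length) { throw "slice past end at offset $Start" }
    $out = [byte[]]::new($Len); [Array]::Copy($Buf, $Start, $out, 0, $Len); return ,$out
}

function ConvertFrom-AdnWire([byte[]]$Buf) {
    # Authentication Domain Name: uncompressed DNS wire-format labels (RFC 1035).
    $labels = @(); $pos = 0
    while ($true) {
        if ($pos -ge $Buf.Length) { throw 'ADN missing root label' }
        $n = [int]$Buf[$pos]; $pos++
        if ($n -eq 0) { break }
        if ($n -ge 64) { throw 'compression pointers are not allowed in an ADN' }
        $labels += [Text.Encoding]::ASCII.GetString($Buf, $pos, $n); $pos += $n
    }
    if ($pos -ne $Buf.Length) { throw 'trailing bytes after ADN' }
    return ($labels -join '.')
}

function ConvertFrom-SvcParams([byte[]]$Buf) {
    # SvcParams use SVCB wire format (RFC 9460): key(2) length(2) value, keys ascending.
    # DNR uses key 1 = alpn (protocol), 3 = port, 7 = dohpath.
    $params = @{}; $pos = 0; $lastKey = -1
    while ($pos -lt $Buf.Length) {
        $key = Read-UInt16BE $Buf $pos; $len = Read-UInt16BE $Buf ($pos + 2); $pos += 4
        if ($key -le $lastKey) { throw 'SvcParams keys must be strictly increasing' }
        $lastKey = $key
        $val = Get-Slice $Buf $pos $len; $pos += $len
        switch ($key) {
            1 { $alpns = @(); $p = 0
                while ($p -lt $val.Length) {
                    $n = [int]$val[$p]; $p++
                    $alpns += [Text.Encoding]::ASCII.GetString($val, $p, $n); $p += $n
                }
                $params['alpn'] = $alpns }
            3 { $params['port'] = Read-UInt16BE $val 0 }
            7 { $params['dohpath'] = [Text.Encoding]::UTF8.GetString($val) }
            default { $params["key$key"] = $val }
        }
    }
    return $params
}

function ConvertFrom-V6DnrOption([byte[]]$Data) {
    $code = Read-UInt16BE $Data 0; $len = Read-UInt16BE $Data 2
    if ($code -ne $OPTION_V6_DNR -or $len -ne $Data.Length - 4) { throw 'not a well-formed OPTION_V6_DNR' }
    $body = Get-Slice $Data 4 $len
    $priority = Read-UInt16BE $body 0; $adnLen = Read-UInt16BE $body 2; $pos = 4
    $adn = ConvertFrom-AdnWire (Get-Slice $body $pos $adnLen); $pos += $adnLen
    $result = [ordered]@{ Priority = $priority; Adn = $adn; Addresses = @(); SvcParams = @{} }
    # ADN-only mode: no addresses or SvcParams, the client resolves the ADN itself.
    if ($pos -eq $body.Length) { return [pscustomobject]$result }
    $addrLen = Read-UInt16BE $body $pos; $pos += 2
    if ($addrLen % 16 -ne 0) { throw 'Addr Length is not a multiple of 16' }
    for ($i = 0; $i -lt $addrLen; $i += 16) {
        $result.Addresses += [System.Net.IPAddress]::new((Get-Slice $body ($pos + $i) 16)).ToString()
    }
    $pos += $addrLen
    $result.SvcParams = ConvertFrom-SvcParams (Get-Slice $body $pos ($body.Length - $pos))
    return [pscustomobject]$result
}

function ConvertFrom-Hex([string]$Hex) {
    return ,[byte[]](0..($Hex.Length / 2 - 1) | ForEach-Object { [Convert]::ToByte($Hex.Substring(2 * $_, 2), 16) })
}

# Constructed sample 1: priority 10, ADN dns.example.net, address 2001:db8::53,
# SvcParams alpn=h2, port=443, dohpath=/dns-query{?dns}  (a DoH resolver).
$full = '0090' + '0048' + '000a' + '0011' + '03646e73076578616d706c65036e657400' +
        '0010' + '20010db8000000000000000000000053' +
        '00010003026832' + '0003000201bb' + '000700102f646e732d71756572797b3f646e737d'
ConvertFrom-V6DnrOption (ConvertFrom-Hex $full) | Format-List

# Constructed sample 2: ADN-only mode, priority 20, ADN resolver.example.org.
$adnOnly = '0090' + '001a' + '0014' + '0016' + '087265736f6c766572076578616d706c65036f726700'
ConvertFrom-V6DnrOption (ConvertFrom-Hex $adnOnly) | Format-List
```

The decoded ADN is the security-relevant field: the DHCP reply itself carries no authentication, so the client's only assurance that it is tunnelling to the intended resolver is that the DoH or DoT server presents a certificate valid for that ADN. A decoder that accepts the addresses but skips the ADN check gives up exactly the protection DNR is meant to add.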

If you’re interested in leveraging DNR on a Windows 11 Canary machine, check out Microsoft’s guidance regarding enabling the feature here. Do note that DNR is not currently supported for IPv6 RA Encrypted DNS. Also keep in mind that both the SMB client encryption mandates and support for DNR in Windows 11 are still being tested in Insider Preview builds and there is no word yet on when the features will roll out publicly.
