How does OpenZiti protect against token theft

I noticed this post from Microsoft… and thought it was an interesting point to expand on.

A few things come to mind

use a private DNS instead of a public DNS

ZTNA is even better protection

Are there any other points to add?

A couple more related thoughts:

  • A local, strong identity (in the keychain/local file system) is implicit MFA that can’t be dodged/phished.
  • Use a hardware root of trust and an attacker has practically no chance to steal your key (though this is true without requiring/using OpenZiti).

Very excited about the opportunity to host private DNS. Right now we’re looking at using our k8s DNS server as a root DNS, not sure if there’s any examples of other folks doing this?

While I’ve not seen any myself, others in the community may have seen or done something in that realm. I’ll check with some folks and see. If anyone has done anything close, we’ll follow up.

Hi, DNS would not be any different than hosting other services over ziti. As far as I know there are no issues with ziti-edge-tunnel (Linux) and ziti-router (Linux) as either clients or hosts of a DNS service. Some end-system OSs can be finicky (i.e. Windows) when it comes to sending out DNS queries over tunnels.

Regards,

Robert