NSA & CISA Recommended Protective DNS

Enterprise DNS security.
Zero agents.

Nantevo delivers authenticated Protective DNS through a transport-layer authentication architecture: no endpoint software, no enrollment friction, no agent binary adding attack surface on your devices. Per-client 1:1 attribution, MDM-native deployment, and cloud, hybrid, or on-premise infrastructure aligned to NIST SP 800-81r3.

90%
of malware relies on DNS for Command and Control callbacks. DNS is the most consistently exploited attack channel — and the most consistently under-secured. The NSA and CISA have explicitly recommended Protective DNS as a foundational enterprise security control. NSA & CISA, 2021 · NIST SP 800-81r3, 2025
nantevo — live threat monitor // fleet:enterprise-01
nantevo> authenticate client:k7mxr4bqe9yz2pt6w3dh8cf5a
endpoint .... r7mxk4bqe9yzw2nt6p3dh8f5a.nantevo.com
clientID .... ✓ verified · 1:1 attribution
status ...... authenticated · policy: enterprise-strict

roci> monitor queries --live
api.github.com .................. 9ms
prod.datadog.com ................ 12ms
storage.googleapis.com .......... 16ms

! C2 kill chain detected — 14:32 UTC
xk92mf7a3n.cdn-analytics.net .... BLOCKED
DGA/C2 · incident #4471 · MTTR: immediate

roci>
15.52ms
Production avg query response — measured over 2.5 years of live operation
2.5 yrs
Continuous production operation — live infrastructure since October 2023
90%
Of malware uses DNS for C2 callbacks — NSA & CISA, 2021
~25%
Of all queries blocked by ad & tracker filtering — FBI-recommended practice
0
Endpoint agents required — authentication lives in the transport layer
90% of malware relies on DNS for C2 command callbacks · NSA & CISA, 2021
0% of roaming device DNS was encrypted before PDNS · Production audit baseline
NIST SP 800-81r3 (2025) establishes encrypted DNS as a security baseline · NIST, 2025, Secure DNS Deployment Guide
The DNS security problem

Two gaps incumbent solutions
leave open. One architecture that closes both.

Traditional Protective DNS fails at the deployment model. Browsers that bring their own DoH can bypass corporate resolvers whenever nothing at OS or policy level overrides them. Nantevo's transport-layer authentication architecture closes both gaps at once.

Agent-based PDNS

  • Agent binary is itself an exploitable attack surface
  • Failed update cycle leaves devices without protection
  • BYOD and unmanaged devices receive no coverage
  • Kernel extensions increasingly restricted on modern macOS
  • Deployment requires direct access to every endpoint
  • Revocation requires pushing a new policy to the device

The Encrypted DNS Gap

  • Chrome, Firefox, and Brave ship their own DoH and, left unmanaged, bypass corporate resolvers entirely
  • SOC loses DNS telemetry visibility for browser traffic: the majority of user queries
  • No filtering policy can be enforced on traffic the resolver never sees
  • 0% of roaming device DNS was encrypted before PDNS deployment
  • ISP DNS resolvers have no threat intelligence: unfiltered malicious domains resolve freely

Nantevo — transport-layer auth

  • Zero endpoint software — nothing to install, update, or maintain
  • MDM-enforced OS-level DoH closes the encrypted gap: Chromium-based browsers (Chrome, Edge, Brave) suspend their automatic DoH upgrade on managed devices, and Firefox disables its own DoH when it detects an enterprise policy or the use-application-dns.net canary; where a browser has been explicitly pointed at its own resolver, pin it with browser policy (DnsOverHttpsMode for Chromium, DNSOverHTTPS for Firefox) as well
  • Covers any DoH-capable device, managed or unmanaged
  • 1:1 attribution — every query tagged to a specific authenticated device
  • DNS as a Policy Enforcement Point — Zero Trust at the resolution layer
  • Instant revocation at the proxy — no device action required
Measured business impact

Security that pays for itself
before you count the breaches prevented.

These numbers come from 2.5 years of production telemetry. Ad and tracker filtering doesn't just reduce the attack surface; it removes bandwidth and latency overhead from every device on your network. The FBI has publicly recommended ad blocking as a security control against malvertising, not a convenience feature.

732.5 GB
Enterprise bandwidth saved per month
500-employee hybrid workforce · 25% block rate
34 hrs
Cumulative rendering latency recovered per month
Extrapolated from production blocking telemetry
~25%
Of all DNS queries blocked — ad, tracker, and malvertising networks
Production fleet average · October 2023 – present
100M
Projected monthly queries at 500-employee enterprise scale
Extrapolated from 10-user pilot baseline data
The FBI recommends ad blocking as a security measure because online advertising networks are a primary delivery vehicle for malvertising campaigns; DNS-layer filtering applies that control to every device at once. The bandwidth and latency savings are a byproduct of closing that attack surface. At enterprise scale, those savings offset a significant portion of deployment cost. Source: Global Cyber Alliance, 2025, Measuring the Economic Value of DNS Security.
Platform architecture

Four decisions that define
a fundamentally different platform.

Architectural choices — not feature additions — with consequences that compound across every device in your fleet from day one.

01 — Identity

Authentication at the proxy — before the resolver sees anything

Every DoH request carries a unique high-entropy endpoint subdomain and ClientID. The reverse proxy validates both before routing to the resolver. Unauthenticated requests receive no response — not an error, silence. DNS is treated as a Policy Enforcement Point in the Zero Trust sense: no query proceeds without verified identity. Per NIST SP 800-207, no network is inherently trusted.

endpoint: r7mxk4bqe9yzw2nt6p3dh8f5a.nantevo.com/{clientID}
validation: reverse proxy — pre-resolver
framework: NIST ZTA — Policy Enforcement Point
unauthenticated traffic: silent drop
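How the pre-resolver check described above can be implemented, as an added example that is not Nantevo's code. The endpoint format ({entropy}.nantevo.com/{clientID}) and the silent-drop behaviour come from this page; the credential table, the 25-character base36 label format, the request fields handed in (TLS SNI, Host header, path) and the revoke() helper are assumptions for illustration.

```python
"""Pre-resolver authorization for authenticated DoH (added example, not
Nantevo's code). A request must present both halves of a pre-bound
credential: the high-entropy endpoint subdomain and the ClientID path.
Anything else gets None, meaning: close the connection, send nothing."""
import hmac
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

BASE_DOMAIN = "nantevo.com"                 # assumed from the page's endpoint format
LABEL_RE = re.compile(r"^[a-z0-9]{25}$")    # 25 base36 chars, about 129 bits (assumed)


@dataclass(frozen=True)
class Credential:
    endpoint_label: str   # high-entropy subdomain, one per client
    client_id: str        # ClientID pre-bound to that subdomain
    policy: str


# Constructed credential store (values taken from the page's demo output);
# a deployment would back this with the records written at profile generation.
CLIENTS: Dict[str, Credential] = {
    "r7mxk4bqe9yzw2nt6p3dh8f5a": Credential(
        "r7mxk4bqe9yzw2nt6p3dh8f5a", "k7mxr4bqe9yz2pt6w3dh8cf5a", "enterprise-strict"
    ),
}


def parse_target(sni: Optional[str], host: str, path: str) -> Optional[Tuple[str, str]]:
    """Extract (endpoint_label, client_id), or None if the request is malformed.
    TLS SNI and the HTTP Host header must name the same endpoint so a client
    cannot handshake against one label and then ask for another."""
    hostname = host.split(":", 1)[0].lower().rstrip(".")
    if sni is not None and sni.lower().rstrip(".") != hostname:
        return None
    suffix = "." + BASE_DOMAIN
    if not hostname.endswith(suffix):
        return None
    label = hostname[: -len(suffix)]
    if not LABEL_RE.fullmatch(label):
        return None
    # RFC 8484 GET parameters (?dns=...) ride on the client-specific path.
    segments = urlsplit(path).path.strip("/").split("/")
    if len(segments) != 1 or not LABEL_RE.fullmatch(segments[0]):
        return None
    return label, segments[0]


def authorize(sni: Optional[str], host: str, path: str) -> Optional[Credential]:
    """Return the bound credential, or None for a silent drop."""
    parsed = parse_target(sni, host, path)
    if parsed is None:
        return None
    label, client_id = parsed
    record = CLIENTS.get(label)
    # Compare against a dummy value when the label is unknown so the
    # rejection path costs the same whether or not the subdomain exists.
    expected = record.client_id if record else "0" * 25
    if not hmac.compare_digest(expected.encode(), client_id.encode()):
        return None
    return record


def revoke(label: str) -> bool:
    """Instant revocation at the proxy: dropping the record is enough,
    the next request from that device is silently refused."""
    return CLIENTS.pop(label, None) is not None
```

Only an authorized request is forwarded to the resolver; the caller treats None as "close without a response", which is what makes unauthenticated probing of the endpoint space indistinguishable from a dead host.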
02 — Enrollment

MDM profile auto-generation — entire fleet in one push

Nantevo generates per-client MDM profiles containing unique high-entropy DoH endpoints pre-bound to unique ClientIDs. Deploy through your existing Apple MDM. OS-level DoH configures silently, system-wide, covering every application and process; browsers that defer to a managed system resolver stop using their own DoH. The Encrypted DNS Gap closes the moment the profile installs.

profile generated → MDM push
scope: OS resolver — overrides browser DoH
user interaction: none required
time to protected: under 60 seconds
03 — Visibility

1:1 attribution — not fleet averages

Because every query carries an authenticated client identity, threat telemetry is scoped to the individual device. When RoCi detects a C2 beacon, the SOC gets the exact device, exact timestamp, and exact domain immediately — without needing network access or VPN correlation. This is what eliminates the visibility gap that inflates MTTR on every competitor platform.

attribution: 1:1 per authenticated device
SOC value: exact device on C2 detection
MTTR impact: immediate identification
no VPN or IP correlation required
04 — Intelligence

RoCi — behavioral AI that never touches a live query

RoCi analyzes the telemetry log stream asynchronously, after responses are already delivered. This is a deliberate architectural commitment: DNS resolution latency is a hard budget, AI inference is not. RoCi's detections update the synchronous threat feed, building a defense-in-depth stack that improves with every detection across every client.

roci: async log analysis only
query path: lookup only, never inference
detection → rule push → feed update
architecture: Defense in Depth
Deployment models

Cloud, hybrid, or on-premise.
Your infrastructure requirements drive the choice.

The same authentication architecture and RoCi intelligence operate across all three models. What changes is where the resolver runs and where DNS queries travel.

Model 01 — Cloud

Nantevo-hosted resolvers

Distributed resolver nodes across the US today, with an expansion roadmap to 32 locations. MDM profile push for zero-touch Apple fleet enrollment. Fastest path to full fleet protection: operational within hours of decision. All RoCi intelligence and per-client telemetry included.

endpoint: {entropy}.nantevo.com
deployment: MDM profile push
queries: Nantevo cloud infrastructure
best for: distributed teams, cloud-native
Model 02 — Hybrid

Your subdomain, our intelligence

Your DoH endpoint lives on your own subdomain. A local forwarding layer in your data center handles internal domain resolution. External queries route upstream to Nantevo resolvers. RoCi threat intelligence and unified per-client telemetry operate seamlessly across both layers.

endpoint: dns.yourdomain.com
internal DNS: local resolver
external DNS: Nantevo upstream
best for: hybrid DC, mixed infrastructure
Model 03 — On-Premise

Self-hosted resolver; queries stay on your network

Complete resolver stack deployed as a virtual appliance in your data center. DNS queries never leave your network. The only outbound traffic is anonymized RoCi threat signals; query content never crosses your boundary. That outbound channel means the appliance is network-isolated rather than strictly air-gapped. Sub-10ms response times on-network. CDN outages have zero impact on resolution.

appliance: jail · container · OVA
queries: never leave your DC
roci: threat signals only, no query data
best for: regulated, high-security, DC
Platform support

Every device in your environment.
Proven in production across all of them.

Device coverage was proven across 2.5 years of real households using real devices — not claimed on a spec sheet. Every category below has been operational since October 2023.

Apple — zero-touch MDM
Auto-generated MDM profiles deploy OS-level DoH silently across iOS, iPadOS and macOS fleets via your existing MDM. The system resolver covers every app; browsers that defer to a managed system resolver stop using their own DoH, closing the Encrypted DNS Gap at enrollment. No user interaction, no visible change.
iOS · macOS · iPadOS
MDM native · production proven
Windows & Android
Windows 11 supports native DoH configuration via Group Policy or netsh dns add encryption (the per-client endpoint is registered as a DoH template against the resolver's IP address). Android's native Private DNS setting speaks DNS over TLS (RFC 7858) and takes a hostname only, so no ClientID path can be presented there; the Intra app speaks DoH with the full per-client URL. Both apply transparently on any network.
Windows 11 · Android
Native DoH · production proven
Browsers
Chrome, Edge, Brave and Firefox can be pointed at the per-client DoH URL in their own settings or through browser policy (DnsOverHttpsMode and DnsOverHttpsTemplates for Chromium browsers, DNSOverHTTPS for Firefox) where OS-level MDM configuration is not practical. Safari has no DoH setting of its own and follows the OS-level encrypted resolver. Closes the Encrypted DNS Gap for unmanaged device scenarios.
Chrome · Firefox · Brave · Edge · Safari (via the OS resolver)
Application-level · production proven
Linux & BSD
DoH through a local forwarder such as dnscrypt-proxy or cloudflared listening on localhost, with the stub resolver (/etc/resolv.conf) pointed at it. systemd-resolved and Unbound forward upstream over DNS over TLS rather than DoH, so they sit behind the forwarder, not in place of it. Native integration pathway for server fleets, developer workstations, and infrastructure hosts across any distribution.
Linux · FreeBSD · OpenBSD
Stub resolver · production proven
Home routers & network-wide
Router-level deployment provides network-wide protection for every device on the network — including smart TVs, IoT, and anything else that makes DNS queries. Proven in production across household networks since 2023.
Home routers · IoT · Smart TVs
Network-wide · production proven
Legacy infrastructure
On-premise forwarder appliance ingests plaintext DNS from legacy devices and proxies queries through authenticated DoH to Nantevo filtering endpoints. No device left without coverage.
Printers · Network gear · Legacy OS
Legacy forwarder
Deployment lifecycle

Zero to protected fleet.
Three steps. No endpoint access required.

Provision, deploy, and activate protection across your entire fleet without touching a single device directly.

STEP 01

Provision a client profile

Generate a unique MDM configuration profile per client group from the Nantevo dashboard. Each profile contains a unique high-entropy DoH endpoint and bound ClientID, 128-bit entropy per credential, and the proxy requires both to match the same record. Per-client filtering policy, content categories, and RoCi sensitivity are configured at this stage.

generate_profile(
  client: "eng-fleet",
  policy: "enterprise-strict",
  roci_sensitivity: "high"
) → eng-fleet.mobileconfig
  entropy: 128-bit per credential
STEP 02

Push via your existing MDM

Deploy through your Apple MDM infrastructure. The profile installs silently at OS level, configuring the system resolver for every application and process. No user interaction. No application download. Browsers that defer to a managed system resolver stop using their own DoH; pin the browser DoH policy through the same MDM for any that do not.

MDM push → profile installs
scope: OS resolver — overrides browser DoH
encrypted DNS gap: closed
fleet coverage: immediate
STEP 03

Every query authenticated, monitored, attributed

From the moment the profile installs, every DNS query is encrypted, authenticated at the proxy, filtered against live threat intelligence, and logged with 1:1 device attribution. RoCi monitors behavioral patterns asynchronously — never in the query path — and surfaces threats with the exact device identity needed for immediate MTTR reduction.

device → DoH → proxy: 1:1 auth check
→ resolver → response (avg: 15.52ms)
→ roci: async log analysis
SOC: exact device on any detection
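Steps 01 and 02 (and the Enrollment decision above) as working code, added here and not Nantevo's tooling: it generates a per-client Apple DNS Settings profile carrying a DoH URL in the page's endpoint format and returns the credential record the proxy would store before the MDM push. The payload keys are Apple's documented com.apple.dnsSettings.managed schema; the base domain, the base36 alphabet, the profile identifiers, the organization name and the record layout are assumptions.

```python
"""Per-client Apple DoH profile generator (added example, not Nantevo's
tooling). One call produces the .mobileconfig to push through MDM and the
credential record that binds endpoint subdomain and ClientID at the proxy."""
import plistlib
import secrets
import uuid
from typing import Any, Dict, Tuple

BASE_DOMAIN = "nantevo.com"                          # assumed from the page's endpoint format
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"   # base36: DNS-label safe, case-insensitive
LABEL_LEN = 25                                       # 36**25 > 2**128, about 129 bits


def new_credential() -> str:
    """Cryptographically random base36 label (secrets, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LABEL_LEN))


def build_profile(client_group: str, org: str = "Example Corp") -> Tuple[bytes, Dict[str, str]]:
    """Return (.mobileconfig bytes, credential record for the proxy's store).

    Subdomain and ClientID are generated together so the record binds them;
    the proxy later requires both on every request."""
    label, client_id = new_credential(), new_credential()
    server_url = f"https://{label}.{BASE_DOMAIN}/{client_id}"
    dns_payload: Dict[str, Any] = {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.dns.{client_group}",   # assumed naming
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Encrypted DNS ({client_group})",
        "DNSSettings": {"DNSProtocol": "HTTPS", "ServerURL": server_url},
        # Honoured on supervised/managed devices: the user cannot switch the
        # encrypted resolver off from Settings.
        "ProhibitDisablement": True,
    }
    profile: Dict[str, Any] = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.profile.dns.{client_group}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} Protective DNS",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [dns_payload],
    }
    record = {"endpoint_label": label, "client_id": client_id, "client_group": client_group}
    return plistlib.dumps(profile), record


def parse_profile(mobileconfig: bytes) -> Dict[str, Any]:
    """Read a generated profile back (audit: does the URL match the stored record?)."""
    return plistlib.loads(mobileconfig)


def profile_server_url(mobileconfig: bytes) -> str:
    """The DoH URL the device will use, pulled from the DNS settings payload."""
    for payload in parse_profile(mobileconfig)["PayloadContent"]:
        if payload.get("PayloadType") == "com.apple.dnsSettings.managed":
            return payload["DNSSettings"]["ServerURL"]
    raise ValueError("no DNS settings payload in profile")


if __name__ == "__main__":
    data, rec = build_profile("eng-fleet")
    with open(f"{rec['client_group']}.mobileconfig", "wb") as fh:
        fh.write(data)
    print(rec)  # store this at the proxy before the MDM push
```

Two things the profile alone does not cover: the wildcard name under the base domain must resolve and the proxy certificate must cover it, and the device bootstraps the endpoint hostname through its ordinary resolver unless the payload's optional ServerAddresses key pins the resolver IPs.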
Intelligence layer

RoCi — AI threat intelligence
that breaks the C2 kill chain.

RoCi analyzes per-client DNS query behavior continuously and classifies threats across every authenticated client simultaneously. When it detects a C2 beacon, a DGA pattern, or a tunneling attempt, it pushes a block rule to the synchronous threat feed immediately, cutting the attacker's communication channel before the device can receive a secondary payload.

DGA Detection
Character-entropy scoring of subdomain labels identifies domain generation algorithm patterns used in ransomware staging and C2 infrastructure location
C2 Kill Chain
Periodic query timing patterns to novel infrastructure — characteristic of botnet check-ins. Sinkholed before secondary payloads or encryption keys can be delivered
DNS Tunneling
Anomalous TXT record volumes and high-frequency lookups to newly-registered domains indicating active data exfiltration through the DNS channel
MTTR Reduction
1:1 device attribution on every detection — SOC gets exact device, timestamp, and domain. No VPN correlation, no IP guesswork, immediate containment
RoCi never touches a live query. All analysis is asynchronous on the log stream — after responses are already delivered. DNS resolution latency is a hard constraint. AI inference is not. This is an architectural commitment, not a limitation. The 15.52ms production average holds regardless of analysis complexity.
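The first two signals in the list above, label entropy for DGA detection and periodic timing for C2 check-ins, run as an asynchronous pass over already-answered telemetry the way the paragraph describes. This is an added example, not RoCi; the log line layout, the thresholds and the sample records are constructed for illustration (the beaconing domain is the one from the page's demo output).

```python
"""DGA entropy scoring and beacon periodicity over a telemetry log stream
(added example, not RoCi). Everything here runs after responses were
delivered; nothing sits in the lookup path."""
import math
import statistics
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed telemetry, not real data: "<unix_ts> <client_id> <qname>"
TELEMETRY = """\
1718000000 k7mxr4bqe9yz2pt6w3dh8cf5a api.github.com
1718000017 k7mxr4bqe9yz2pt6w3dh8cf5a storage.googleapis.com
1718000060 k7mxr4bqe9yz2pt6w3dh8cf5a xk92mf7a3n.cdn-analytics.net
1718000120 k7mxr4bqe9yz2pt6w3dh8cf5a xk92mf7a3n.cdn-analytics.net
1718000181 k7mxr4bqe9yz2pt6w3dh8cf5a xk92mf7a3n.cdn-analytics.net
1718000240 k7mxr4bqe9yz2pt6w3dh8cf5a xk92mf7a3n.cdn-analytics.net
1718000250 k7mxr4bqe9yz2pt6w3dh8cf5a prod.datadog.com
1718000300 k7mxr4bqe9yz2pt6w3dh8cf5a xk92mf7a3n.cdn-analytics.net
1718000305 k7mxr4bqe9yz2pt6w3dh8cf5a prod.datadog.com
1718000420 k7mxr4bqe9yz2pt6w3dh8cf5a prod.datadog.com
1718000421 k7mxr4bqe9yz2pt6w3dh8cf5a prod.datadog.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character. Ten distinct characters score log2(10) = 3.32."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def dga_score(qname: str, min_len: int = 8, min_entropy: float = 3.0) -> Tuple[str, float, bool]:
    """Score the leftmost label only; thresholds are assumptions.
    Entropy is a signal, not a verdict: CDN and cloud hostnames are often
    high-entropy too, so a production system also weighs NXDOMAIN rate and
    domain age before a block rule is pushed."""
    label = qname.lower().strip(".").split(".")[0]
    ent = shannon_entropy(label)
    return label, ent, len(label) >= min_len and ent >= min_entropy


def interval_stats(timestamps: List[int]) -> Tuple[float, float]:
    """Mean inter-query gap and its coefficient of variation (pstdev / mean)."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.fmean(gaps)
    return mean, (statistics.pstdev(gaps) / mean if mean else math.inf)


def is_beaconing(timestamps: List[int], min_gaps: int = 4, max_cv: float = 0.1) -> bool:
    """Regular check-ins: enough samples, and gaps that barely vary (10% jitter allowed)."""
    if len(timestamps) < min_gaps + 1:
        return False
    return interval_stats(timestamps)[1] <= max_cv


def analyze(telemetry: str) -> List[Dict[str, object]]:
    """One asynchronous pass; each finding names the exact client (1:1 attribution)."""
    seen: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        seen[(client, qname)].append(int(ts))
    findings: List[Dict[str, object]] = []
    for (client, qname), stamps in seen.items():
        reasons = []
        label, ent, dga = dga_score(qname)
        if dga:
            reasons.append(f"dga-like label {label!r} entropy={ent:.2f}")
        if is_beaconing(stamps):
            mean, cv = interval_stats(stamps)
            reasons.append(f"beacon every {mean:.0f}s cv={cv:.3f}")
        if reasons:
            findings.append({"client": client, "qname": qname,
                             "first_seen": min(stamps), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyze(TELEMETRY):
        print(finding)
```

On the constructed sample only the DGA-looking host fires, on both signals: a 10-character label of all-distinct characters at 3.32 bits and five queries 59 to 61 seconds apart. The two legitimate names are short or irregular and stay quiet.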
roci — behavioral analysis // k7mxr4bqe9yz2pt6w3dh8cf5a
roci> analyze client:k7mxr4bqe9yz2pt6w3dh8cf5a --deep
baseline ......... 2,400 queries/day
today ............ 2,847 — normal range
✓ latency avg .... 15.52ms
✓ phishing blocked 12 today
✓ malware blocked .. 26 today
 
! C2 kill chain detected — 14:32 UTC
query: xk92mf7a3n.cdn-analytics.net
entropy: 4.2 · DGA pattern: confirmed
✗ BLOCKED · block rule pushed to feed
incident #4471 · device: k7mxr4bqe9yz2pt6w3dh8cf5a
MTTR: immediate · attribution: 1:1
Data & logging policy

Configurable retention. No surveillance. No third-party sharing.

Enterprise security teams need logs. Nantevo gives you control over exactly what is retained, for how long, and where — without your data ever being used for anything other than your own security operations.

Full query telemetry — logged by default
Timestamp, authenticated client ID, queried domain, response code, resolution latency, and threat classification are logged for every query. The domain is essential — it powers blocked event lists, RoCi's DGA entropy scoring, per-client behavioral baselines, and incident forensics. Retention window is configurable per policy.
Standard telemetry · configurable retention
Source IP — not retained
Client IP addresses are used transiently for routing and rate limiting only. They are not written to telemetry records. On-premise deployments keep all query data within your network boundary — nothing crosses your perimeter to Nantevo servers.
Not retained · on-premise fully local
Third-party sharing — never
Your DNS telemetry is never shared with, sold to, or accessible by any third party for any purpose. Not for advertising, profiling, or threat intelligence aggregation. It belongs to your organization and is used exclusively for delivering and securing the service you've contracted for.
Zero data sharing · zero surveillance

Compliance & framework alignment

Federal guidance
NSA / CISA PDNS
Aligned with NSA and CISA's joint advisory explicitly recommending Protective DNS to mitigate the 90% of malware relying on DNS for C2 callbacks
NIST SP 800-207
Zero Trust Architecture
DNS treated as a distributed Policy Enforcement Point — every request authenticated, no network implicitly trusted. NIST ZTA alignment for enterprise audit requirements
NIST SP 800-81r3 · 2025
Secure DNS Deployment
The 2025 edition of NIST's Secure DNS Deployment Guide establishes encrypted DNS transport as essential for maintaining resolution integrity. Nantevo enforces RFC 8484 DoH across all enrolled devices
Defense in Depth
Layered Security Model
Three independent security layers: TLS transport encryption, identity-aware proxy authentication at the edge, and automated threat intelligence filtering — each independently effective

What security teams say

"We evaluated three PDNS vendors. Nantevo was the only one that didn't require software on every device. For a team of 200 across four continents, that difference in deployment complexity was the decision."

— Director of Security Engineering, global SaaS company

"The 1:1 attribution caught a compromised laptop within hours of enrollment — something our previous solution would have averaged out of fleet-level data. RoCi gave us the exact device immediately. MTTR went from days to minutes."

— VP Engineering, Series C fintech

"The on-premise appliance was the deciding factor. Our DNS doesn't leave our data center, we get full RoCi intelligence, and a CDN outage has zero impact on our resolution path. That's the Zero Trust architecture we needed."

— CISO, regulated financial services firm

Reliability

Production-proven. Not a promise — a record.

Two and a half years of continuous operation across geographically distributed infrastructure. These are live production metrics from the same platform your organization will run on.

99.97%
Resolver uptime — trailing 2.5 years production
VERIFIED · status.nantevo.com
15.52ms
Production average query response — measured over 2.5 years
PRODUCTION TELEMETRY · P50 · GoAccess dashboard
US-distributed
Distributed resolver infrastructure across the US today, 32-location expansion roadmap
CLOUD · HYBRID · ON-PREMISE
Resolver availability ............ 99.97%
Proxy authentication layer ....... 100.0%
RoCi threat intelligence ......... 99.94%
Per-client telemetry pipeline .... 99.89%

See Nantevo authenticate a fleet
in under 60 seconds.

Live demo. Your devices. No software installed before, during, or after.