Nantevo delivers authenticated Protective DNS through a novel transport-layer authentication architecture — no endpoint software, no enrollment friction, no attack surface on your devices. Per-client telemetry, MDM-native deployment, and flexible cloud, hybrid, or on-premise infrastructure to meet your organization wherever it operates.
Every traditional Protective DNS solution — Cisco Umbrella, Infoblox, and their peers — relies on endpoint agents to establish client identity. That architecture carries costs that accumulate across every device, every update cycle, and every unmanaged endpoint in your organization.
Architectural choices — not feature additions — with consequences that compound across every device in your fleet from day one.
Every DoH request is addressed to a unique high-entropy endpoint subdomain and carries a unique ClientID. The reverse proxy validates both before routing to the resolver. Unauthenticated requests receive no response. No software on the device. No enrollment flow. The endpoint itself is the credential.
Nantevo generates per-client MDM profiles containing unique high-entropy DoH endpoints pre-bound to unique ClientIDs. Deploy through your existing Apple MDM. OS-level DoH configures silently, system-wide — every application, every process, every DNS query covered simultaneously, without touching a single device directly.
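The provisioning and proxy-side check described in the two paragraphs above, as an added sketch that is not Nantevo's code. It assumes the ClientID travels in the URL path and that the proxy has already split the path from the query string; `doh.example.net`, `BindingStore` and its method names are hypothetical.

```python
import hashlib
import hmac
import secrets

BASE_DOMAIN = "doh.example.net"  # placeholder zone, not a real Nantevo domain


def _digest(value: str) -> bytes:
    return hashlib.sha256(value.encode("ascii")).digest()


class BindingStore:
    """Maps hash(endpoint label) -> hash(ClientID); raw secrets are never stored."""

    def __init__(self):
        self._bindings = {}

    def provision(self) -> str:
        """Create one client binding and return the DoH URL for its MDM profile."""
        label = secrets.token_hex(16)          # 128 bits, a valid 32-char DNS label
        client_id = secrets.token_urlsafe(16)  # assumption: carried in the URL path
        self._bindings[_digest(label)] = _digest(client_id)
        return f"https://{label}.{BASE_DOMAIN}/{client_id}/dns-query"

    def revoke(self, label: str) -> None:
        self._bindings.pop(_digest(label), None)

    def authenticate(self, host: str, path: str):
        """Return a per-client telemetry handle, or None (proxy sends no response)."""
        host = host.split(":")[0].lower().rstrip(".")
        suffix = "." + BASE_DOMAIN
        parts = path.split("/")
        if not host.endswith(suffix) or len(parts) != 3 or parts[2] != "dns-query":
            return None
        label, client_id = host[: -len(suffix)], parts[1]
        if not (label.isascii() and client_id.isascii()):
            return None
        expected = self._bindings.get(_digest(label))
        # Unknown labels are compared against a dummy value so both failure
        # paths do the same work; the comparison itself is constant-time.
        matches = hmac.compare_digest(expected or bytes(32), _digest(client_id))
        if expected is None or not matches:
            return None
        return _digest(label).hex()[:12]
```

Both values must match the same binding: a valid ClientID presented at another client's endpoint is dropped, and revoking a label invalidates that one device without touching the rest of the fleet.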
Because every query carries an authenticated identity, threat telemetry is scoped to the individual device. Query patterns, response times, blocked domains, and anomaly scores are per-client in real time. When RoCi identifies a threat, you know the exact device immediately — not which subnet it came from.
Nantevo deploys where your DNS belongs. Fully hosted cloud for distributed teams. Hybrid for mixed infrastructure. On-premise virtual appliance for environments where DNS must never leave the network — deployable as a FreeBSD jail, OCI container, or OVA. Custom subdomain endpoints mean the resolver looks like yours.
Three deployment models covering every enterprise architecture. Fully hosted to fully air-gapped — with the same authentication architecture, the same per-client telemetry, and the same RoCi threat intelligence across all three.
Nantevo-managed resolvers, globally distributed across redundant infrastructure. Fastest path to deployment. Ideal for distributed workforces, cloud-native organizations, and teams without on-premise DNS infrastructure. Full RoCi threat intelligence and per-client telemetry included.
Your DoH endpoint lives on your own subdomain. A local forwarding layer in your data center handles internal domain resolution. External queries route upstream to Nantevo resolvers. RoCi threat intelligence and unified telemetry operate seamlessly across both layers.
Complete resolver stack deployed as a virtual appliance in your data center or private cloud. DNS queries never leave your network. Only anonymized RoCi threat signals stream to the intelligence pipeline — not query content. Sub-10ms response times achievable on-network. CDN outages have zero impact.
Nantevo covers your entire device landscape — from managed corporate fleets to BYOD mobile devices to legacy infrastructure that can't speak DoH. No gaps, no blind spots.
Provision, deploy, and activate protection across your entire fleet without touching a single device directly.
Generate a unique MDM configuration profile per client group from the Nantevo dashboard. Each profile contains a unique high-entropy DoH endpoint and bound ClientID. Per-client filtering policy, content categories, and RoCi sensitivity are configured at this stage.
Deploy the generated profile through your Apple MDM infrastructure. The profile installs silently at OS level across your entire fleet simultaneously. No user interaction. No application download. OS-level DoH configures system-wide — every application and every process is covered from the moment of installation.
From the moment the profile installs, every DNS query from that device is encrypted, authenticated at the proxy layer, filtered against live threat intelligence, and logged to your per-client telemetry dashboard. RoCi monitors behavioral patterns continuously and surfaces threats in real time.
RoCi is Nantevo's onboard threat intelligence engine. She analyzes per-client DNS query behavior continuously, identifies anomalies against established baselines, and classifies threats in real time — across every authenticated client simultaneously, without adding latency to the query path.
Enterprise security teams need logs. Nantevo gives you control over exactly what is retained, for how long, and where — without ever using your data for anything other than your own security operations.
Compliance & framework alignment
What security teams say
"We evaluated three PDNS vendors. Nantevo was the only one that didn't require software on every device. For a team of 200 across four continents, that difference in deployment complexity was the decision."
— Director of Security Engineering, global SaaS company
"The per-client telemetry caught a compromised laptop within hours of enrollment — something our previous solution would have averaged out of the fleet-level data. RoCi's behavioral baseline is genuinely different."
— VP Engineering, Series C fintech
"The on-premise appliance was the deciding factor. Our DNS doesn't leave our data center, we get full RoCi intelligence, and a CDN outage has zero impact on our resolution path. That's the architecture we needed."
— CISO, regulated financial services firm
Two years of continuous operation across globally distributed infrastructure. These are live production metrics from the same platform your organization will run on.
Live demo. Your devices. No software installed before, during, or after.