Documentation
Customer-facing documentation for deploying and operating Nantevo Protective DNS — the on-premise forwarder, the platform architecture, and answers to the questions that come up during rollout.
nantevo-fwd guide
Deploy the on-premise DNS-to-DoH forwarder: FreeBSD, Linux, jails, and single-board hardware. Client mapping, local threat intelligence, fail-closed behavior, and the built-in dashboard — plus a complete configuration reference.
Architecture & security
How authentication works at the transport layer, the three deployment models, what gets logged (and what doesn't), and how RoCi analyzes telemetry without touching a live query.
Troubleshooting & FAQ
Verifying protection is active, browser DoH conflicts, captive portals, unmapped-device SERVFAIL on the forwarder, and frequently asked questions.
Request a demo
Nantevo is onboarding design partners. A live walkthrough is the fastest way to see enrollment, telemetry, and RoCi detection against your own fleet.
Looking for device onboarding?
Per-device onboarding — including your organization's unique DoH endpoints, ClientIDs, and generated MDM profiles — lives in the client dashboard, where each step is shown with your actual credentials. These docs intentionally cover only the generic architecture; private endpoints and ClientIDs are never published here.
If you don't yet have dashboard access, request a demo and we'll set you up.
Conventions used in these docs
{endpoint}— placeholder for your unique per-client DoH endpoint subdomain (25-character, high-entropy). Yours is shown in the dashboard.{clientID}— placeholder for the 25-character client credential bound to that endpoint.- Shell examples use
#for comments; commands are shown for the platform named in the surrounding heading.