nantevodocsarchitecture

Architecture & security reference

A consolidated technical reference for evaluators: how Nantevo authenticates DNS at the transport layer without endpoint software, where your queries travel under each deployment model, exactly what is logged, and how the RoCi analysis engine relates to the query path.

Authentication model

Nantevo authenticates every DNS-over-HTTPS query before it reaches a resolver, using a credential pair embedded in the request itself rather than software installed on the device:

Each credential is drawn from a 25-character lowercase-alphanumeric space — log₂(36²⁵) ≈ 129 bits of entropy per field — and both must match. The reverse proxy validates the pair before routing anything to the resolver. Requests that fail validation receive no response at all: a silent drop, not an error, so probing yields no oracle signal.

Because identity lives in the transport layer, revocation happens at the proxy — a revoked credential stops resolving immediately, with no action required on the device.

The query path

device
  → DoH over TLS 1.3 (RFC 8484)
  → reverse proxy — endpoint + ClientID validated   (pre-resolver)
  → resolver — threat feed consulted, policy applied
  → response returned to device                      (~16ms production average)
  → telemetry log stream → RoCi                      (asynchronous, never in path)

Two properties follow from this design:

Deployment models

The same authentication architecture and RoCi intelligence operate across all three models. What changes is where the resolver runs and where queries travel.

ModelEndpointWhere queries goBest for
Cloud{endpoint}.nantevo.comNantevo-hosted resolver nodes (US, distributed)Distributed teams, cloud-native orgs; fastest rollout
Hybriddns.yourdomain.comInternal domains resolve on a local forwarding layer in your data center; external queries route upstream to NantevoMixed infrastructure with internal DNS zones
On-premiseLocal applianceNowhere — the full resolver stack runs as a virtual appliance (jail, container, or OVA) inside your network. Only anonymized RoCi threat signals go outbound; query content never crosses your boundary.Regulated and high-security environments; air-gap requirements

On-premise deployments resolve locally at sub-10 ms on-network, and upstream CDN outages have no impact on resolution.

Platform coverage

PlatformMechanism
iOS · iPadOS · macOSAuto-generated MDM configuration profile installs OS-level DoH silently via your existing Apple MDM. OS-level configuration overrides browser DoH, covering every app and process.
Windows 11Native DoH configured via Group Policy.
AndroidThe Intra app applies per-client DoH credentials. (Android's built-in Private DNS setting is DoT-only, so it can't carry the DoH credential pair.)
BrowsersChrome, Firefox, Brave, Edge, and Safari support native DoH configuration for unmanaged-device scenarios.
Linux · BSDDoH via stub resolver configuration.
Routers / network-wideRouter-level deployment covers every device on the network, including smart TVs and IoT.
Legacy / plaintext-only devicesnantevo-fwd ingests plaintext DNS and proxies through authenticated DoH with per-device attribution.
NotePer-device setup steps with your actual endpoints and profiles live in the client dashboard — these docs deliberately stay generic. Private ClientIDs and per-client endpoints are never published.

Logging & retention

Enterprise security teams need logs; the policy is designed to give you full telemetry with explicit boundaries.

What is logged, per query

What is not

Retention

DataDefaultConfigurable
DNS query telemetry90 daysYes — per policy, shorter or longer
RoCi incident records12 monthsYes

On-premise deployments keep all query data inside your network boundary. See the privacy policy for the complete data inventory.

RoCi analysis

RoCi never touches a live query. It analyzes the telemetry log stream asynchronously — after responses are already delivered. This is an architectural commitment: DNS resolution latency is a hard constraint, AI inference is not, so inference is kept out of the query path entirely.

What it looks for:

When RoCi confirms a detection, it pushes a block rule to the synchronous threat feed that the resolver consults inline — so the asynchronous engine hardens the synchronous path for every client, without ever sitting in it. Each detection carries the exact device, timestamp, and domain.

Framework alignment