nantevodocstroubleshooting

Troubleshooting & FAQ

The issues that actually come up during rollout, in the order you're likely to hit them — plus the questions evaluators ask most.

Verifying protection is active

  1. Check the dashboard. A device appears in your client list with live query telemetry as soon as it makes its first authenticated query. If it's listed and the query count is moving, the device is protected.
  2. Check the profile (Apple fleets). On the device, confirm the Nantevo configuration profile is installed under Settings → General → VPN & Device Management. An installed profile configures DoH at the OS level, silently.
  3. Check filtering. Blocked domains answer NXDOMAIN. Attempting to resolve a domain your policy blocks (an ad or tracker domain under default policy) should fail to resolve, and the block event appears in the dashboard's blocked-events list with the device attributed.

Device enrolled but not appearing in the dashboard

Browser DoH conflicts

Chrome, Firefox, Brave, and Edge each ship their own DoH ("secure DNS") implementations that can bypass the system resolver — this is the Encrypted DNS Gap.

Captive portals (hotels, airports, cafés)

Captive portals intercept DNS to redirect you to a login page — which encrypted DNS is specifically designed to prevent. Symptoms: the portal page never loads on a freshly joined network.

Forwarder (nantevo-fwd) issues

Frequently asked questions

Does Nantevo see or store our source IPs?

Client IPs are used transiently for routing and rate limiting and are not written to telemetry records. On-premise deployments never send query data to Nantevo at all — only anonymized RoCi threat signals leave your network.

What exactly is in the logs?

Timestamp, authenticated client ID, queried domain, response code, latency, and threat classification, with configurable retention (90-day default for query telemetry, 12 months for RoCi incident records). Details in Logging & retention and the privacy policy.

Can RoCi slow down our DNS?

No — architecturally, not just operationally. RoCi analyzes the log stream after responses are delivered and is never in the query path. Its detections update the synchronous threat feed that the resolver consults inline.

How do we revoke a lost or compromised device?

Revoke the credential in the dashboard. Enforcement happens at the proxy immediately — the device's endpoint + ClientID pair simply stops resolving. No device access, MDM push, or user action is required.

What happens during an upstream CDN incident?

Cloud deployments depend on upstream infrastructure, and incidents are disclosed transparently on the status page (including upstream events). On-premise deployments resolve locally and are unaffected by CDN outages. If that failure mode matters to your environment, the on-premise model exists for exactly this reason.

Is there an SLA?

Business-tier agreements carry a 99.9% uptime SLA; enterprise terms are negotiated per contract. See pricing.

Something else?

Email [email protected] — technical questions get answered by the engineer who built the platform, typically same business day.