Enterprise Protective DNS

Protect every DNS query.
No agents. No exceptions.

Nantevo authenticates every DNS-over-HTTPS query at the transport layer — using a credential embedded in the endpoint URL itself, not software installed on any device. Per-client threat intelligence, MDM-native deployment, and flexible infrastructure to meet your organization wherever it operates.

90% of malware uses DNS for C2 callbacks (NSA & CISA)
15.52ms production average query response (measured over 2.5 years)
99.97% resolver availability (2.5-year production record)
Zero endpoint agents on any device, ever
The threat landscape

DNS is the primary C2 channel.
It's also the most consistently under-secured one.

The NSA and CISA have published explicit guidance recommending Protective DNS as a foundational enterprise security control, because roughly 90% of malware relies on DNS for Command and Control callbacks. Whatever the initial foothold (a phished payload, an exploited endpoint, a network intrusion), the implant still has to resolve a name to call home, and that resolution is where PDNS can break the chain.

And yet before Nantevo deployment, the production audit baseline showed that 0% of roaming mobile device DNS was encrypted — on the same devices carrying the most sensitive work, connecting to the least trusted networks.

See how Nantevo addresses this →
90% of malware relies on DNS for Command and Control callbacks (NSA & CISA, 2021 joint advisory)
0% of roaming device DNS was encrypted pre-deployment
~25% of queries blocked: ad & malvertising networks
Platform capabilities

Every layer of protection,
explained.

Select a capability to see how it works, what it protects against, and how it's implemented in production.

01 — Authentication
The endpoint URL is the credential.
Every client receives a unique high-entropy DoH endpoint: a 25-character subdomain combined with a 25-character ClientID. Each field is drawn from a 36-symbol alphabet (a–z, 0–9), so each carries ~129 bits of entropy on its own and the pair ~258 bits. The reverse proxy validates both on every query before it reaches the resolver. No software on any device. No agent to install, update, or maintain. The credential is in the URL itself.
  • ~129 bits of entropy per field, ~258 bits for the pair; brute force is computationally infeasible
  • Both endpoint subdomain and ClientID required — neither alone is valid
  • Silent drop on failed authentication — no oracle, no error signal
  • Instant revocation — remove the nginx virtual host, the endpoint ceases to exist
Full authentication walkthrough →
Credential structure
Entropy per field: ~129 bits
Fields required: both
Alphabet: a–z · 0–9
Revocation: instant
# nginx virtual host per endpoint subdomain ({clientID}: the literal 25-char ID baked into this vhost)
server {
    listen 443 ssl;
    server_name r7mxk...a.nantevo.com;   # first credential half: the 25-char subdomain
    # ssl_certificate directives omitted; use a wildcard cert for the zone, since a per-subdomain
    # certificate would publish the secret label in Certificate Transparency logs
    location = "/q/{clientID}" {         # second half: exact path match, query string (?dns=) ignored
        proxy_pass http://resolver;      # match → forward to the DoH resolver (upstream name assumed)
    }
    location / { return 444; }           # no match → close the connection: no body, no error signal
}
# no runtime lookup · no credential store
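To make the credential arithmetic and the proxy decision concrete, here is an added example in Python. It is not Nantevo's code; the zone name, the `/q/` path layout and the proxy model are taken from the text above, and everything else (function names, the `ZONE` constant, the `EndpointProxy` class) is an assumption for illustration. It generates a credential pair, computes the entropy figure, builds an RFC 8484 GET URL against the endpoint, and models the vhost check that either forwards or drops with 444. One operational caveat worth stating in code: the subdomain half only stays secret if the TLS certificate is a wildcard for the zone, because a per-subdomain certificate lands in Certificate Transparency logs.

```python
import base64
import math
import secrets
import string
import struct
from hmac import compare_digest

ALPHABET = string.ascii_lowercase + string.digits   # a-z · 0-9: 36 symbols, as on the page
FIELD_LEN = 25
ZONE = "nantevo.com"   # assumption: parent zone for client subdomains (serve it with a wildcard cert;
                       # a per-subdomain certificate would publish the secret label in CT logs)


def field_entropy_bits(length=FIELD_LEN, alphabet_size=len(ALPHABET)):
    """Entropy of one uniformly random field: length * log2(alphabet size) -> ~129.25 bits."""
    return length * math.log2(alphabet_size)


def new_field():
    return "".join(secrets.choice(ALPHABET) for _ in range(FIELD_LEN))


def new_credential():
    """Return (subdomain, client_id, endpoint_url); the URL is the whole credential."""
    sub, cid = new_field(), new_field()
    return sub, cid, f"https://{sub}.{ZONE}/q/{cid}"


def dns_query_wire(name, qtype=1):
    """Minimal RFC 1035 query. ID 0 and no EDNS, so identical questions yield identical URLs (RFC 8484 4.1)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)          # ID=0, RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)              # QTYPE, QCLASS=IN


def doh_get_url(endpoint_url, name, qtype=1):
    """RFC 8484 GET form: ?dns=<base64url(wire query)> with '=' padding removed."""
    b64 = base64.urlsafe_b64encode(dns_query_wire(name, qtype)).rstrip(b"=").decode("ascii")
    return f"{endpoint_url}?dns={b64}"


class EndpointProxy:
    """Mirrors the per-vhost check: Host must equal the client's subdomain and the path must equal
    /q/<ClientID>. Any mismatch yields 444 (connection closed, no body), so a probe cannot learn
    which half was wrong."""

    def __init__(self, subdomain, client_id):
        self.host = f"{subdomain}.{ZONE}".encode()
        self.path = f"/q/{client_id}".encode()

    def decide(self, host, path):
        path = path.split("?", 1)[0]           # the ?dns=... query string is not part of the credential
        host_ok = compare_digest(host.lower().encode(), self.host)
        path_ok = compare_digest(path.encode(), self.path)
        return "proxy_pass" if (host_ok & path_ok) else 444   # '&' so both compares always run
```

Both halves are compared with `compare_digest` and combined with a non-short-circuiting `&`, so the time to reject does not depend on which half failed, matching the "no oracle" property the page claims for the 444 drop.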
02 — MDM Enrollment
Zero-touch fleet deployment. OS-level coverage.
Nantevo generates signed Apple MDM configuration profiles containing the unique DoH endpoint and ClientID, ready to push through your existing MDM infrastructure — Jamf, Kandji, Intune, or any MDM supporting Apple configuration profiles. The profile installs silently at OS level. Every application, every process, every DNS query is covered from the moment it installs — including browsers that would otherwise use their own DoH resolver.
  • Auto-generated .mobileconfig per client group — no manual editing
  • OS-level enforcement overrides browser DoH — closes the Encrypted DNS Gap
  • System-wide, tamper-resistant, invisible to users
  • Windows via Group Policy · Android via Private DNS · routers via forwarder
MDM enrollment walkthrough →
Enrollment lifecycle
Time to protected: <60 seconds
Device access needed: none
User interaction: none
Coverage scope: system-wide
generate_profile(client: "eng-fleet")
→ eng-fleet.mobileconfig (signed)
→ push via MDM
→ profile installs silently
→ all DNS encrypted + authenticated
→ browser DoH: overridden
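What the generated profile actually contains is the part an MDM administrator will want to inspect, so here is an added example in Python that builds an unsigned `.mobileconfig` carrying Apple's `com.apple.dnsSettings.managed` payload with the per-client DoH URL. This is not Nantevo's generator; the payload keys are Apple's documented ones, while the function name, the identifier prefix, the organisation string and the sample endpoint URL are assumptions for illustration.

```python
import plistlib
import uuid

DNS_PAYLOAD_TYPE = "com.apple.dnsSettings.managed"   # Apple's encrypted-DNS payload (iOS 14 / macOS 11 and later)


def build_profile(client_group, doh_url, server_ips=None, org="Example Corp",
                  identifier_base="com.example.dns"):
    """Return the unsigned XML plist bytes of a .mobileconfig for one client group.
    doh_url carries the per-client subdomain and ClientID; nothing else on the device holds a secret."""
    dns_settings = {"DNSProtocol": "HTTPS", "ServerURL": doh_url}
    if server_ips:
        # Optional bootstrap addresses so resolving the endpoint hostname does not itself depend on DNS
        dns_settings["ServerAddresses"] = list(server_ips)
    dns_payload = {
        "PayloadType": DNS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier_base}.{client_group}.dns",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Encrypted DNS ({client_group})",
        "DNSSettings": dns_settings,
        "ProhibitDisablement": True,     # supervised devices: the user cannot switch the resolver off
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier_base}.{client_group}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} Protective DNS / {client_group}",
        "PayloadOrganization": org,
        "PayloadScope": "System",        # macOS: install for the whole machine, not one user
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [dns_payload],
    }
    return plistlib.dumps(profile)


def read_dns_settings(profile_bytes):
    """Read back the DNSSettings dict a device would apply (None if the payload is absent)."""
    for payload in plistlib.loads(profile_bytes)["PayloadContent"]:
        if payload["PayloadType"] == DNS_PAYLOAD_TYPE:
            return payload["DNSSettings"]
    return None


if __name__ == "__main__":
    # Hypothetical endpoint; substitute the real per-client URL
    data = build_profile("eng-fleet", "https://r7mxk.example.nantevo.com/q/CLIENTID")
    with open("eng-fleet.mobileconfig", "wb") as f:
        f.write(data)
```

The page says the pushed profile is signed; the usual way to do that outside an MDM is a CMS signature, for instance `openssl smime -sign -signer cert.pem -inkey key.pem -certfile chain.pem -nodetach -outform der -in eng-fleet.mobileconfig -out eng-fleet.signed.mobileconfig`, which is an assumed step here, not something the page describes.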
03 — RoCi AI
Breaks the C2 kill chain. Never slows a query.
RoCi operates exclusively on the telemetry log stream — after query responses are already delivered. She scores every query against the per-client behavioral baseline, detects DGA patterns, C2 beaconing, DNS tunneling, and volume anomalies, then pushes block rules back into the synchronous threat feed. The 15.52ms production average holds regardless of analysis complexity.
  • Asynchronous — zero query path impact, zero added latency
  • Per-client baselines — deviations measured against that device's specific normal
  • 1:1 attribution on every detection — exact device identity in every incident record
  • Detection to rule push in seconds: the block is automatic, so time to resolution is bounded by how fast an analyst reads the incident record, not by waiting for data
Full RoCi capability reference →
Detection capabilities
DGA entropy threshold: > 3.5
Query path impact: zero
Detection → block: seconds
Attribution: 1:1 device
! C2 kill chain — 14:32:07 UTC
domain: xk92mf7a3n.cdn-analytics.net
entropy: 4.2 (threshold: 3.5)
device: h5tz9mc2r7vn4bpk3qxwj8yde · 1:1 attribution
action: block rule pushed to feed
MTTR: immediate
04 — Telemetry
Per-device visibility. Configurable retention.
Because every query carries an authenticated ClientID, telemetry is scoped to the individual device — not averaged across a fleet. Query metadata, threat classifications, latency distributions, block rates, and RoCi anomaly scores are all available per client in real time. The dashboard was built and operated for 2.5 years of production use before it became a product feature.
  • Full query telemetry logged by default — domain, timestamp, ClientID, response code, latency, threat classification
  • Source IP not retained — used transiently for routing only
  • Per-client dashboard — protection stats, bandwidth saved, top threats
  • SIEM integration via API — structured JSON incident records
Query lifecycle walkthrough →
Telemetry defaults
Attribution: 1:1 device
Domain logged: yes (standard)
Third-party sharing: never
Retention: configurable
logged: timestamp · client_id · domain
logged: response_code · latency_ms
logged: threat_classification · roci_score
not retained: source IP (routing only)
sharing: zero — your data only
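The two sections above (03, asynchronous detection on the log stream; 04, per-device records without source IP) are illustrated by the following added example in Python. It is not RoCi and not Nantevo's code: it parses a few constructed telemetry lines in the field set the page lists, applies the page's whole-hostname Shannon entropy threshold of 3.5 (the page's sample domain scores about 4.1 on that measure), adds a beaconing check on inter-arrival regularity, and emits a structured JSON incident record keyed by ClientID. The beacon parameters, the "review"/"block" decision rule and the client IDs in the sample are assumptions. Note the caveat a detection engineer would expect: entropy over a whole hostname also exceeds 3.5 for many long legitimate names, so a single indicator is only routed for review, and the same domain gets a different verdict per device.

```python
import json
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime

ENTROPY_THRESHOLD = 3.5   # the page's DGA threshold, applied to the full hostname
BEACON_MIN_QUERIES = 5    # assumption: need at least this many hits to judge regularity
BEACON_MAX_CV = 0.10      # assumption: std/mean of the gaps below this looks machine-timed


def shannon_entropy(s):
    """Bits per character over the string's own symbol distribution."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


# Constructed telemetry lines: timestamp · client_id · domain · response_code · latency_ms.
# Source IP is deliberately absent, matching the retention policy described on the page.
SAMPLE_LOG = """\
2025-06-01T14:00:00Z h5tz9mc2r7vn4bpk3qxwj8yde xk92mf7a3n.cdn-analytics.net NOERROR 14.9
2025-06-01T14:00:07Z h5tz9mc2r7vn4bpk3qxwj8yde www.example.com NOERROR 12.1
2025-06-01T14:01:00Z h5tz9mc2r7vn4bpk3qxwj8yde xk92mf7a3n.cdn-analytics.net NOERROR 15.3
2025-06-01T14:02:00Z h5tz9mc2r7vn4bpk3qxwj8yde xk92mf7a3n.cdn-analytics.net NOERROR 15.0
2025-06-01T14:02:33Z b3n8q2w7kx4cv9m1zt6hpd5ry xk92mf7a3n.cdn-analytics.net NOERROR 16.2
2025-06-01T14:03:00Z h5tz9mc2r7vn4bpk3qxwj8yde xk92mf7a3n.cdn-analytics.net NOERROR 14.7
2025-06-01T14:03:21Z h5tz9mc2r7vn4bpk3qxwj8yde mail.example.com NOERROR 13.8
2025-06-01T14:04:00Z h5tz9mc2r7vn4bpk3qxwj8yde xk92mf7a3n.cdn-analytics.net NOERROR 15.1
2025-06-01T14:10:45Z h5tz9mc2r7vn4bpk3qxwj8yde www.example.com NOERROR 11.9
2025-06-01T14:11:02Z h5tz9mc2r7vn4bpk3qxwj8yde www.example.com NOERROR 12.4
2025-06-01T14:30:00Z h5tz9mc2r7vn4bpk3qxwj8yde www.example.com NOERROR 12.0
2025-06-01T14:31:00Z h5tz9mc2r7vn4bpk3qxwj8yde www.example.com NOERROR 12.2
"""


def parse_log(text):
    records = []
    for line in text.splitlines():
        ts, client_id, domain, rcode, latency = line.split()
        records.append({
            "timestamp": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client_id": client_id,
            "domain": domain.lower().rstrip("."),
            "response_code": rcode,
            "latency_ms": float(latency),
        })
    return records


def is_beacon(timestamps):
    """Regular inter-arrival gaps with little jitter: the signature of a scheduled callback."""
    if len(timestamps) < BEACON_MIN_QUERIES:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean < BEACON_MAX_CV


def analyze(records):
    """Score per (client, domain) so the verdict is attributed to one device, not averaged over a fleet."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client_id"], r["domain"])].append(r["timestamp"])
    incidents = []
    for (client_id, domain), stamps in by_pair.items():
        ent = shannon_entropy(domain)
        reasons = []
        if ent > ENTROPY_THRESHOLD:
            reasons.append("dga_entropy")
        if is_beacon(stamps):
            reasons.append("c2_beacon")
        if not reasons:
            continue
        incidents.append({
            "detected_at": max(stamps).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "client_id": client_id,
            "domain": domain,
            "entropy": round(ent, 2),
            "threshold": ENTROPY_THRESHOLD,
            "query_count": len(stamps),
            "reasons": reasons,
            "action": "block" if len(reasons) >= 2 else "review",   # one indicator alone is not enough
        })
    return incidents


def to_siem_json(incident):
    """Structured record for the SIEM; the schema never carries a source IP."""
    assert "source_ip" not in incident
    return json.dumps(incident, sort_keys=True)
```

Run against the sample, the beaconing device gets a block record with both indicators, while the second device that resolved the same domain once gets a review record, which is the per-device attribution the page describes.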
05 — On-Premise Appliance
DNS that never leaves your network.
The Nantevo virtual appliance deploys the complete resolver stack inside your data center or private cloud — as a FreeBSD jail, OCI container, or OVA for VMware and Proxmox. DNS queries resolve locally. Only anonymized RoCi threat signals stream outbound. Sub-10ms response times on-network. A CDN outage anywhere in the world has zero impact on your DNS resolution.
  • FreeBSD jail, OCI container, or VMware/Proxmox OVA
  • Query content stays within your network boundary — always
  • RoCi threat signals stream outbound — no query data ever leaves
  • CDN-independent — outages at the infrastructure layer are irrelevant
Deployment models comparison →
Appliance specifications
Query latency: <10ms on-net
Query data egress: zero
CDN dependency: none
RoCi intelligence: full
appliance: FreeBSD jail · OCI · OVA
queries: resolved locally — never egress
roci: signals only · no query content
latency: <10ms on-network
available on Business + Enterprise plans
Platform coverage

Every device in your environment.
Proven across all of them.

Device coverage was verified over 2.5 years of production operation on real household networks before it became a product claim. Every category below has been running continuously since October 2023.

Apple — zero-touch MDM

Auto-generated profiles deploy OS-level DoH silently via your existing MDM. Overrides browser DoH. System-wide, tamper-resistant from the moment of installation.

iOS · macOS · iPadOS

Windows & Android

Windows 11 native DoH via Group Policy. Android via the Intra app, which takes the full DoH URL, or via the Private DNS setting, which speaks DNS-over-TLS to a hostname and so carries the endpoint subdomain but not the ClientID path. Per-client credentials applied transparently on any network.

Windows 11 · Android

All major browsers

Chrome, Firefox, Brave and Edge each accept a custom DoH resolver URL in their own settings; Safari has no resolver setting of its own and uses the system resolver, which on Apple platforms is the profile-configured endpoint. Browser-level configuration closes the Encrypted DNS Gap on devices where MDM OS-level enforcement isn't available.

Chrome · Firefox · Brave · Edge · Safari

Linux, FreeBSD, servers

Stub resolver configuration on Linux and BSD. Full DoH support across server fleets, developer workstations, and infrastructure hosts on any distribution.

Linux · FreeBSD · OpenBSD

Routers & network-wide

Router-level deployment provides network-wide coverage for every connected device — smart TVs, IoT, guest devices, anything making DNS queries. Proven across household networks since 2023.

Home routers · IoT · Guest devices

Legacy infrastructure

On-premise forwarder ingests plaintext DNS from legacy devices and proxies through authenticated DoH. Printers, network gear, older operating systems — no device left uncovered.

Printers · Network gear · Legacy OS
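The forwarder the Legacy infrastructure and Routers entries rely on is the one piece of the deployment that handles plaintext on the wire, so here is an added example in Python of that role: a UDP listener that accepts classic DNS from a printer or router, relays the raw message over an RFC 8484 POST to the authenticated endpoint, and only hands back a reply whose transaction ID matches. It is not Nantevo's forwarder; the endpoint URL, the listening port, the 512-byte UDP limit and the sample exchange are all assumptions or constructed data, and the DoH transport is injectable so the logic can be exercised offline.

```python
import socket
import urllib.request

DOH_ENDPOINT = "https://r7mxk.example.nantevo.com/q/CLIENTID"   # hypothetical: substitute the real per-client URL
MAX_UDP_REPLY = 512   # assumption: keep plain-UDP replies at the classic limit; larger answers get TC set


def doh_post(wire_query, endpoint=DOH_ENDPOINT, timeout=3.0):
    """RFC 8484 POST: the raw DNS message is the body; the raw DNS response comes back."""
    req = urllib.request.Request(
        endpoint, data=wire_query, method="POST",
        headers={"Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError(f"unexpected upstream content type {ctype!r}")
        return resp.read()


def truncate(answer):
    """Keep header + question, set TC, zero the RR counts; the client then retries over TCP (not handled here)."""
    i = 12
    while i < len(answer) and answer[i] != 0:   # walk the question name; question names are never compressed
        i += 1 + answer[i]
    i += 1 + 4                                  # root label + QTYPE/QCLASS
    hdr = bytearray(answer[:12])
    hdr[2] |= 0x02                              # TC bit
    hdr[6:12] = b"\x00" * 6                     # ANCOUNT, NSCOUNT, ARCOUNT = 0
    return bytes(hdr) + answer[12:i]


def forward(wire_query, transport=doh_post):
    """Forward one plaintext query over authenticated DoH; return the reply, or None to drop silently."""
    if len(wire_query) < 12 or wire_query[2] & 0x80:   # too short, or already a response
        return None
    answer = transport(wire_query)
    if len(answer) < 12 or answer[:2] != wire_query[:2] or not (answer[2] & 0x80):
        return None                                    # ID mismatch or not a response: never relay it
    return truncate(answer) if len(answer) > MAX_UDP_REPLY else answer


def serve(bind=("127.0.0.1", 5353), transport=doh_post):
    """UDP listener for legacy devices. Point their DNS server setting at this address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(4096)
        try:
            reply = forward(data, transport)
        except Exception:                              # upstream failure: drop; the stub will retry
            reply = None
        if reply:
            sock.sendto(reply, peer)


# Constructed sample exchange (A query for example.com, answer 192.0.2.1) for offline testing
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")
SAMPLE_ANSWER = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                 b"\x07example\x03com\x00\x00\x01\x00\x01"
                 b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01")

if __name__ == "__main__":
    serve()
```

Because the upstream is the per-client endpoint, every query from every legacy device behind this forwarder is attributed to the forwarder's ClientID, which is the right expectation to set for per-device telemetry on that segment.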
Deployment models

Your infrastructure.
Your requirements. Your choice.

The same authentication architecture and RoCi intelligence operate across all three models. The choice is about where queries travel and where they resolve.

Cloud

Nantevo-hosted resolvers

Globally distributed resolver nodes, MDM profile push for zero-touch Apple fleet enrollment. Fastest path to full fleet protection — operational within hours. 15.52ms production average, 99.97% uptime.

best for: distributed teams, cloud-native, fastest deployment
Hybrid

Split resolver path

Your DoH endpoint on your own subdomain. Internal domains resolve locally. External queries route to Nantevo upstream. Unified RoCi telemetry across both resolution paths.

best for: hybrid data centers, mixed on-prem and cloud
On-Premise

Self-contained resolver

Complete resolver stack as a virtual appliance in your DC. DNS queries never leave your network; only anonymized RoCi threat signals egress. CDN-independent. Sub-10ms on-network. Available as FreeBSD jail, OCI container, or OVA.

best for: regulated industries, high-security, data residency requirements
Competitive comparison

What changes when authentication
lives in the transport layer.

The differences are architectural, not incremental. They compound across every device, every update cycle, and every unmanaged endpoint in your organization.

Capability | Nantevo | Cisco Umbrella | Infoblox
Endpoint agent required | None — ever | Required | Required
BYOD & unmanaged device coverage | Any DoH-capable device | Partial | Partial
Browser DoH override (Encrypted DNS Gap) | OS-level MDM profile | Gap remains | Gap remains
MDM zero-touch Apple fleet enrollment | Auto-generated profile | Manual | Manual
Per-device (not fleet) threat telemetry | 1:1 attribution | Partial | Partial
Instant credential-layer revocation | Virtual host removal | Policy push needed | Policy push needed
On-premise appliance, queries never egress | Jail · Container · OVA | Limited | Available
AI analysis in query path | Never — async only | Inline latency | Inline latency
Production uptime record | 99.97% · 2.5 yrs | Enterprise SLA | Enterprise SLA
Open source stack — auditable | Full transparency | Proprietary | Proprietary

Compliance & framework alignment

NSA · CISA · 2021
PDNS Guidance
Aligned with joint advisory recommending PDNS to mitigate the 90% of malware using DNS for C2
NIST SP 800-207
Zero Trust Architecture
DNS as a Policy Enforcement Point — every query authenticated, no network implicitly trusted
NIST SP 800-81r3 · 2025
Secure DNS Deployment
NIST's 2025 guidance for secure DNS deployment, including encrypted DNS: DoH enforced on all enrolled devices
CISA PDNS · 2022
Federal PDNS Model
Architecture modeled on the CISA federal PDNS resolver — the same foundational design at enterprise scale
What security teams say

Early adopter perspective.

"The only PDNS vendor that didn't require software on every device. For a 200-person distributed team, that deployment difference was the decision."
— Director of Security Engineering, global SaaS company
"The 1:1 attribution caught a compromised laptop within hours of enrollment. Previous solution averaged it out of fleet-level data. RoCi gave us the exact device immediately."
— VP Engineering, Series C fintech
"On-premise appliance was the deciding factor. DNS doesn't leave our data center, we get full RoCi intelligence, and a CDN outage has zero impact. That's the architecture we needed."
— CISO, regulated financial services firm

See it protecting a fleet
in under 60 minutes.

Live demo — your devices, your environment, your questions answered by the people who built it. No slide decks. No BDR handoff.