This page covers everything a security engineer, CISO, or vendor risk assessor needs to evaluate Nantevo's security posture — authentication architecture, credential design, data handling, supply chain transparency, responsible disclosure, and penetration testing coordination.
Questions not answered here:
[email protected]
Transport-layer credential design and properties
What is logged, what is not, and where data lives
Full stack transparency — no black boxes
How to report a vulnerability and what to expect
Coordinating third-party assessment for enterprise
Framework alignment and certification roadmap
Nantevo's authentication model embeds client identity into the DoH endpoint URL itself — validated at the reverse proxy before the request reaches the DNS resolver. There is no agent, no kernel extension, no certificate to manage on endpoints. The credential pair is the security boundary.
At 25 characters of lowercase alphanumeric (36 symbols), each field carries log₂(36²⁵) ≈ 129 bits of entropy. Both fields must be correct simultaneously. The combined search space exceeds the energy budget of the observable universe for brute force at any foreseeable computing power, including quantum systems running Grover's algorithm.
Unauthenticated or incorrectly authenticated requests receive no response — not a 401, not a timeout, not a connection reset. Silence. This eliminates oracle feedback that would allow an attacker to distinguish between a wrong endpoint and a wrong ClientID, or to confirm that a given endpoint exists at all. Scanning is structurally indistinguishable from sending to a nonexistent host.
Revoking a client means removing their nginx virtual host configuration and reloading nginx. There is no credential store to invalidate, no token to expire — the subdomain simply stops having a matching configuration. Future requests to that endpoint receive a 444 silent drop, indistinguishable from any other unauthenticated probe. No device action required, no MDM push, no agent to remove.
There is no credential store, no authentication service, and no Nantevo binary on any enrolled device. Authentication is the nginx virtual host configuration itself — a request either matches the location block for that ClientID or it doesn't. There is no runtime lookup to intercept, no database to compromise, no authentication middleware to attack. The attack surface that agent-based solutions introduce does not exist here.
secrets module — OS CSPRNG exclusivelyAll credential generation uses Python's secrets module, which draws from the operating system's cryptographically secure pseudorandom number generator. The random module is never used for security-sensitive values. The alphabet is lowercase alphanumeric (a–z, 0–9) — DNS-safe for subdomain use, maximizing entropy per character within the constraint that the DNS backend requires lowercase only for ClientIDs.
DNS telemetry is security-sensitive data. Nantevo's logging policy is designed to give security teams the attribution and forensic data they need while minimizing the data collected and eliminating third-party exposure entirely.
Timestamp, authenticated ClientID, DNS response code, resolution latency, and threat classification. This is the minimum needed for 1:1 device attribution and RoCi behavioral analysis. Retention window is configurable per organization.
Default · configurable retentionThe domain name being resolved is part of standard telemetry. This is what enables blocked domain event lists, RoCi's DGA entropy scoring, per-client behavioral baselines, and incident forensics. Without the domain, the security product cannot perform its core functions. Retention window is configurable per policy.
Standard telemetry · configurable retentionYour DNS telemetry is never sold, shared with, or accessible by any third party for any purpose — including advertising, analytics, or threat intelligence aggregation. It is not used to improve Nantevo's general threat model without explicit consent. It belongs to your organization.
Zero sharing · zero advertisingDNS query content is not inspected beyond the domain string. HTTPS payloads are never examined. The DoH transport encrypts query content end to end.
DNS query patterns are analyzed exclusively for security threat detection. They are never used to infer user interests, demographics, or behavior for any commercial purpose.
Telemetry from one customer is never used to inform threat decisions for another customer without explicit opt-in. Per-client baselines are isolated per account.
On-premise appliance deployments resolve DNS locally. The domains your devices resolve stay within your network boundary. Only anonymized RoCi threat signal metadata streams outbound — no query records, no domain names, no device identifiers.
Nantevo's resolver stack is built entirely on open source components with well-understood licenses. Every piece of software in the critical query path can be audited independently. This is not a marketing claim — it's a consequence of how the system was built.
| Component | Role in stack | License | Notes |
|---|---|---|---|
| FreeBSD | Host operating system for all resolver nodes | BSD 2-Clause | Permissive — no distribution obligations. 20+ years of production use across the founding team's infrastructure history. |
| BastilleBSD | Jail-based container isolation for resolver stack components | BSD 2-Clause | Created by Nantevo's founder. Open source, globally deployed in EU telecoms and hotel infrastructure. |
| Nginx | Reverse proxy — TLS termination and credential validation layer | BSD 2-Clause | Open source version. Permissive license. No proprietary modules in the authentication path. |
| AdGuard Home | DNS resolver and threat intelligence filtering engine | GPL v3 | GPL v3 — not AGPL. Network service use carries no GPL obligations. Nantevo's proprietary layers communicate via API, not code linkage — no derivative work relationship. |
| Python 3 | Management tooling, credential generation, MDM profile generation | PSF License | Permissive. secrets module used exclusively for all credential generation — OS CSPRNG backed. |
| Flask | Dashboard and client portal API layer | BSD 3-Clause | Permissive. No distribution obligations. Well-audited dependency tree. |
| Let's Encrypt / ACME | Automated TLS certificate provisioning and rotation | Mozilla Public License | Certificates rotate automatically on 60-day cycle via cron-managed ACME client. Monitoring alerts 14 days before any expiration. |
| Threat intelligence feeds | Blocklist data ingested by AdGuard Home filtering engine | Varies by feed | Only MIT, BSD, Apache 2.0, CC0, CC-BY, and GPL-licensed feeds are used. All CC-BY-NC feeds are explicitly excluded. Feed license compliance is reviewed before any new feed is added. |
Enterprise customers requiring a formal Software Bill of Materials (SBOM) for vendor assessment can request one via [email protected]. We maintain a current dependency inventory and can provide it in CycloneDX or SPDX format. License compliance documentation is available for the on-premise appliance deployment specifically, where distribution obligations apply to GPL-licensed components.
Security research is a public good. If you've identified a potential vulnerability in the Nantevo platform, resolver infrastructure, authentication architecture, credential system, or any associated service, the process below explains exactly what to do and what to expect from us.
For security researchers and evaluators
Contact us privately at [email protected] with a description of the issue, the affected component, and any reproduction steps or proof-of-concept you have available. PGP encryption is available on request — ask for the public key in your initial email.
Receive acknowledgment within 24 hours. We read every security report personally and will confirm receipt and assign a tracking reference within one business day, typically same day.
Receive a timeline within 72 hours. After initial triage we'll provide an assessment of severity and an estimated timeline for investigation and remediation. We'll keep you updated as the investigation proceeds.
Coordinate public disclosure. We ask that researchers allow us a reasonable remediation window before public disclosure. We'll work with you on timing, credit, and the disclosure format. We do not pursue legal action against good-faith researchers following this process.
Organizations that require independent penetration testing of Nantevo's infrastructure as part of their vendor risk assessment process can coordinate directly with the engineering team. We take these seriously and will work to accommodate assessment requirements without disrupting other customers.
For enterprise design partners and procurement evaluations
Contact [email protected] to initiate a penetration testing coordination conversation. We'll work through scope, timing, rules of engagement, and any specific methodology requirements your security team has.
We ask that assessments be coordinated in advance — primarily to ensure that test traffic is clearly distinguished from real customer traffic, that other customers' service quality is protected, and that our team has context to distinguish legitimate testing from an actual incident during the assessment window.
Assessment reports are treated as confidential security documents. We ask for a copy of the final report to drive remediation and will provide a remediation timeline within a reasonable window after report delivery.
Organizations deploying the on-premise virtual appliance can conduct internal penetration testing of the appliance within their own infrastructure without coordination — it's your network and your appliance. We ask only that you share findings so we can improve the hardening of future releases.
Penetration testing coordination is available to enterprise inquiry contacts and design partner organizations. Contact [email protected] to start the conversation.
Nantevo's architecture was designed to align with the security frameworks that govern enterprise DNS security purchasing decisions. Formal certifications are on the roadmap as the platform scales toward general availability.
Organizations requiring compliance documentation — framework mapping narratives, architecture questionnaires, or vendor assessment forms — should contact [email protected]. We have documentation ready for most standard enterprise security questionnaire formats and will work to complete custom forms within a reasonable turnaround.
Reach us directly at [email protected] — or start with a demo and we'll walk through any security architecture questions live with the engineering team.