DNS over TLS

You can enable DNS over TLS (DoT) to secure traffic between ETP Client and ETP DNS resolvers. Without DoT, DNS queries sent over the Internet are unencrypted and travel in plaintext from the DNS client to the DNS resolver. DoT protects this traffic with Transport Layer Security (TLS) encryption, which adds privacy and prevents threat actors on the local network from spoofing DNS responses or hijacking DNS.

You enable DoT in a policy configuration with the DNS-over-TLS Mode setting. You can select from these options:
  • Always Attempts. ETP Client always attempts to use DoT. If DoT is not available, ETP Client falls back to plain DNS. This option is enabled by default.
  • Required. DoT is required. If DoT is not available, ETP Client directs DNS traffic to the local DNS resolver. If the local DNS resolver forwards traffic to ETP DNS, ETP Client shows the "DNS traffic is protected by local network" status. Otherwise, the client shows the "Your device is not protected" status.
  • Disabled. DoT is not used to secure DNS traffic from ETP Client.

In a policy, you can also define the port that's used for DoT. By default, ETP Client uses port 443 because this port is likely already allowed by enterprise firewalls. You can also select port 853. If you use port 853, make sure this port is open and allowed in your firewall. For more information on how to configure your firewall, see Update enterprise firewall, on-premise proxy, and allowlists.
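The following Python is an added example, not Akamai's or ETP Client's code. It shows how a DoT client frames DNS messages over TLS on the configured port (443 or 853) and models the three DNS-over-TLS Mode values above; the mode strings, the `resolve` helper and its return values are assumptions that simplify the real client's behaviour (including how the local-network status is determined).

```python
import socket
import ssl
import struct

# DNS over TLS (RFC 7858) prefixes every DNS message with a 2-byte big-endian length.
def dot_frame(dns_message: bytes) -> bytes:
    return struct.pack("!H", len(dns_message)) + dns_message

def dot_unframe(stream: bytes) -> bytes:
    if len(stream) < 2:
        raise ValueError("short DoT frame")
    (length,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + length:
        raise ValueError("truncated DoT frame")
    return stream[2:2 + length]

def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS query: header (RD=1, QDCOUNT=1), QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def send_over_tls(query: bytes, resolver: str, port: int, timeout: float = 3.0) -> bytes:
    """DoT transport: TLS to the resolver on port 443 or 853 (853 is the IANA-assigned DoT port)."""
    ctx = ssl.create_default_context()  # verifies the resolver certificate against system CAs
    with socket.create_connection((resolver, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=resolver) as tls:
            tls.sendall(dot_frame(query))
            hdr = tls.recv(2)
            (length,) = struct.unpack("!H", hdr)
            body = b""
            while len(body) < length:
                chunk = tls.recv(length - len(body))
                if not chunk:
                    break
                body += chunk
            return dot_unframe(hdr + body)

def resolve(query: bytes, mode: str, dot_send, plain_send):
    """Simplified model of the DNS-over-TLS Mode setting; returns (response, path)."""
    if mode == "Disabled":
        return plain_send(query), "plain"           # DoT never attempted
    try:
        return dot_send(query), "dot"               # DoT succeeded
    except OSError:
        if mode == "Always Attempts":
            return plain_send(query), "plain"       # fall back to plain DNS
        return None, "local"                        # Required: traffic goes to the local resolver
```

`send_over_tls` needs network access to a real DoT resolver; `resolve` is written against injectable transports so the mode logic can be exercised without one.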

When DoT is enabled for ETP Client, the client shows a padlock icon to indicate that traffic is private and encrypted with TLS.

Important: Many browsers have introduced an option to use public DNS-over-HTTPS (DoH) or DNS-over-TLS servers. These protocols bypass ETP DNS security controls. As a best practice, configure enterprise computers to disable DoH and DoT in the browser, so that the browser relies on ETP Client DoT instead. Your organization should also block the Anonymizers and DNS-over-HTTPS Providers AUP categories in a policy to prevent ETP security from being bypassed. For instructions on blocking DoH on enterprise browsers, see Disable DNS over HTTPS on enterprise browsers.