DNS over TLS
You can enable DNS over TLS (DoT) to secure traffic between ETP Client and ETP DNS resolvers. Without DoT, DNS queries sent over the Internet are unencrypted and travel in plaintext from the DNS client to the DNS resolver. DoT protects this traffic with Transport Layer Security (TLS) encryption, which adds privacy and prevents threat actors on the local network from spoofing DNS traffic or hijacking DNS. In a policy, you can select one of these DoT settings:
- Always Attempts. Indicates that ETP Client always attempts to use DoT. If DoT is not available, ETP Client falls back to plain DNS. This option is enabled by default.
- Required. Indicates that DoT is required. If the DoT connection cannot be established, the client shows that the device is not protected.
- Disabled. Indicates that DoT is not used to secure DNS traffic from ETP Client.
In a policy, you can also define the port that’s used for DoT. By default, ETP Client uses port 443, because this port is likely to be allowed in enterprise firewalls. You can also select port 853. If you use port 853, make sure this port is available and allowed in your firewall. For more information on how to configure your firewall, see Update enterprise firewall, on-premise proxy, and allowlists.
When DoT is enabled for ETP Client on a laptop or desktop computer, the client shows a padlock icon to indicate that traffic is private and encrypted with TLS.
If DoT cannot be used, the client falls back to DNS over UDP (DoU). This can occur if DoT is blocked by a firewall or by enterprise middleboxes. It can also occur when DoT is disabled, or when the administrator configures the client to Always Attempt a DoT connection and that connection cannot be established.
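The following script is an added example, not ETP Client code or an Akamai API; it models the three policy settings above (Always Attempts, Required, Disabled) and the fallback behaviour just described, so an administrator can see what each setting does when a DoT connection succeeds or is blocked. It builds a real DNS wire-format query, sends it over TLS with the RFC 7858 two-byte length prefix on the configured DoT port (853 or 443), and falls back to DNS over UDP only when the setting allows it. The resolver address `192.0.2.53`, the hostname `example.com` and the `simulated_*` transport functions are constructed stand-ins so the fallback logic can be exercised offline; the `query_dot` and `query_udp` functions perform the real network exchange when pointed at a live resolver.

```python
import socket
import ssl
import struct

# Policy settings mirroring the three DoT options described on the page.
MODE_ALWAYS_ATTEMPT = "always_attempt"  # try DoT, fall back to plain DNS
MODE_REQUIRED = "required"              # DoT or nothing: report "not protected"
MODE_DISABLED = "disabled"              # plain DNS only


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (recursion desired) for `name`; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes, txid: int = 0x1234) -> list:
    """Return the IPv4 addresses from the answer section of a DNS response."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    off = 12
    for _ in range(qd):                # skip the echoed question(s)
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before full message")
        buf += chunk
    return buf


def query_dot(resolver_ip: str, query: bytes, port: int = 853,
              server_name: str = None, timeout: float = 3.0) -> bytes:
    """Send one DNS query over TLS (RFC 7858: 2-byte length prefix) and return the answer."""
    ctx = ssl.create_default_context()   # verifies the resolver's certificate chain
    with socket.create_connection((resolver_ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name or resolver_ip) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return _recv_exact(tls, length)


def query_udp(resolver_ip: str, query: bytes, port: int = 53, timeout: float = 3.0) -> bytes:
    """Plain DNS over UDP: the unencrypted fallback path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, port))
        return s.recv(4096)


def resolve(name: str, resolver_ip: str, mode: str, dot_port: int = 853,
            dot=query_dot, udp=query_udp) -> tuple:
    """Apply the policy setting; returns (addresses, transport, protected)."""
    query = build_query(name)
    if mode != MODE_DISABLED:
        try:
            return parse_a_records(dot(resolver_ip, query, dot_port)), "dot", True
        except OSError:                  # blocked port, TLS failure, timeout, refused
            if mode == MODE_REQUIRED:
                return [], "none", False  # client would show "device not protected"
    return parse_a_records(udp(resolver_ip, query)), "udp", False


# Constructed stand-ins so the policy logic can be exercised without a network.
def sample_response(query: bytes, txid: int = 0x1234) -> bytes:
    """Constructed DNS response echoing the question with one A record 192.0.2.1."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    return header + query[12:] + answer


def simulated_blocked_dot(resolver_ip, query, port):
    raise ConnectionRefusedError("simulated firewall block on port %d" % port)


def simulated_udp(resolver_ip, query):
    return sample_response(query)


if __name__ == "__main__":
    for mode in (MODE_ALWAYS_ATTEMPT, MODE_REQUIRED, MODE_DISABLED):
        print(mode, resolve("example.com", "192.0.2.53", mode,
                            dot=simulated_blocked_dot, udp=simulated_udp))
```

Running the script with the simulated transports shows the three outcomes side by side: Always Attempts silently downgrades to UDP with `protected=False`, Required returns no answer and `protected=False` (the "not protected" state), and Disabled never tries TLS at all. Pointing `resolve` at a live resolver on port 853 or 443 (with `server_name` set to the name on the resolver's certificate) is the quickest way to confirm that a firewall actually permits the chosen DoT port before enforcing the Required setting.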