DNS over TLS
You can enable DNS over TLS (DoT) to secure DNS traffic between ETP Client and the ETP DNS resolvers. Without DoT, DNS queries and responses travel in plaintext between the DNS client and the DNS resolver, so anyone on the path, including on the local network, can read them, spoof responses, or redirect (hijack) queries to a resolver of their choosing. DoT wraps this traffic in Transport Layer Security (TLS), which encrypts it and lets the client verify the resolver's certificate, so a spoofed or hijacked resolver fails the TLS handshake instead of being used silently. ETP Client supports these DoT modes:
- Always Attempts. ETP Client always tries DoT first. If DoT is not available, the client falls back to plain (unencrypted) DNS. This option is enabled by default. Note that this fallback means an attacker who can block the DoT port can downgrade DNS to plaintext; select Required if that is not acceptable.
- Required. DoT is required. If DoT is not available, ETP Client sends DNS traffic to the local DNS resolver instead. If the local DNS resolver forwards queries to ETP DNS, ETP Client shows the Protected by local network status. Otherwise, ETP Client shows the Your device is not protected status.
- Disabled. DoT is not used, and DNS traffic between ETP Client and ETP DNS is sent in plaintext.
In a policy, you can also define the port that is used for DoT. By default, ETP Client uses port 443, because enterprise firewalls typically already allow outbound traffic on that port. You can instead select port 853, the port registered for DoT in RFC 7858. If you use port 853, make sure that outbound traffic on this port is available and allowed in your firewall before you make DoT required. For more information on how to configure your firewall, see Update enterprise firewall, on-premise proxy, and allowlists.
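The following Python script is added here as an illustration; it is not Akamai's code and is not part of ETP Client. It shows what a DoT exchange looks like on the wire (a normal DNS query with a 2-byte length prefix, sent inside a verified TLS session) and can be run from a managed device to check whether a TLS session to a resolver can actually be established on port 443 and on port 853 before you switch a policy to Required. The resolver address, the SNI name and the query name are placeholders you must replace; the script assumes nothing about the addresses of the ETP DNS resolvers.

```python
# Minimal DNS-over-TLS (RFC 7858) client and port probe. Illustration only,
# not Akamai's code. RESOLVER, SNI_NAME and QNAME are placeholders.
import random
import socket
import ssl
import struct
from typing import Dict, List, Optional

RESOLVER = "203.0.113.10"      # placeholder (RFC 5737 documentation range); replace
SNI_NAME = "resolver.example"  # placeholder name on the resolver's certificate; replace
QNAME = "example.com"          # any name to resolve


def build_query(qname: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build an RFC 1035 wire-format query (QCLASS IN, recursion desired)."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def frame_dot(msg: bytes) -> bytes:
    """DoT reuses DNS-over-TCP framing: a 2-byte big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(msg: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name starting at pos."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, name ends
            return pos + 2
        pos += 1 + length


def parse_a_records(msg: bytes) -> List[str]:
    """Return the IPv4 addresses in the answer section; raise on non-zero RCODE."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("resolver returned RCODE %d" % rcode)
    pos = 12
    for _ in range(qdcount):           # skip the echoed question(s)
        pos = _skip_name(msg, pos) + 4  # + QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(msg, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS session early")
        buf += chunk
    return buf


def dot_query(resolver: str, qname: str, port: int = 853,
              sni: Optional[str] = None, timeout: float = 3.0) -> List[str]:
    """Resolve qname over a verified TLS session to resolver:port.

    create_default_context() validates the resolver certificate against the
    system trust store and checks it against `sni`, so a spoofed or hijacked
    resolver fails the handshake instead of answering. Any OSError raised
    here (ssl.SSLError is one) is what "DoT is not available" means.
    """
    ctx = ssl.create_default_context()
    query = build_query(qname)
    with socket.create_connection((resolver, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni or resolver) as tls:
            tls.sendall(frame_dot(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            response = _recv_exact(tls, length)
    if response[:2] != query[:2]:
        raise ValueError("transaction ID mismatch; response is not for our query")
    return parse_a_records(response)


def probe_dot_ports(resolver: str, qname: str, sni: Optional[str] = None,
                    ports=(443, 853)) -> Dict[int, str]:
    """Try a full DoT query on each candidate port; a port that fails here is
    one the firewall or proxy is not letting through (or the resolver does not
    serve DoT on it)."""
    report = {}
    for port in ports:
        try:
            report[port] = "ok: " + ", ".join(dot_query(resolver, qname, port, sni))
        except (OSError, ValueError) as exc:
            report[port] = "failed: %s" % exc
    return report


if __name__ == "__main__":
    for port, status in probe_dot_ports(RESOLVER, QNAME, SNI_NAME).items():
        print("port %d: %s" % (port, status))
```

Run it from a device on the network segment in question, with RESOLVER and SNI_NAME set to your resolver. A "failed" entry for port 853 together with an "ok" entry for port 443 is the case the firewall note above warns about; a failure on both ports usually means an on-premise proxy or firewall is intercepting or blocking the TLS session.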
When DoT is enabled for ETP Client, the client shows a padlock icon to indicate that DNS traffic is private and encrypted with TLS.