DNS over TLS

You can enable DoT to secure traffic between ETP Client and SIA DNS resolvers. Without DoT, DNS queries travel unencrypted and can be read in plaintext by anyone on the path from the DNS client to the DNS resolver. DoT wraps this traffic in TLS, which adds privacy and prevents a threat actor on the local network from reading the queries, spoofing responses, or redirecting (hijacking) the client's DNS traffic to a resolver of their choosing.

You enable DoT in a policy configuration with the DNS-over-TLS Mode setting. You can select from these options:

  • Always Attempts. Indicates that ETP Client always attempts to use DoT. If DoT is not available, ETP Client falls back to plain DNS. This option is enabled by default.

  • Required. Indicates that DoT is required. If the DoT connection cannot be established, the client shows that the device is not protected.

  • Disabled. Indicates that DoT is not used to secure DNS traffic from ETP Client.

In a policy, you can also define the port that's used for DoT. By default, ETP Client uses port 443, because this port is very likely already allowed outbound in enterprise firewalls. You can also select port 853, the port registered for DoT in RFC 7858. If you use port 853, make sure this port is available and allowed outbound in your firewall. For more information on how to configure your firewall, see Update enterprise firewall, on-premise proxy, and allowlists.

When DoT is enabled for ETP Client on a laptop or desktop computer, the client shows a padlock icon to indicate that DNS traffic is private and encrypted with TLS.


If DoT cannot be used, the client falls back to DNS over UDP (DoU). This can occur when DoT is blocked by a firewall or by an enterprise middlebox, for example a TLS-inspecting proxy that breaks the certificate validation DoT depends on. It also occurs when DoT is disabled in the policy, or when the administrator configures the client to Always Attempt a DoT connection and that connection cannot be established.
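To verify from an endpoint whether a DoT connection to your resolver actually succeeds on port 443 or 853, and to see how the three DNS-over-TLS Mode settings decide what happens when it does not, here is an added example script. It is not part of ETP Client or Akamai's documentation: the resolver name, the probe query for example.com, and the state labels returned by client_state are assumptions. The probe validates the server certificate against the system trust store, so a TLS-intercepting proxy on port 443 fails it just as a blocking firewall would, which is exactly the condition that triggers the fallback described above.

```python
import socket
import ssl
import struct
from typing import Optional

# Added example, not ETP Client code. Replace the placeholder resolver with the
# SIA resolver address from your policy; everything except probe_dot/probe_udp
# is pure and runs offline.
EXAMPLE_RESOLVER = "dot.resolver.example"   # assumption: your SIA resolver
DOT_PORTS = (443, 853)                      # the two ports the policy offers


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal RFC 1035 query: recursion desired, one question, A record by default."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)     # QTYPE, QCLASS=IN


def frame_dot(msg: bytes) -> bytes:
    """DoT (RFC 7858) carries DNS inside TLS with the DNS-over-TCP framing:
    a two-byte big-endian length followed by the message."""
    return struct.pack("!H", len(msg)) + msg


def unframe_dot(data: bytes) -> bytes:
    """Inverse of frame_dot; raises on a truncated frame instead of returning garbage."""
    if len(data) < 2:
        raise ValueError("no length prefix")
    (length,) = struct.unpack("!H", data[:2])
    if len(data) < 2 + length:
        raise ValueError("short DoT frame")
    return data[2:2 + length]


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header: enough to tell a real answer from junk."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F, "ancount": an}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection")
        buf += chunk
    return buf


def probe_dot(host: str, port: int, server_name: Optional[str] = None, timeout: float = 3.0) -> bool:
    """What 'Always Attempts' tries first: a TLS handshake on `port`, then one query.

    Certificate validation uses the system trust store, so a middlebox that
    re-signs the TLS session fails here just as a blocking firewall does.
    """
    query = build_query("example.com")
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
                tls.sendall(frame_dot(query))
                (length,) = struct.unpack("!H", _recv_exact(tls, 2))
                answer = parse_header(_recv_exact(tls, length))
    except (OSError, ssl.SSLError, struct.error, ValueError):
        return False
    return answer["qr"] and answer["id"] == parse_header(query)["id"]


def probe_udp(host: str, port: int = 53, timeout: float = 3.0) -> bool:
    """Plain DNS over UDP (DoU), the transport the client falls back to."""
    query = build_query("example.com")
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (host, port))
            data, _ = s.recvfrom(512)
    except OSError:
        return False
    return parse_header(data)["qr"]


def client_state(mode: str, dot_reachable: bool) -> str:
    """State the client ends up in for each DNS-over-TLS Mode setting (labels are ours)."""
    if mode == "Disabled":
        return "udp"
    if mode == "Required":
        return "dot" if dot_reachable else "not protected"
    if mode == "Always Attempts":
        return "dot" if dot_reachable else "udp"
    raise ValueError(f"unknown mode {mode!r}")


def report(host: str, mode: str = "Always Attempts") -> dict:
    """Probe each selectable port, apply the policy, and return {port: state}."""
    result = {}
    for port in DOT_PORTS:
        ok = probe_dot(host, port)
        result[port] = client_state(mode, ok)
        print(f"port {port}: DoT {'ok' if ok else 'blocked'} -> {result[port]}")
    return result


if __name__ == "__main__":
    report(EXAMPLE_RESOLVER)
```

Run it from inside the network segment whose firewall you are checking; a False from probe_dot on 853 but True on 443 tells you the standard DoT port is filtered, while False on both usually points at TLS interception or an outbound block rather than at the resolver. The probe only proves that a well-formed answer came back over a validated TLS session; it says nothing about what the ETP Client itself negotiated.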

Caution:

Many browsers include an option to send their DNS queries to public DoH or DoT servers. A browser that does this resolves names on its own, so its queries never reach ETP Client and bypass SIA DNS security controls. As a best practice, configure enterprise devices to disable DoH and DoT in the browser. This forces the browser to use the operating system resolver, and therefore ETP Client DoT, instead. Your organization should also block the Anonymizers and DoH Providers AUP categories in a policy, so that a browser or other application that still tries a public DoH server cannot use it to bypass SIA security. For instructions on blocking DoH on enterprise browsers, see Disable DNS over HTTPS on enterprise browsers.