DNS over TLS

You can enable DoT to secure traffic between ETP Client and SIA DNS resolvers. Without DoT, DNS queries sent over the Internet are unencrypted and visible in plaintext as they travel from a DNS client to a DNS resolver. DoT encrypts this traffic with TLS, which adds privacy and prevents threat actors from spoofing traffic or hijacking DNS from the local network.

You enable DoT in a policy configuration with the DNS-over-TLS Mode setting. You can select from these options:

  • Always Attempts. Indicates that ETP Client always attempts to use DoT. If DoT is not available, ETP Client falls back to plain DNS. This option is enabled by default.

  • Required. Indicates that DoT is required. If the DoT connection cannot be established, the client shows that the device is not protected.

  • Disabled. Indicates that DoT is not used to secure DNS traffic from ETP Client.

In a policy, you can also define the port that’s used for DoT. By default, ETP Client uses port 443 because this port is likely to be allowed in enterprise firewalls. However, you can also select port 853. If you use port 853, make sure this port is available and allowed in your firewall. For more information on how to configure your firewall, see Update enterprise firewall, on-premise proxy, and allowlists.

When DoT is enabled for ETP Client on a laptop or desktop computer, the client shows a padlock icon to indicate that traffic is private and encrypted with TLS.


If DoT cannot be used, the client falls back to DNS over UDP (DoU). This can occur if DoT is blocked by a firewall or by enterprise middleboxes. It can also occur when DoT is disabled, or when the administrator configures the client to Always Attempt a DoT connection and this connection cannot be established.
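
To check from a managed network whether a firewall or middlebox is what forces the fallback, you can send one DoT query on each of the two configurable ports. This is an added example, not Akamai code: it uses standard DoT framing (a DNS message with a 2-byte length prefix inside TLS), the resolver host is a placeholder assumption, and the function names are hypothetical.

```python
import socket
import ssl
import struct

# Assumption: placeholder host; use the DoT resolver address from your own deployment.
RESOLVER = "dot-resolver.example.invalid"

def build_query(name, qid=0x1234):
    """Encode a DNS A/IN query for `name` with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def frame(message):
    """DoT frames DNS as TCP does: 2-byte big-endian length, then the message."""
    return struct.pack("!H", len(message)) + message

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
    return buf

def parse_reply(message, qid):
    """Return (rcode, answer_count) from an unframed reply, or raise ValueError."""
    if len(message) < 12:
        raise ValueError("shorter than a DNS header")
    rid, flags, _qd, ancount = struct.unpack("!HHHH", message[:8])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F, ancount

def probe(host, port, name="example.com", timeout=3.0):
    """Send one query over TLS on `port`; return a status string."""
    ctx = ssl.create_default_context()  # verifies certificate chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(frame(build_query(name)))
                (length,) = struct.unpack("!H", recv_exact(tls, 2))
                rcode, answers = parse_reply(recv_exact(tls, length), 0x1234)
        return f"ok rcode={rcode} answers={answers}"
    except (OSError, ValueError) as exc:  # firewall drop, TLS failure, bad reply
        return f"failed: {type(exc).__name__}"

if __name__ == "__main__":
    print({port: probe(RESOLVER, port) for port in (443, 853)})
```

A port that reports `failed` with a timeout or connection error while the other reports `ok` points to a firewall rule rather than a client setting.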


Many browsers have introduced an option to work with public DoH or DoT servers. These protocols bypass SIA DNS security controls. As a best practice, you should configure enterprise devices to disable DoH and DoT. This forces your browser to rely on ETP Client DoT instead. Your organization should also block the Anonymizers and DoH Providers AUP categories in a policy to avoid bypassing SIA security. For instructions on blocking DoH on enterprise browsers, see Disable DNS over HTTPS on enterprise browsers.