Encrypted DNS and optional CONNECT egress through the 0Trust edge — DBSC device-bound, not open public resolvers. Mesh Access (ZTNA/shell) is separate; public app barges are TunnelTug.
https://dns.0trust.services/dns-queryhttps://1.0trust.services/dns-queryAuthorization: Bearer <session_id># Browser or 0trust CLI — WebAuthn then DBSC bind # After login, session_id cookie is set and DBSC-bound. # Machine / agent clients can pass the session: curl -H "Authorization: Bearer $SESSION_ID" \ --data-binary @query.bin -H "Content-Type: application/dns-message" \ https://dns.0trust.services/dns-query
# Prefer the 0trust agent local DoH that attaches DBSC. # Or register the edge with a client that injects the session: Add-DnsClientDohServerAddress -ServerAddress <services-edge-ip> -DohTemplate "https://dns.0trust.services/dns-query" -AllowFallbackToUdp $true -AutoUpgrade $true # Unauthenticated OS DoH without a session is rejected (401 dbsc_required).
# DBSC session required (Bearer or cookie). Optional egress_token on top. curl -x https://dns.0trust.services:443 \ -H "Proxy-Authorization: Bearer $SESSION_ID" \ https://example.com
JSON status · Sign in + DBSC · Mesh Access ZTNA is on agent {sub}.0trust.services