0trust.services · Shield

Privacy DNS & secure egress

Encrypted DNS and optional CONNECT egress through the 0Trust edge — DBSC device-bound, not open public resolvers. Mesh Access (ZTNA/shell) is separate; public app barges are TunnelTug.

DoH endpointhttps://dns.0trust.services/dns-query
Short facehttps://1.0trust.services/dns-query
DBSCrequired (device-bound session)
Query loggingoff (privacy mode)
Secure egressenabled
Queries served0
DBSC denials8

What you get

1. Bind the device

# Browser or 0trust CLI — WebAuthn then DBSC bind
# After login, session_id cookie is set and DBSC-bound.

# Machine / agent clients can pass the session:
curl -H "Authorization: Bearer $SESSION_ID" \
  --data-binary @query.bin -H "Content-Type: application/dns-message" \
  https://dns.0trust.services/dns-query

2. Windows DoH (via agent session)

# Prefer the 0trust agent local DoH that attaches DBSC.
# Or register the edge with a client that injects the session:

Add-DnsClientDohServerAddress -ServerAddress <services-edge-ip> -DohTemplate "https://dns.0trust.services/dns-query" -AllowFallbackToUdp $true -AutoUpgrade $true

# Unauthenticated OS DoH without a session is rejected (401 dbsc_required).

3. CONNECT egress

# DBSC session required (Bearer or cookie). Optional egress_token on top.
curl -x https://dns.0trust.services:443 \
  -H "Proxy-Authorization: Bearer $SESSION_ID" \
  https://example.com

JSON status · Sign in + DBSC · Mesh Access ZTNA is on agent {sub}.0trust.services