Teams should ask what DNS observability collects, which decision each field supports, where live and retained data become plaintext, who holds decryption keys, how roles constrain access, and when history disappears. They should also test denied access, removal, rotation, exports, and DNS interpretation limits before accepting an encryption claim.
This is a privacy buyer checklist, not a feature-count contest. Use it to compare a service with your actual security, support, and accountability needs. The desired outcome is observability that answers defined questions while keeping ordinary browsing activity away from unnecessary readers. A vendor should be able to demonstrate every important boundary rather than merely describe it.
Begin the purchase with seven answers
| Question | Acceptable evidence | Warning sign |
|---|---|---|
| What is retained? | Named fields and explicit exclusions | “Everything needed for analytics” |
| Why is it retained? | Decision, owner, and stop condition | Open-ended security purpose |
| Where is plaintext? | Live and retained data-flow diagram | One undifferentiated encryption claim |
| Who holds keys? | Key recipients, storage, recovery, and rotation | Provider access left implicit |
| Who may read detail? | Scoped roles with denied-path tests | Every administrator |
| How long does it remain? | Enforced retention and deletion proof | Indefinite default |
| What can a row prove? | Written interpretation limits | Behavioral certainty from a domain |
Start with a concrete case such as diagnosing a false block for payroll or bounding a reported phishing lookup. Ask which aggregate or detailed fields change the decision. A timestamp, resource identifier, policy outcome, and hostname may be justified for a short case; source addresses, long retention, or every team resource may not be. Data minimization is visible in exclusions, not just in an encryption diagram.
RFC 9076 says DNS transactions and linked sequences can expose sensitive interests and use patterns. It also explains that requests can come from embedded content, applications, and prefetching rather than deliberate navigation.1 A buyer should therefore demand protection against unnecessary reading while rejecting any claim that DNS history is a complete or intention-aware account of browsing.
Trace one query through every trust zone
- Identify the resource and the resolver path it actually uses on each relevant network.
- Mark where encrypted transport begins and ends and where the resolver processes the live hostname.
- List exactly which activity fields, summaries, or policy outcomes become retained data.
- Follow retained ciphertext through queues, databases, backups, diagnostics, and exports.
- Identify where decryption occurs, which private keys are present, and which roles can request access.
- Map expiry, deletion, member removal, key rotation, recovery, and temporary plaintext cleanup.
Do not let DNS-over-HTTPS or another encrypted transport answer the retained-data question. Transport protects a network hop to the chosen resolver. The resolver still receives the DNS question. End-to-end encrypted retained activity addresses later storage and access. Database encryption addresses another layer. A credible design names each endpoint and never turns one protection into a blanket “zero visibility” promise.
DNS filtering itself operates on domain lookups and policy outcomes. It cannot read a page body, full URL path, typed search, form entry, file, in-app chat, voice audio, or full browser history. It also cannot prove which person initiated a background request. Write those exclusions into analyst guidance, incident procedures, employee notices, and vendor acceptance criteria.
Score least privilege as an operating system
Encryption supports least privilege only when the operating model separates powers. Policy editors need not read history. A privacy reviewer may inspect configuration evidence without decrypting a row. An incident responder may need a named Tenant and interval but no membership authority. A key-recovery approver should not automatically become a routine reader. NIST control guidance treats least privilege as limiting access to what assigned tasks require.2
- Use aggregate coverage and policy outcomes as the routine operational surface.
- Require purpose, owner, scope, fields, interval, readers, and expiry before detail opens.
- Make Tenant or Space roles narrower than account membership and general administration.
- Test that removal ends authorization and future key access instead of trusting a directory label.
- Control screenshots, exports, case notes, backups, and recovered keys as part of the plaintext lifecycle.
Ask how a new reader receives key access without borrowing someone else’s credential. Then ask what happens after departure, suspected compromise, or lost key material. Strong initial encryption can be undermined by stale grants or an unreviewed recovery path. The service should explain whether old retained data is deleted, made unavailable, or re-encrypted, and show how remaining authorized users approve the transition.
Run a buyer proof session
Use harmless test domains and synthetic account roles, not real employee browsing. Confirm a known policy outcome appears in aggregate evidence. Authorize one short detailed review, decrypt it through the intended client boundary, and close it. Then repeat with an account member who has no Tenant role, a role that permits policy changes but not history, a member of another Tenant, and a removed reader. Every denied case should remain unreadable.
Inspect service logs, browser storage, downloads, support diagnostics, traces, and error messages during the exercise. No backend artifact should acquire the decrypted row or private key. Exercise recovery and rotation. Verify expiry and deletion behavior. Finally, ask the analyst what the test lookup proves. A correct answer describes the resource, domain request, time, and policy result without inventing page content or human intent.
Reject comforting but empty answers
- “Military-grade encryption” without algorithm, key-holder, endpoint, or recovery details.
- “No one can read it” when privileged backend code can request decryption.
- “Least privilege” when all administrators inherit detailed-history access.
- “Anonymous analytics” without an explanation of linking, resource identifiers, and re-identification risk.
- “Short retention” without a duration, enforcement mechanism, backup behavior, or deletion test.
- “Complete browsing visibility” from DNS data that lacks content, paths, searches, messages, and intent.
Also reject a product demonstration that begins by enabling broad detailed collection on real people. The safer proof starts with aggregates, synthetic roles, and harmless domains. Detailed access is introduced only to validate a named workflow. Managed BYOD support in Veilty is planned for Enterprise use, so a buyer should not interpret this checklist as a current personal-device rollout or setup guide.
Encrypted observability buyer questions
What is the first question to ask an encrypted DNS analytics vendor?
Ask which components and people can turn retained ciphertext into readable activity. “Encrypted” is incomplete without endpoints, key custody, recovery, and authorization. Then ask where the live DNS request is processed, because the resolver must see enough of the question to answer it or apply domain policy.
How does encryption support least-privilege DNS operations?
Encryption can separate backend storage and routine administration from the capability to read retained history. It supports least privilege only when keys and roles are scoped to assigned tasks, aggregates remain the normal view, detailed access has a purpose and expiry, and removed members lose both authorization and future key grants.
Should a team require detailed DNS activity for routine reporting?
Usually not. Coverage, response health, and aggregate allow or block outcomes often answer routine operational questions with less exposure. Require domain-level detail only when a named decision cannot be made from those signals, and constrain the resource set, fields, readers, retention, and time window before anyone decrypts it.
Apply the checklist to one team Tenant
In Veilty, team resources and retained history belong to a Tenant; a household uses a Space, represented as a tenant in the API.3 Reusable baseline and enforced policies can apply across these boundaries. A resource may override its baseline, but it cannot weaken enforced policy. An invitation adds account membership only; after acceptance, a Tenant or Space role grants scoped access. Retained activity is end-to-end encrypted with user-held keys and visible only through permitted roles, while the resolver processes live requests. Review one Tenant against the checklist, remove an unnecessary field or reader, test one denied role, and document the next review date.