A client application manages a resolver configuration and sends DNS requests to a threat protection service when a mobile device operating the client application is operating off-network. The client application detects network conditions and automatically configures an appropriate system-wide DNS resolution setting. DNS requests from the client identify the customer and the device to threat protection (TP) service resolvers without introducing a publicly-visible customer or device identifier. The TP system applies the correct policy to DNS requests coming from off-network clients. In particular, the TP resolver recognizes the customer for requests coming from such clients and applies the customer's policy. The resolver is also configured to log the customer and the device associated with requests from the TP off-net client. Request logs from the TP resolver are provided to a cloud security intelligence platform for threat intelligence analytics and customer visible reporting.