Skip to content
VeraDNSOverview

What is VeraDNS?

VeraDNS is an on-premise, enterprise-grade DNS security platform. Unlike cloud DNS services, it runs entirely on your own infrastructure — giving your organisation complete control over DNS traffic, filtering policy, and audit data, with nothing ever leaving your network.

Network-wide filtering

Block malware, phishing and trackers at the DNS layer for every device — no endpoint agents required.

RBAC, enforced at the API

Owner, Admin and Viewer roles with permissions checked server-side — not hidden in the UI.

Full audit trail

Every config change, login and rule edit is logged with before/after detail, exportable for compliance.

Encrypted DNS

DNS, DoH, DoT, DoQ and DNSSEC validation — enforce encrypted transport for internal clients.

How it works

When a device on your network sends a DNS request, that request is routed to VeraDNS instead of a public resolver. VeraDNS evaluates it against your blocklists and policies, then either resolves it (returning the IP) or blocks it (returning a non-routable answer). This happens before any connection is established — at sub-millisecond speed.

VeraDNS is designed to run alongside your existing network filtering, not replace it. DNS filtering catches what packet filtering misses (and vice versa) — defence in depth.

Data sovereignty by design

VeraDNS runs on any Linux host with Docker. Your DNS queries, configuration and audit logs are never transmitted to external servers. You own your data — guaranteed by architecture, not by policy.

Ready to deploy? Continue to Getting Started

VeraDNSGetting Started

Getting Started

Install VeraDNS, complete the setup wizard, and point your network's DNS at your new resolver — typically live in under 60 minutes.

System requirements

  • Linux server (Ubuntu 20.04+, Debian 11+, RHEL 9+, or equivalent)
  • Docker Engine 20.10+ and Docker Compose v2
  • Minimum: 2 vCPU, 2 GB RAM, 10 GB disk (see sizing guidance)
  • A static IP address on your network
  • Ports 53 (UDP/TCP), 443 (DoH/console) and 853 (DoT) reachable from your clients

Installation

Install with the bootstrap script:

bash
curl -sSL https://install.veradns.io | bash

Or run it manually with Docker Compose:

bash
docker pull veradns/veradns:latest
docker compose up -d
On hosts running systemd-resolved, port 53 may already be in use. Free it first: sudo systemctl stop systemd-resolved and disable its stub listener (see the Linux tab).

First start — setup wizard

Open http://<your-server-ip>:3000 in a browser. The wizard guides you through:

1

Admin interface binding — the interface and port the web console listens on (default: all interfaces, port 3000).

2

DNS service binding — the interface VeraDNS receives queries on (default: all interfaces, port 53).

3

Administrator credentials — create the first Owner account. Store these in your password manager.

4

Finish — click Complete. VeraDNS is now serving DNS and the dashboard is live.

Run as a service & update

Enable automatic start on boot, and update in place when a new release ships (your config persists in a named volume):

bash
sudo systemctl enable --now veradns      # start on boot
docker compose pull && docker compose up -d   # update in place
Blocklists, user rules and user accounts live in a persistent volume outside the container, so they survive updates and re-creates.

Next: point your devices or router

VeraDNSDeployment Topologies

Deployment Topologies

VeraDNS scales from a single branch resolver to a multi-region, high-availability fleet. Choose the topology that matches your network size, uptime requirements and internal-zone needs.

1. Single resolver

One VeraDNS instance serves all clients on a site. Ideal for small offices and single-location teams. Point clients (or the router/DHCP) at the resolver's IP, and set a public fallback (e.g. 1.1.1.1) as secondary so the network degrades gracefully during maintenance.

A public secondary resolver will bypass filtering when used. For enforced filtering, prefer the HA pair below and remove public fallbacks, or block outbound port 53 to anything but VeraDNS at the firewall.

2. High-availability pair

Two (or more) VeraDNS nodes share a virtual IP (VIP) via keepalived (VRRP) or an anycast route. Clients target the VIP; if the active node fails, the standby takes over with no client reconfiguration. Configuration is replicated between nodes so policy stays consistent.

keepalived.conf
vrrp_instance VERA_VIP {
  state MASTER
  interface eth0
  virtual_router_id 53
  priority 200
  virtual_ipaddress { 10.0.0.53/24 }
}

3. Multi-site / distributed

Each location runs a local resolver (or HA pair) for low latency and site survivability, while a central console manages policy and aggregates logs. This mirrors how distributed enterprises run recursive DNS — local resolution, central control. Internal/private zones are handled with conditional forwarding (below).

Conditional forwarding & split-horizon

Forward queries for your internal domains to your authoritative DNS (e.g. Active Directory) while everything else is filtered and resolved upstream. Configure this at Settings → DNS Settings → Conditional forwarding:

  • corp.internal10.0.0.10 (AD / internal authoritative)
  • 10.in-addr.arpa → internal reverse-DNS server
  • everything else → filtered, then your chosen upstream

Sizing guidance

Approximate capacity per node. Real throughput depends on cache hit-rate, blocklist size and encryption overhead — size up for headroom.

NetworkDevicesSustained QPSRecommended node
Small office≤ 100~2,0002 vCPU · 2 GB RAM
Mid-size100–500~10,0004 vCPU · 4 GB RAM
Large / multi-site500–5,000~20,0008 vCPU · 8 GB RAM
Enterprise5,000+20,000+ per nodeHA pair, dedicated hardware
VeraDNSConfiguring Devices

Configuring Devices

Point your devices or router at VeraDNS as their DNS server. Configuring the router is fastest — it automatically covers every device on the network, including those you can't change manually.

Router/DHCP configuration is recommended. It covers smart TVs, IoT devices and game consoles that have no manual DNS setting — with zero per-device setup.

Router — covers all devices

Log into your router's admin interface (usually 192.168.1.1 or 192.168.0.1). Find DNS settings — typically under WAN, Internet, or LAN → DHCP → DNS — and set the primary DNS to your VeraDNS IP.

For enforced filtering, leave the secondary blank or set it to a second VeraDNS node — not a public resolver.

Router interfaces vary by manufacturer. Most consumer routers expose this under Advanced → DHCP → DNS. Consult your router manual if needed.

Windows 11

1

Open Settings → Network & Internet.

2

Click your active connection, then Edit next to DNS server assignment.

3

Switch to Manual, enable IPv4, and set Preferred DNS to your VeraDNS IP.

4

For DoH, choose On (automatic template) and enter your DoH endpoint. Click Save.

macOS

1

Open System Settings → Network.

2

Select your interface, click Details, then the DNS tab.

3

Click +, add your VeraDNS IP, then OK → Apply.

For system-wide DoH/DoT, deploy a signed DNS configuration profile via MDM.

Android 9+

Android's Private DNS (DNS-over-TLS) is the recommended method and applies system-wide:

1

Open Settings → Network & Internet → Private DNS.

2

Select Private DNS provider hostname.

3

Enter your VeraDNS DoT hostname (e.g. dns.yourcompany.internal), then Save.

iOS / iPadOS

The recommended method is a DNS configuration profile (applies system-wide), distributed by your administrator via MDM:

1

Go to Settings → General → VPN & Device Management.

2

Install the VeraDNS DNS profile, tap Install, and follow the prompts.

Wi-Fi only: Settings → Wi-Fi → (i) → Configure DNS → Manual, then add your VeraDNS IP.

Linux

For hosts using systemd-resolved:

/etc/systemd/resolved.conf
[Resolve]
DNS=<your-veradns-ip>
DNSStubListener=no
bash
sudo systemctl restart systemd-resolved
On many distros /etc/resolv.conf is managed by NetworkManager. For a permanent change, configure DNS in the NetworkManager connection rather than editing the file directly.
VeraDNSDNS Filtering

DNS Filtering

DNS filtering intercepts DNS requests and decides whether to resolve or block them based on your policy. VeraDNS sits as a filtering proxy between your devices and the upstream resolver.

Why filter at the DNS layer?

Every connection — web, app, or background service — begins with a DNS lookup. Filtering at this layer is extremely efficient: VeraDNS can block an entire domain before any packet is sent, regardless of device type, app or protocol. Some threats (such as CNAME-cloaked trackers) can only be stopped at the DNS level.

The decision pipeline

  1. Receive the DNS query from a client.
  2. Check the domain against active blocklists, user rules and threat intelligence.
  3. If blocked → return a non-routable answer (0.0.0.0 / NXDOMAIN). The connection never starts.
  4. If allowed → forward to the configured upstream resolver and return the result (cached when possible).

Every decision is recorded in the Query Log with domain, client, status, latency and the matched rule.

Upstream resolvers

Allowed queries are forwarded to your chosen upstream. Configure one or more (for redundancy) at Settings → DNS Settings → Upstream DNS:

  • Standard DNS8.8.8.8, 1.1.1.1
  • DNS-over-HTTPS (DoH)https://dns.cloudflare.com/dns-query
  • DNS-over-TLS (DoT)tls://1.1.1.1
  • DNS-over-QUIC (DoQ) — supported where available

User rule syntax

Beyond managed lists, write your own rules using the widely-adopted adblock-style DNS syntax:

user-rules
||example.com^             # block example.com and all subdomains
@@||allowed.example.com^   # allowlist exception (overrides blocks)
127.0.0.1 ads.example.com  # rewrite to a specific IP
||track.*^$dnstype=A       # block only A-record lookups

Manage these at Filters → User Rules.

VeraDNSBlocklists

Blocklists

Blocklists are curated sets of rules that tell VeraDNS which domains to block. They're maintained by the community and security researchers, and VeraDNS keeps them updated automatically.

Activating a blocklist

1

Open Filters → Blocklists.

2

Browse by category — General, Regional, Security, Other.

3

Click Add next to any list to enable it.

4

VeraDNS downloads and applies the rules immediately; active lists move to the top.

Categories

General

VeraDNS Base Filter

Composite of ad, tracking and social-media filters, optimised for DNS-level blocking.

general

Popup & Popunder Hosts

Blocks domains that open new windows. Compiled from multiple community sources.

general

Regional

AdRules DNS (CN)

Ad and tracker blocking tuned for the Chinese region.

regionalzh-CN

EasyList Thailand

Region-specific ad filtering for Thai sites and services.

regionalth

Security

Phishing Protection (PhishTank / OpenPhish)

Known phishing domains from PhishTank and OpenPhish feeds.

security

Anti-Malware List

DNS-level malware and C2 domain blocking, updated continuously.

security

Custom blocklists

Add any blocklist available as a URL at Filters → Blocklists → Custom → Add custom blocklist — give it a name, the URL, and an optional description.

Each plan caps the total number of filtering rules. If a newly added list pushes you over the limit it is disabled automatically, and a dashboard notification appears.
VeraDNSThreat Protection

Threat Protection

Beyond blocklists, VeraDNS applies continuously-updated threat intelligence to stop phishing, malware, command-and-control and data-exfiltration at the resolver — before any connection is made.

Threat categories

Enable categories at Settings → Security. Each maps to live intelligence feeds and heuristic detection:

CategoryWhat it catchesDefault severity
MalwareDomains hosting or distributing malicious payloads.High
Phishing & scamCredential-harvesting and fraudulent look-alike sites.High
C2 / botnetCommand-and-control callbacks used by infected hosts.High
DNS tunnelling / exfiltrationAbnormal query patterns used to smuggle data out over DNS.High
CryptominingBrowser and host-based coin-mining pools.Medium
Newly-registered / newly-seenDomains created or first observed in the last N days — a strong attack signal.Medium
Typosquatting / look-alikeDomains imitating brands via typos or swapped characters.Medium
Parked / suspiciousDormant domains commonly weaponised later.Low

Newly-registered domain (NRD) filtering

Attackers frequently register a domain hours before launching a campaign. VeraDNS checks the registration/first-seen date of each queried domain and blocks those younger than your configured threshold (default 30 days).

NRD filtering can occasionally flag a legitimate just-launched service. Allowlist it with a user rule: @@||newservice.com^

Typosquatting & DGA detection

VeraDNS scores domains for similarity to known brands (e.g. gooogle.com, paypa1.com) and for algorithmically-generated patterns (high-entropy DGA names used by malware). High-confidence matches are blocked at the DNS level. Tune sensitivity at Settings → Security → Heuristics.

DNS encryption

Encrypt DNS between clients and VeraDNS to prevent interception and tampering on the local network:

  • DNS-over-HTTPS (DoH) — DNS inside HTTPS on 443. Configure at Settings → Encryption.
  • DNS-over-TLS (DoT) — DNS over TLS on 853.
  • DNS-over-QUIC (DoQ) — low-latency encrypted transport.
  • DNSSEC — validates upstream responses cryptographically to stop spoofing and cache poisoning.
VeraDNSQuery Log

Query Log

A real-time view of every DNS request on your network. Filter, search, block or allow domains directly from the log — without leaving the page.

What each entry shows

  • Domain — the queried name
  • Client — device name and source IP (with ASN where available)
  • StatusALLOWED, BLOCKED or CACHED
  • Record type — A, AAAA, CNAME, MX, HTTPS, etc.
  • Latency — round-trip resolution time in milliseconds
  • Matched rule — the blocklist or user rule that caused a block

Block or allow inline

Expand any entry and use Block domain / Unblock domain to update your User Rules instantly. Add user rule lets you write a custom rule (e.g. allow a subdomain while blocking the root).

Filtering & retention

Filter by status, record type, client, time window or domain search. Retention depends on your plan:

PlanQuery & audit log retentionSIEM streaming
Team30 days
Business90 daysREST export
EnterpriseCustomReal-time stream
Disabling query logging (Settings → Log & Statistics) also disables the Statistics dashboard. Only do so if required by your data-retention policy.
VeraDNSRole-Based Access

Role-Based Access Control

Invite team members with scoped permissions. Each member logs in individually — no shared credentials, no shared sessions — and every role is enforced at the API, not just the interface.

RBAC is available on Business and Enterprise plans. Team accounts include a single administrator. Enterprise adds SSO (SAML 2.0) and SCIM provisioning.

Roles

RoleAccess levelTypical use
OwnerFull access including billing and user management. One per account.Account holder.
AdminModify DNS settings, manage blocklists and servers, invite members.IT managers, MSPs.
ViewerRead-only — view settings, query log and statistics; no changes.Compliance, security analysts.

Inviting members

1

Go to Settings → Organisation → Members.

2

Click Add member, enter their work email, and select Admin or Viewer.

3

They receive an email to set up their account; status shows Active once accepted.

Revoking access

Change a role or remove a member at any time. Revocation invalidates their session immediately — they're logged out on their next request. All changes are written to the Audit Log.

VeraDNSAudit Log

Audit Log

A tamper-evident record of every administrative action — configuration changes, logins, rule edits and authentication events — with full before/after traceability.

What is logged

  • Logins, logouts and failed login attempts
  • Configuration changes (DNS settings, upstreams, encryption)
  • Blocklist add / remove / update
  • User-rule add / edit / delete
  • Member invitations, role changes, removals
  • API key generation and revocation

Entry fields

  • Timestamp — exact UTC time
  • Actor — the user who performed the action
  • Event type — Config, Auth, User or Rule
  • Detail — what changed, with before/after values where applicable

Export & compliance

Export as CSV/JSON from Audit Log → Export, or stream to your SIEM via the REST API. The audit log supports ISO 27001, SOC 2 and internal compliance evidence.

Ask your account manager for the compliance export template, which maps audit events to NIST 800-53 and CIS v8 controls.
VeraDNSAPI & Integrations

API & Integrations

Automate VeraDNS and stream its data into your existing stack. The REST API exposes query logs, audit events, blocklists and rules; Business and Enterprise plans add SIEM streaming, SSO and SCIM.

Authentication

Generate an API key at Settings → API. Pass it as a Bearer token. Keys inherit the role of the member who created them and every call is recorded in the audit log.

bash
curl https://veradns.internal/api/v1/query-log?status=blocked&limit=100 \
  -H "Authorization: Bearer $VERA_API_KEY" \
  -H "Accept: application/json"

Core endpoints

EndpointMethodPurpose
/api/v1/query-logGETStream or page query records (filter by status, client, time).
/api/v1/audit-logGETRetrieve administrative audit events.
/api/v1/rulesGET · POST · DELETERead and manage user rules.
/api/v1/blocklistsGET · POSTList and add blocklist subscriptions.
/api/v1/statsGETAggregated counters for dashboards.

SIEM streaming

Export query and audit data in JSON or CSV, compatible with Splunk, Microsoft Sentinel and Elastic. Enterprise plans support a real-time push stream so events arrive in your SIEM within seconds.

Identity (Enterprise)

  • SSO — SAML 2.0 and OIDC for centralised login.
  • SCIM 2.0 — automated user provisioning and de-provisioning from your IdP.
  • LDAP / Active Directory — directory-based authentication and group mapping.
API rate limits apply per key. Responses include X-RateLimit-Remaining and Retry-After headers — back off when throttled.
VeraDNSFAQ

Frequently Asked Questions

Common questions about deployment, capabilities and configuration.

What does "on-premise DNS proxy" mean for my organisation?

VeraDNS runs entirely within your own infrastructure — on-premise, private cloud or your own VMs. No queries, configuration or audit logs are transmitted to external servers. Data sovereignty is guaranteed by architecture, not policy.

How does VeraDNS differ from a cloud DNS service?

Cloud DNS routes your queries through external servers, creating a third-party dependency and potential visibility into your activity. VeraDNS resolves within your perimeter — you retain full control over blocklists, policy and query data, with no dependency on external availability.

Which DNS protocols are supported?

Standard DNS (port 53), DoH, DoT, DoQ and DNSSEC validation. Encrypted protocols can be enforced for internal clients to prevent query interception.

Can VeraDNS integrate with our SIEM or identity provider?

Yes — see API & Integrations. Business and Enterprise plans export logs to Splunk, Sentinel and Elastic; Enterprise adds SSO (SAML 2.0), OIDC, SCIM and LDAP/AD.

A legitimate domain is being blocked. How do I fix it?

Add an allowlist exception at Filters → User Rules:

user-rules
@@||yourdomain.com^

You can also unblock directly from the Query Log entry.

Can I run VeraDNS in high availability?

Yes — see Deployment Topologies. Enterprise plans support multi-site and HA with automatic failover via a shared VIP or anycast.

Who do I contact for support?

Email support@veradns.io, or use the Contact Sales form on the main site. Business and Enterprise plans include priority support with guaranteed response times.