VeraDNS is an on-premise DNS proxy and enterprise-grade DNS security platform. Unlike cloud-based DNS services, VeraDNS runs entirely on your own infrastructure, giving your organisation full control over DNS traffic, access policies, and audit data without any data leaving your network.
Key capabilities
Network-wide threat blocking — Filter malware, phishing, trackers, and unwanted content at the DNS layer, covering every device on your network without installing client software.
Role-based access control (RBAC) — Grant granular permissions (Owner, Admin, Editor, Viewer) to team members. Permissions are enforced at the API level.
Complete audit trail — Every configuration change, user action, and authentication event is logged with full detail, exportable for compliance and forensics.
Query log analytics — View all DNS queries in real time, filter by status, device, or domain, and block or allow domains directly from the log.
Encrypted DNS protocols — Supports standard DNS (port 53), DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), and DNSSEC validation.
Custom blocklists & user rules — Add third-party filter lists or write your own DNS filtering rules.
How it works
When a device on your network sends a DNS request, that request is routed to VeraDNS instead of a public DNS resolver. VeraDNS evaluates the request against your configured blocklists and policies, then either resolves it (returning the IP address) or blocks it (returning a non-routable address). This happens before any connection is established — at sub-millisecond speed.
💡 VeraDNS is designed to run alongside your existing network filtering, not replace it. DNS filtering catches what network-level filtering misses, and vice versa.
DNS Proxy architecture
VeraDNS runs on any Linux server with Docker installed. Your DNS queries, configuration, and audit logs are never transmitted to external servers. You own your data — guaranteed by design, not policy.
DNS filtering is the process of intercepting DNS requests and deciding whether to resolve or block them based on your configured policies. VeraDNS acts as a filtering proxy between your devices and the upstream DNS resolver.
What is DNS?
DNS (Domain Name System) translates human-readable domain names (like example.com) into IP addresses that browsers and apps can connect to. Every time a device on your network opens a website or connects to a service, it first sends a DNS request to look up the address.
Because all traffic starts with a DNS lookup, filtering at the DNS layer is extremely efficient — VeraDNS can block an entire domain before any connection is ever made, regardless of the device type, app, or protocol being used.
How DNS filtering works in VeraDNS
When a device sends a DNS request, VeraDNS:
1. Receives the DNS query from your device.
2. Checks the queried domain against your active blocklists and user rules.
3. If the domain is blocked: returns a non-routable address (0.0.0.0). The device cannot connect.
4. If the domain is allowed: forwards the query to your configured upstream DNS resolver and returns the result.
All decisions are logged in the Query Log with full detail — domain, device, status, latency, and applied rule.
Upstream DNS servers
VeraDNS forwards allowed queries to your chosen upstream resolver. You can configure any DNS server — including those supporting encrypted protocols:
Standard DNS — e.g. 8.8.8.8, 1.1.1.1
DNS-over-HTTPS (DoH) — e.g. https://dns.cloudflare.com/dns-query
DNS-over-TLS (DoT) — e.g. tls://1.1.1.1
DNS-over-QUIC (DoQ) — supported where available
Go to Settings → DNS Settings → Upstream DNS servers to configure your resolvers. You can add multiple upstreams for redundancy.
DNS filtering vs. network filtering
DNS filtering and network (packet) filtering complement each other. Key differences:
DNS filtering blocks at the domain level — before any connection is made. It works across all devices automatically, with no client software required.
Network filtering can inspect traffic content and apply rules to specific ports, protocols, or IP ranges — but requires more infrastructure.
Some forms of tracking (e.g. CNAME-cloaked tracking) can only be blocked at the DNS level.
💡 Use VeraDNS DNS filtering in addition to your existing network filtering, not instead of it. The two layers catch different threat types.
User rules
Beyond blocklists, you can write your own filtering rules. VeraDNS uses the same rule syntax as standard DNS filter lists:
||example.com^ # Block example.com and all subdomains
@@||allowed.example.com^ # Allowlist exception
127.0.0.1 ads.example.com # Redirect to specific IP
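The decision steps under "How DNS filtering works in VeraDNS", applied to the three rule forms above. This is an added example, not VeraDNS code: the precedence (exception, then redirect, then block), the REWRITTEN status name and all function names are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):
    kind: str               # "allow", "rewrite" or "block"
    domain: str
    answer: Optional[str]   # address returned to the client, if any
    text: str               # rule as written, reported as the applied rule

def parse_rule(line: str) -> Optional[Rule]:
    """Parse one rule line; None for blanks, comments and unsupported syntax."""
    text = line.split(" #", 1)[0].strip()       # drop a trailing "# ..." comment
    if not text or text[0] in "#!":
        return None
    kind, body = ("allow", text[2:]) if text.startswith("@@") else ("block", text)
    if body.startswith("||") and body.endswith("^"):
        domain = body[2:-1].lower().rstrip(".")
        answer = None if kind == "allow" else "0.0.0.0"
        return Rule(kind, domain, answer, text) if domain else None
    parts = body.split()
    if kind == "block" and len(parts) == 2:     # hosts-style "IP name"
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            return None
        return Rule("rewrite", parts[1].lower().rstrip("."), parts[0], text)
    return None

def matches(rule: Rule, name: str) -> bool:
    if rule.kind == "rewrite":
        return name == rule.domain              # hosts-style rules match one name
    # "||domain^" covers the domain and its subdomains, on a label boundary only
    return name == rule.domain or name.endswith("." + rule.domain)

# Assumed precedence and status names (REWRITTEN is not a status the page lists).
PRECEDENCE = (("allow", "ALLOWED"), ("rewrite", "REWRITTEN"), ("block", "BLOCKED"))

def decide(qname: str, rules: list) -> tuple:
    """Return (status, answer, applied_rule); answer None means forward upstream."""
    name = qname.lower().rstrip(".")
    hits = [r for r in rules if matches(r, name)]
    for kind, status in PRECEDENCE:
        for rule in hits:
            if rule.kind == kind:
                return status, rule.answer, rule.text
    return "ALLOWED", None, None                # no rule matched

# The three rules shown above, plus a constructed comment line the parser must skip.
SAMPLE = """\
||example.com^ # Block example.com and all subdomains
@@||allowed.example.com^ # Allowlist exception
127.0.0.1 ads.example.com # Redirect to specific IP
! constructed comment line
"""
RULES = [r for r in map(parse_rule, SAMPLE.splitlines()) if r]

if __name__ == "__main__":
    for q in ("example.com", "a.allowed.example.com", "ads.example.com", "notexample.com"):
        print(q, decide(q, RULES))
```

The label-boundary check in matches() is what keeps notexample.com from being caught by the rule for example.com.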
Blocklists are sets of rules that tell VeraDNS which domains to block. They are maintained by the community and security researchers, and VeraDNS keeps them updated automatically.
Why blocklists are useful
Blocklists allow fine-grained customisation of your filtering policy. For example, you may want to block advertising domains in specific regions, remove tracking parameters from requests, or enforce protection against phishing sites globally.
How to activate blocklists
1. Open the VeraDNS dashboard and go to Filters → Blocklists.
2. Browse the available lists by category (General, Regional, Security, Other).
3. Click Add next to any list to enable it.
4. Active lists are shown at the top. VeraDNS will download and apply the rules immediately.
Blocklist types
General
Block ads, trackers, and telemetry across all languages and regions.
VeraDNS Base Filter
Composite of multiple ad, social media, tracking protection and simplified filters. Optimised for DNS-level blocking.
general
VeraDNS Popup Hosts Filter
Blocks domains that open in new windows (popups and popunders). Compiled from multiple sources.
general
Regional
Block domains in specific languages or regions.
CHN: AdRules DNS List
Blocklist for ads in the Chinese region.
regional, zh-CN
HUN: HuFilter
Hungarian adblock list.
regional, hu
Security
Block known malicious, phishing, and fraudulent domains.
Phishing URL Blocklist (PhishTank / OpenPhish)
Blocklist of phishing websites based on PhishTank and OpenPhish data.
security
Anti-Malware List
DNS-level malware domain blocking. Integrates with VeraDNS blocklists, Anti-Malware filters for Windows.
security
Custom blocklists
You can add any blocklist available as a URL. To add a custom blocklist:
1. Go to Filters → Blocklists → Custom.
2. Click Add custom blocklist.
3. Enter the blocklist name, its URL, and an optional description.
4. Click Add. VeraDNS will download and activate the list immediately.
⚠️ Each subscription plan has a limit on the total number of filtering rules. If you exceed this limit, a newly added blocklist will be disabled automatically. You will see a notification in the dashboard.
User rules
In addition to managed blocklists, you can write your own blocking rules. Go to Filters → User Rules. Rules follow the same syntax as DNS filter lists — see DNS Filtering for syntax reference.
VeraDNS includes a set of security configurations designed to protect your organisation from phishing, malware, and fraudulent domains — beyond what standard blocklists cover.
Block malicious, phishing, and scam domains
VeraDNS maintains a continuously updated database of domains known to be used for phishing, malware distribution, and scams. When a device on your network requests one of these domains, VeraDNS blocks the request before any connection is established.
Enable this at Settings → Server Settings → Security → Block malicious and phishing domains.
Block newly registered domains
Attackers frequently register new domains shortly before launching a phishing or malware campaign. VeraDNS can detect the registration date of a queried domain and block it if it was created recently.
ℹ️ This setting may occasionally produce false positives for legitimate newly launched services. If a domain is incorrectly blocked, add it to your User Rules as an exception: @@||domain.com^
Block malicious domains using blocklists
VeraDNS supports third-party security-focused blocking filters. Activate filter lists tagged security in the Blocklists section to add an additional layer of malware and phishing protection. See the Blocklists article.
Protection against typosquatting
Typosquatting domains imitate legitimate websites using common typos, swapped characters, or missing letters (e.g. gooogle.com, paypa1.com). VeraDNS detects and blocks these at the DNS level by analysing domain similarity patterns — before any connection is made.
If a legitimate domain is incorrectly flagged, add it as an allowlist exception at Servers → Server Settings → User Rules → Add new rule.
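One common way to score domain similarity for the typo classes named above (extra or missing letters, swapped characters, digit-for-letter substitutions), written as an added example. It is not VeraDNS's detection logic; the protected list, the thresholds and every function name are assumptions.

```python
# Digit-for-letter swaps folded before comparison (constructed, not exhaustive).
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
MIN_LABEL_LEN = 5   # assumption: one edit on a shorter name is too noisy to act on
PROTECTED = ("google.com", "paypal.com", "ibm.com")   # constructed sample list

def registrable(qname: str) -> str:
    """Last two labels. Simplification: production code needs the Public Suffix List."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)      # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def check_typosquat(qname, protected=PROTECTED, allow=frozenset(), max_distance=1):
    """Return (protected_domain, reason) for a lookalike name, else None."""
    name = registrable(qname)
    if name in protected or name in allow:              # the real site or an exception
        return None
    label = name.split(".")[0]
    folded = label.translate(CONFUSABLE)
    for target in protected:
        t_label = target.split(".")[0]
        if label != t_label and folded == t_label:
            return target, "confusable characters"
        if len(t_label) < MIN_LABEL_LEN:
            continue                                    # skip noisy short names
        distance = osa_distance(label, t_label)
        if 0 < distance <= max_distance:
            return target, f"edit distance {distance}"
    return None

if __name__ == "__main__":
    for q in ("gooogle.com", "login.paypa1.com", "gogole.com", "mail.google.com", "ibn.com"):
        print(q, check_typosquat(q))
```

The allow parameter plays the role of the allowlist exception described above: a flagged name that turns out to be legitimate is exempted without loosening the threshold for everything else.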
DNS encryption
VeraDNS supports encrypted DNS protocols for queries between your devices and the VeraDNS server, preventing interception and tampering:
DNS-over-HTTPS (DoH) — Encrypts DNS traffic inside HTTPS. Configure at Settings → Encryption.
DNS-over-TLS (DoT) — Encrypts DNS traffic using TLS on port 853.
DNSSEC — Validates DNS responses using cryptographic signatures to prevent DNS spoofing and cache poisoning.
Encryption between VeraDNS and your upstream resolvers is configured separately at Settings → DNS Settings → Upstream DNS.
The Query Log gives you a real-time view of every DNS request made by devices on your network. You can filter, search, block, or allow domains directly from the log without leaving the page.
What you can see
Each log entry shows:
Domain — The domain that was queried
Device — Which device made the request
Status — ALLOWED, BLOCKED, or CACHED
Record type — A, AAAA, CNAME, MX, etc.
Response time — Round-trip latency in milliseconds
Applied rule — Which blocklist or user rule caused a block
Client IP — Source IP and autonomous system information
Blocking and unblocking domains
You can block or unblock domains directly from a log entry without navigating away. Click any entry to expand it, then use the Block domain or Unblock domain button. This adds the domain to your User Rules immediately.
You can also click Add user rule to add a custom rule for that domain (e.g. redirect to a specific IP, or allow a subdomain while blocking the root).
Filtering the log
Use the filters at the top of the Query Log to narrow results by:
Status (Allowed / Blocked / Cached)
Record type (A, AAAA, CNAME…)
Device or client IP
Time period (Last 30 minutes, 1 hour, 6 hours, 24 hours, All)
Search by domain name
Retention and log settings
Log retention depends on your plan:
Team plan — 30 days
Business plan — 90 days
Enterprise plan — Custom retention policy
To disable query logging entirely, go to Settings → Log and Statistics and uncheck Log DNS requests. Note: disabling logging also disables statistics collection.
⚠️ Disabling query logging will also disable the Statistics dashboard. Only disable logging if required by your organisation's data retention policy.
Exporting log data
Business and Enterprise plans can export query log data via the REST API in JSON or CSV format, compatible with Splunk, Microsoft Sentinel, Elastic SIEM, and other platforms. See Settings → API for your API key and endpoint documentation.
VeraDNS supports role-based access control (RBAC), allowing you to invite team members with specific permissions. Each member logs in individually — no shared credentials, no shared sessions.
ℹ️ RBAC is available on Business and Enterprise plans. Team plan accounts support a single administrator account.
Member roles
Role | Access level | Typical use
Owner | Full access to all settings, billing, and user management | Account holder. One per account. Cannot be changed.
Admin | Can modify DNS settings, manage blocklists, configure servers, and invite other members | System administrators, IT managers, MSPs managing multiple accounts
Viewer | Read-only access. Can view settings, query log, and statistics but cannot make changes |
Admins with a single login can manage several accounts and switch between them quickly, which is useful for MSPs or IT teams managing DNS for multiple clients.
How to invite members
1. Go to your dashboard → Settings.
2. In the Organisation section, open Members.
3. Click Add member, enter the colleague's work email address, and select their role: Admin or Viewer.
4. Click Add. The invitee will receive an email with a link to set up their account.
5. Once they accept, their status changes to Active in the Members list.
Changing or revoking access
You can change a member's role or remove them at any time from the Members page. Revoking access immediately invalidates their session — they will be logged out on their next request.
Audit trail for user actions
All member actions (logins, configuration changes, rule additions) are recorded in the Audit Log with timestamp, user identity, and change detail.
The Audit Log records every administrative action taken within VeraDNS — configuration changes, user logins, rule modifications, and authentication events — with full traceability.
What is logged
User logins and logouts (including failed login attempts)
Event type — Category of action (Config, Auth, User, Rule)
Detail — What specifically changed, including before and after values where applicable
Retention
Audit log retention mirrors query log retention by plan: 30 days (Team), 90 days (Business), custom (Enterprise). On Enterprise plans, logs can be streamed to an external SIEM in real time via the REST API.
Exporting audit data
Go to Audit Log → Export to download the log as CSV or JSON. Business and Enterprise plans can also access audit events via the REST API for automated ingestion into compliance systems (Splunk, Sentinel, Elastic, etc.).
💡 For ISO 27001, SOC 2, or internal compliance requirements, the VeraDNS audit log provides a tamper-evident record of all administrative activity. Contact your account manager for a compliance export template.
Once VeraDNS is running, point your devices or router to use it as their DNS server. The fastest method is to configure your router — this automatically covers every device on your network.
💡 Configuring your router is recommended. It covers all devices, including those that cannot have their DNS manually changed (smart TVs, IoT devices, game consoles), without any per-device setup.
Router (covers all devices)
Log into your router's admin interface (typically at 192.168.1.1 or 192.168.0.1). Find the DNS settings — usually under WAN, Internet, or Network → DNS — and set the primary DNS to your VeraDNS server's IP address.
Set the secondary DNS to a fallback public resolver (e.g. 1.1.1.1) so devices remain functional if VeraDNS is temporarily unavailable during maintenance. Queries answered by the fallback resolver are not filtered or logged by VeraDNS.
ℹ️ Router interfaces vary by manufacturer. Consult your router's manual if you cannot find the DNS settings. Most consumer routers support this under Advanced → DHCP → DNS.
Windows
1. Open Settings → Network & Internet.
2. Click your active connection (Wi-Fi or Ethernet), then click Edit next to DNS server assignment.
3. Switch to Manual, enable IPv4, and enter your VeraDNS server IP as the Preferred DNS.
4. Click Save.
To use DNS-over-HTTPS on Windows 11, select DNS-over-HTTPS (automatic template) and enter your VeraDNS DoH endpoint.
macOS
1. Open System Settings → Network.
2. Select your active network interface, click Details, then open the DNS tab.
3. Click + and add your VeraDNS server's IP address.
4. Click OK then Apply.
Android
Android 9+ supports Private DNS (DNS-over-TLS), which is the recommended method:
1. Open Settings → Network & Internet → Private DNS.
2. Select Private DNS provider hostname.
3. Enter your VeraDNS DoT hostname (e.g. dns.yourcompany.internal).
4. Tap Save.
For standard DNS, configure the DNS server in your Wi-Fi connection's advanced settings. Note: this applies per network, not system-wide.
iOS / iPadOS
The recommended method on iOS is a DNS configuration profile, which applies system-wide:
1. Go to Settings → General → VPN & Device Management.
2. Install the VeraDNS DNS profile provided by your administrator.
3. Tap Install and follow the prompts.
For Wi-Fi only: go to Settings → Wi-Fi, tap the (i) next to your network, scroll to Configure DNS → Manual, and add your VeraDNS server IP.
Linux
For systems using systemd-resolved:
    sudo nano /etc/systemd/resolved.conf

    # Add or edit:
    [Resolve]
    DNS=<your-veradns-ip>
    DNSStubListener=no

    sudo systemctl restart systemd-resolved

For systems using /etc/resolv.conf directly:

    echo "nameserver <your-veradns-ip>" | sudo tee /etc/resolv.conf
⚠️ On many Linux distributions, /etc/resolv.conf is managed automatically by NetworkManager or dhclient. Manual edits may be overwritten. Configure DNS via NetworkManager's connection settings for a permanent change.
Common questions about VeraDNS deployment, capabilities, and configuration.
What does "on-premise DNS proxy" mean for my organisation?
VeraDNS runs entirely within your own infrastructure — on-premise, private cloud, or your own VMs. No DNS queries, no configuration data, and no audit logs are transmitted to external servers. Your data sovereignty is guaranteed by design, not policy.
How does VeraDNS differ from a cloud-based DNS service?
Cloud DNS services route your queries through external servers, creating a third-party dependency and potential visibility into your network activity. VeraDNS resolves DNS entirely within your perimeter. You retain full control over your blocklists, policies, and query data — with no dependency on external availability.
What DNS protocols does VeraDNS support?
VeraDNS supports standard DNS (port 53), DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), DNS-over-QUIC (DoQ), and DNSSEC validation. Encrypted DNS protocols can be enforced for internal clients to prevent query interception.
Can VeraDNS integrate with our SIEM or identity provider?
Business and Enterprise plans include REST API access for exporting audit and query logs in JSON or CSV format, compatible with Splunk, Microsoft Sentinel, Elastic, and other SIEM platforms. Enterprise plans additionally support SSO via SAML 2.0 and LDAP/Active Directory for centralised user management.
What are the infrastructure requirements?
VeraDNS runs on any Linux server with Docker installed. Minimum recommended specification is 2 vCPU and 2 GB RAM. For high-availability deployments or large enterprise networks (10,000+ devices), we recommend dedicated hardware or VM sizing guidance from our solutions team.
A legitimate domain is being blocked. How do I fix this?
Go to Filters → User Rules and add an allowlist exception:
@@||yourdomain.com^
This overrides any blocklist rule for that domain. You can also unblock directly from the Query Log entry.
Does VeraDNS block ads on HTTPS websites?
Yes. DNS filtering operates at the domain level regardless of the protocol used. If an ad or tracker is served from a separate domain (e.g. ads.example.com), VeraDNS can block it. However, ads served from the same domain as the content (e.g. YouTube's own ad server) cannot be blocked via DNS without also blocking the main site.
How do I update my blocklists?
VeraDNS automatically updates active blocklists on a schedule (typically every 12–24 hours). To force an immediate update, go to Filters → Blocklists, select a list, and click Update now.
Can I run VeraDNS in a high-availability configuration?
Yes. Enterprise plans support multi-site and HA deployment with automatic failover. Contact our solutions team for architecture guidance and deployment support specific to your infrastructure.
Who do I contact for support?
Reach our team at support@veradns.io, or use the Contact Sales form on the main website. Business and Enterprise plans include priority support with guaranteed response times.