Security Changelog

Over the past stretch we have been steadily tuning the engine behind your DNS lookups, and the results are in. Everyday lookups are quicker, and the difference is biggest exactly when it matters most, when the servers are under heavy traffic.

The headline improvement is consistency. In the past, a busy moment could occasionally leave a small number of lookups waiting up to a couple of seconds. We reworked the internal parts that caused those stalls, so even during a spike the slowest responses now stay comfortably under a second. In plain terms: fewer pauses, and a smoother experience when the network is busy.

To be sure this holds up, we built our own high speed testing tool and pushed a single server hard. On just four processor cores it comfortably served around 50,000 lookups per second with almost no dropped requests, and stayed healthy past 60,000. That is many times our normal day to day demand, so there is plenty of headroom for busy periods.

We get there by handling far more requests at the same time instead of letting them queue, spreading the work evenly across the processor, and keeping popular answers ready in a fast local cache. We also measure every idea before keeping it: one experimental speed tweak this week showed no real benefit in testing, so we simply dropped it, and we added a couple of small safety checks while we were in there. Everything rolled out live with no downtime, and your lookups stay exactly as private and secure as always.

To support strict engineering transparency and assist the network privacy community, we have published the complete architectural specification and progress logs for our backend infrastructure. While the primary high-performance production codebase for AdGuardHome Edge remains private to safeguard core operations, this public blueprint details every critical modification applied to our engine.

The document outlines the technical solutions driving the dnsdoh.art infrastructure, including zero-allocation network paths, copy-on-write atomic pointer routing, and resource hardening against transport-layer floods. By making this specification public, we are sharing verifiable engineering outcomes—such as complete memory allocation elimination under sustained query loads—providing an absolute proof-of-concept for highly optimized edge resolvers. The repository also directly links to our custom transport fork, establishing a transparent foundation for advanced DNS architecture.

Following extensive stress-testing, we have officially moved the production backend of AdGuardHome-Edge to the latest upstream base. This synchronizes our project with critical fixes deployed by the AdGuardTeam, most notably a critical correctness bug in the DNSSEC caching layer (PR #434). In the stock version, queries with and without the DO-bit (DNSSEC OK) could erroneously share cache slots, leading to stripped security signatures for validating clients. Our edge deployment permanently fixes this.

During the migration, our custom Zero-Alloc UDP network engine was successfully rebased and verified under peak load. To maintain strict engineering hygiene, we have completely refactored our internal git history, pruning legacy upstream branches and establishing a clean, dedicated deployment structure. The server continues to operate with a zero-allocation profile on the hot UDP path, combining absolute data correctness with extreme microsecond-level throughput.

For months, we have been surgically optimizing our DNS processing pipeline. Today, we are officially consolidating these efforts under the AdGuardHome-Edge project. This is not merely a deployment, but a custom-engineered fork of the AdGuard engine, built to operate at the absolute edge of performance.

While our public-facing tools like dns-ultra remain open, AdGuardHome-Edge is a private, hardened branch optimized for our specific hardware (AMD EPYC Zen 2) and latency requirements. We have stripped away non-essential overhead, implemented custom memory-pooling strategies in the dnsproxy layer, and re-architected the internal event loop to eliminate garbage collection bottlenecks. This fork allows us to apply security patches and performance fixes faster than upstream, maintaining a zero-allocation profile that handles traffic spikes with microsecond precision.

Following several weeks of profiling under real-world conditions, we have applied a set of kernel and network configuration improvements to our infrastructure.

Key changes include tuned UDP and QUIC processing to reduce per-packet overhead for our most common traffic types, refined connection tracking parameters to better handle the diversity of clients we serve - including mobile networks, corporate environments, and high-concurrency resolvers - and optimized our packet processing pipeline ordering to minimize CPU cycles on the most frequent code paths.

These changes deliver measurably more consistent DNS response times during peak hours, with particular improvement for users on high-latency or variable-quality connections such as mobile and satellite networks.

We have completed an extensive security hardening cycle focused on two goals: stopping attacks faster and protecting real users better.

Our traffic analysis engine has been upgraded with adaptive statistical models that distinguish between normal usage spikes and genuine threats. A new verified user system ensures that active DNS clients are never disrupted, even during large-scale network events. Users who have recently resolved queries through our service are automatically recognized and prioritized.

We have also deployed real-time infrastructure monitoring with detailed dashboards tracking network pressure, connection patterns, and system health around the clock. This gives us immediate visibility into any anomalies and allows faster response times.

On the network layer, our packet filtering rules have been rebalanced to better handle modern attack patterns while remaining transparent to legitimate traffic. Rate limits and circuit breakers have been fine-tuned based on months of real-world data.

Following extensive testing under real-world attack conditions, we have promoted our nftables firewall engine to full production mode. The ruleset now operates across three layers: a netdev ingress hook at the NIC level for instant bogon and invalid flag drops, a stateless raw prerouting chain for rate-based fuses before conntrack, and a stateful protection table for per-service connection tracking.

Key changes include the introduction of a global SYN circuit breaker as a last-resort flood defense, refined per-IP SYN and packet-rate meters, and improved amplification reflection drop logic. UDP DNS processing has been optimized with selective connection tracking bypass to maximize query throughput during flood conditions.

To support the growing number of users connecting via **5G Standalone (SA)** networks, we have performed a deep-level optimization of our packet filtering engine. By utilizing **nftables flow offloading** and optimizing TCP congestion windows, we have eliminated bufferbloat-ensuring that the low-latency benefits of 5G are not lost when traffic hits our firewalls.

We have also tuned our MTU/MSS clamping rules to prevent fragmentation on mobile carrier networks, ensuring a seamless, jitter-free DNS resolution experience whether you are on fiber or cellular.

To kick off 2026, we have successfully executed a comprehensive infrastructure refresh. We have upgraded our web server core to **Nginx 1.29.4** (Mainline), ensuring robust HTTP/3 and QUIC support with improved congestion control. Simultaneously, we updated our cryptographic backend to **OpenSSL 3.6.0**, enabling the latest Quantum-Safe algorithms and cipher suites.

On the network layer, we applied significant optimizations using **nftables 1.1.6**. These changes streamline packet filtering logic and utilize atomic set operations, reducing processing latency for legitimate traffic while maintaining strict defense against DDoS and botnet threats.

We have deployed a comprehensive security overhaul to protect our DNS infrastructure against volumetric attacks and abuse. The new system operates at the kernel level using nftables with optimized rulesets, providing wire-speed packet filtering before traffic reaches our application layer.

Key Components:
• Kernel-Level Rate Limiting: 50 queries/second per IP with intelligent meter timeouts that auto-expire entries, preventing memory exhaustion during attacks.
• dns-bot-guard v2.1: Our custom threat detection system monitors query patterns in real-time, automatically blocking /24 ranges when botnets are detected.
• Automated Blocklists: Daily updates from FireHOL (Level 1 & 2) and Spamhaus DROP/EDROP, providing 4,600+ pre-emptive IP range blocks.
• Protocol Coverage: Protection applies uniformly to DoH (443), DoT (853), DoQ (853/UDP), and standard DNS (53).

The system successfully mitigated multiple botnet attacks during testing, automatically identifying and blocking malicious /16 ranges within minutes.

We have completely re-engineered the backend of our DNS Leak Test to handle extreme loads. Moving away from Python-based packet sniffing, the new engine uses 'tcpdump' for C-based kernel-level filtering. This stream is piped directly into a lightweight parser and stored in Redis via Unix Sockets. The result is a monitoring system that processes thousands of queries per second with virtually 0% CPU impact.

We are proud to announce the integration of our new Advanced DNS Leak Test. This tool utilizes entropy tracking to analyze your DNS requests in real-time, allowing you to detect configuration leaks and identify transparent DNS proxies that might be intercepting your traffic. Ensure your privacy settings are actually working.

We have updated Unbound to version 1.24.2 to address CVE-2025-11411. This fix mitigates a potential domain hijacking attack involving YXDOMAIN and non-referral nodata answers. We thank TaoFei Guo (Peking University), Yang Luo, and JianJun Chen (Tsinghua University) for reporting this issue.

We have updated dnscrypt-proxy to version 2.1.14. This release introduces support for encrypting client IP addresses in logs using IPCrypt (supporting deterministic and non-deterministic algorithms), further enhancing privacy. It also includes critical fixes for crashes related to nil client addresses.

Consistency is key to privacy. Throughout 2023 and into 2024, we maintained a strict update schedule. This maintenance window saw major version bumps for Unbound to handle higher concurrency and updates to AdGuard Home's blocklist management engine.

Six months after launch, we identified a key area for improvement: upstream privacy. In December 2022, we integrated dnscrypt-proxy into our stack. This crucial addition ensures that even when we fetch data from root servers, the connection is encrypted and authenticated.