All Systems Operational

Transparency Report

We operate an open infrastructure stack. Below is the detailed technical breakdown of how we protect, filter, and secure your DNS queries.

Security & Privacy Pipeline

Flow: Left → Right
01 FIREWALL

nftables

Kernel-level packet filtering. Blocks malicious IPs and rate-limits abusers before they reach our stack.

300 qps Rate Limit
4,600+ Blocked Ranges
Auto Bot Detection
02 FILTERING

AdGuard Home

Stateless content filtering. Acting as a pure DNS firewall to block ads and trackers without local caching.

Adware & Tracking
Malware Blocking
No-Cache (Stateless)
03 CACHE & DNSSEC

Unbound DNS

Validating resolver. Cryptographically verifies DNSSEC signatures and serves hot records from its own prefetching in-memory cache.

DNSSEC Validation
Prefetch Caching
QNAME Minimization
04 UPSTREAM

DNSCrypt-Proxy

Secure upstream transport. Encrypts every outbound query to the upstream resolvers so nothing leaves us in plaintext.

Encrypted Transport
X25519 Encryption
No-Log Servers

Active IP Blocklists (nftables kernel-level)

We strictly block these sources at the network edge. This list reflects our current dns-guard configuration.

Enabled Threat Feeds Active
FireHOL Level 1
The "Gold Standard" of IP blocklists. 100% malicious history.
Essential
Spamhaus DROP + EDROP
Hijacked networks used solely by professional cybercrime gangs.
Essential
BotScout + Blocklist.de
Aggregated list of SSH brute-forcers and web scrapers.
Bots
Feodo Tracker
C2 servers for banking trojans (Dridex, Emotet, Trickbot).
Malware
ET Compromised
Emerging Threats list of hosts known to be infected.
Malware
DShield (SANS ISC)
Top attacking subnets reported by the global sensor network.
Attacks
GreenSnow
Real-time compilation of brute-force and port scan attacks.
Scanners
dns-bot-guard
Local heuristics engine. Auto-bans flooders & DDoS attempts.
Local

DNS Filter Lists (AdGuard Home)

Domain-based blocklists that filter ads, trackers, malware, and phishing at the DNS level. These work after traffic passes the firewall.

Last published counts - reopen the page to recalculate them live from the source lists in your browser.

263,792
rules blocked across all lists
Filter Source Live Sync
AdGuard DNS Filter
The baseline standard for blocking ads & general trackers.
156,744 rules filter_1.txt
OISD Blocklist Small
High-speed, essential blocking for maximum stability.
59,305 rules filter_5.txt
Phishing URL Blocklist
Real-time phishing & fraud domains from PhishTank and OpenPhish.
31,163 rules filter_30.txt
Malicious URL Blocklist
Active malware-distribution URLs tracked by abuse.ch URLHaus.
16,580 rules filter_11.txt

Rate Limiting & Fair Use

300
DoH Queries/Second
Per-IP rate limit. Generous ceiling for CGNAT networks, prefetching, and ad-heavy pages. DoT: 100/s burst. DNS/UDP: 30/s burst. Adjusted per protocol.
800
Burst Allowance
Token-bucket headroom. Our nftables ingress hook absorbs instant page-load spikes without dropping legitimate packets.
1m
First-Strike Probation
Intelligent forgiveness. First violations receive a 60-second timeout - not a permanent ban. Only persistent abuse escalates.
Configuration last verified

Related

Protocols

How DoH, DoT, DoQ and DNSSEC validation work end to end.
No-logs policy

What we don't store, and how the RAM-only design enforces it.
Knowledge base

Answers on DNSSEC, filtering, GeoIP labels and troubleshooting.