Open-source DNS control plane for local networks
Take control of your network's DNS traffic.
A powerful, self-hosted DNS management & surveillance system that gives you complete visibility and control over every query on your local network.
<2ms cached response · 7-layer query engine · 100% self-hosted · 8,050 QPS load tested
live query pipeline ● resolving
$ dig google.com @10.0.0.2
L1 Redis cache: miss
L3 Block list: pass
L5 DNS record: pass
L7 Upstream DNS: hit
142.250.x.x · NOERROR · 1.4ms
⚡ One-command install
Up and running in under a minute
$ curl -fsSL https://raw.githubusercontent.com/nexoral/NexoralDNS/main/Scripts/install.sh | bash -
Automatically installs Docker, downloads the latest version, and starts all services.
▶ Start
Start NexoralDNS services if they are stopped.
$ curl -fsSL https://raw.githubusercontent.com/nexoral/NexoralDNS/main/Scripts/install.sh | bash -s start
Starts all services without reinstalling.
■ Stop
Stop all NexoralDNS services gracefully.
$ curl -fsSL https://raw.githubusercontent.com/nexoral/NexoralDNS/main/Scripts/install.sh | bash -s stop
Stops services without removing the installation.
✕ Remove
Completely uninstall NexoralDNS and all data.
$ curl -fsSL https://raw.githubusercontent.com/nexoral/NexoralDNS/main/Scripts/install.sh | bash -s remove
Removes all services, containers, images, and data.
WHAT'S NEW · v3.5.44-stable
DNS Protocol Expansion
NexoralDNS now speaks all three major DNS transports — plain UDP, reliable TCP, and encrypted TLS — with zero configuration changes.
📡 UDP :53 · Classic
🔗 TCP :53 · New
🔒 TLS :853 · New
DNS over TCP
NEW · Port 53 TCP · RFC 1035 §4.2.2 · RFC 7766
Full TCP transport for DNS — required for responses over 512 bytes, DNSSEC chains, and zone transfers. Handles 2-byte length-prefix framing automatically.
▸ Large response support — DNSSEC, TXT, many-answer records
▸ RFC 7766 idle timeout — 30s keepalive, auto-disconnects stale clients
▸ Singleton architecture — shared single-flight cache across connections
▸ Zero-config startup — starts alongside UDP automatically
$ dig +tcp google.com @10.x.x.x
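The 2-byte length-prefix framing described above, as an added example (not NexoralDNS source code): a per-connection deframer in Node.js that copes with a prefix or message split across TCP chunks and rejects frames too short to hold a DNS header. The names frame, TcpDnsDeframer, buildQuery and demo are hypothetical, and the two queries are constructed samples.

```javascript
// Added example, not NexoralDNS source: RFC 1035 §4.2.2 framing for DNS over TCP.
const DNS_HEADER_LEN = 12; // a DNS message is never shorter than its header

// Prefix a DNS message with its 2-byte big-endian length.
function frame(message) {
  if (message.length > 0xffff) throw new RangeError('DNS message exceeds 65535 bytes');
  const prefix = Buffer.alloc(2);
  prefix.writeUInt16BE(message.length, 0);
  return Buffer.concat([prefix, message]);
}

// Reassembles messages from a TCP byte stream; use one instance per connection.
class TcpDnsDeframer {
  constructor() { this.pending = Buffer.alloc(0); }
  // Feed one socket chunk; returns every complete message now available.
  push(chunk) {
    this.pending = Buffer.concat([this.pending, chunk]);
    const messages = [];
    while (this.pending.length >= 2) {
      const length = this.pending.readUInt16BE(0);
      // Shorter than a header cannot be DNS: the caller should drop the socket.
      if (length < DNS_HEADER_LEN) throw new Error(`invalid DNS frame length ${length}`);
      if (this.pending.length < 2 + length) break; // partial message, wait for more
      messages.push(this.pending.subarray(2, 2 + length));
      this.pending = this.pending.subarray(2 + length);
    }
    return messages;
  }
}

// Constructed sample: a minimal recursive A/IN query for `name`.
function buildQuery(id, name) {
  const header = Buffer.from([id >> 8, id & 0xff, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0]);
  const labels = name.split('.').map((label) =>
    Buffer.concat([Buffer.from([label.length]), Buffer.from(label, 'ascii')]));
  return Buffer.concat([header, ...labels, Buffer.from([0, 0, 1, 0, 1])]);
}

// Two pipelined queries delivered as: half a prefix, a cut mid-message, the rest.
function demo() {
  const names = ['google.com', 'myapp.local'];
  const stream = Buffer.concat(names.map((n, i) => frame(buildQuery(0x1234 + i, n))));
  const deframer = new TcpDnsDeframer();
  const out = [];
  for (const [from, to] of [[0, 1], [1, 20], [20, stream.length]]) {
    out.push(...deframer.push(stream.subarray(from, to)));
  }
  return out.map((m) => ({ id: m.readUInt16BE(0), bytes: m.length }));
}
```

A length below 12 is treated as a protocol error rather than skipped, because once one prefix is wrong every later frame boundary on that connection is unknown.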
DNS over TLS
NEW · Port 853 · RFC 7858 · DoT
Encrypted DNS transport using TLS 1.2+ to prevent eavesdropping and spoofing. A self-signed certificate is auto-generated via openssl on first boot. Because that certificate is self-signed, a client can only authenticate the server if it is configured to trust or pin it; a client that skips certificate validation is protected from passive eavesdropping only.
▸ TLS 1.2+ enforced — TLS 1.3 preferred per RFC 7858 §3.1
▸ Auto cert generation — self-signed via openssl, saved to /etc/nexoral/cert
▸ Shared across restarts — cert persisted on disk
▸ Same 7-layer pipeline — identical block, cache & upstream logic
$ kdig -p 853 @10.x.x.x +tls google.com
All three transports share the same 7-layer query processor, Redis cache, block-list engine, and analytics pipeline — consistent behaviour regardless of how a client connects.
Performance
Load test results
Benchmarked on a mid-range consumer laptop — no dedicated server hardware required.
Peak throughput · UDP port 53 · Node.js DNS Server
8,050 queries / second
Achieved with a pure Node.js DNS server — no C/C++ native bindings, no Rust, no Go.
💻 Test hardware
AMD Ryzen 5 5500U · 6 cores / 12 threads · 6.6 GB RAM · x86_64
Consumer laptop · No RAID / NVMe tuning · Cluster mode enabled
Why NexoralDNS
From DNS chaos to total control
✕ The problem
✕ No visibility into DNS requests
✕ Can't create custom internal domains
✕ Host file edits on every device
✕ No way to block malicious domains
✕ Third-party DNS providers track your data
✓ The solution
✓ Real-time dashboard of all DNS queries
✓ Create custom domains with one click
✓ Network-wide DNS settings
✓ Block ads, trackers & malicious domains
✓ 100% self-hosted — your data stays yours
Capabilities
Powerful features, simple control
🌐 Custom Domains
Create internal domains like myapp.local without external DNS.
📊 Real-time Analytics
Monitor all DNS queries with detailed logs, charts and patterns.
🛡️ Domain Blocking
Block ads, trackers, malware and set up parental controls.
⚡ Ultra Fast
Sub-5ms response times with Redis caching and optimized architecture.
🖥️ Web Dashboard
Beautiful, intuitive dashboard accessible on your local network.
🔧 Easy Setup
One-command Docker install — up and running in minutes.
👥 Multi-device
Manage DNS for every device on your network from one place.
🔌 REST API
Full API access for automation and integration with other tools.
📱 Responsive UI
Manage from any device — desktop, tablet or mobile.
Perfect for
Built for every network
👨‍💻 Developers & Teams
Local .dev domains, team collaboration, service discovery.
🏢 Small Businesses
Central management, usage monitoring, security filtering.
🏠 Home Networks
Ad blocking, parental controls, IoT management.
🏫 Education
Content filtering, usage analytics, safe browsing.
⚠️ LAN use only
NexoralDNS is designed exclusively for Local Area Network use. Never expose it to the public internet.
Do not
✕ Host on cloud platforms
✕ Expose to the public internet
✕ Use as a public DNS resolver
Do
✓ Install on a local machine
✓ Configure your router to use it
✓ Keep it within your private network
Ready to take control?
Join thousands of users who have transformed their network's DNS infrastructure with NexoralDNS.