Security Policy
At NexoralDNS, we take security seriously. As DNS infrastructure software, we understand the critical role security plays in protecting your network.
Supported Versions
We provide security updates for the following versions:
| Version | Supported | Notes |
|---|---|---|
| Latest | ✅ Yes | Always recommended |
| 1.x.x | ✅ Yes | Current stable branch |
| < 1.0 | ❌ No | Please upgrade |
Recommendation: Always use the latest stable version to ensure you have the latest security patches.
```bash
# Check which version you are running
cat VERSION
```
Reporting a Vulnerability
⚠️ IMPORTANT
PLEASE DO NOT REPORT SECURITY VULNERABILITIES THROUGH PUBLIC GITHUB ISSUES
Public disclosure of security vulnerabilities can put all users at risk. We kindly request that you follow responsible disclosure practices.
How to Report
1. Primary Method: Email
Send a detailed report to our security team:
- Email: security@nexoral.in
- Subject: [SECURITY] Brief description of the vulnerability
- Encryption: PGP key available at nexoral.in/security (optional but recommended)
2. For Premium Customers
- Use your priority support channel
- Mark the ticket as URGENT - SECURITY ISSUE
- We guarantee faster response times for premium customers
3. GitHub Security Advisories
- Use GitHub's Private Vulnerability Reporting
- This creates a private discussion with maintainers
What to Include in Your Report
- Vulnerability Type
- Type of vulnerability (e.g., XSS, SQL injection, authentication bypass)
- CWE or CVE reference if applicable
- Affected Components
- Affected version(s)
- Affected component (DNS server, web dashboard, API, etc.)
- Free tier, premium tier, or both
- Impact Assessment
- Potential impact (data breach, DoS, privilege escalation, etc.)
- Attack scenario and prerequisites
- Your assessment of severity (Critical/High/Medium/Low)
- Reproduction Steps
- Detailed step-by-step instructions to reproduce
- Proof of concept code (if applicable)
- Screenshots or videos demonstrating the issue
- Suggested Mitigation
- Any workarounds or temporary fixes
- Suggested patches (if you have them)
Response Timeline
| Stage | Free Tier | Premium Tier |
|---|---|---|
| Initial Response | Within 5 business days | Within 24 hours |
| Status Update | Weekly | Every 2-3 days |
| Triage Complete | Within 14 days | Within 3-5 days |
| Fix Development | Varies by severity | Priority handling |
| Patch Release | Coordinated disclosure | Early access |
Severity Response Targets
| Severity | Initial Response | Fix Target | Public Disclosure |
|---|---|---|---|
| Critical | 24 hours | 7-14 days | After patch release |
| High | 48 hours | 14-30 days | After patch release |
| Medium | 5 days | 30-60 days | After patch release |
| Low | 10 days | Next release | With release notes |
Security Best Practices for Users
For All Users
1. Keep Updated
```bash
# Update to the latest release using the official install script
curl -fsSL https://raw.githubusercontent.com/nexoral/NexoralDNS/main/Scripts/install.sh | bash -s update
```
2. Change Default Credentials
- Change default admin password immediately after installation
- Use strong, unique passwords
3. Network Security
- DO NOT expose NexoralDNS to the public internet (DNS port 53, web dashboard port 4000)
- Use only within your LAN as intended
- Configure firewall rules appropriately
4. Access Control
- Limit access to the web dashboard
- Use premium tier for multi-user environments
- Regularly review user access
5. Monitor Logs
- Regularly check DNS query logs for suspicious activity
- Enable alerts for unusual patterns (premium feature)
6. Backup Configuration
- Regularly backup your configuration
- Test restore procedures
- Store backups securely
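As an added example for the Network Security item above (not part of NexoralDNS or its install scripts), a shell check that reads `ss -Hltnu` output and flags any listener on DNS port 53 or web port 4000 bound to a wildcard address instead of a LAN interface. The socket listing embedded below is constructed sample data, and the `--live` flag is this script's own.

```bash
#!/usr/bin/env bash
# Added example, not NexoralDNS code: report NexoralDNS listeners (DNS 53, web 4000)
# bound to a wildcard address, which makes them reachable on every interface,
# including an internet-facing one. Input is `ss -Hltnu` output, one socket per line.
set -u

NEXORAL_PORTS="53 4000"   # from the policy: DNS port 53, web dashboard port 4000

# Constructed sample of `ss -Hltnu` output so the check runs offline.
SAMPLE_SS='udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:53        0.0.0.0:*
tcp   LISTEN 0      128     192.168.1.10:4000      0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:22        0.0.0.0:*
tcp   LISTEN 0      128             [::]:4000         [::]:*'

# exposed_listeners LISTING
#   Prints "proto port addr" for each listener on a NexoralDNS port whose local
#   address is a wildcard (0.0.0.0, *, [::] or ::), i.e. not pinned to a LAN address.
exposed_listeners() {
  printf '%s\n' "$1" | awk -v ports="$NEXORAL_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    NF >= 5 {
      laddr = $5                          # ss column 5 is Local Address:Port
      idx = match(laddr, /:[0-9]+$/)      # split on the last colon (IPv6-safe)
      if (idx == 0) next                  # header line or unexpected format
      port = substr(laddr, idx + 1)
      addr = substr(laddr, 1, idx - 1)
      if (!(port in want)) next
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
        print $1, port, addr
    }'
}

# With --live (this script's own flag) inspect the running host, else use the sample.
if [ "${1:-}" = "--live" ] && command -v ss >/dev/null 2>&1; then
  listing=$(ss -Hltnu)
else
  listing=$SAMPLE_SS
fi
exposed_listeners "$listing"
```

A wildcard hit means the port should be bound to the LAN address or blocked at the firewall for non-LAN sources; the 192.168.1.10:4000 line in the sample is the intended LAN-only shape.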
For Premium Users
7. Enable Advanced Security Features
- Configure access control policies
- Set up IP-based restrictions
- Use API keys with limited permissions
8. Audit Trail
- Review audit logs regularly
- Monitor user actions
- Set up automated alerting
Security Updates
Notification Channels
Security updates are announced through:
- GitHub Security Advisories - Watch the repository
- Release Notes - Always check before updating
- Premium Email - Premium customers receive direct notifications
- Website - nexoral.in/security
Applying Security Updates
```bash
# For Docker installations: update via the official install script
curl -fsSL https://raw.githubusercontent.com/nexoral/NexoralDNS/main/Scripts/install.sh | bash -s update
# Verify the update by checking the installed version
cat VERSION
```
Always review release notes before updating to understand what's changed.
Scope
In Scope
The following are within the scope of our security program:
- ✅ NexoralDNS server application (DNS server, DHCP, Broker)
- ✅ Web dashboard and management interface
- ✅ API endpoints and authentication
- ✅ Access control mechanisms
- ✅ Data storage and encryption
- ✅ Docker containers and configurations
- ✅ Installation scripts
Out of Scope
The following are NOT in scope:
- ❌ Vulnerabilities in third-party dependencies (report to upstream)
- ❌ Social engineering attacks
- ❌ Physical security attacks
- ❌ Denial of Service (DoS) attacks
- ❌ Issues requiring physical access to the server
- ❌ Issues that only affect outdated/unsupported versions
- ❌ Issues in user-modified installations (license violation)
- ❌ Theoretical vulnerabilities without practical exploit
Safe Harbor
We support security research conducted in good faith. We will not pursue legal action against researchers who:
- Make a good faith effort to avoid privacy violations, data destruction, and service interruption
- Only interact with accounts they own or with explicit permission
- Do not exploit vulnerabilities beyond what's necessary to demonstrate the issue
- Follow this disclosure policy
- Do not violate any laws
Hall of Fame
We recognize and thank security researchers who have responsibly disclosed vulnerabilities:
No vulnerabilities have been publicly disclosed yet.
Want to see your name here? Help us improve NexoralDNS security!
Contact
- Security Email: security@nexoral.in
- General Contact: nexoral.in
- GitHub: github.com/nexoral/NexoralDNS
For non-security issues, please use our issue tracker or see the Contributing Guide.
Thank you for helping keep NexoralDNS and our users safe!