Skip to content

Ferrous DNS

**High-performance DNS server with network-wide ad-blocking, written in Rust**

What is Ferrous DNS?

Ferrous DNS is a self-hosted DNS server and network-wide ad-blocker designed as a high-performance alternative to Pi-hole and AdGuard Home. It runs as a single binary combining DNS resolution, REST API, and Web UI — with no external runtime dependencies.

At 482,506 queries/second under identical Docker conditions (16 CPUs, cache enabled, rate limiting disabled), Ferrous DNS is 4.9× faster than AdGuard Home, 4.7× faster than Blocky, and 233× faster than Pi-hole — running a full feature stack in a single process. Unbound (952K QPS) and PowerDNS Recursor (884K QPS) lead as purpose-built pure recursive resolvers with no additional features.

Feature Highlights

  • Two-level cache — fast per-thread L1 cache + shared L2 cache for maximum hit rate
  • Smart eviction — frequency-based eviction keeps popular domains cached
  • In-flight coalescing — deduplicates concurrent queries to a single upstream request
  • Optimistic prefetch — refreshes popular entries before they expire
  • 482K queries/second — 4.9x faster than AdGuard Home, 233x faster than Pi-hole
  • Cache hit P99 < 35µs (actual ~10-20µs)
  • Upstream: plain UDP, DoH, DoT, DoQ, and HTTP/3
  • Server-side: serve DoH and DoT directly to clients (RFC 7858 / RFC 8484)
  • IPv6 upstreams and DNS-name resolvers (e.g. dns.google.com)
  • Blocklists with regex patterns and wildcard domains (*.ads.com)
  • Allowlist support
  • 1-click blockable service categories
  • CNAME cloaking detection
  • Safe Search enforcement (Google, Bing, YouTube)
  • Auto client detection by IP and MAC address
  • Client groups with independent policies (kids, work, IoT)
  • Per-group parental controls with time-based scheduling
  • Conditional forwarding — route specific domains to internal resolvers
  • HTTPS for dashboard and API — single port with automatic HTTP → HTTPS redirect
  • Session-based authentication with login/logout
  • Named API tokens with SHA-256 hashed storage
  • First-run setup wizard for password configuration
  • Self-signed certificate generation from the UI
  • Login rate limiting and session management
  • DNS rate limiting — token bucket per subnet with NXDOMAIN budget, TC=1 slip, and dry-run mode
  • TCP/DoT connection limiting — per-IP limits prevent connection exhaustion
  • DNSSEC validation
  • DNS rebinding protection
  • Malware detection — DNS tunneling detection, DGA detection (Domain Generation Algorithm), NXDomain hijack detection, response IP filtering (C2 blocking)
  • PROXY Protocol v2 support
  • Pi-hole API compatibility

Getting Started