Roadmap


Completed

v0.1.0 — Foundation

  • Clean Architecture workspace with 5 crates
  • Axum web server + REST API
  • Modern dashboard (HTMX + Alpine.js)
  • SQLite persistence
  • Full DNS resolver (A, AAAA, CNAME, MX, TXT, PTR, NS, SRV)
  • Upstream DNS forwarding (UDP)
  • DNS-over-HTTPS (DoH) upstream
  • DNS-over-TLS (DoT) upstream
  • Load balancing across upstreams
  • Query caching with TTL
  • Local DNS records
  • L1/L2 hierarchical cache
  • LFUK eviction (sliding window)
  • Bloom filter for negative lookups

v0.2.0 — Blocklist & Allowlist

  • Auto client detection (IP + MAC)
  • Client groups
  • Wildcard domain blocking (*.ads.com)
  • Allowlist support
  • Blocklist URL import
  • Regex blocklist support
  • Allow/Block buttons in query log
  • Conditional forwarding

v0.3.0 — Advanced Features

  • Analytics and graphs (upstream latency, top sites, blocked sites)
  • DNS-over-QUIC (DoQ) upstream
  • HTTP/3 upstream
  • IPv6 upstreams
  • DNS name upstreams (resolved at startup)
  • CNAME cloaking detection
  • Safe Search enforcement (Google, Bing, YouTube)
  • Blockable services (1-click categories)

v0.4.0 — Parental Controls

  • Per-group blocklist assignment
  • Time-based scheduling per group
  • Parental Controls UI

v0.5.0 — Server Advanced Features

  • DoH/DoT server (serve encrypted DNS to clients)
  • PROXY Protocol v2 (real client IP behind load balancers)
  • Auto PTR generation from local A records
  • DNS rebinding protection

v0.6.0 — Performance & Scale

  • Pi-hole compatible API
  • Performance benchmarks vs. competitors (482K QPS)
  • Dashboard settings: system status, DNS pool status, cache overview, system info
  • In-flight coalescing (cache stampede prevention)
  • TSC timer (~1-5ns) for hot path timing
  • Separate listening ports for DoH and Admin UI

v0.7.0 — Security & Malware Detection

  • Login / authentication
  • HTTPS for Web UI
  • API Key / token system
  • DNS rate limiting (token bucket per subnet, slip TC=1, dry-run, NXDOMAIN budget)
  • DoS protection (TCP/DoT per-IP connection limiting, RAII guards)
  • DNS Tunneling Detection (two-phase: hot-path O(1) guard + background statistical analysis)
  • DGA Detection (Domain Generation Algorithm — entropy + n-gram + lexical analysis)
  • Response IP filtering (block known C2 IPs in DNS responses)
  • NXDomain hijack detection (detect ISP/upstream NXDOMAIN redirection)
  • Separate DoH and Admin UI ports

In Progress

v0.8.0 — Observability

  • Config export/import (backup and restore)
  • Query log export (CSV / JSON)
  • Prometheus metrics endpoint
  • OpenAPI / Swagger documentation

Planned

v1.0.0 — Production Ready

  • Security audit
  • Comprehensive test coverage (> 80%)
  • Production deployment guide
  • API v1 stable (no breaking changes)
  • Full documentation

v1.1.0 — Advanced Features

  • Time-based blocking (per blocklist and per domain)
  • Blocklist dry-run / simulation mode
  • Blocklist impact analysis
  • Per-blocklist hit stats (24h / 7d / 30d)
  • DDNS HTTP endpoint
  • ACME DNS-01 challenge endpoint
  • Split-horizon DNS (views)
  • Per-group upstream DNS
  • Webhook / push notifications
  • Audit log for configuration changes
  • WebSocket dashboard for real-time monitoring
  • Query anomaly detection
  • DoH bypass detection (detect malware using direct DoH to public resolvers)

RFC Compliance

| RFC | Topic | Status |
|---|---|---|
| RFC 1035 | DNS basics — A, AAAA, CNAME, MX, TXT, PTR | Done |
| RFC 6891 | EDNS0 OPT records | Done |
| RFC 7766 | DNS over TCP | Done |
| RFC 7858 | DNS-over-TLS (DoT) — server + upstream | Done |
| RFC 8484 | DNS-over-HTTPS (DoH) — server + upstream | Done |
| RFC 9250 | DNS-over-QUIC (DoQ) upstream | Done |
| RFC 9114 | HTTP/3 upstream | Done |
| RFC 4035 | DNSSEC validation | Done |
| PROXY Protocol v2 | PROXY Protocol v2 (HAProxy spec) | Done |
| RFC 7828 | edns-tcp-keepalive | Planned |

Version Summary

| Version | Focus | Status |
|---|---|---|
| v0.1.0 | Foundation — DNS + Cache + API | Done |
| v0.2.0 | Blocklist & Allowlist | Done |
| v0.3.0 | Advanced Features — DoQ, HTTP/3, Safe Search | Done |
| v0.4.0 | Parental Controls + Scheduling | Done |
| v0.5.0 | DoH/DoT server, PROXY Protocol v2, PTR auto-gen, Rebinding | Done |
| v0.6.x | Performance & Scale | Done |
| v0.7.0 | Security & Malware Detection — Auth, Rate Limiting, Tunneling Detection, DGA, C2 Blocking | Done |
| v0.8.0 | Observability — Prometheus, OpenAPI, Config export | In Progress |
| v1.0.0 | Production Ready — Security audit, > 80% coverage | Planned |
| v1.1.0 | Advanced — Split-horizon, Webhooks, DoH bypass detection | Planned |