v1.17.5 · MIT licensed · Production ready

A fast, safe DNS server. Written in Rust.

Recursive resolver, authoritative server, DNS-over-TLS, DNSSEC validation, and RPZ filtering — in a single static binary.

437,434 queries per second (cached, 50 clients)
32 µs average cached query latency
14.8× faster than the v1 baseline

What's inside

Everything a modern DNS server needs.

Recursive resolver

Full iterative resolution from root hints, with CNAME chain following and qname minimization.

Authoritative server

Serve zones from RFC 1035 zone files, or PostgreSQL with LISTEN/NOTIFY hot reload.

DNS-over-TLS

RFC 7858 encrypted DNS on port 853, via rustls. No OpenSSL dependency.

DNSSEC validation

Chain of trust verification from root trust anchors. Validated by default.

RPZ filtering

Block or redirect domains via Response Policy Zones. Ad blocking, malware filtering, parental controls.

Prometheus metrics

Per-listener QPS, cache hit rate, latency histograms — all exposed at /metrics.

Performance

1.3× faster than Unbound. In Rust.

rDNS handles 437K cached queries per second on commodity hardware, with average latency under 60 microseconds. The optimization journey from a naïve 29K-QPS baseline is documented step by step.

QPS, 50 cached clients, dnsperf 2.14:
rDNS: 437,434
Unbound: 335,813

Safety

Memory-safe by construction.

Written in Rust. No buffer overflows, no use-after-free, no double-frees — entire classes of CVEs eliminated at compile time. Privilege dropping after bind. FreeBSD Capsicum capability sandbox.

rustls for TLS — no OpenSSL exposure.

[security]
sandbox = true
rate_limit = 1000

[server]
user = "rdns"
group = "rdns"

Get rDNS running in 60 seconds.

Single static binary. TOML config. MIT licensed. Linux, FreeBSD, and macOS.