secure by design
how we built le_dns to protect your privacy and security.
architecture: high-level & simplified overview
le_dns is built on a multi-layered architecture where each component has a specific role and limited scope. This separation of concerns minimizes attack surface and ensures that a compromise of one layer doesn't affect others.
                               YOUR DEVICE
                                    │
          ┌────────────┬────────────┼────────────┬────────────┐
          │            │            │            │            │
     :443/https     :53/udp      :53/tcp     :853/tls    :8853/quic
          │            │            │            │            │
          ▼            └────────────┴─────┬──────┴────────────┘
┌───────────────────┐                     │
│   REVERSE PROXY   │                     ▼
│                   │    ┌─────────────────────────────────┐
│  • tls terminate  │    │        Secure DNS PROXY         │
│  • http/2         │    │                                 │
│  • doh routing    │    │  • rate limiting                │
└─────────┬─────────┘    │  • ddos protection              │
          │              │  • query validation             │
          │ /dns-query   │  • response caching             │
          └─────────────►│  • dot/doq termination          │
                         │  • any query blocking           │
                         └────────────────┬────────────────┘
                                          │
                                          ▼
                         ┌─────────────────────────────────┐
                         │       RECURSIVE RESOLVER        │
                         │                                 │
                         │  • dnssec validation            │
                         │  • direct root queries          │
                         │  • no upstream forwarding       │
                         │  • response rate limiting       │
                         └────────────────┬────────────────┘
                                          │
                                          ▼
                                    ROOT SERVERS
                                 & AUTHORITATIVE NS
ddos & amplification protection
le_dns implements multi-layer protection against DDoS attacks, amplification abuse, and misuse. The limits are tuned so that high-traffic legitimate users (corporate networks, ISP carrier-grade NAT) stay within them while attack-level traffic is blocked.
DNS proxy (front-line):
- Query filtering: ANY queries are blocked (the primary amplification vector).
- Burst limit: 1000 QPS per IP (10 s window); when exceeded, queries are dropped (DROP).
- Sustained limit: 500 QPS per IP (60 s window); when exceeded, queries are answered with REFUSED.
- Dynamic blocking: more than 2000 QPS triggers a 5 minute block; NXDOMAIN floods trigger a 1 minute block.
Resolver Response Rate Limiting (RRL):
Anti-amplification at the resolver level. Because the limits apply per source prefix, attackers spoofing source IPs within one prefix get rate-limited collectively.
- Responses: 50/sec per /24 (IPv4) or /48 (IPv6)
- Slip: every second rate-limited response is sent truncated (TC=1) instead of being dropped; a legitimate client retries over TCP, while a truncated reply is too small to be useful for amplification.
- NXDOMAIN limit: 20/sec per prefix (stops enumeration)
- Absolute cap: 100/sec per prefix
Response caching (500k entries):
A large cache reduces backend load and absorbs query spikes.
- Max TTL: 24 hours
- Min TTL: 60 seconds
- Stale serving: 24 hours (if the backend fails)
Why these values? A corporate network with hundreds of users behind NAT can query at 500 QPS sustained (~43 million queries/day) without issues. Only attack-level traffic triggers blocking.
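To make the interplay of these limits concrete, here is an added Python example (not le_dns's own code; the page does not publish an implementation) that applies the thresholds above to a stream of timestamped queries: the front-line per-IP limiter with DROP, REFUSED and the dynamic block, and the resolver-side RRL counted per /24 or /48 prefix with slip and the absolute cap. It assumes a 10 second window behind the ">2000 QPS" trigger and treats a "blocked" ANY query as silently dropped; both are assumptions, and the client addresses in the demo functions are constructed documentation-range values.

```python
"""Front-line per-IP limits and resolver RRL using the thresholds stated on the page.
Added example, not le_dns code; the 10 s window behind the >2000 QPS trigger and the
silent drop for ANY are assumptions."""
from collections import Counter, defaultdict, deque
import ipaddress

BURST_QPS, BURST_WINDOW = 1000, 10           # exceeded -> DROP
SUSTAINED_QPS, SUSTAINED_WINDOW = 500, 60    # exceeded -> REFUSED
BLOCK_QPS, BLOCK_SECONDS = 2000, 300         # >2000 QPS -> 5 min block (window assumed = 10 s)
QTYPE_ANY = 255
RRL_ANSWERS, RRL_NXDOMAIN, RRL_ALL, RRL_SLIP = 50, 20, 100, 2   # per second, per client prefix

def _prune(dq, now, window):
    """Discard timestamps older than `window` seconds; deques keep this amortised O(1)."""
    while dq and dq[0] <= now - window:
        dq.popleft()

class FrontLineLimiter:
    """DNS proxy layer: ANY blocking, burst/sustained limits and dynamic blocking per IP."""

    def __init__(self):
        self.burst = defaultdict(deque)       # ip -> query timestamps in the last 10 s
        self.sustained = defaultdict(deque)   # ip -> query timestamps in the last 60 s
        self.blocked_until = {}               # ip -> time at which its dynamic block expires

    def decide(self, ip, qtype, now):
        if qtype == QTYPE_ANY:
            return "DROP"                     # assumption: "blocked" means no reply at all
        if self.blocked_until.get(ip, 0.0) > now:
            return "DROP"
        b, s = self.burst[ip], self.sustained[ip]
        b.append(now)
        s.append(now)
        _prune(b, now, BURST_WINDOW)
        _prune(s, now, SUSTAINED_WINDOW)
        if len(b) > BLOCK_QPS * BURST_WINDOW:     # window average above 2000 QPS
            self.blocked_until[ip] = now + BLOCK_SECONDS
            return "DROP"
        if len(b) > BURST_QPS * BURST_WINDOW:
            return "DROP"                     # silent: no amplification, no feedback
        if len(s) > SUSTAINED_QPS * SUSTAINED_WINDOW:
            return "REFUSED"                  # a visible error for a heavy but real client
        return "PASS"

class ResponseRateLimiter:
    """Resolver RRL: replies counted per /24 (IPv4) or /48 (IPv6) client prefix."""

    def __init__(self):
        self.sent = defaultdict(deque)   # (prefix, kind) -> reply timestamps in the last 1 s
        self.limited = Counter()         # (prefix, kind) -> rate-limited replies, drives the slip

    @staticmethod
    def prefix(ip):
        addr = ipaddress.ip_address(ip)
        bits = 24 if addr.version == 4 else 48
        return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))

    def decide(self, client_ip, rcode, now):
        pfx = self.prefix(client_ip)
        kind = "nxdomain" if rcode == "NXDOMAIN" else "answer"
        limit = RRL_NXDOMAIN if kind == "nxdomain" else RRL_ANSWERS
        bucket, total = self.sent[(pfx, kind)], self.sent[(pfx, "all")]
        _prune(bucket, now, 1.0)
        _prune(total, now, 1.0)
        if len(total) >= RRL_ALL:
            return "DROP"                # absolute cap: nothing more leaves toward this prefix
        if len(bucket) < limit:
            bucket.append(now)
            total.append(now)
            return "SEND"
        self.limited[(pfx, kind)] += 1
        if self.limited[(pfx, kind)] % RRL_SLIP == 0:
            total.append(now)            # a truncated reply still counts against the cap
            return "TRUNCATE"            # TC=1: a real client retries over TCP, a spoofer gains nothing
        return "DROP"

def simulate(limiter, args, n, interval, start=0.0):
    """Feed n queries with fixed `args`, spaced `interval` seconds apart; return decision counts."""
    return Counter(limiter.decide(*args, start + i * interval) for i in range(n))

def demo_frontline():
    """Constructed traffic: a 20001-query flood inside 10 s, then 500 QPS sustained for 57 s."""
    fl = FrontLineLimiter()
    flood = simulate(fl, ("198.51.100.7", 1), 20001, 10 / 20001)
    during_block = fl.decide("198.51.100.7", 1, 60.0)
    after_block = fl.decide("198.51.100.7", 1, 320.0)
    steady = simulate(FrontLineLimiter(), ("198.51.100.8", 1), 30001, 0.0019)
    return {"flood": dict(flood), "during_block": during_block, "after_block": after_block, "steady": dict(steady)}

def demo_rrl():
    """Constructed traffic: 60 answers and 25 NXDOMAINs toward 203.0.113.0/24 within one second."""
    rrl = ResponseRateLimiter()
    answers = Counter(rrl.decide(f"203.0.113.{i}", "NOERROR", i * 0.001) for i in range(1, 61))
    other = rrl.decide("203.0.114.5", "NOERROR", 0.06)
    nx = Counter(rrl.decide(f"203.0.113.{i}", "NXDOMAIN", 0.1 + i * 0.001) for i in range(1, 26))
    return {"answers": dict(answers), "other_prefix": other, "nxdomain": dict(nx)}
```

demo_frontline() shows the three regimes side by side: the flooding client passes its first 10000 queries, is silently dropped for the next 10000, trips the dynamic block on the 20001st, is still dropped at t = 60 s and passes again at t = 320 s once the block has expired; the client holding exactly 500 QPS only sees REFUSED on the single query that pushes its 60 second average over the limit. demo_rrl() shows why per-prefix counting matters: 60 different source addresses in one /24 share one budget of 50 replies, the ten excess replies alternate between drop and TC=1, and a neighbouring /24 is unaffected.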
traffic filtering
All incoming traffic passes through multiple filtering layers before reaching the resolver:
- Reverse proxy layer: Filters malformed HTTP requests, enforces TLS 1.2+, and handles protocol negotiation for DoH.
- DNS proxy layer: Enforces per-IP rate limits (sustained and burst), connection limits per client, and validates DNS query format.
- Query validation: Malformed or suspicious DNS queries are dropped before reaching the resolver.
- Version hiding: Software version and server ID are hidden to prevent fingerprinting.
- Zone transfer restrictions: AXFR/IXFR limited to authorized nameservers (ACL-based).
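The query-validation step can be illustrated with an added Python example (not le_dns code) that checks a raw UDP payload against the DNS wire format before it would be handed to the resolver: header size and flags, exactly one question with sane label lengths and no compression pointers, the IN class, no trailing bytes, and the ANY type blocked. The 512-byte upper bound and the choice to drop rather than answer REFUSED are assumptions; build_query only constructs test input.

```python
"""Wire-format validation of an inbound UDP DNS query, as the DNS proxy layer would do it
before anything reaches the resolver. Added example, not le_dns code; the 512-byte bound
is an assumption."""
import struct

QTYPE_ANY = 255
MAX_LABEL, MAX_NAME, MAX_QUERY = 63, 255, 512
FLAG_QR = 0x8000


def build_query(name, qtype, txid=0x1234, flags=0x0100, qdcount=1):
    """Constructed test input: a standard query (RD set) for `name`; no EDNS OPT record."""
    header = struct.pack("!HHHHHH", txid, flags, qdcount, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def validate_query(pkt):
    """Return ("pass", qname, qtype) or ("drop", reason) for a raw UDP payload."""
    if len(pkt) < 12:
        return ("drop", "short header")
    if len(pkt) > MAX_QUERY:
        return ("drop", "oversized query")
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & FLAG_QR:
        return ("drop", "QR set: a response, not a query")
    if (flags >> 11) & 0xF != 0:
        return ("drop", "opcode is not QUERY")
    if qd != 1 or an or ns or ar > 1:            # ar may be 1 for an EDNS OPT record
        return ("drop", "unexpected section counts")
    pos, labels, total = 12, [], 0
    while True:
        if pos >= len(pkt):
            return ("drop", "truncated name")
        ln = pkt[pos]
        if ln == 0:
            pos += 1
            break
        if ln > MAX_LABEL:                       # also catches compression pointers (0xC0..)
            return ("drop", "bad label length or compression pointer in question")
        total += ln + 1
        if total + 1 > MAX_NAME:                 # +1 for the terminating root label
            return ("drop", "name too long")
        label = pkt[pos + 1:pos + 1 + ln]
        if len(label) != ln:
            return ("drop", "truncated label")
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + ln
    if len(pkt) < pos + 4:
        return ("drop", "truncated question")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    if ar == 0 and len(pkt) != pos + 4:          # with ar == 1 an OPT record follows (not parsed here)
        return ("drop", "trailing bytes after question")
    if qclass != 1:
        return ("drop", "class is not IN")
    if qtype == QTYPE_ANY:
        return ("drop", "ANY blocked: primary amplification vector")
    return ("pass", ".".join(labels) + ".", qtype)


def demo():
    """Run the validator over constructed good and bad queries; return name -> verdict."""
    good = build_query("example.com", 1)
    cases = {
        "a_query": good,
        "any_query": build_query("example.com", QTYPE_ANY),
        "truncated": good[:20],
        "response_as_query": build_query("example.com", 1, flags=0x8180),
        "two_questions": build_query("example.com", 1, qdcount=2),
        "long_label": build_query("a" * 70 + ".com", 1),
        "trailing_junk": good + b"\x00" * 4,
    }
    return {name: validate_query(pkt)[0] for name, pkt in cases.items()}
```

Every rejection returns a reason string, which is what an operator wants in the proxy's (anonymized) abuse counters: a spike in "truncated name" or "compression pointer" rejections looks very different from a spike in ANY queries, and the two call for different responses.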
encryption everywhere
We support multiple encrypted DNS protocols to ensure your queries can't be intercepted:
- DNS-over-HTTPS (DoH): Queries encrypted via HTTPS on port 443, indistinguishable from regular web traffic.
- DNS-over-TLS (DoT): Dedicated encrypted channel on port 853.
- DNS-over-QUIC (DoQ): Modern protocol with reduced latency on port 8853.
- DNSSEC validation: All responses are validated against DNSSEC signatures when available.
All TLS connections use modern cipher suites with TLS 1.2 minimum. Certificates are automatically renewed and monitored.
gdpr compliance
As a European service, we take GDPR seriously. Here's how we comply:
IP anonymization at the edge:
IP addresses are anonymized before any logging occurs. For IPv4, we keep only the first two octets (192.168.x.x becomes 192.168.0.0). For IPv6, we keep only the first 48 bits. This happens at the reverse proxy level, meaning the actual resolver never sees your real IP.
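As an added illustration (not le_dns code), the following Python function performs exactly that truncation and rewrites the client field of a constructed access-log line before it would be written. It also handles IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), which a dual-stack listener can report for IPv4 clients and which would otherwise be truncated as if they were IPv6; the log-line format is a placeholder, not the format le_dns uses.

```python
"""Edge-side IP anonymization as the page describes it: IPv4 keeps the first two octets
(/16), IPv6 the first 48 bits. Added example, not le_dns code; the access-log format is
a constructed placeholder."""
import ipaddress


def anonymize(ip):
    """Truncate a client address before it is ever written anywhere."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:a.b.c.d from a dual-stack socket is really IPv4
    bits = 16 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False).network_address)


def anonymize_log_line(line):
    """Rewrite the leading client-address field of a (constructed) proxy access-log line."""
    client, _, rest = line.partition(" ")
    return f"{anonymize(client)} {rest}"


SAMPLE_LOG = [   # constructed sample lines with documentation-range addresses, not real traffic
    '203.0.113.77 - - [01/Jan/2024:12:00:00 +0000] "POST /dns-query HTTP/2" 200 93',
    '2001:db8:abcd:1234::1 - - [01/Jan/2024:12:00:01 +0000] "POST /dns-query HTTP/2" 200 61',
    '::ffff:198.51.100.9 - - [01/Jan/2024:12:00:02 +0000] "POST /dns-query HTTP/2" 200 80',
]


def anonymized_sample():
    """Anonymize the constructed sample lines; only the truncated form would reach disk."""
    return [anonymize_log_line(l) for l in SAMPLE_LOG]
```

A /16 for IPv4 and a /48 for IPv6 leave enough to spot an abusive network for the 7-day operational logs mentioned below while no longer identifying an individual host.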
- No query logging: We don't log what domains you resolve. Period.
- No user tracking: No cookies, no fingerprinting, no analytics on DNS queries.
- European hosting: All servers are located in the European Union (France, Germany).
- No third-party data sharing: Your data is never sold, shared, or transferred to third parties.
- Minimal data retention: Anonymized operational logs (for abuse prevention) are retained for 7 days maximum.
no forwarding, true recursion
Unlike many DNS services that forward your queries to upstream providers (Google, Cloudflare, etc.), le_dns performs true recursive resolution:
- We query root DNS servers directly.
- We follow the delegation chain ourselves.
- No queries are ever forwarded to third-party resolvers.
- This means no external party sees your DNS queries.
Why this matters:
When a DNS service forwards queries, the upstream provider sees all your DNS traffic. By performing true recursion, we ensure that only the authoritative servers for each domain see the query for their specific domain - and they only see our server's IP, not yours.
high availability & redundancy
le_dns runs on multiple independent servers across different locations:
- Geographic distribution: Servers in multiple European data centers.
- DNS round-robin: Traffic is distributed across all healthy servers.
- Independent operation: Each server can operate independently if others fail.
- Automatic failover: Unhealthy servers are automatically removed from rotation.
built on open source
We trust what we can verify:
- Our infrastructure is built entirely on open-source software.
- We use industry-standard, battle-tested components.
- No proprietary black boxes.
- No vendor lock-in.
Every component in our stack is open source, audited by the community, and trusted by thousands of organizations worldwide.
what we don't do
For complete transparency, here's what we explicitly don't do:
- We don't log your queries or build browsing profiles.
- We don't inject ads or modify DNS responses.
- We don't sell data to advertisers or data brokers.
- We don't comply with censorship requests (we're not required to by law as a non-ISP).
- We don't use CDN providers that might log your traffic.
- We don't partner with surveillance companies.
contact & reports
If you discover a security vulnerability or have concerns about our practices:
- Security issues: security@ledns.eu
- Privacy concerns: privacy@ledns.eu
- General support: support@ledns.eu