self-hosted DNS sinkhole - written in Rust

Ferrite

Privacy-first DNS for home labs and small networks: encrypted upstreams, smart blocklists, custom records, live stats, and a web UI that feels like an ops panel instead of a chore.

DoH / DoT / DoQ, SQLite-backed history, live in-memory stats, single server binary

<1 ms - cache-hit response path
144 - 10-minute buckets in the 24h chart
0 - SQLite reads for live summary polling
1 - server, API, DNS, and web runtime

Network control

DNS protection that stays fast under real household traffic.

Ferrite keeps the hot path small: cached decisions, compiled blocklists, direct custom DNS answers, and encrypted upstream fallback when the request needs to leave your network.

Fast DNS cache

TTL-clamped LRU caching returns repeat lookups immediately and restores warm state after restart.

Smart blocklists

Hosts files, Adblock rules, plain domain lists, wildcards, whitelist, and blacklist controls are merged into a fast lookup layer.

Encrypted upstreams

Use plain DNS, DNS-over-HTTPS, DNS-over-TLS, and DNS-over-QUIC in one resolver pool with failover.

Custom DNS

Local A, AAAA, and CNAME records support exact and wildcard domains, so internal services get clean names.

Live stats

The dashboard summary is served from memory, safe to poll frequently, and includes counters, recent activity, and timeseries data.

REST-managed runtime

Settings, lists, custom records, auth, client aliases, updates, and query history are managed through the API without restarting the resolver.

Resolver pipeline

Every request takes the shortest useful path.

Ferrite resolves local records first, skips logging for configured noisy domains, blocks known bad traffic, and only then forwards to encrypted upstreams. That keeps the network calm and the UI honest.

Plain - UDP/TCP port 53
DoH - DNS over HTTPS
DoT - DNS over TLS
DoQ - DNS over QUIC

01 Client asks Ferrite (53/udp)
Phones, laptops, TVs, containers, and servers point DNS at one local resolver.

02 Cache and local records answer first (<1 ms)
Hot domains and custom internal names resolve before anything leaves the LAN.

03 Blocklist policy decides (FST)
Compiled lists, wildcard rules, whitelist, and blacklist decide allowed vs blocked.

04 Upstream pool handles misses (TLS)
DoH, DoT, DoQ, or plain resolvers are used with round-robin and failover.
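
The lookup order described above, as an added sketch that is not Ferrite's own code: custom records first, then list policy, then the upstream pool. The Policy type, the wildcard rule (a "*.suffix" entry matches any subdomain but not the suffix itself), whitelist precedence over block entries, and the hash-set lookup standing in for the compiled lists are assumptions; the cache and the noisy-domain log skip are left out.

```rust
use std::{collections::{HashMap, HashSet}, net::Ipv4Addr};

#[derive(Debug, PartialEq)]
enum Decision {
    Local(Ipv4Addr), // answered from a custom record, never leaves the LAN
    Blocked,         // sinkholed by list policy
    Forward,         // handed to the upstream pool
}
struct Policy {
    local: HashMap<String, Ipv4Addr>, // custom A records, exact or "*.suffix"
    whitelist: HashSet<String>,
    blocked: HashSet<String>, // merged blocklists plus blacklist
}
// Lookup keys for a name: the exact name, then "*.parent" for every parent.
fn candidates(name: &str) -> Vec<String> {
    let name = name.trim_end_matches('.').to_ascii_lowercase();
    let wild = name.match_indices('.').map(|(i, _)| format!("*{}", &name[i..]));
    std::iter::once(name.clone()).chain(wild).collect()
}

impl Policy {
    fn decide(&self, name: &str) -> Decision {
        let keys = candidates(name);
        if let Some(ip) = keys.iter().find_map(|k| self.local.get(k)) {
            return Decision::Local(*ip); // local records answer first
        }
        if keys.iter().any(|k| self.whitelist.contains(k)) {
            return Decision::Forward; // assumed: whitelist beats block entries
        }
        if keys.iter().any(|k| self.blocked.contains(k)) {
            return Decision::Blocked;
        }
        Decision::Forward // nothing matched: upstream pool
    }
}
fn set(v: &[&str]) -> HashSet<String> { v.iter().map(|s| s.to_string()).collect() }
// Constructed sample data, not taken from any real list.
fn sample_policy() -> Policy {
    Policy {
        local: HashMap::from([("*.lab.home.arpa".to_string(), Ipv4Addr::new(192, 168, 1, 10))]),
        whitelist: set(&["cdn.tracker.example"]),
        blocked: set(&["*.tracker.example", "ads.example"]),
    }
}

fn main() {
    for q in ["nas.lab.home.arpa", "Ads.Tracker.Example.", "cdn.tracker.example", "example.org"] {
        println!("{} -> {:?}", q, sample_policy().decide(q));
    }
}
```

Because names are lowercased and the trailing dot is stripped before matching, a query cannot slip past a block entry by changing case or using the fully qualified form.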

Web UI

A dashboard built for repeated use, not novelty.

The UI mirrors the resolver: dense, readable, and live. Watch query volume, blocked traffic, client activity, custom DNS, blocklists, and settings from the same place.

http://fe.te
Total queries: 14,523
Blocked: 3,210
Cached: 6,700

Install

One script, then point your network at Ferrite.

The installer downloads the server and web UI release assets, prepares system paths, and sets up the service for systemd, OpenRC, or launchd where available.

Linux / macOS release install:

    curl -fsSL https://raw.githubusercontent.com/syntlyx/ferrite-server/refs/heads/main/install.sh | sudo sh

Build from source:

    cargo build --release
    sudo cp target/release/ferrite /usr/local/bin/ferrite

Set a web UI password:

    ferrite passwd

Default panel shortcut

Ferrite serves a built-in fe.te record that points to the detected local server address, so the panel is easy to find on the LAN.

Config stays small

User config lives at ~/.config/ferrite/config.toml; system-wide config lives at /etc/ferrite/config.toml.

UI updates are runtime-managed

The web UI can be updated through POST /api/update/web once Ferrite is running.