Self-hosted DNS sinkhole · forged in Rust

Burn the ads out of your DNS

Ferrite is a privacy-first resolver for home labs and small networks: encrypted upstreams, compiled blocklists, custom records, live stats, and a web UI that feels like an ops panel instead of a chore.

DoH / DoT / DoQ · SQLite-backed history · live in-memory stats · single binary

<1ms: cache-hit response path
144: 10-minute buckets in the 24h chart
0: SQLite reads for live summary polling
1: binary with server, API, DNS, and web UI

Network control

Fast under real household traffic

Ferrite keeps the hot path small: cached decisions, compiled blocklists, direct custom DNS answers, and encrypted upstream fallback when the request needs to leave your network.

Fast DNS cache

TTL-clamped LRU caching returns repeat lookups immediately and restores warm state after restart.

Smart blocklists

Hosts files, Adblock rules, plain domain lists, wildcards, whitelist, and blacklist controls merge into one fast lookup layer.

Encrypted upstreams

Plain DNS, DNS-over-HTTPS, DNS-over-TLS, and DNS-over-QUIC in one resolver pool with failover.

Custom DNS

Local A, AAAA, and CNAME records support exact and wildcard domains, so internal services get clean names.

Live stats

The dashboard summary is served from memory, safe to poll frequently, and includes counters, recent activity, and timeseries data.

REST-managed runtime

Settings, lists, custom records, auth, client aliases, updates, and query history are managed through the API without restarting the resolver.

Resolver pipeline

The shortest useful path

Ferrite resolves local records first, skips logging for configured noisy domains, blocks known bad traffic, and only then forwards to encrypted upstreams. That keeps the network calm and the UI honest.

Plain: UDP/TCP port 53
DoH: DNS over HTTPS
DoT: DNS over TLS
DoQ: DNS over QUIC

01. Client asks Ferrite (53/udp): Phones, laptops, TVs, containers, and servers point DNS at one local resolver.
02. Cache and local records answer first (<1ms): Hot domains and custom internal names resolve before anything leaves the LAN.
03. Blocklist policy decides (FST): Compiled lists, wildcard rules, whitelist, and blacklist decide allowed vs blocked.
04. Upstream pool handles misses (TLS): DoH, DoT, DoQ, or plain resolvers are used with round-robin and failover.
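
The decision order described above (local records, then list policy, then upstream), as an added Rust example that is not Ferrite's own code. The `Policy` type, the `*.suffix` wildcard syntax, and whitelist-over-block precedence are assumptions; caching, log skipping, and the upstream pool are left out.

```rust
use std::collections::{HashMap, HashSet};
use std::net::Ipv4Addr;
#[derive(Debug, PartialEq)]
enum Decision { Local(Ipv4Addr), Blocked, Forward }

// Hypothetical policy store; names here are assumptions, not Ferrite's types.
struct Policy {
    custom: HashMap<String, Ipv4Addr>, // exact names or "*.suffix" wildcards
    whitelist: HashSet<String>,
    blocked: HashSet<String>,          // blocklists and blacklist merged
}
// Lookup keys for a name: the exact name, then "*.parent" for each parent.
fn keys(qname: &str) -> Vec<String> {
    let name = qname.trim_end_matches('.').to_ascii_lowercase();
    let mut out = vec![name.clone()];
    let mut rest = name.as_str();
    while let Some((_, parent)) = rest.split_once('.') {
        out.push(format!("*.{}", parent));
        rest = parent;
    }
    out
}

fn decide(p: &Policy, qname: &str) -> Decision {
    let k = keys(qname);
    // 1. Custom local records answer first.
    if let Some(ip) = k.iter().find_map(|n| p.custom.get(n)) {
        return Decision::Local(*ip);
    }
    // 2. Whitelist beats any block rule (assumed precedence); 3. block rules
    //    sinkhole the name; 4. everything else goes to the upstream pool.
    let hit = |set: &HashSet<String>| k.iter().any(|n| set.contains(n));
    if !hit(&p.whitelist) && hit(&p.blocked) { Decision::Blocked } else { Decision::Forward }
}

// Constructed sample policy for the demonstration.
fn sample() -> Policy {
    fn set(v: &[&str]) -> HashSet<String> { v.iter().map(|s| s.to_string()).collect() }
    Policy {
        custom: HashMap::from([("*.lab.home".to_string(), Ipv4Addr::new(192, 168, 1, 10))]),
        whitelist: set(&["cdn.tracker.example"]),
        blocked: set(&["*.tracker.example", "ads.example.net"]),
    }
}

fn main() {
    for q in ["nas.lab.home", "ads.tracker.example", "cdn.tracker.example", "example.org."] {
        println!("{} -> {:?}", q, decide(&sample(), q));
    }
}
```

In this example a wildcard rule does not cover the apex name itself, so `*.tracker.example` blocks `ads.tracker.example` but not `tracker.example`.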

Web UI

Built for repeated use, not novelty

The UI mirrors the resolver: dense, readable, and live. Watch query volume, blocked traffic, client activity, custom DNS, blocklists, and settings from the same place.

Dashboard preview (http://fe.te): Total queries 14,523 · Blocked 3,210 · Cached 6,700

Install

One script, then point your network at it

The installer downloads the server and web UI release assets, prepares system paths, and sets up the service for systemd, OpenRC, or launchd where available. Prefer containers? Pull the image from GHCR instead.

Linux / macOS release install:
curl -fsSL https://raw.githubusercontent.com/syntlyx/ferrite-server/refs/heads/main/install.sh | sudo sh

Docker (ghcr.io):
docker run -d --name ferrite \
  --restart unless-stopped \
  -p 53:53/tcp -p 53:53/udp \
  -p 80:80/tcp \
  -v ferrite-data:/var/lib/ferrite \
  ghcr.io/syntlyx/ferrite-server:latest

Build from source:
cargo build --release
sudo cp target/release/ferrite /usr/local/bin/ferrite

Set a web UI password:
ferrite passwd

Default panel shortcut

Ferrite serves a built-in fe.te record that points to the detected local server address, so the panel is easy to find on the LAN.

Container image on GHCR

A small Alpine image is published to ghcr.io/syntlyx/ferrite-server. Mount /var/lib/ferrite so config, data, and updates survive restarts — an Unraid Community Apps template is available too.

Config stays small

User config lives at ~/.config/ferrite/config.toml; system-wide config lives at /etc/ferrite/config.toml.

UI updates are runtime-managed

The web UI can be updated through POST /api/update/web once Ferrite is running.