secure by design
how we built le_dns to protect your privacy and security.
architecture simplified overview
le_dns is built on a multi-layered architecture where each component has a specific role and limited scope. This separation of concerns minimizes attack surface and ensures that a compromise of one layer doesn't affect others.
YOUR DEVICE
│
┌──────────────────────────┼───────────────────────┐
│ │ │ │ │
:443/https :53/udp :53/tcp :853/tls :8853/quic
│ │ │ │ │
▼ └───────────┴───────────┴───────────┘
┌───────────────────┐ │
│ REVERSE PROXY │ ▼
│ │ ┌─────────────────────────────────┐
│ • tls terminate │ │ Secure DNS PROXY │
│ • http/2 │ │ │
│ • doh routing │ │ • rate limiting │
└─────────┬─────────┘ │ • ddos protection │
│ │ • query validation │
│ /dns-query │ • response caching │
└──────────────────►│ • dot/doq termination │
│ • any query blocking │
└────────────────┬────────────────┘
│
▼
┌─────────────────────────────────┐
│ RECURSIVE RESOLVER │
│ │
│ • dnssec validation │
│ • direct root queries │
│ • no upstream forwarding │
│ • response rate limiting │
└────────────────┬────────────────┘
│
▼
ROOT SERVERS
& AUTHORITATIVE NS
ddos & amplification protection
le_dns implements multi-layer protection against DDoS attacks, amplification abuse, and misuse. These limits are tuned for high-traffic legitimate users (corporate networks, ISP CGN) while blocking attacks.
DNS proxy (front-line):
Query filtering: ANY queries are blocked (primary amplification vector).
Burst limit: 1000 QPS per IP (10s window) - exceeded = DROP
Sustained limit: 500 QPS per IP (60s window) - exceeded = REFUSED
Dynamic blocking: >2000 QPS = 5 min block, NXDOMAIN floods = 1 min block
Resolver Response Rate Limiting (RRL):
Anti-amplification at the resolver level. Attackers spoofing source IPs get rate-limited collectively.
Responses: 50/sec per /24 (IPv4) or /48 (IPv6)
Slip: 1 in 2 dropped queries get TC=1 (forces TCP retry for legitimate clients)
NXDOMAIN limit: 20/sec per prefix (stops enumeration)
Absolute cap: 100/sec per prefix
Response caching:
Large cache reduces backend load and absorbs query spikes.
Max TTL: 24 hours | Min TTL: 30 seconds | Stale serving: 24 hours (if backend fails)
Why these values? A corporate network with hundreds of users behind NAT can query at 500 QPS sustained (~43 million queries/day) without issues. Only attack-level traffic triggers blocking.
traffic filtering
All incoming traffic passes through multiple filtering layers before reaching the resolver:
- Reverse proxy layer: Filters malformed HTTP requests, enforces TLS 1.2+, and handles protocol negotiation for DoH.
- DNS proxy layer: Enforces per-IP rate limits (sustained and burst), connection limits per client, and validates DNS query format.
- Query validation: Malformed or suspicious DNS queries are dropped before reaching the resolver.
- Version hiding: Software version and server ID are hidden to prevent fingerprinting.
- Zone transfer restrictions: AXFR/IXFR limited to authorized nameservers (ACL-based).
encryption everywhere
We support multiple encrypted DNS protocols to ensure your queries can't be intercepted:
- DNS-over-HTTPS (DoH/DoH3): Queries encrypted via HTTPS/HTTP3 on port 443.
- DNS-over-TLS (DoT): Dedicated encrypted channel on port 853.
- DNS-over-QUIC (DoQ): Modern protocol with reduced latency on port 8853.
- DNSCrypt: Fast, secure, and authenticated DNS on port 8443.
- Oblivious DoH (ODoH): Ensures we cannot see both your IP and your query.
- DNSSEC validation: All responses are validated against DNSSEC signatures when available.
All TLS connections use modern cipher suites with TLS 1.2 minimum. Certificates are automatically renewed and monitored.
privacy & gdpr compliance
As a European service, we take GDPR seriously. Here's how we protect your privacy:
IP truncation (pseudonymization) at the edge:
IP addresses are truncated (pseudonymized) before any logging occurs. This is not full anonymization—it's pseudonymization per GDPR Article 4(5), meaning the data is still considered personal data but with significantly reduced identifiability.
What we truncate:
- IPv4:
192.168.123.45→192.168.0.0(/16 prefix) - IPv6: First 48 bits kept, remaining 80 bits zeroed (/48 prefix)
Where truncation happens: At the Traefik reverse proxy (DoH/HTTPS traffic) and dnsdist proxy (DNS/DoT/DoQ traffic), meaning backend services never see your full IP.
Why not full anonymization? /16 and /48 prefixes can still identify organizations or ISPs, so we're legally accurate by calling it pseudonymization. We're honest about what we do—no marketing fluff.
- No query logging: We don't log what domains you resolve. Period.
- No user tracking: No cookies, no fingerprinting, no analytics on DNS queries.
- European hosting: All servers are located in the European Union (France, Germany).
- No third-party data sharing: Your data is never sold, shared, or transferred to third parties.
- Data retention: Operational logs (for abuse prevention) retained for 7 days; aggregated metrics for 31 days.
- Your GDPR rights: For full privacy policy and data subject rights, see Privacy Policy.
no forwarding, true recursion
Unlike many DNS services that forward your queries to upstream providers (Google, Cloudflare, etc.), le_dns performs true recursive resolution:
- We query root DNS servers directly.
- We follow the delegation chain ourselves.
- No queries are ever forwarded to third-party resolvers.
- This means no external party sees your DNS queries.
Why this matters:
When a DNS service forwards queries, the upstream provider sees all your DNS traffic. By performing true recursion, we ensure that only the authoritative servers for each domain see the query for their specific domain - and they only see our server's IP, not yours.
high availability & redundancy
le_dns runs on multiple independent servers across different locations:
- Geographic distribution: Servers in multiple European data centers.
- DNS round-robin: Traffic is distributed across all servers.
- Independent operation: Each server can operate independently if others fail.
- Automatic failover: Unhealthy servers are automatically removed from rotation.
built on open source
We trust what we can verify:
- Our infrastructure is built entirely on open-source software.
- We use industry-standard, battle-tested components.
- No proprietary black boxes.
- No vendor lock-in.
Every component in our stack is open source, audited by the community, and trusted by thousands of organizations worldwide.
what we don't do
For complete transparency, here's what we explicitly don't do:
- We don't log your queries or build browsing profiles.
- We don't inject ads or modify DNS responses.
- We don't sell data to advertisers or data brokers.
- We don't comply with censorship requests (we're not required to by law as a non-ISP).
- We don't use CDN providers that might log your traffic.
- We don't partner with surveillance companies.
contact & reports
If you discover a security vulnerability or have concerns about our practices:
- Security issues: security@ledns.eu
- Privacy concerns: privacy@ledns.eu
- General support: support@ledns.eu