NEW: CortexDNS v3.0 — 3-Node Active-Active Production Cluster with Consensus-Based Failover
Enterprise-grade DNS Security Platform

Enterprise DNS Security at 20,000 QPS per Node

CortexDNS is a cluster-native DNS security platform built on one purpose-built engine. Filtering, encrypted DNS, rate limiting and replicated failover are delivered in a single binary — measured at 20,000 queries per second with sub-millisecond latency.

20,000 QPS per node, measured
0.5 ms average resolve latency
3-Node Active-Active production cluster, automatic failover
[Dashboard preview (cortexdns.local/dashboard): Total Queries 1,247,832 (+12.4%); Blocked 48,291 (3.87%); Clients 342 (+8)]

The Challenge

DNS is your network's Achilles heel

Over 90% of malware uses DNS for command and control. Traditional firewalls can't see it. Your security stack has a massive blind spot, and attackers know it.

  • 91% of malware uses DNS to communicate
  • $4.2M average cost of a data breach
  • 287 days average time to identify a breach

[Diagram: Your Network, with threats labelled Phishing, Malware C2, Data Exfil, DNS Tunnel, Ransomware]

Capabilities

One purpose-built engine. Every DNS capability.

A single high-performance engine delivers filtering, encrypted DNS, rate limiting and replicated failover. Optional modules add authoritative DNS, observability and incident response without enlarging the attack surface.

Threat Filtering Engine

Network-wide ad blocking and threat filtering. Manage blocklists, allowlists, and client groups through a unified dashboard.

  • Custom blocklist and allowlist management
  • Client and group-based filtering
  • Query log with search and export
  • Real-time blocking statistics

Analytics & Reporting

Deep visibility into DNS traffic patterns. Identify anomalies, track trends, and generate compliance reports.

  • Real-time query analytics dashboard
  • Top clients, domains, and query types
  • Trend analysis and anomaly detection
  • Scheduled reports and alerts

Audit Logging

Complete audit trail for compliance and forensics. Track every configuration change with user attribution and timestamps.

  • Comprehensive change logging
  • User action attribution
  • Retention policies and archival
  • SIEM integration support

Multi-tenancy

Isolate environments for different teams, departments, or customers. Role-based access control with granular permissions.

  • Tenant isolation and segregation
  • Custom RBAC policies
  • Delegated administration
  • Per-tenant quotas and limits

REST API & Automation

Every console action is also an API call. Automate zone changes, policy updates, intelligence sync, and audit export — wire CortexDNS into the rest of your platform without compromise.

  • Full OpenAPI 3.0 specification, machine-generated
  • Token and OIDC authentication with role-scoped access
  • Webhook delivery for events and alerts
  • Cluster-aware — calls route to the active leader

Two-Factor Authentication

Secure your DNS management with TOTP-based two-factor authentication. Protect admin accounts from unauthorized access.

  • TOTP authenticator support
  • QR code setup wizard
  • Backup recovery codes
  • Per-user 2FA enforcement

Compliance Reports

Generate detailed compliance and audit reports for regulatory requirements. Export in multiple formats for stakeholders.

  • DNS query audit trails
  • Security compliance reports
  • PDF and CSV export
  • Scheduled report delivery
Optional Module

Authoritative DNS

Activate the optional authority module to run CortexDNS as your primary authoritative DNS. Manage zones and records, automate DNSSEC, and migrate from legacy DNS servers — all through the same console.

  • Zone and record management with bulk operations
  • SOA, NS, A, AAAA, CNAME, MX, TXT, SRV record support
  • Automated migration from legacy DNS deployments
  • Opt-in deployment profile — disabled by default
New in v2.7

Guided Setup & First-Run Wizard

New deployments are walked through a three-step wizard: welcome, intelligence configuration, and confirmation. Existing installs upgrade safely — the wizard auto-marks completed and never reappears.

  • Three-step first-run experience
  • Upgrade-safe — no wizard on existing installs
  • Threat intelligence connection validated in-flight
  • Defaults tuned for production from the first request
New in v1.3

DNSSEC Key Management

Full DNSSEC key lifecycle management through an intuitive UI. Create, rotate, and manage cryptographic keys with ease.

  • KSK, ZSK, CSK key support
  • Key rotation workflow
  • DS record generation for registrar
  • Algorithm selection (ED25519, ECDSA, RSA)
New in v1.3

Zone File Import

Import DNS records from industry-standard zone files with drag-and-drop simplicity. Preview and validate every record before applying changes — no surprises in production.

  • Drag & drop file upload or paste-as-text
  • Record preview with validation and error report
  • RFC-compliant directive support (TTL, ORIGIN, includes)
  • Atomic apply — rollback on validation failure
New in v1.2

CortexDNS Threat Intelligence

Continuously updated domain classification, algorithmically generated domain (DGA) detection, and per-query risk scoring. Every query decision carries category and confidence — surfaced in the dashboard, Query Log and block page.

  • Domain classification with category & confidence
  • Algorithmically generated domain (DGA) detection
  • Per-query risk scoring with policy hooks
  • Offline-resilient — local cache survives upstream outage
New in v1.1

Alerts & Notifications

Stay informed with configurable alerts and notifications. Get notified via email or webhook when threats are detected.

  • Email notifications
  • Webhook integration
  • Custom alert rules
  • Threshold-based triggers
New in v1.1

SIEM Integration

Forward DNS logs to your SIEM platform for centralized security monitoring. Syslog and webhook formats supported.

  • Syslog forwarding
  • JSON webhook format
  • Configurable log levels
  • Real-time event streaming
New in v1.2

Block Page

Custom block pages with category information. Users see why a domain was blocked instead of a generic error.

  • Category-aware block pages
  • Custom branding support
  • Request unblock workflow
  • Multi-language support
New in v2.7

DNSSEC Visibility & Validation

Every resolved query is classified as SECURE, INSECURE or UNKNOWN and surfaced in the dashboard donut and Query Log chip column. Engine-side validation with trust-anchor configuration ships in the same release.

  • Per-query SECURE / INSECURE / UNKNOWN classification
  • Dashboard donut + Query Log chip column, default-on
  • Engine-side validation with configurable trust anchors
  • Strict-mode policy hook for compliance-bound zones
v3.0

3-Node Active-Active Cluster

Every node serves both DNS and management traffic in parallel — no idle standby. Embedded consensus runs in-process for primary election and automatic failover; an upstream load balancer fronts the cluster with SSL offload or own-certificate modes.

  • Built-in consensus for database HA — no external coordination service required
  • Embedded identity provider with cross-node session replication
  • Sub-second DNS failover via load-balancer health monitor
  • Sub-30-second recovery, no operator intervention required
New in v2.6

Minimal Core, Modular Deployment

A lean security-first core boots in minutes. Optional capabilities — DNS authority, observability, incident response, reporting — activate on demand without rebuilding.

  • Single command to start the security core
  • Opt-in modules via deployment profiles
  • Bring-your-own-SIEM friendly
  • Smaller attack surface, faster upgrades
New in v2.3

Offline Threat Protection

Stay protected even when your internet connection drops. CortexDNS syncs threat intelligence locally for uninterrupted DNS security.

  • Local threat intelligence cache
  • Automatic hourly sync
  • Seamless offline/online transition
  • Zero-gap protection guarantee
Changelog

What's New

Latest features and improvements in CortexDNS

v3.0 Latest

3-Node Active-Active Production Cluster

  • Live Multi-Host Cluster - True Active-Active across three hosts; every node serves DNS and management traffic in parallel, no standby idle
  • Embedded Database HA - Built-in consensus (no external coordination service) for primary election, automatic failover and replica catch-up with point-in-time precision
  • Clustered Identity Provider - Session state replicated across all nodes; user logins survive node loss without re-authentication
  • Load Balancer Front-End - First-class SSL offload and own-certificate modes for enterprises with existing load-balancer investments; sticky-session profile ships for the identity flow
  • Sub-Second DNS Failover - Health-monitored DNS pool drops failed members in under a second; resolver clients see zero outage
  • Per-Node Backup Sidecar - Nightly logical backup runs on the current database leader; optional NAS push for off-host retention
  • Cluster Bootstrap Wizard - Single script per node validates peers, opens firewall rules, generates load-balancer config and brings the stack up idempotently
v2.8

Database Engine Upgrade, Branding & Customer Hardening

  • Database Engine Upgrade - Maintenance-window upgrade playbook with verified backup + parity check; DNS plane unaffected during database cutover
  • Cluster-Aware Server Image - All deployment endpoints are environment-driven; multi-host installs need only operator-supplied IPs, never internal defaults
  • Default Blocklist Seeder - First-run pulls a curated bundle (Turkish national, malware, ads, tracker, threat intel) so the engine starts blocking immediately
  • Branding Panel - Operators upload their own logo for the login page and main console — white-label deployments without code changes
  • Universal Blocklist Distribution - Existing DNS-sinkhole estates can subscribe to CortexDNS blocklists in the standard hosts format; token-based short URL keeps API keys out of the client config
  • Setup Wizard Polish - Mail server, time service and branding now part of the guided flow; existing installs preserved on upgrade
  • One-Click Updates - Operators upgrade core components from the dashboard without shell access
  • SSB-Grade Install Hardening - Government-customer install run surfaced six install-time bugs; all six are fixed upstream and ship in this train
v2.7

DNSSEC Visibility, Auto-Failover & Guided Setup

  • DNSSEC Visibility - Per-query SECURE / INSECURE / UNKNOWN classification in the dashboard donut and Query Log chip column, default-on
  • Engine-Side DNSSEC Validation - Configurable trust anchors with strict-mode policy hook for compliance-bound zones
  • Auto-Failover Cluster Profile - Reference virtual-IP profile with sub-30-second recovery, no operator intervention required
  • Distributed Database Tier - Reference profile for consensus-based database replication with split-listener load balancing
  • First-Run Setup Wizard - Three-step guided experience for new deployments; upgrade-safe for existing installs
  • Per-Upstream Query Counters - Forwarder tracks success and failure per upstream resolver, reflected in the dashboard
v2.6

Minimal Core & Modular Deployment

  • Lean Security Core - Default deployment runs only the essential services; everything else opts in
  • Deployment Profiles - Authoritative DNS, observability, incident response and reporting toggled per environment
  • SIEM-Friendly Architecture - No bundled dashboards required; ship logs to your own SIEM
  • Feature Flag API - The web console hides modules that aren't enabled, keeping the UI focused
  • SSL Offload - First-class support for environments where a load balancer terminates TLS
  • Smaller Attack Surface - Fewer running services, fewer ports, faster upgrades
v2.5

Nizam — Consolidated Engine

  • Nizam Engine - DNS filtering, load balancing, rate limiting and conditional forwarding consolidated into one high-performance binary
  • Native Replication - Built-in leader/follower replication with low-latency event log synchronization
  • DoT & DoH - First-class encrypted DNS with the same policy model as plain DNS
  • Lower Footprint - Fewer moving parts, faster start-up, easier debugging
v2.4

Native HA Cluster

  • 3-Node Active-Passive Cluster - Automatic failover under 30 seconds, transparent to clients
  • Engine Leader/Follower Replication - Event-log streaming with read-only queries served from any follower
  • Distributed Database Tier - Consensus-based replication and automatic primary election for the backing database
  • Dual Virtual IP Management - Separate web and DNS VIPs follow the active node automatically
  • Cluster Setup Workflow - Guided three-node bring-up with health verification at each stage
v2.3

Security Hardening

  • Vulnerability Fixes - 13 security hardening improvements across the platform
  • Port Hardening - Closed all non-essential external ports in production
  • Dependency Updates - Resolved 20 dependency vulnerability alerts
v2.2

Agent Daemon & Monitoring

  • Agent Daemon - Automated security scanning and monitoring agent
  • Alert System - Real-time threat alerts with email and webhook delivery
  • Service Health Monitoring - Automatic service health checks with self-healing
v2.1

Enterprise Deployment & Reliability

  • Health Check & Auto-Fix - Automatic diagnostics and self-healing for offline installations
  • SSL Offloading - Full support for HAProxy and load balancer deployments
  • Enhanced Offline Installation - Dynamic configuration with automatic API key synchronization
v2.0

Multi-Platform & Automation

  • Multi-Platform Support - Native support for x86_64 and ARM64 architectures
  • Automated Releases - Streamlined build and deployment pipeline
  • Security Scanning - Automated vulnerability scanning for every release
v1.3

DNSSEC & Import Improvements

  • DNSSEC Key Management - Full key lifecycle management with rotation support
  • BIND Zone Import - Drag & drop zone file import with preview
  • DNS Migration Fixes - Improved Windows DNS migration reliability
v1.2

Security & Intelligence

  • Threat Intelligence - Domain classification and DGA detection
  • Block Page - Category-aware block pages with branding
  • Rate Limiting - Token bucket API protection
  • Security Dashboard - Classification stats and insights
v1.1

Enterprise Features

  • RBAC - Role-based access control (security-admin, filter-admin, dns-admin)
  • Alerts & Notifications - Email and webhook notifications
  • SIEM Integration - Syslog forwarding and event streaming
  • 2FA Support - TOTP-based two-factor authentication
How It Works

Deploy in minutes, protect for years

01

Deploy the platform

Install CortexDNS on-premises or use our cloud offering. Docker, Kubernetes, or bare metal supported.

terminal
$ docker compose up -d
Creating nizam              ... done
Creating nizam-follower     ... done
Creating cortexdns-api      ... done
Creating cortexdns-console  ... done

✓ CortexDNS ready — 20,000 QPS, sub-ms latency
02

Connect your infrastructure

Point your clients to CortexDNS. Connect to your existing DNS infrastructure or deploy our managed solution.

[Diagram: Clients, CortexDNS, Nizam Engine, Authority]

03

Configure policies

Set up blocklists, create zones, define client groups, and configure alerts based on your security requirements.

🚫 malware-domains.txt 124,847 domains
🚫 phishing-hosts.txt 89,234 domains
corporate-allowlist.txt 1,247 domains
04

Monitor and respond

Watch your DNS traffic in real-time. Investigate incidents, tune policies, and generate reports.

14:32:15 BLOCKED malware-c2.evil.com 10.0.1.45
14:32:14 OK api.github.com 10.0.1.23
14:32:14 OK login.microsoft.com 10.0.1.87
Solutions

Built for your industry

Organizations across industries rely on CortexDNS to secure their DNS infrastructure.

Enterprise IT

Protect corporate networks from phishing, malware, and data exfiltration. Enforce acceptable use policies and gain visibility into shadow IT.

Healthcare

Meet HIPAA compliance requirements with comprehensive audit logging. Protect patient data and medical devices from DNS-based threats.

Financial Services

Defend against financial malware and fraudulent domains. Satisfy regulatory requirements with immutable audit trails.

Education

Content filtering for K-12 and higher education. Protect students while maintaining compliance with CIPA and other regulations.

Manufacturing

Secure OT/IT convergence with DNS-layer protection. Prevent lateral movement and protect industrial control systems.

MSP/MSSP

Multi-tenant architecture designed for service providers. Manage hundreds of customers from a single pane of glass.

Pricing

Simple, transparent pricing

No hidden fees. No query limits. Pay for the features you need.

Community

For small teams and home labs

$0 forever
  • Up to 10 clients
  • Threat filtering
  • Basic DNS management
  • 7-day query log retention
  • Community support

Enterprise

For large organizations

Custom pricing
  • Everything in Professional
  • Multi-tenancy
  • Native leader/follower replication
  • Custom retention policies
  • SIEM integration
  • Dedicated support
  • SLA guarantee
  • On-premises deployment

Ready to secure your DNS?

Get in touch with our team to learn how CortexDNS can protect your network.

On-premises deployment available. Enterprise support included.