v0.34 · Pre-customer, building in public

DNS security
you configure from code.

olladns is a multi-tenant DNS filtering platform built API-first and MCP-native. Block phishing, malware C2, DGA, and brand typosquats at the resolver. Configure every policy from your terminal, your CI pipeline, or Claude. The dashboard is read-only on purpose.

57 REST endpoints · 49 MCP tools
DoH · DoT · DoQ at dns.olladns.com
Single US region · EU-West next
terminal · api.olladns.com
# 1. What's actually running in prod right now?
$ curl https://api.olladns.com/version
{"version":"0.2.0","git_sha":"a20b38b…","built_at":"2026-05-28"}
# 2. Block a domain — every change carries an actor in the audit log
$ curl -X PUT https://api.olladns.com/api/v1/policies/custom-rules \
    -H "x-api-key: $K" \
    -H "Content-Type: application/json" \
    -d '{"block":["evil.example"],"allow":[]}'
# 3. Register a device — get its unique DoH URL back
$ curl -X POST https://api.olladns.com/api/v1/devices \
    -H "x-api-key: $K" \
    -H "Content-Type: application/json" \
    -d '{"slug":"bob-mbp","display_name":"Bob - MBP"}'
{"id":7,"doh_url":"https://dns.olladns.com/dns-query/<uuid>--bob-mbp"}
# 4. Or skip curl — ask your AI editor through MCP
   > "show every DGA suspect with score ≥ 0.85 and block them"
   > Claude calls top_dga → set_custom_rules → done
We're a new product. Be early.

olladns shipped v0.34 in May 2026 and is looking for 3–5 design-partner teams — AI-native B2B startups (3–50 engineers) and Indian mid-market security teams — who'll trade aggressive product feedback for free Pro tier through 2026 and influence over the roadmap. Apply →

Every serious DNS filter does ~80% of the same things. The 20% that differs is whether your team configures it through a console, through code, or through an AI agent. olladns is the third one. Every policy, every device, every audit event is a REST endpoint and an MCP tool. The dashboard shows you what's happening; it doesn't let you change anything. Configuration goes through versionable, auditable, scriptable APIs — gated by scoped tokens per workload. The classifier that decides whether to block a domain is ~280 lines of feature-based Rust you can read.

Three things we bet on differently

The product model an AI-native security team would build for itself.

API + MCP for config. Dashboard for reporting.

NextDNS, ControlD, Cisco Umbrella all treat the dashboard as the source of truth. We inverted that at v0.19. The console is read-only by design. Config changes are commits, not clicks. Every change carries an actor (user_id or specific api_key_id) in the audit log. Zero drift, every change attributable.

REST API docs

MCP-native from day one.

mcp.olladns.com exposes 49 Model Context Protocol tools auto-generated from our OpenAPI spec. Connect Claude, Cursor, Cline, Continue, Goose — your AI agent operates olladns under the same scoped tokens your humans use. Every tool call lands in the audit log. Nobody else in DNS-filtering ships this today.

MCP docs

Transparent threat intel, not vendor magic.

Our DGA classifier is ~280 lines of feature-based Rust (entropy + n-gram + vowel ratio). Our typosquat detector is ~230 lines of Damerau-Levenshtein with Cyrillic homoglyph normalization. Both run inline at ingest with zero per-query vendor cost. Stacked on 86 community blocklists across 15 categories.

Threat Intel docs
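
The typosquat check described above, sketched as an added example in Python (it is not olladns's Rust code): Cyrillic homoglyph folding followed by Damerau-Levenshtein distance, in its optimal-string-alignment variant, against a protect-list. The homoglyph table, the distance threshold, the brand names and the leftmost-label shortcut are assumptions made for illustration.

```python
# Added example, not olladns's implementation. Table, threshold and the
# sample brands are assumptions chosen for illustration.

# Cyrillic code points that render like Latin letters (small, non-exhaustive).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
})

def normalize(label: str) -> str:
    """Lowercase and fold Cyrillic look-alikes to their Latin counterparts."""
    return label.lower().translate(HOMOGLYPHS)

def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance (optimal string alignment): insert,
    delete, substitute and adjacent transposition each cost 1."""
    prev2, prev = [], list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent swap, e.g. "paypla" -> "paypal", counts as one edit.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def typosquat_match(domain, protect_list, max_dist=1):
    """Return (brand, distance, used_homoglyph) for the closest protected
    brand within max_dist, or None when nothing is close enough."""
    # Leftmost label only; a production check would use the Public Suffix List.
    raw = domain.lower().split(".")[0]
    folded = normalize(raw)
    best = None
    for brand in protect_list:
        d = osa_distance(folded, brand)
        if d <= max_dist and (best is None or d < best[1]):
            best = (brand, d, folded != raw)
    # Distance 0 with no folding is the protected name itself, not a squat.
    if best and best[1] == 0 and not best[2]:
        return None
    return best
```

Folding before measuring distance is what catches the all-Cyrillic look-alike: it lands at distance 0 from the brand yet is still reported, because the raw label differed from the folded one.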
What's in the box today

Real surface area, v0.34.

Every number below is verifiable in git log or by hitting an endpoint. No claims we can't back.

Resolvers: DoH, DoT, DoQ at dns.olladns.com · per-tenant routing via path UUID · per-device routing via <uuid>--<slug>
REST API: 57 endpoints at api.olladns.com/api/v1 · OpenAPI 3.1 spec at /openapi.json · x-required-scopes on every secured op · /version returns git SHA
MCP server: 49 tools at mcp.olladns.com · 5 hand-curated workflows · FastMCP-generated from OpenAPI · scope-gated per caller
Auth: JWT for humans (admin / viewer roles) · scoped API keys for agents · 16 scopes (analytics:read, policies:write, …) · per-key expiry · last-used timestamps
Policies: Custom rules (block / allow with wildcards) · DNS rewrites (A/AAAA/CNAME/NXDOMAIN/REFUSED) · safe-search · parental · blocked-services · NRD blocking · TLD blocking · allowlist-only mode · per-tenant protect-list
Threat intel: Inline DGA classifier (~280 LoC, threshold-tunable) · inline typosquat detector (~230 LoC) · 86-list community blocklist catalog across 15 categories · per-tenant subscriptions reconciled every 5 min
Analytics: summary · top-domains · top-clients · top-devices · top-ai-tools · top-dga · top-typosquat · blocked · by-reason · latency · block-rate · CSV/NDJSON export · 1–365 day retention per tenant
Audit + events: Every mutation writes an audit-log row · HMAC-SHA256 signed outbound webhooks · wildcard event subscriptions (policy.*, threat.*, *) · timestamp + replay protection
Privacy: Per-tenant client-IP anonymization at ingest · per-tenant retention 1–365 days · bypass-bypass blocklists (Tor + DoH)
Dashboard: Read-only Alpine.js SPA at login.olladns.com · 7 screens: Overview, Query Log, Threats, AI Detection, Devices, Policies, Audit Log · CSP-locked (no inline scripts)
Open source: Full stack public on GitHub: Rust API, Postgres + ClickHouse migrations, FastMCP Python sidecar, Caddy config, dashboard, docker-compose
How it fits your stack

Three concrete usage patterns.

Policy-as-code from CI

Keep your custom rules in git. On merge, your CI runs curl -X PUT https://api.olladns.com/api/v1/policies/custom-rules. Diff between staging and prod. Roll back via revert. Same scoped token per environment.

Agentic triage in Claude / Cursor

Connect once in mcp.json. Ask your editor: "Show me every DGA-flagged domain in the last 24h with score ≥ 0.85 and block them." Three tool calls; one approval; landed in the audit log under your agent token.

Webhook fan-out to your SIEM

Every audit event posts to your endpoint with HMAC-SHA256 signature, timestamp header, and event-name header. Subscribe to policy.* for change-tracking, threat.* for live detection alerts, * for everything.
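
What the receiving endpoint has to check before trusting a delivery, as an added example in Python (not olladns's code): signature, timestamp freshness, then replay. The page does not give the header names or the signing recipe, so the signed string `<timestamp>.<raw body>`, the hex encoding and the 5-minute tolerance are assumptions; take the real values from the webhook documentation.

```python
# Added example, not olladns's implementation.
# ASSUMPTIONS: signed string is b"<timestamp>.<raw body>", signature is hex,
# tolerance is 300 s. The caller extracts timestamp and signature from the
# request headers, whose names the page does not state.
import hashlib
import hmac
import time

TOLERANCE_S = 300
_seen = {}  # signature -> expiry time; use a shared store across workers

def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Compute the hex HMAC-SHA256 over the assumed signed string."""
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify(secret: bytes, timestamp: str, signature: str, body: bytes, now=None) -> str:
    """Return 'ok', or the reason the delivery must be rejected."""
    now = time.time() if now is None else now
    try:
        ts = int(timestamp)
    except ValueError:
        return "bad-timestamp"
    # Authenticate first, over the raw bytes as received (never re-serialised
    # JSON), and compare in constant time.
    expected = sign(secret, timestamp, body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "bad-signature"
    # The timestamp is now trusted; refuse deliveries outside the window.
    if abs(now - ts) > TOLERANCE_S:
        return "stale"
    # Inside the window, a signature may be accepted only once.
    for old in [s for s, expiry in _seen.items() if expiry < now]:
        del _seen[old]
    if signature in _seen:
        return "replay"
    _seen[signature] = ts + TOLERANCE_S
    return "ok"
```

The replay cache only needs to hold entries until the timestamp window closes, since anything older is already rejected as stale.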

Honest current state

The thing every other vendor's homepage hides.

Read this before you evaluate us. We'd rather lose the deal at the top of the funnel than waste your procurement team's time at the bottom.

v0.34 shipped May 2026
Public changelog covers every version. api.olladns.com/version returns the git SHA of what's actually running.
Pre-customer · pre-revenue · bootstrapped
No real logo strip on this site. Looking for 3–5 design partners (free Pro tier through 2026 in exchange for aggressive feedback + roadmap influence).
SOC 2 Type II observation in progress
Full Type II report Q3 2026. ISO 27001 not pursued yet. HIPAA BAA not offered today — ask if it's a requirement.
Single US region · no anycast
EU-West region is the next infra workstream. If sub-20ms p99 latency from Singapore is your gate, this is not the product for you today.
No native desktop / mobile / router clients
Roadmap: fork the MIT-licensed ctrld Go agent (3 weeks of work, decision locked). Until then, point any DoH-capable client at your tenant's DoH URL.
Founder's other Rust SaaS
24observe.com (logs observability) and qcrawl.com (scraping). Open to a small pre-seed if you want to be early on the three together.
Self-disqualify gracefully

Who this is for. Who it's not.

Pick olladns if…

  • Your engineers live in Claude / Cursor / Continue / Cline and would rather ask their editor to change a policy than open another dashboard.
  • You want to mint a token per workload (CI, SOC tooling, AI agent, partner integration) with explicit scope grants.
  • You need to explain to your auditor why a given lookup was blocked — and "the vendor said so" isn't acceptable.
  • You have a brand worth protecting and want typosquat scored against your protect-list, not a generic feed.
  • You're a small/mid security team that values transparency + control over vendor pedigree.
  • You're operating in India or APAC and DPDP / data-residency conversations are near-term.

Don't pick us if…

  • You need a CISO-grade vendor name today. We don't have brand recognition. Wait 12 months or pick NextDNS.
  • You need anycast from 100+ PoPs. Single US region. Pick NextDNS or Cloudflare Gateway.
  • Your procurement gate is a SOC 2 Type II report. We're in observation; not landing until Q3 2026.
  • You need a native macOS / Windows / iOS / Android installer today. Manual DoH setup until the ctrld fork ships.
  • Your only operators are non-technical. The dashboard is read-only; config is API/MCP. If your humans don't write code or use AI editors, our product model is wrong for you.
Design partner program · 3–5 spots

Be early. Get a free Pro tier through 2026 and a real seat at the roadmap table.

No demo theatre. A real evaluation: we set up your tenant, you point a single laptop or router at your DoH URL, and you tell us what's missing. Bring real DNS traffic if you can; the analytics populate within the hour. The first three teams who commit to weekly feedback get unlimited usage through end of 2026 plus quarterly roadmap input.

Or just try the API yourself: curl https://api.olladns.com/version