DeepDNS ?

DeepDNS is part of cryptostorm's internal DNS infrastructure.
It's a combination of several different DNS related programs that provide our users with direct access to some darknet resources (.onion and .i2p) in a transparent way, so no additional software is required.
It also provides more secure alternatives to traditional DNS via DNSCrypt.
All of our DeepDNS servers also act as regular public DNS servers.
This is mostly so our users can protect their DNS when they're connecting to cryptostorm, but it's also for anyone else who wants to use DNS servers that don't log their activities.

2021 update:
It looks like DNSChain hasn't been updated in several years, so we're dropping support for that (and .bit, .eth, .dns, etc.). The below text has been updated to reflect the current DeepDNS setup. We do still support transparent .onion and .i2p, dropping DNSChain support only means no more .bit/.eth/.dns.

If you're looking for the current DeepDNS IPs, you can find them by resolving "", or by going to

techie explanation

In the rest of this README, two abbreviations are used for the sake of brevity:

For CS clients, DNS over ddns normally happens as such:

  • client connects to CS, OpenVPN pushes the exit node's ddns IP to the client, client then uses that for all DNS requests.

  • client tries to resolve whatever.

  • DNS request hits the internet facing powerdns-recursor process.

    • Our pdns-recursor uses this in its config:
      • forward-zones=onion.=
      • auth-zones=i2p=/var/zones/i2p
        • That translates to:
          • send DNS requests for whatever.onion to the DNS server at
          • use the zone file /var/zones/i2p for DNS requests for whatever.i2p
  • is tor, or more specifically, a tor instance with "DNSPort" in its torrc.

  • the /var/zones/i2p zone file contains the single line: *.i2p. IN A

  • so any request for an .i2p domain will resolve to, which is handled by iptables:

    • iptables -t nat -A OUTPUT -d -p tcp --dport 80 -j DNAT --to-destination ddns-ip:4444
    • iptables -t nat -A PREROUTING -d -p tcp --dport 80 -j DNAT --to-destination ddns-ip:4444
  • The server on port 4444 is an http proxy the actual i2pd daemon has built-in
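
The routing described in the steps above can be modelled in a few lines. This Python sketch is an added example, not part of cryptostorm's README or code: it parses the two recursor settings and shows which path a query name takes, matching on whole labels. The addresses are RFC 5737 placeholders because the page does not give the real ones, and the function names are hypothetical.

```python
# Added illustration; addresses below are constructed placeholders (RFC 5737).
TOR_DNSPORT = "192.0.2.53:5353"   # placeholder for the tor DNSPort listener
DDNS_IP = "192.0.2.10"            # placeholder for "ddns-ip" in the iptables rules

RECURSOR_CONF = f"""\
forward-zones=onion.={TOR_DNSPORT}
auth-zones=i2p=/var/zones/i2p
"""

def labels(name):
    """Lower-case a DNS name and split it into labels, ignoring the root dot."""
    return tuple(part for part in name.lower().rstrip(".").split(".") if part)

def parse_zones(conf):
    """Map zone labels to (kind, target) from forward-zones/auth-zones lines."""
    zones = {}
    for line in conf.splitlines():
        key, _, value = line.strip().partition("=")
        if key not in ("forward-zones", "auth-zones"):
            continue
        kind = "forward" if key == "forward-zones" else "auth"
        for entry in value.split(","):
            zone, _, target = entry.strip().partition("=")
            zones[labels(zone)] = (kind, target)
    return zones

def dispatch(qname, zones):
    """Longest-suffix match on whole labels; anything else recurses normally."""
    q = labels(qname)
    for n in range(len(q), 0, -1):
        hit = zones.get(q[-n:])
        if hit:
            return hit
    return ("recurse", None)

def http_destination(qname, zones):
    """Where a TCP/80 connection to the resolved name ends up after DNAT."""
    kind, _ = dispatch(qname, zones)
    # The wildcard record *.i2p. covers names below the zone apex only.
    if kind == "auth" and len(labels(qname)) > 1:
        return f"{DDNS_IP}:4444"   # i2pd's built-in HTTP proxy
    return None                    # the DNAT rules shown cover only the i2p address

if __name__ == "__main__":
    zones = parse_zones(RECURSOR_CONF)
    for name in ("abcdefg.onion", "Stats.I2P.", "notonion", "example.com"):
        print(name, dispatch(name, zones), http_destination(name, zones))
```

Because the match is on labels rather than on a string suffix, a name such as `notonion` or `onion.example.com` is recursed normally and never reaches the tor instance.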

The powerdns-recursor servers mentioned above are internet accessible. That's intentional. Anyone who wants their system to use our DNS servers before they connect can do so. They are public DNS servers, and we maintain a full list of all the deepDNS public resolver IPs, which can also be enumerated via a DNS lookup of "".
Obviously, you would need to be connected to cryptostorm in order to use the transparent .i2p/.onion feature described above.

For anyone who wants more security than regular DNS offers (which is basically none), DNSCrypt is also supported.
Server-side, we run on TCP port 443 of every DeepDNS IP, and we also supported Anonymized DNSCrypt relays. See for more info on that.


cryptostorm's DeepDNS, a decentralized, crypto-hardened, DNS framework





