Skip to content


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?


Failed to load latest commit information.
Latest commit message
Commit time
December 1, 2017 20:04
June 11, 2018 01:26
June 6, 2018 16:52
December 1, 2017 20:04
December 21, 2017 20:31
December 1, 2017 20:04
November 29, 2017 10:53
June 21, 2018 12:12
November 26, 2018 17:09
March 21, 2018 00:06

Tenta DNS

Build Status Go Report Card GoDoc

Tenta Gopher

A full-fledged DNS solution, including DNSSEC and DNS-over-TLS

Tenta DNS provides a DNS server suite comprising an authoritative DNS server, recursive DNS server, and NSnitch, which provides a DNS server capable of recording the IP address of requests made against it and then makes that IP available via a JSON API. Tenta DNS also provides lookups for Tor Node membership, DNS blacklist status and Geo data. Finally, Tenta DNS includes built-in BGP integration, offering single engine convenience for DNS anycasting. We welcome people to use our hosted versions of recursive resolver and NSnitch. Please see Usage, for details on how to set Tenta DNS as your default DNS resolver, or APIs, for NSnitch REST API information.



Just want to use our hosted recursive resolver? We offer two options, using either OpenNIC root servers or the normal ICANN root servers.

Our OpenNIC nameservers are at and

ICANN nameservers are at and

Please consult our how-to page, on setting up your DNS resolver.


  1. Run (or install-deps.bat on windows).
  2. Run or (or build.bat on windows).
  3. Modify etc/config.toml and etc\conf.d\*.toml for your installation.
  4. 🙈🙉🙊


We'd be thrilled for people to use our APIs as part of your app or system. In order to use our hosted API, please provide a link to with the text "Powered by Tenta" or similar. If you need to perform arbitrary lookups (e.g. you want information for an IP different than the requesting IP, like from a server), message us for an API key. If you need CORS whitelisted for the public APIs, please email us with your domain name(s).

All APIs under the path /api/v1.

  • status: Public status checking endpoint for basic liveness monitoring
  • report: Generate a report from a specific DNS lookup. Only works on subdomains, explicity looked up via DNS already.
  • randomizer: Generate (and optionally redirect to) a random subdomain. Set ?api_response=true to get a JSON result instead of a redirect.
  • geolookup: GeoIP info about the requesting IP.
  • geolookup/{IP}: GeoIP info about the specified IP address. Requires auth.
  • blacklist: Perform DNS blacklist lookup for the requesting IP.
  • blacklist/{IP}: DNS blacklist info for the specified IP address. Requires auth.
  • stats: Work in Progress. Server performance information.

Explanation of NSnitch DNS Probe

In addition to the REST APIs, core functionality relies upon DNS lookups. After creating glue records pointing and to the IP(s) of a Tenta DNS server.

  1. From javascript, load, it will redirect to (where abc123 is a big random)
  2. Since the domain name is not cached (since it's totally random), the browser initiates a DNS lookup
  3. Since the intermediate resolver cannot have it cached, it too initiates a DNS lookup
  4. When nsnitch gets the lookup, it returns a valid answer for the domain name, and stores the IP that contacted it along with details
  5. When the browser actually makes the request, the stored data is sent back
  6. Data automatically expires after 5 minutes

External Dependencies

We rely on lots of excellent open source libraries, including miekg/dns and osrg/gobgp, as well as many others. For a complete list of our dependencies and required notification, please take a look at

The words.txt file used for random names in NSnitch is from


Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Please see LICENSE for more. For any questions, please contact


You're welcome to use the hosted version of our JSON APIs free on your site. We kindly ask that in return you show us some link love to We’d love to know how you’re using it, so do let us know!


We welcome contributions, feedback and plain old complaining. Feel free to open an issue or shoot us a message to If you'd like to contribute, please open a pull request and send us an email to sign a contributor agreement.

About Tenta

Tenta DNS is brought to you by Team Tenta. Tenta is your private, encrypted browser that protects your data instead of selling it. We're building a next-generation browser that combines all the privacy tools you need, including built-in OpenVPN. Everything is encrypted by default. That means your bookmarks, saved tabs, web history, web traffic, downloaded files, IP address and DNS. A truly incognito browser that's fast and easy.


Recursive and authoritative DNS server in go, including DNSSEC and DNS-over-TLS







No releases published


No packages published