Recursive and authoritative DNS server in go, including DNSSEC and DNS-over-TLS
Go Other
Switch branches/tags
Nothing to show
Clone or download
Latest commit 4891610 Jun 21, 2018
Failed to load latest commit information.
anycast gofmt the project Dec 2, 2017
common Centralized TLS configs to ensure that the same cipher suites are sel… Apr 3, 2018
director WIP on DOH Jun 10, 2018
etc Externalized threading degree control to main config Jun 5, 2018
log Added timestamps to logs Jun 6, 2018
monitor Centralized TLS configs to ensure that the same cipher suites are sel… Apr 3, 2018
netinterface gofmt the project Dec 2, 2017
responder Removed leftover faulty logic from another era Jun 13, 2018
runtime Disabled threaded cache eviction Jun 10, 2018
stresser add version back Dec 22, 2017
zones gofmt the project Dec 2, 2017
.gitignore Create Releases using GoReleaser and docker support #9 #5 Dec 18, 2017
.goreleaser.yml Create Releases using GoReleaser and docker support #9 #5 Dec 18, 2017
.travis.yml travis: update go version Nov 29, 2017 Update Jun 21, 2018
Dockerfile Create Releases using GoReleaser and docker support #9 #5 Dec 18, 2017
Gopkg.toml Always use latest master for dns package Jun 5, 2018
LICENSE Import for open source release Jun 14, 2017 Open source full tenta-dns suite. Nov 8, 2017 Updated link to The English Open Word List to fix 404 Feb 17, 2018
build.bat Added monitorization module Mar 20, 2018 Added monitorization module Mar 20, 2018
install-deps.bat Modified install scripts using dep Feb 23, 2018 Modified install scripts using dep Feb 23, 2018
logo.png Open source full tenta-dns suite. Nov 8, 2017 Open source full tenta-dns suite. Nov 8, 2017
tenta-dns.go Finalized DOH responder Jun 12, 2018

Tenta DNS

Build Status Go Report Card GoDoc

Tenta Gopher

A full-fledged DNS solution, including DNSSEC and DNS-over-TLS

Tenta DNS provides a DNS server suite comprising an authoritative DNS server, recursive DNS server, and NSnitch, which provides a DNS server capable of recording the IP address of requests made against it and then makes that IP available via a JSON API. Tenta DNS also provides lookups for Tor Node membership, DNS blacklist status and Geo data. Finally, Tenta DNS includes built-in BGP integration, offering single engine convenience for DNS anycasting. We welcome people to use our hosted versions of recursive resolver and NSnitch. Please see Usage, for details on how to set Tenta DNS as your default DNS resolver, or APIs, for NSnitch REST API information.



Just want to use our hosted recursive resolver? We offer two options, using either OpenNIC root servers or the normal ICANN root servers.

Our OpenNIC nameservers are at and

ICANN nameservers are at and

Please consult our how-to page, on setting up your DNS resolver.


  1. Run (or install-deps.bat on windows).
  2. Run or (or build.bat on windows).
  3. Modify etc/config.toml and etc\conf.d\*.toml for your installation.
  4. 🙈🙉🙊


We'd be thrilled for people to use our APIs as part of your app or system. In order to use our hosted API, please provide a link to with the text "Powered by Tenta" or similar. If you need to perform arbitrary lookups (e.g. you want information for an IP different than the requesting IP, like from a server), message us for an API key. If you need CORS whitelisted for the public APIs, please email us with your domain name(s).

All APIs under the path /api/v1.

  • status: Public status checking endpoint for basic liveness monitoring
  • report: Generate a report from a specific DNS lookup. Only works on subdomains, explicity looked up via DNS already.
  • randomizer: Generate (and optionally redirect to) a random subdomain. Set ?api_response=true to get a JSON result instead of a redirect.
  • geolookup: GeoIP info about the requesting IP.
  • geolookup/{IP}: GeoIP info about the specified IP address. Requires auth.
  • blacklist: Perform DNS blacklist lookup for the requesting IP.
  • blacklist/{IP}: DNS blacklist info for the specified IP address. Requires auth.
  • stats: Work in Progress. Server performance information.

Explanation of NSnitch DNS Probe

In addition to the REST APIs, core functionality relies upon DNS lookups. After creating glue records pointing and to the IP(s) of a Tenta DNS server.

  1. From javascript, load, it will redirect to (where abc123 is a big random)
  2. Since the domain name is not cached (since it's totally random), the browser initiates a DNS lookup
  3. Since the intermediate resolver cannot have it cached, it too initiates a DNS lookup
  4. When nsnitch gets the lookup, it returns a valid answer for the domain name, and stores the IP that contacted it along with details
  5. When the browser actually makes the request, the stored data is sent back
  6. Data automatically expires after 5 minutes

External Dependencies

We rely on lots of excellent open source libraries, including miekg/dns and osrg/gobgp, as well as many others. For a complete list of our dependencies and required notification, please take a look at

The words.txt file used for random names in NSnitch is from


Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Please see LICENSE for more. For any questions, please contact


You're welcome to use the hosted version of our JSON APIs free on your site. We kindly ask that in return you show us some link love to We’d love to know how you’re using it, so do let us know!


We welcome contributions, feedback and plain old complaining. Feel free to open an issue or shoot us a message to If you'd like to contribute, please open a pull request and send us an email to sign a contributor agreement.

About Tenta

Tenta DNS is brought to you by Team Tenta. Tenta is your private, encrypted browser that protects your data instead of selling it. We're building a next-generation browser that combines all the privacy tools you need, including built-in OpenVPN. Everything is encrypted by default. That means your bookmarks, saved tabs, web history, web traffic, downloaded files, IP address and DNS. A truly incognito browser that's fast and easy.