A lightweight, high-performance DNS server built for Raspberry Pi 3B. Blocks ads, manages authoritative zones, syncs across nodes — all in ~25 MB RAM.
Every existing DNS blocker was either too heavy for a Raspberry Pi 3B, or lacked the features needed for a proper home network.
Great at blocking ads, but dnsmasq underneath uses 80+ MB RAM, has no authoritative zone support, and integrating DHCP DDNS requires complex workarounds.
Polished UI and good blocking, but 120+ MB RAM footprint, no authoritative DNS, no zone transfers, and no native DDNS support.
Feature-complete DNS server, but runs on .NET (150–200+ MB RAM) — too heavy for Raspberry Pi 3B. Requires the .NET runtime as a separate dependency and a considerably more complex initial setup.
Single Go binary, ~25 MB RAM, full authoritative DNS, RFC 2136 DDNS, Split-Horizon, Master/Slave cluster — no database, just JSON files.
How DomU DNS stacks up against the most popular alternatives on Raspberry Pi 3B.
| Feature | DomU DNS | PiHole | AdGuard | Technitium |
|---|---|---|---|---|
| RAM on Pi 3B | ~25 MB | 80–160 MB | 50–130 MB | 200 MB+ |
| Authoritative DNS | ✓ | ✗ | ✗ | ✓ |
| RFC 2136 DDNS | ✓ | ✗ | ✗ | ✓ |
| Split-Horizon DNS | ✓ | ✗ | ✗ | Via App |
| Zone Transfer AXFR | ✓ | ✗ | ✗ | ✓ |
| Master/Slave Cluster | ✓ | ✗ | ✗ | ✓ |
| DoH + DoT | ✓ | Partial | ✓ | ✓ |
| DNS Rebinding Protection | ✓ | ✓ | ✓ | ✓ |
| No database required | ✓ | ✗ | ✓ | ✓ |
| Built-in Dashboard | ✓ | ✓ | ✓ | ✓ |
| Let's Encrypt DNS-01 | ✓ | ✗ | ✗ | Partial |
| Runtime | Go binary | C / FTL + dnsmasq | Go | .NET runtime |
| TSIG Authentication | ✓ | ✗ | ✗ | ✓ |
| DNSSEC Signing | ✓ | ✗ | ✗ | ✓ |
| LRU Cache + Warming | ✓ | ✗ | ✗ | ✗ |
| Zone Import / Export | ✓ | ✗ | ✗ | Partial |
| Client-Group Policies | ✓ | ✗ | Partial | Partial |
Built specifically for resource-constrained hardware without sacrificing functionality.
220k+ domains from curated sources. O(1) hash lookup, wildcard and regex support.
Full support for A, AAAA, MX, CNAME, PTR, TXT, SRV, CAA, NS records. JSON file backend.
ISC dhcpd / Kea DHCP integration via TSIG-authenticated DNS updates. Auto PTR records.
Different answers for internal vs external clients. Perfect for accessing services by name.
File-based sync with HMAC-SHA256 authentication. No database, just atomic JSON writes.
DNS over HTTPS (RFC 8484) and DNS over TLS (RFC 7858) with your own certificates.
Blocks external domains resolving to private IPs. Defends against SSRF attacks.
Real-time statistics, zone management, query log, cluster status — all in one UI.
Built-in ACME DNS-01 provider. Manages _acme-challenge TXT records via REST API. Works with Traefik httpreq, Certbot DNS plugin, and acme.sh/Proxmox. No open port 80 required.
Configurable LRU cache with TTL enforcement. Cache warming resolves your top-N domains from query history at startup — eliminating cold-start latency after every reboot.
Import zones from RFC 1035 zone files or via live AXFR transfer from any DNS server. Export any zone as a standard zone file. Merge semantics preserve unaffected records.
Live cache dashboard: inspect all cached entries with remaining TTLs, delete individual entries by FQDN and type, or flush the entire cache in one click. RFC 1035-compliant TTL decrement — clients always see the correct remaining lifetime.
Assign IP ranges to named client groups and configure per-group blocklist categories (ads, malware, adult, social, gambling, tracking). Synced across the cluster. Default behavior protects all unmatched clients.
Transparent CNAME-like resolution at the zone apex and subdomains. Returns synthesized A/AAAA records with correct TTLs — the ALIAS record is never exposed to clients. Eliminates the CNAME-at-apex limitation.
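The DNS rebinding protection listed above ("blocks external domains resolving to private IPs") comes down to one check on every upstream answer. The Go sketch below is an added example, not DomU DNS's own code: the function name `IsRebind`, the prefix list and the sample names and addresses are assumptions made for illustration. It exempts names under locally authoritative zones and unwraps IPv4-mapped IPv6 addresses, which would otherwise slip past an IPv4-only range check.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Ranges a public name should never point at: RFC 1918, loopback, link-local,
// CGNAT, unspecified, IPv6 ULA. Illustrative list, not the project's.
var internal = []netip.Prefix{
	netip.MustParsePrefix("0.0.0.0/8"), netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("100.64.0.0/10"), netip.MustParsePrefix("127.0.0.0/8"),
	netip.MustParsePrefix("169.254.0.0/16"), netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"), netip.MustParsePrefix("::/127"),
	netip.MustParsePrefix("fc00::/7"), netip.MustParsePrefix("fe80::/10"),
}

// IsRebind reports whether an upstream answer for qname must be dropped.
// Names inside localZones are exempt: they legitimately use private addresses.
func IsRebind(qname string, answers, localZones []string) bool {
	name := strings.ToLower(strings.TrimSuffix(qname, "."))
	for _, z := range localZones {
		z = strings.ToLower(strings.TrimSuffix(z, "."))
		if name == z || strings.HasSuffix(name, "."+z) {
			return false
		}
	}
	for _, s := range answers {
		a, err := netip.ParseAddr(s)
		if err != nil {
			return true // fail closed on data we cannot classify
		}
		a = a.Unmap() // ::ffff:192.168.1.1 becomes 192.168.1.1
		for _, p := range internal {
			if p.Contains(a) {
				return true
			}
		}
	}
	return false
}

func main() {
	zones := []string{"home.lan"} // constructed sample data
	fmt.Println(IsRebind("cdn.example.com.", []string{"::ffff:192.168.1.1"}, zones))
	fmt.Println(IsRebind("nas.home.lan.", []string{"192.168.1.20"}, zones))
}
```

The suffix match requires a leading dot, so a lookalike such as `nothome.lan` does not inherit the `home.lan` exemption.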
From network-wide ad blocking to automated TLS certificates — use cases that actually come up in a homelab.
Block ads and trackers for every device on the network — phones, smart TVs, IoT. No agent, no browser extension, no per-device config.
Authoritative DNS for your internal domains like nas.home.lan or media.internal. Split-Horizon serves local IPs internally and public IPs externally — no hairpin NAT.
Automated TLS certificates for internal services — no open port 80 required. DomU DNS handles the _acme-challenge DNS record directly. Works with Traefik, Certbot, and acme.sh.
Every DHCP lease becomes a DNS record automatically via RFC 2136 DDNS. Supports ISC dhcpd, Kea DHCP (OPNsense, pfSense), and Fritz!Box lease files.
Two Raspberry Pi nodes as Master/Slave DNS. The master pushes changes automatically; clients fall back to the slave if the master goes down. Set both IPs in your DHCP server — done.
Auto-register containers and VMs as DNS records via DDNS. Split-Horizon serves internal IPs locally. Integrates natively with Traefik, Nginx Proxy Manager, and Proxmox clusters.
No database setup. No Docker required. Just copy the binary, write a config file, start the service.
Cross-compile for ARMv7 on your local machine.
Copy the binary and a minimal config file.
Install the systemd service and start.
```bash
# 1. Clone & build for Pi 3B (ARMv7)
git clone https://github.com/mw7101/domudns.git
cd domudns && make build-arm

# 2. Copy binary to Pi
scp build/domudns-arm pi@dns-node-1:/usr/local/bin/domudns
ssh pi@dns-node-1 "chmod +x /usr/local/bin/domudns"

# 3. Install & start service
sudo cp scripts/domudns.service /etc/systemd/system/
sudo systemctl enable --now domudns

# 4. Open dashboard (first-time setup wizard)
#    http://<pi-ip>/setup
```
Everything you need to get DomU DNS running.
Everything you need to know about DomU DNS.
/var/lib/domudns/data as a volume to persist zones and config across container restarts. Expose port 53/udp and 53/tcp for DNS, and port 80/tcp for the dashboard and API. A docker-compose example is available in the repository.