VeraDNS inspects every DNS query on your network and blocks malware, phishing, ransomware and C2 the instant it's requested — entirely on your own infrastructure.
Almost every connection starts with a DNS lookup — a device resolves a domain name before it opens a single socket. Filtering at that step stops a threat at the earliest link of the attack chain; the controls behind it can only inspect or contain traffic that is already flowing.
| Control layer | Blocks before connection |
All ports & protocols |
Every device, agentless |
Protects IoT & OT |
Deployment effort |
|---|---|---|---|---|---|
| Firewall / NGFW | High | ||||
| Proxy / Secure Web Gateway | High | ||||
| Web Application Firewall | Medium | ||||
| Endpoint Security / EDR | High | ||||
| VeraDNS · DNS Security | Low |
● full · ◐ partial · ✕ none — DNS security complements the stack; it does not replace it. It stops the majority of commodity threats before they ever reach the controls behind it.
The DNS layer is the outermost ring of a layered defence — it removes the easy, high-volume threats so your firewall, proxy and EDR can focus on what's left.
A domain is resolved before any connection opens. Blocking it severs Delivery and Command-and-Control at the earliest stage — neutralising DNS-based C2 before exploitation.
Acts under the NIST CSF Protect function — not just Detect. It aligns directly to recognised secure-DNS and boundary-protection controls.
Because resolution happens before any port or protocol is chosen, one policy covers every device — including agentless IoT and OT that endpoint tools can't reach.
Zero agents. Zero client software. VeraDNS evaluates every DNS query against your policies, blocklists and threat intelligence before a single connection is made.
Install via Docker on your own server or VM, then point your network's DNS to VeraDNS. No data ever leaves your environment.
Each DNS request is evaluated against your security policies, blocklists and access rules — in real time, at the resolver.
Malware, phishing, trackers and policy-violating domains are stopped before a connection is established — for every device at once.
Every query, block and admin action is logged. Investigate incidents, generate reports and demonstrate compliance on demand.
From network-wide filtering to compliance reporting — everything your team needs to secure DNS, running entirely on your own infrastructure.
Filter every DNS query for every device — users, servers, IoT and OT — with no endpoint agents to install or maintain.
Auto-updating feeds block malware, phishing, ransomware and C2 domains the moment they're known — no manual upkeep.
Admin, Editor and Viewer tiers — enforced at the API layer with JWT auth, not just hidden in the interface.
Define allow/block rules by category, group, client or time window — and roll them out across your whole estate instantly.
Branded executive reports mapped to NIST 800-53, CIS v8, ISO 27K and NCSC — generated locally, never sent off-box.
Every request — domain, client, type, status, answer, latency — searchable live, with time-series trends.
Stream audit and query logs to Splunk, Sentinel or Elastic via REST in JSON or CSV — your data, your pipeline.
Standard DNS, DoH, DoT and DNSSEC validation — enforce encrypted transport for internal clients to stop interception.
Runs on-premise, in your private cloud or your own VMs. No third-party dependency, no external query visibility.
VeraDNS streams every resolution to a live, searchable log — domain, client, country, category, answer and latency — the instant it resolves. Filter to any device or threat category, replay any second, and export forensic evidence without a single query ever leaving your network.
VeraDNS blocks on your own infrastructure, but it learns from the whole internet. Every resolver draws on a worldwide threat feed — attack hotspots, hostile networks, phishing and DDoS telemetry — refreshed continuously, so a domain weaponised in one region is already blocked on yours.
// aggregated, anonymised threat telemetry — illustrative of the global feed VeraDNS consumes; figures refresh continuously.
Vera Insight turns raw resolution logs into board-ready intelligence — threat trends, compliance posture mapped to your frameworks, and the categories driving risk. Computed entirely on your own infrastructure.
Manage your team with built-in RBAC. Admins configure everything; Editors manage policy; Viewers get read-only — and permissions hold at the API layer, not just the interface.
Admin, Editor and Viewer, each with clearly scoped permissions.
Permissions can't be bypassed through the UI or direct API calls.
Secure HttpOnly cookies, configurable session expiry, and every permission change recorded in the audit log.
| Permission | ADM | EDI | VIW |
|---|---|---|---|
| View dashboard & logs | ✓ | ✓ | ✓ |
| Manage blocklists | ✓ | ✓ | — |
| Modify DNS settings | ✓ | — | — |
| Manage users & roles | ✓ | — | — |
| Export audit records | ✓ | ✓ | — |
Generate branded executive reports as PDF, CSV or HTML in a single click, mapped to NIST 800-53, CIS v8, ISO 27K and NCSC. Ready to hand to your auditor today.
Resolution outcomes, latency and top talkers, with severity ratings.
Every admin action, user change and login attempt in one export.
Every export is produced on your own infrastructure, never sent off-box.
One resolver, many mandates. VeraDNS adapts to the threat model, compliance regime and scale of each kind of organization — without changing how your network works.
Roll out network-wide filtering to thousands of devices — laptops, servers, BYOD and unmanaged IoT — without installing a thing. Policy follows the network, not the device.
Point each site's internal resolvers (or DHCP) at an HA pair of VeraDNS appliances. Active Directory groups map to policies, so Finance, Engineering and Guest Wi-Fi each enforce their own rules from one console.
Isolate every client in its own tenant with separate policy, branding and audit trail. Push a baseline globally, tune per customer, and hand each one a clean monthly report.
Spin up a tenant per client, apply your managed baseline, and white-label the portal and monthly PDF. New customers go live just by repointing their resolver — no on-site visit.
Enforce age-appropriate filtering and block proxies, malware and adult content across campus Wi-Fi and 1:1 devices — with the category logs auditors ask for.
Deploy at the district gateway and sync with your SIS / Google Workspace so student, staff and lab devices inherit the right filtering tier. Block-page messaging is branded per school.
Shield infusion pumps, imaging systems and EHR workstations from C2 and data exfiltration at the DNS layer — segmenting clinical VLANs without disrupting care.
Sit VeraDNS between clinical VLANs and the internet. Biomedical IoT and EHR subnets get strict allowlists; guest Wi-Fi gets standard filtering — every query logged for HIPAA audits.
Block newly-registered domains, lookalike phishing and DNS-tunnelling exfil in real time — adding negligible latency to trading and core-banking traffic.
Run inline on core-banking and trading segments with sub-millisecond caching, then stream the query log to your SIEM and SOC for real-time tunnelling and beaconing detection.
Keep every query inside your perimeter — no third-party cloud, air-gap-friendly deployment, and immutable logs mapped to national cyber-defence standards.
Install fully on-prem or air-gapped with signed threat-feed updates. RBAC and immutable logs satisfy auditors, and no query ever crosses the national boundary.
On-premise, sovereign and agent-free — compared to the protective-DNS platforms teams evaluate most.
| Capability | VeraDNSOn-premise | Cisco UmbrellaCloud | InfobloxAppliance | DNSFilterCloud |
|---|---|---|---|---|
| On-premise & data-sovereign | Appliance | |||
| Zero endpoint agents | Roaming client | Roaming client | ||
| Real-time threat intelligence | ||||
| Full query log on your infra | ||||
| One-click compliance reports | Partial | Partial | Limited | |
| Encrypted DNS (DoH / DoT / DNSSEC) | Partial | |||
| SIEM & REST export | ||||
| No per-query cloud dependency | ||||
| Deploy in under an hour |
// comparison based on publicly available vendor information; capabilities vary by edition and configuration.
Three packages that scale with your network, plus optional security add-ons. Every plan runs on your own infrastructure.
For small teams and single-site offices getting started with network-wide DNS security.
For growing organisations needing higher throughput, richer threat feeds and SIEM integration.
For large enterprises and MSPs needing maximum scale, custom integrations and 24/7 SLA support.
Deeper threat intelligence, malware sandboxing and command-and-control (C2) detection beyond the standard feeds.
Extended dashboards, behavioural anomaly detection and custom report builders for your SOC team.
Request a 7-day trial with full Professional-plan features, or talk to Network365 about on-premise deployment, integration and support.