From the resolver to the SOC, olladns is the modern DNS security platform. Six interconnected surfaces — built for teams who care about milliseconds and audit trails.
Every setting is a REST endpoint or an MCP tool. The dashboard is read-only on purpose — config changes have to be versionable, diff-able, and auditable.
api.olladns.com · OpenAPI 3.1 with x-required-scopes · auth via JWT or scoped API key.
mcp.olladns.com · auto-generated from OpenAPI via FastMCP. Connect Claude, Cursor, Continue, Goose, any MCP client.
Register a device, get its unique DoH URL. AGH writes the device suffix into every query log row, so every analytics endpoint can answer "which device looked up X?"
dns.olladns.com/dns-query/<tenant>--<slug> — point your laptop, your phone, your router each at their own.
A high-throughput record of every DNS lookup on your network — searchable in milliseconds, exportable in seconds.

| Time | Action | Domain | Category | Device |
|---|---|---|---|---|
| 09:42:18 | block | login-microsoft-secure.cf | Phishing | MacBook-Pro-Riley |
| 09:42:17 | allow | api.github.com | Productivity | jenkins-runner-03 |
| 09:42:16 | block | c2-server-relay.icu | Malware C&C | Win10-Finance-08 |
| 09:42:15 | allow | cdn.cloudflare.com | Cloud | vpn-lax-09 |
| 09:42:13 | block | paypal-verify-update.top | Phishing | iPad-Pro-Mia |

Our models are trained on 180+ billion daily queries across thousands of customers. They see new threats before threat-intel vendors finish writing the report.
Build policies from 80+ content categories, custom block/allow lists, schedules, and threat sources. Assign them to sites, groups, or individual devices.
Lightweight clients for every major platform. Encrypted DoH/DoT to the nearest POP. Same policy whether the laptop is on the office Wi-Fi, an airport, or a hotel.
Push silently via Jamf, Intune, Kandji, Workspace ONE, or Google Endpoint Management. No popups, no certificates to install, no user interaction.
Two transparent classifiers run at ingest, with zero per-query vendor cost: a DGA scorer (entropy + ngram + vowel-ratio features) and a typosquat detector (Damerau-Levenshtein ≤ 2 with homoglyph normalization). Stacked on a curated catalog of 30 community blocklists that you opt into per-tenant.
Feature-based scoring (entropy, character n-grams, vowel ratio). Surfaces via /analytics/top-dga; tunable threshold (default 0.7). No auto-block by default — flagged for review.
Damerau-Levenshtein distance ≤ 2 after homoglyph normalization (Cyrillic 'а'→Latin 'a', etc.). Length-band pruning keeps the per-query cost bounded. Catches g00gle.com, githab.com, paypa1.com.
Curated community blocklists across 15 categories: phishing, malware, ads, NRD, DGA, NSFW, gambling, telemetry, AI scrapers, bypass-bypass (Tor + DoH), regional (IN/RU/JP/CN/PL), and more. Per-tenant subscriptions reconciled to AGH automatically every 5 minutes.
Per-tenant default-deny toggle flips resolution from blocklist to allowlist: nothing resolves unless explicitly permitted. The Fortune-500-healthcare / SCIF / kiosk mode. Layered under existing per-tenant allow entries.
Push your owned domains (yourcompany.com, internal-tool.com) to /policies/protect-list. The typosquat detector scores incoming queries against your list — catches phishing campaigns built around your specific brand within minutes of the first DNS lookup.
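The typosquat check described in the two passages above (Damerau-Levenshtein ≤ 2 after homoglyph normalization, length-band pruning, scoring against a protect list), as an added Python example that is not olladns code. The homoglyph table, the function names and the sample protect list are assumptions, and the optimal-string-alignment variant of Damerau-Levenshtein is used.

```python
# Added example, not olladns code. The homoglyph table is an assumed subset.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})  # Cyrillic lookalikes -> Latin


def normalize(domain):
    """Lowercase, drop the trailing dot, fold homoglyphs to Latin."""
    return domain.lower().rstrip(".").translate(HOMOGLYPHS)


def osa_distance(a, b, limit=2):
    """Damerau-Levenshtein (optimal string alignment) distance.

    Returns limit + 1 without running the DP when the lengths differ by
    more than limit (length-band pruning)."""
    if abs(len(a) - len(b)) > limit:
        return limit + 1
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1,               # deletion
                         cur[j - 1] + 1,            # insertion
                         prev[j - 1] + (ca != cb))  # substitution
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[-1]


def typosquat_hits(query, protect_list, limit=2):
    """Return [(protected_domain, distance)] for names the query imitates."""
    raw, folded = query.lower().rstrip("."), normalize(query)
    hits = []
    for owned in protect_list:
        if raw == owned or raw.endswith("." + owned):
            return []  # the protected domain itself, or a subdomain of it
        d = osa_distance(folded, normalize(owned), limit)
        if d <= limit:
            hits.append((owned, d))
    return sorted(hits, key=lambda h: h[1])


PROTECT = ["google.com", "github.com", "paypal.com"]  # constructed protect list

if __name__ == "__main__":
    # Constructed queries: the page's three examples, a Cyrillic 'a', a swap.
    for q in ["g00gle.com", "githab.com", "paypa1.com", "p\u0430ypal.com",
              "gihtub.com", "api.github.com"]:
        print(ascii(q), typosquat_hits(q, PROTECT))
```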
Every API mutation writes an audit-log row tagged with the actor (human session or specific agent token). Every audit event can fan out to your SIEM via HMAC-signed webhook.
actor_type + user_id or api_key_id. Filter by humans, by agents, by system actions.
policy.*, threat.*, device.create, or *. Bodies HMAC-SHA256 signed; timestamp header for replay protection.
/analytics/export for ad-hoc pulls into your data lake.
Flip log_anonymize_clients per tenant; the AGH-to-ClickHouse poller drops source IPs at ingest. Analytics still slice by device slug — privacy without losing device-level visibility.
Per-tenant log_retention_days from 1 to 365. ClickHouse TTL is applied at partition rotation. Default 30; healthcare tenants typically choose 90; a few choose 1.
Subscribe to the Hagezi DoH-bypass and Tor-exit catalog entries to block users from circumventing your DNS filter via third-party encrypted resolvers.
Identity, SIEM, MDM, alerting — wire olladns to the rest of your security graph in minutes, not weeks.
Free 14-day trial. Connect 50 devices in 15 minutes. No commitment.