Security & Trust

Our Commitments

How ArmorDNS Works

ArmorDNS runs on dedicated infrastructure hosted in the United States. Here's the high-level architecture:

Your Device
    │
    ▼ (DNS-over-TLS or DNS-over-HTTPS, encrypted)
┌─────────────────────────────────────────────┐
│  ArmorDNS Filtering Server                  │
│  ├─ Extracts your device token from SNI    │
│  ├─ Checks domain against your blocklists  │
│  └─ Blocked → returns 0.0.0.0              │
│      Allowed → forwards to resolver        │
└─────────────────────────────────────────────┘
    │
    ▼ (encrypted)
┌─────────────────────────────────────────────┐
│  Recursive Resolver (Unbound)               │
│  └─ Queries upstream DNS (Cloudflare)       │
└─────────────────────────────────────────────┘
    │
    ▼
  Response returned to your device

Key points:

• Your device connects via encrypted DNS (DoT on port 853 or DoH on port 443)
• Plain DNS (port 53) is disabled for external connections — only encrypted protocols accepted
• Each device gets a unique token embedded in the DNS hostname (e.g., abc123.dns.armordns.com)
• We use Cloudflare's DNS (1.1.1.1) as our upstream resolver

Encryption

In Transit

• DNS queries: Encrypted with TLS 1.2+ via DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH)
• Web dashboard: HTTPS with TLS 1.2+, HSTS enabled, secure headers enforced
• API calls: All API endpoints require HTTPS

At Rest

• Passwords: Hashed with bcrypt (never stored in plain text)
• Database backups: Encrypted with AES-256 before storage
• Query logs: Stored temporarily in memory (Redis), not written to disk, auto-deleted after 24 hours

What We Log (and What We Don't)

DNS Query Logs (24-hour retention)

After 24 hours, query logs are automatically and permanently deleted. We have no mechanism to recover them.

Account Data (retained while account active)

• Email address, hashed password
• Device names and filtering preferences
• Billing information (stored by Stripe, not us)
• Audit log of account actions (login, password change, etc.)

Service Availability

We target 99.9% uptime for DNS resolution. Our infrastructure includes:

• Automated service monitoring every 2 minutes
• Automatic restart of failed services
• External uptime monitoring with email alerts
• Daily encrypted database backups with 30-day retention

This is a best-effort target, not a contractual SLA. We're a small team and occasional maintenance windows may be necessary. We'll notify users in advance of planned downtime when possible.

Security Vulnerability Disclosure

If you discover a security vulnerability in ArmorDNS, please report it responsibly:

We commit to:

• Acknowledging your report within 48 hours
• Keeping you informed of our progress
• Not pursuing legal action against good-faith security researchers
• Crediting you (if desired) when we disclose the fix

Please do not publicly disclose vulnerabilities until we've had a chance to address them.

Abuse Reporting

If you believe ArmorDNS is being used for abusive purposes (spam, malware distribution, illegal activity), please contact us:

Email: abuse@armordns.com

We take abuse reports seriously and will investigate promptly. We reserve the right to terminate accounts used for illegal or abusive purposes.

Blocklist Sources & Attribution

ArmorDNS uses community-maintained blocklists and threat intelligence feeds to identify and filter harmful, unwanted, and inappropriate domains. The following are our primary sources (not exhaustive):

These lists are updated daily. ArmorDNS does not modify or redistribute the original list files — we compile them into our filtering categories server-side. If you maintain a blocklist included here and have questions, please email security@armordns.com.

Questions?

For general security questions, email security@armordns.com.

For privacy questions, see our Privacy Policy or email privacy@armordns.com.