Haven
Haven is the DNS resolver stack that runs on every WraithGate exit node. It answers your device's DNS queries, blocks known ad, tracker, and malware domains, and forwards the rest to reputable encrypted upstreams. Customers on the Haven-only tier use it as a DNS-over-HTTPS profile without a VPN; customers on Enclave use it automatically when the VPN is connected.
Resolver stack
- Filtering front door — applies blocklists, answers from cache, implements DNS-over-HTTPS and DNS-over-TLS for Haven-only customers. Industry-standard filtering software, deployed on every node.
- Validating recursive resolver — performs DNSSEC validation, available for queries that need recursion below our stack.
- Upstream resolvers — Quad9 and Cloudflare, over DoH, in parallel. The first valid response wins. Used for the vast majority of queries that do not require recursion below our stack.
The stack binds on each node's WireGuard interface address (for VPN customers) and on a hardened public listener (for Haven-only DoH customers). UDP 53 on the WireGuard interface is only reachable from inside the tunnel.
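The "first valid response wins" rule above only means something once "valid" is defined: a fast SERVFAIL from one upstream must not beat a slower NOERROR from the other. The following is an added example, not Haven's own code, that races two upstreams and accepts the first answer that passes basic wire-format checks (matching transaction ID, QR bit set, usable RCODE, question echoed back). The upstreams are constructed stand-ins with artificial delays so the example runs offline; the DoH transport, the resolver names and the sample addresses (TEST-NET ranges) are assumptions.

```python
import asyncio
import struct
from typing import Awaitable, Callable, Dict, Optional, Tuple

Upstream = Callable[[bytes], Awaitable[bytes]]


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Minimal DNS wire-format query: RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def build_response(query: bytes, rcode: int, ip: Optional[str] = None) -> bytes:
    """Constructed upstream reply: echoes the question, optional single A record."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8180 | (rcode & 0xF)          # QR, RD, RA + RCODE
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1 if ip else 0, 0, 0) + question
    if ip:
        # name = pointer to offset 12, type A, class IN, TTL 300, RDLENGTH 4
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
        msg += bytes(int(o) for o in ip.split("."))
    return msg


def is_valid_response(query: bytes, response: bytes) -> bool:
    """What 'valid' means for the race: the reply must belong to this query,
    be a non-truncated answer, and carry an RCODE the cache can use
    (NOERROR or NXDOMAIN). SERVFAIL/REFUSED lose the race."""
    if len(response) < 12:
        return False
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        return False
    if not flags & 0x8000 or flags & 0x0200:      # QR must be set, TC must not
        return False
    if flags & 0xF not in (0, 3):
        return False
    question = query[12:]
    return qd == 1 and response[12:12 + len(question)] == question


def answer_ip(response: bytes) -> Optional[str]:
    """Return the A record address if the reply carries one answer (toy parser)."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return ".".join(str(b) for b in response[-4:]) if ancount else None


async def race(query: bytes, upstreams: Dict[str, Upstream]) -> Optional[Tuple[str, bytes]]:
    """Send the query to every upstream in parallel; first VALID reply wins,
    the rest are cancelled. Returns None if no upstream produced a valid reply."""
    tasks = {asyncio.ensure_future(fn(query)): name for name, fn in upstreams.items()}
    pending = set(tasks)
    winner = None
    try:
        while pending and winner is None:
            done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED)
            for t in done:
                if t.exception() is None and is_valid_response(query, t.result()):
                    winner = (tasks[t], t.result())
                    break
    finally:
        for t in pending:
            t.cancel()
    return winner


def fake_upstream(delay: float, rcode: int, ip: Optional[str] = None) -> Upstream:
    """Constructed stand-in for a DoH upstream (assumption: no real network I/O)."""
    async def resolve(query: bytes) -> bytes:
        await asyncio.sleep(delay)
        return build_response(query, rcode, ip)
    return resolve


def resolve(qname: str, upstreams: Dict[str, Upstream]) -> Optional[Tuple[str, bytes]]:
    return asyncio.run(race(build_query(qname), upstreams))


if __name__ == "__main__":
    # The faster upstream answers SERVFAIL; the slower one answers NOERROR and wins.
    ups = {"quad9": fake_upstream(0.01, 2), "cloudflare": fake_upstream(0.1, 0, "192.0.2.1")}
    name, resp = resolve("example.com", ups)
    print(name, answer_ip(resp))
```

Cancelling the losing task matters operationally as well as for tidiness: without it a slow or failing upstream keeps a connection and a query name in memory longer than the "in flight only" promise made further down this page.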
Blocklists
Two well-known lists are applied by default: a general ad-and-tracker filter, and a community-maintained aggregate list that covers known malicious, phishing, and scam domains. Both are reputable, widely adopted lists maintained by third parties.
Blocklist updates are pulled on a schedule from their published sources. We do not author or modify the lists. If a domain is blocked that you need, our support address is the correct route — we do not maintain a per-customer allowlist yet.
Tiers
Paying Enclave customers can choose one of three filter profiles: Standard (ads + trackers + known malware), High (adds aggressive tracking blocking), and Family (adds adult-content blocking). The profile is selected by the client when it connects; the resolver answers from the profile's cache. The profile selection lives on your device — we do not store per-customer filter preferences on the server.
What Katafract can see
- Aggregate query counts — we know, per node, how many DNS queries were answered and how many were blocked. These counters are used for capacity planning and to verify blocklists are working.
- A query in flight — while the resolver is answering a single query, the query name is in memory. It is not written to disk.
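The three sections above (blocklists, tiers, and what is counted) fit together in one small piece of logic: parse third-party lists in their published formats, compose them into profiles, match query names by label suffix so that a blocked zone covers its subdomains, and keep only aggregate counters. The following is an added example, not the filtering software Haven deploys; the list contents are constructed samples, and the assumption that Family builds on Standard (rather than High) is mine, since the page does not say.

```python
from collections import Counter
from typing import Dict, Iterable, Set

# Constructed sample lists in the two formats public blocklists commonly use:
# hosts-file style ("0.0.0.0 name") and one domain per line. Not the real lists.
ADS_TRACKERS = """\
# sample ad/tracker list (hosts format)
0.0.0.0 ads.example
0.0.0.0 telemetry.example   # trailing comment
"""
MALICIOUS = """\
# sample malicious/phishing aggregate (domain-per-line format)
phish.example
scam.example.
"""
AGGRESSIVE_TRACKING = "analytics.example\n"
ADULT_CONTENT = "adult.example\n"

# Profile composition (assumption: Family = Standard + adult-content list).
PROFILES: Dict[str, Iterable[str]] = {
    "Standard": (ADS_TRACKERS, MALICIOUS),
    "High": (ADS_TRACKERS, MALICIOUS, AGGRESSIVE_TRACKING),
    "Family": (ADS_TRACKERS, MALICIOUS, ADULT_CONTENT),
}


def parse_blocklist(text: str) -> Set[str]:
    """Accept both hosts-format and plain domain lines; normalise to lower-case,
    no trailing dot; ignore comments and blank lines."""
    domains: Set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        sinkholes = ("0.0.0.0", "127.0.0.1", "::", "::1")
        name = parts[1] if len(parts) >= 2 and parts[0] in sinkholes else parts[0]
        domains.add(name.lower().rstrip("."))
    return domains


def is_blocked(qname: str, blocked: Set[str]) -> bool:
    """Label-wise suffix match: blocking ads.example also blocks cdn.ads.example,
    but NOT notads.example (a plain string suffix check would get that wrong)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


class FilteringFrontDoor:
    """Toy front door: decides block vs forward per profile and keeps only
    per-node aggregate counters, never a query name or a client address."""

    def __init__(self, profiles: Dict[str, Iterable[str]]):
        self.blocked: Dict[str, Set[str]] = {
            name: set().union(*(parse_blocklist(t) for t in lists))
            for name, lists in profiles.items()
        }
        self.counters: Counter = Counter()   # keys are only "queries" / "blocked"

    def answer(self, profile: str, qname: str) -> str:
        self.counters["queries"] += 1
        if is_blocked(qname, self.blocked[profile]):
            self.counters["blocked"] += 1
            return "BLOCKED"      # sinkhole / NXDOMAIN answer to the client
        return "FORWARD"          # cache miss goes to the upstream race (not shown)


if __name__ == "__main__":
    fd = FilteringFrontDoor(PROFILES)
    for profile, name in [("Standard", "cdn.ads.example"), ("Standard", "analytics.example"),
                          ("High", "analytics.example"), ("Family", "www.adult.example")]:
        print(profile, name, fd.answer(profile, name))
    print(dict(fd.counters))   # aggregate only: {'queries': 4, 'blocked': 3}
```

The counters are the only state that survives a query here, which is exactly what the "Aggregate query counts" bullet describes; verifying that the blocklists work reduces to checking that the blocked counter moves when a known-listed name is queried.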
What Katafract does not log
- Per-customer query history — the resolver's query log is disabled on every production node. There is no file that associates a client address with the domains it looked up.
- Source addresses — the resolver does not write source IP + query pairs anywhere.
- Remote transfer — nothing at the resolver layer ships query data off the node. There is nothing to transfer.
Upstream exposure
When a query has to leave our node — almost all queries, because we do not run a fully recursive resolver by default — it goes to Quad9 or Cloudflare over DoH. Those providers can see that our node looked up a domain, but not which customer was behind it. They have their own published privacy policies; neither logs identifying information about resolver queries as a matter of policy.
What this means for you
Haven's job is to answer fast and remember nothing. The blocklists run; the cache does its work; the queries leave the node via encrypted transports to upstreams that do not know who you are. If a subpoena asked us which domains a given customer looked up, the honest answer is that we do not record that data in the first place.