← dashboard

Connection Diagnostics

What this server offers and how to verify you are using it.

Server capabilities

TLS / HTTPS port 443

PropertyValue
ProtocolTLS 1.3 only
CiphersTLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256
Key exchangeX25519MLKEM768 PQ
CertificateLet's Encrypt — valid until Oct 14 2026
Hostname0druid.cc • 23.191.184.49 • Debian 13

PQ depends on your TLS library: OpenSSL 3.5+, BoringSSL, LibreSSL 4.x = yes. GnuTLS < 3.8.10 = classical X25519 fallback.

DNS Resolvers

Plain DNS on :53 may be blocked by some cloud providers and ISPs. Ports 5335 (plain), 853 (DoT), and 8535 (DoT raw) are always available.

PathAddressEncryptionKey exchangeBlocking
DoT0druid.cc:853TLS 1.3PQAd/malware
DoT raw0druid.cc:8535TLS 1.3PQNone
Plain recursive0druid.cc:5335NoneN/ANone

NTP / NTS

ServiceAddressEncryptionKey exchange
NTP data0druid.cc:123AEAD-AES-256-GCMPQ
NTS-KE0druid.cc:4460TLS 1.3X25519

NTP data channel uses AES-256-GCM (quantum-resistant). NTS-KE key exchange is classical because chrony links GnuTLS 3.8.9.

Client configuration

unbound /etc/unbound/unbound.conf

server:
    interface: 127.0.0.1
    port: 53
    access-control: 127.0.0.1 allow
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    verbosity: 0

forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 23.191.184.49@853#0druid.cc

chrony /etc/chrony/chrony.conf

server 0druid.cc iburst nts

Verification

DNS: are you on our resolver?

# Via DoT (ad-blocked path):
kdig check.0druid.cc
# 23.191.184.49 = yes, you are using our dnsmasq
# SERVFAIL = your client has DNSSEC validation enabled (hosts entry is unsigned)

# Plain DNS (:53) may be blocked by your ISP or cloud provider.
# Use :5335 or DoT instead.

DoT: PQ or classical?

# Check if port is reachable:
nc -zv 23.191.184.49 853

# Check negotiated group (requires OpenSSL 3.5+):
openssl s_client -connect 0druid.cc:853 -brief | grep group
# X25519MLKEM768 = post-quantum
# X25519         = classical (GnuTLS or old OpenSSL)

NTP: are you using our server? NTS? PQ?

# List NTP sources:
chronyc -n sources | grep druid

# Check NTS status:
chronyc -N authdata | grep druid
# NTS column shows NTS if negotiated

# Full details:
chronyc ntpdata 0druid.cc | grep -E "Authenticated|Remote"
# Authenticated: Yes = NTS active
# NTP data = AEAD-AES-256-GCM (quantum-resistant)
# NTS-KE   = classical (GnuTLS 3.8.9)

VPN: are you connected?

# Check your public IP — should match the VPN node:
curl -s ifconfig.so

# Node IPs:
#   Node 1 — 65.75.201.47

# Check WireGuard status:
wg show

# WireGuard with pre-shared key (PSK).
# ChaCha20-Poly1305 symmetric encryption (quantum-resistant).
# No logs kept.