What this server offers and how to verify you are using it.
| Property | Value |
|---|---|
| Protocol | TLS 1.3 only |
| Ciphers | TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256 |
| Key exchange | X25519MLKEM768 PQ |
| Certificate | Let's Encrypt — valid until Oct 14 2026 |
| Hostname | 0druid.cc • 23.191.184.49 • Debian 13 |
PQ depends on your TLS library: OpenSSL 3.5+, BoringSSL, LibreSSL 4.x = yes. GnuTLS < 3.8.10 = classical X25519 fallback.
Plain DNS on :53 may be blocked by some cloud providers and ISPs. Ports 5335 (plain), 853 (DoT), and 8535 (DoT raw) are always available.
| Path | Address | Encryption | Key exchange | Blocking |
|---|---|---|---|---|
| DoT | 0druid.cc:853 | TLS 1.3 | PQ | Ad/malware |
| DoT raw | 0druid.cc:8535 | TLS 1.3 | PQ | None |
| Plain recursive | 0druid.cc:5335 | None | N/A | None |
| Service | Address | Encryption | Key exchange |
|---|---|---|---|
| NTP data | 0druid.cc:123 | AEAD-AES-256-GCM | PQ |
| NTS-KE | 0druid.cc:4460 | TLS 1.3 | X25519 |
NTP data channel uses AES-256-GCM (quantum-resistant). NTS-KE key exchange is classical because chrony links GnuTLS 3.8.9.
server:
interface: 127.0.0.1
port: 53
access-control: 127.0.0.1 allow
tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
verbosity: 0
forward-zone:
name: "."
forward-tls-upstream: yes
forward-addr: 23.191.184.49@853#0druid.cc
server 0druid.cc iburst nts
# Via DoT (ad-blocked path):
kdig check.0druid.cc
# 23.191.184.49 = yes, you are using our dnsmasq
# SERVFAIL = your client has DNSSEC validation enabled (hosts entry is unsigned)
# Plain DNS (:53) may be blocked by your ISP or cloud provider.
# Use :5335 or DoT instead.
# Check if port is reachable:
nc -zv 23.191.184.49 853
# Check negotiated group (requires OpenSSL 3.5+):
openssl s_client -connect 0druid.cc:853 -brief | grep group
# X25519MLKEM768 = post-quantum
# X25519 = classical (GnuTLS or old OpenSSL)
# List NTP sources:
chronyc -n sources | grep druid
# Check NTS status:
chronyc -N authdata | grep druid
# NTS column shows NTS if negotiated
# Full details:
chronyc ntpdata 0druid.cc | grep -E "Authenticated|Remote"
# Authenticated: Yes = NTS active
# NTP data = AEAD-AES-256-GCM (quantum-resistant)
# NTS-KE = classical (GnuTLS 3.8.9)
# Check your public IP — should match the VPN node:
curl -s ifconfig.so
# Node IPs:
# Node 1 — 65.75.201.47
# Check WireGuard status:
wg show
# WireGuard with pre-shared key (PSK).
# ChaCha20-Poly1305 symmetric encryption (quantum-resistant).
# No logs kept.