A privacy and security focused provider. Debian 13. 0druid.cc. Maintained by Druid520.
This server runs a curated set of open-source services. Every service is chosen for simplicity, wide adoption, and strong security defaults. No proprietary software, no third-party tracking, no forwarded DNS.
The server is hardened at every layer: kernel, network, SSH, firewall, TLS, DNS, NTP, and application. Post-quantum key exchange on all encrypted services. Automated maintenance on timers. AppArmor mandatory access control profiles restrict every service (9 profiles, all enforcing).
The DNS-over-TLS proxy (dot-proxy) is a custom C program — Zero runtime dependencies beyond libssl/libc. TLS 1.3 only, drops root, per-child resource limits, no session tracking. Diagnostics page shows your connection details.
IPv6 is fully disabled system-wide.
dnsmasq blocks ads, trackers, and malware domains (2.9M+ entries). Forwards to Unbound on port 5335.
0druid.cc:53 / 23.191.184.49:53 (may be blocked by cloud providers/ISPs — use :5335 or DoT instead)Unbound performs recursive DNS resolution directly with root servers — no third party sees your queries.
0druid.cc:5335 / 23.191.184.49:5335dot-proxy — 23KB C binary. TLS 1.3 termination with PQ key exchange. Forks per connection.
| Client | PQ | Connects | Notes |
|---|---|---|---|
| OpenSSL 3.5+ | yes | yes | openssl s_client -connect 0druid.cc:853 |
| BoringSSL (Android, Chrome) | yes | yes | Android Private DNS = 0druid.cc |
| GnuTLS < 3.8.10 | no | yes | kdig, wget, chrony — falls back to X25519 |
| systemd-resolved | yes | yes | Uses OpenSSL on most distros |
| unbound (forwarder) | yes | yes | Linked against OpenSSL/LibreSSL; use forward-tls-upstream |
WireGuard with pre-shared key (PSK). ChaCha20-Poly1305 symmetric encryption is quantum-resistant. Full-tunnel — routes all client traffic through hardened Debian 13 KVM nodes.
| Node | IP | Specs | Config |
|---|---|---|---|
| Node 1 | 65.75.201.47 | 2 vCPU, 4GB RAM, 40GB NVMe, KVM | download |
Chrony provides accurate time using encrypted NTS with privacy-focused servers only.
server 0druid.cc iburst nts| Protocol | Algorithm | Status |
|---|---|---|
| SSH | mlkem768x25519-sha256 | active |
| TLS | X25519MLKEM768 | active |
| DNS-over-TLS | X25519MLKEM768 | active (OpenSSL clients) |
| NTP | NTS (AEAD-AES256-GCM) — client + server | active |
| DNS | DNSSEC (ECDSA P-256) | active |
| Port | Proto | Rule | Service |
|---|---|---|---|
| 3447 | TCP | LIMIT | SSH |
| 9090 | TCP | ALLOW | Cockpit |
| 80,443 | TCP | ALLOW | Caddy HTTP/HTTPS |
| 53 | TCP+UDP | ALLOW | dnsmasq DNS |
| 5335 | TCP+UDP | ALLOW | Unbound DNS |
| 123 | UDP | ALLOW | Chrony NTP |
| 4460 | TCP | ALLOW | Chrony NTS-KE |
| 853 | TCP | ALLOW | DNS-over-TLS (blocked) |
| 8535 | TCP | ALLOW | DNS-over-TLS (raw) |
Mandatory access control restricts every service: caddy, dnsmasq, unbound, dot-proxy, chrony, fail2ban, monit, sshd, cockpit-tls.
7 systemd timers: cleanup (weekly), security-audit (daily), health-check (daily), disk-monitor (6h), blocklist-update (weekly), cert-sync (12h), logrotate (daily). Journal capped at 50MB / 30 days. Swap: 2GB.