← dashboard

0druid.cc

A privacy and security focused provider. Debian 13. 0druid.cc. Maintained by Druid520.

Overview

This server runs a curated set of open-source services. Every service is chosen for simplicity, wide adoption, and strong security defaults. No proprietary software, no third-party tracking, no forwarded DNS.

The server is hardened at every layer: kernel, network, SSH, firewall, TLS, DNS, NTP, and application. Post-quantum key exchange on all encrypted services. Automated maintenance on timers. AppArmor mandatory access control profiles restrict every service (9 profiles, all enforcing).

The DNS-over-TLS proxy (dot-proxy) is a custom C program — Zero runtime dependencies beyond libssl/libc. TLS 1.3 only, drops root, per-child resource limits, no session tracking. Diagnostics page shows your connection details.

IPv6 is fully disabled system-wide.

Services

DNS — Ad/Malware Blocker port 53

dnsmasq blocks ads, trackers, and malware domains (2.9M+ entries). Forwards to Unbound on port 5335.

DNS — Recursive Resolver port 5335

Unbound performs recursive DNS resolution directly with root servers — no third party sees your queries.

DNS-over-TLS ports 853, 8535

dot-proxy — 23KB C binary. TLS 1.3 termination with PQ key exchange. Forks per connection.

client compatibility
ClientPQConnectsNotes
OpenSSL 3.5+yesyesopenssl s_client -connect 0druid.cc:853
BoringSSL (Android, Chrome)yesyesAndroid Private DNS = 0druid.cc
GnuTLS < 3.8.10noyeskdig, wget, chrony — falls back to X25519
systemd-resolvedyesyesUses OpenSSL on most distros
unbound (forwarder)yesyesLinked against OpenSSL/LibreSSL; use forward-tls-upstream

VPN / WireGuard port 51820

WireGuard with pre-shared key (PSK). ChaCha20-Poly1305 symmetric encryption is quantum-resistant. Full-tunnel — routes all client traffic through hardened Debian 13 KVM nodes.

VPN Nodes

NodeIPSpecsConfig
Node 165.75.201.472 vCPU, 4GB RAM, 40GB NVMe, KVMdownload

NTP + NTS Server ports 123 + 4460

Chrony provides accurate time using encrypted NTS with privacy-focused servers only.

Security

Post-Quantum Cryptography

ProtocolAlgorithmStatus
SSHmlkem768x25519-sha256active
TLSX25519MLKEM768active
DNS-over-TLSX25519MLKEM768active (OpenSSL clients)
NTPNTS (AEAD-AES256-GCM) — client + serveractive
DNSDNSSEC (ECDSA P-256)active

SSH port 3447

Firewall (UFW)

PortProtoRuleService
3447TCPLIMITSSH
9090TCPALLOWCockpit
80,443TCPALLOWCaddy HTTP/HTTPS
53TCP+UDPALLOWdnsmasq DNS
5335TCP+UDPALLOWUnbound DNS
123UDPALLOWChrony NTP
4460TCPALLOWChrony NTS-KE
853TCPALLOWDNS-over-TLS (blocked)
8535TCPALLOWDNS-over-TLS (raw)

AppArmor 9 profiles enforcing

Mandatory access control restricts every service: caddy, dnsmasq, unbound, dot-proxy, chrony, fail2ban, monit, sshd, cockpit-tls.

Kernel Hardening

Maintenance

7 systemd timers: cleanup (weekly), security-audit (daily), health-check (daily), disk-monitor (6h), blocklist-update (weekly), cert-sync (12h), logrotate (daily). Journal capped at 50MB / 30 days. Swap: 2GB.