If you've ever managed network infrastructure for an Internet Service Provider (ISP) or a large corporate network, you know that DNS is the Achilles' heel. A slow DNS resolver frustrates thousands of users, and a compromised one leads to massive security breaches.
Most solutions out there require hours of manual Linux tuning, kernel adjustments, and painful dashboard setups. I wanted to solve this by creating something that deploys itself and optimizes its own performance based on the hardware it's running on.
So, I built Sentinel DNS ā an open-source, high-performance DNS Firewall appliance built on top of Rocky Linux and Unbound.
Here is a look at what I built and how it works under the hood.
š The Core Features
Instead of distributing just a script, I decided to remaster a full Linux ISO. The goal was to go from "bare metal" to "production-ready DNS Firewall" in less than 5 minutes, 100% offline.
Unattended Kickstart Installation
You just boot the ISO. A custom ks.cfg (Kickstart) automatically partitions the LVM (isolating logs to prevent disk exhaustion), installs Node.js, Redis, and Unbound, and sets up the dashboard without a single keystroke from the user.Dynamic OS & Services Auto-Tuning
This is the part I'm most proud of. On every boot, a startup script calculates the physical hardware (CPU cores and RAM) and automatically adjusts the system:
Linux Kernel UDP Buffers (rmem_max and rmem_default) are expanded up to 16MB to prevent UDP packet drops during heavy loads.
Unbound Cache Slabs are calculated as a Power of 2 matching the CPU cores for lock-less memory access.
Cache limits are dynamically scaled up to 4GB of RAM.
- Real-Time 3D NOC Dashboard Most DNS dashboards are boring tables. I wanted something that looked like a futuristic Network Operations Center. I used Three.js to build a holographic 3D globe that draws real-time geographic arcs connecting local clients to the global malware threats that the DNS firewall is blocking.
Sentinel DNS 3D DashboardThe NOC Dashboard measuring ICMP/TCP jitter and rendering 3D threat arcs.
š”ļø Security & Resilience
To make it bulletproof for ISPs, I implemented several advanced DNS RFCs natively:
RFC 8767 (Serve-Expired): If the global root servers go offline or suffer a DDoS attack, Sentinel continues to serve cached records for up to 24 hours.
RFC 7706 (Hyperlocal): It runs a local copy of the root zone, meaning resolution for root servers happens in exactly 0 milliseconds.
Cyber Threat Intelligence (CTI): An asynchronous Node.js engine processes up to 20,000 lines of Unbound logs per execution, blocking malware and Algorithmically Generated Domains (DGAs) in real-time.
š ļø The Tech Stack
Base OS: Rocky Linux 9.7 (Minimal)
DNS Engine: Unbound (with DNSSEC active by default)
Backend: Node.js + Redis (for high-speed temporary metrics and cache persistence)
Frontend: HTML5, Vanilla JS, CSS, and Three.js (no heavy frontend frameworks to keep the dashboard blazing fast).
š„ Try it out
The project is fully open-source. You can download the remastered ISO directly from the website and test it in a Virtual Machine (Proxmox, VMware, VirtualBox).
Official Website: dns.sentineldns.uk
GitHub Repository: devairfernandes/dns.sentineldns
If you are into networking, self-hosting, or Linux administration, Iād love to hear your feedback! Have you ever built custom Linux appliances using Kickstart? Let me know in the comments.
Top comments (0)