DnsMARA focuses only on what matters for subscriber resolvers in ISP networks: massive throughput, sub-ms latency, Anycast resilience, encrypted DNS, proactive caching, and resolver-level security to curb infections and abuse.

Carrier-grade performance & scaling

Millions of QPS per node

Engineered for sustained high throughput under real subscriber traffic, not just lab microbenchmarks.

Linear cluster scaling

Add nodes/PoPs and grow capacity predictably; ideal for phased rollouts and seasonal peaks.

Consistent sub-ms latency

Fast code paths and hot caches keep p50/p95 low—even during traffic surges.

Malware blocking & infection detection (RPZ)

Resolver-level protection

Block access to known malware, phishing, and C&C domains using Response Policy Zones (RPZ).

Reduce infections at the source

Prevent callbacks to malware infrastructure so bots fail to activate or update.

Identify infected subscribers

Analytics flag subscriber lines that repeatedly query malicious domains, helping your abuse desk notify and remediate.

Protect operator reputation

Lower the chance of your IP ranges being blacklisted by peers and services.

Proactive prefetching — zero-latency answers

Refresh before TTL expiry

DnsMARA prefetches hot records proactively so subscribers almost always hit a warm cache.

Visible QoE improvement

Fewer upstream lookups means faster page starts and a snappier feel on your network.

Encrypted DNS (DoT/DoH) without losing visibility

Keep subscribers on-net

Offer DoT/DoH so users don’t defect to public resolvers for privacy.

Preserve analytics & logs

Maintain traffic insights and policy controls even with encrypted sessions.

Plan for the future

Meet rising privacy expectations and regulatory requirements with minimal latency impact.

Anycast & high availability

Nearest healthy node—automatically

Carrier-class Anycast steers traffic to the closest responder with graceful failover.

Maintenance without downtime

Rolling upgrades and node drain make changes safe and predictable.

Resilient under stress

Health checks, back-pressure, and rate controls help ride out floods and anomalies.

Observability & analytics

Everything you need to see

QPS, latency histograms, cache hit ratios, NXDOMAIN rates, error surfaces, and health.

Subscriber-level insights

Spot infected lines and misbehaving resolvers; export to your SIEM/SOC.

Stream & automate

Streaming logs and APIs integrate with Prometheus/Grafana/ELK and your OSS/BSS.

Automation & integration

API-first control plane

Provision new PoPs, push config, manage RPZ policies, and roll changes via REST.

Template-based rollout

Standardize resolver nodes and clusters; version and reuse templates safely.

Fits your workflows

Hooks for ticketing/orchestration so NOC teams stay in their familiar tools.

Security hardening & safe operations

Attack-aware resolver

Rate limiting, query flooding protections, and cache-poisoning mitigations.

Role-based access & audit

Control who can change what; keep a verifiable trail of operations.

Signed updates & lifecycle

Hardened base OS, signed images, and a predictable patch cadence.

DIY open source vs. DnsMARA — the practical comparison

DIY (Unbound/Knot/BIND)

Great building blocks, but you own Anycast tuning, DoT/DoH overhead, RPZ feed orchestration, dashboards, and on-call debugging—without a resolver-specific SLA.

DnsMARA

A finished, supported resolver platform purpose-built for ISPs: scale, latency, Anycast HA, prefetching, RPZ security, analytics, and APIs—ready on day one.

POC blueprint & exit criteria

  • p95 DNS latency ≤ agreed target under peak load
  • Headroom ≥ 30–50% QPS at steady state
  • Zero query loss during a node failure test
  • RPZ policy propagation ≤ 60s under load
  • DoT/DoH enabled with minimal latency delta vs UDP baseline
  • Rolling upgrade validated with no user-visible impact
