Numa

DNS you own. Everywhere you go.

After Numa Pompilius, who built institutions that outlasted kings.

Block ads and trackers. Override DNS for development. Cache for speed. A single portable binary built from scratch in Rust — no Raspberry Pi, no cloud, no account. Your DNS travels with you.

Get Started Read the Architecture View on GitHub
The Problem

DNS is a single point of control

Every time you visit a website, you ask a DNS resolver where to go. That resolver sees every domain you visit, when, and how often.

Today, a handful of operators control this infrastructure. ICANN governs the root. Registrars can seize domains. Governments compel censorship. Your ISP logs your queries by default.

The protocol that underpins the entire internet has no built-in privacy, no cryptographic ownership, and no way for users to choose who they trust.

Your browser
Your ISP / OS resolver
|
Single point of failure
Cloudflare 1.1.1.1 / Google 8.8.8.8
|
ICANN root servers
TLD registrars (.com, .io, ...)
Authoritative nameservers
How It Works

Three layers, built incrementally

Numa starts as a practical developer tool and evolves toward a decentralized network. Each layer stands on its own.

Today

DNS You Control

  • Ad & tracker blocking — 385K+ domains, zero config
  • Ephemeral DNS overrides with auto-revert
  • Live dashboard with real-time stats and controls
  • REST API — 18 endpoints for programmatic control
  • TTL-aware caching (sub-ms lookups)
  • Single binary, portable — your ad blocker travels with you
Next

Self-Sovereign DNS

  • pkarr integration: Ed25519 keys as domains
  • Resolve via Mainline BitTorrent DHT (10M+ nodes)
  • No registrar, no blockchain, no ICANN
  • Cryptographic verification built-in
  • Human-readable aliases for pkarr domains
Vision

Decentralized Resolver Network

  • Operators run Numa nodes and stake tokens
  • Earn rewards for uptime, correctness, latency
  • Independent auditors send challenge queries
  • Slashing for NXDOMAIN hijacking or poisoned records
  • Geographic diversity bonuses
  • Privacy-preserving resolution (DoH/DoT)
Architecture

Resolution pipeline

Every query walks through the same deterministic pipeline. Local data takes priority; the network is the fallback.

Query
Overrides
Local Zones
Cache
pkarr / DHT
Upstream
Respond

Layered resilience

L4 Permanence
Arweave immutable zone snapshots (future)
L3 Distribution
Mainline DHT via pkarr — 10M+ nodes
L2 Serving
Numa instances worldwide
L1 Compatibility
Standard DNS wire protocol — RFC 1035

Network actors

Users

Choose resolvers from a decentralized marketplace based on latency, privacy, and reputation

Operators

Stake tokens, run Numa nodes, earn rewards proportional to verified service quality

Auditors

Send challenge queries from diverse locations, verify correctness and latency

Chain

Accounting, reputation scores, reward distribution, slashing proofs

Comparison

Why Numa is different

Comparison of Numa with existing DNS solutions
Pi-hole NextDNS Cloudflare AdGuard Home Numa
Ad & tracker blocking Yes Yes Limited Yes 385K+ domains
Portable (travels with laptop) No (Raspberry Pi) Cloud only Cloud only No (network appliance) Single binary
Developer overrides No No No No REST API + auto-expiry
Data stays local Yes Cloud Cloud Yes 100% local
Live dashboard Yes Yes No Yes Real-time + controls
Zero config needed Complex setup Yes Yes Docker/setup Works out of the box
Self-sovereign DNS roadmap No No No No pkarr / DHT
Under the Hood

Technical details

Runtime
Rust + tokio async (rt-multi-thread)
DNS Libraries
Zero — wire protocol parsed from scratch
Dependencies
6 runtime crates (tokio, axum, serde, serde_json, toml, log)
Packet Format
RFC 1035 compliant, 512-byte UDP
Concurrency
Arc<ServerCtx> + std::sync::Mutex (sub-µs holds, never across .await)
Signatures
Ed25519 via pkarr for self-sovereign domains
$ cargo install numa $ sudo numa # bind to :53 $ dig @127.0.0.1 google.com # test resolution $ curl localhost:5380/overrides # REST API $ curl -X POST localhost:5380/overrides \ -d '{"domain":"api.stripe.com", "target":"127.0.0.1", "duration_secs":1800}' # 30-min override
Roadmap

Where we're going

Phase 0 DNS proxy core — zones, caching, forwarding, async tokio runtime
Phase 1 Override layer + REST API with 18 endpoints
Phase 2 Ad & tracker blocking — 385K+ domains, live dashboard, one-click allowlist
Phase 3 System integration — auto-discovery of OS DNS routing, one-command install
Phase 4 pkarr spike — DHT resolution and publish endpoint
Phase 5 pkarr product — human-readable aliases, re-publish daemon, key management
Phase 4 Challenge and audit protocol for verifiable resolver behavior
Phase 5 Token economics, staking, and slashing mechanism
Phase 6 Decentralized resolver marketplace