Frequently asked questions for the SecDNS protective DNS platform.
Brand-new to SecDNS? Start here. Most users are protected within 5 minutes.
Sign in, finish the onboarding wizard (Organization → first profile → first device). The wizard hands you a DoH URL like https://abc123.dns.secdns.io/dns-query — paste it into iOS/Android Private DNS, your router, or import the iOS/macOS mobileconfig from the Devices page.
A profile holds the policy (categories, services, custom rules, schedule). A device is one endpoint (a phone, laptop, or whole household behind a router) bound to a profile. Multiple devices can share the same profile.
Every profile gets a unique label like abc123.dns.secdns.io. Configuring this DoH/DoT URL on a device is enough — no extra credentials, and it survives IP changes.
Yes. Most modern routers (Ubiquiti, OPNsense, MikroTik, OpenWrt, Synology, Asus with Merlin) support DoT or DoH upstream. Use the device's DoT hostname; the whole network gets protection.
Categories block large topic groups, services block specific apps, custom rules let you allow/deny anything by domain.
Categories like Adult, Gambling, Piracy, Social Media, AI/chatbots, Drugs, Violence, Dating each map to a curated, frequently-updated domain feed. Toggle one on in the profile and SecDNS compiles the change to every edge node within seconds.
SafeSearch rewrites Google, Bing, DuckDuckGo, YouTube and (where supported) Brave search results to enforce family-safe content. Toggle the providers you want under Profile → SafeSearch. YouTube also gets restricted-mode DNS pinning.
Yes. Profile → Service blocking has curated presets for ~25 apps (TikTok, Instagram, Snapchat, Netflix, Disney+, Roblox, Fortnite, ChatGPT, Discord, Twitch, Steam, …). Each preset only contains that app's own domains so there is no collateral damage.
Each rule can carry a schedule (timezone, weekdays, hh:mm window). Outside the window the rule is treated as if it didn't exist. Common pattern: weekday-night TikTok block, weekend-morning gaming block, "homework hours" override.
A daily-refreshed feed of every domain registered in the last 30 days (NRD-30). Phishing campaigns rely on disposable domains, so blocking NRD catches a lot of social-engineering before any other feed has heard of the domain.
Yes. Custom blocklists accept either an inline list or a remote URL (auto-refresh on a configurable interval). Common formats — hosts file, dnsmasq, plain text — are auto-detected.
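To show what auto-detecting hosts, dnsmasq and plain-text lists involves, here is an added sketch (not SecDNS code) that normalizes all three into one domain set. The per-line detection, the sinkhole address set and the function names are assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Assumption: only sinkhole addresses in a hosts file mean "block this name".
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::", "::1"}
_LABEL = re.compile(r"[a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?")
_DNSMASQ = re.compile(r"^(?:address|server|local)=(/.*)$")

def normalize(name):
    """Lower-case, drop the trailing dot; None unless it looks like an FQDN."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return None
    return name if all(_LABEL.fullmatch(l) for l in labels) else None

def parse_line(line):
    """Return (format, candidate names) for one line; (None, []) to skip it."""
    line = line.split("#", 1)[0].strip()          # '#' starts a comment
    if not line:
        return None, []
    m = _DNSMASQ.match(line)
    if m:                                         # address=/a.com/b.com/0.0.0.0
        return "dnsmasq", m.group(1).split("/")[1:-1]
    tokens = line.split()
    try:
        ip = ipaddress.ip_address(tokens[0])
    except ValueError:                            # no leading IP: plain list
        return ("plain", tokens) if len(tokens) == 1 else (None, [])
    return ("hosts", tokens[1:]) if str(ip) in SINKHOLES else (None, [])

def parse_blocklist(text):
    """Return (sorted unique domains, lines accepted per detected format)."""
    domains, formats = set(), Counter()
    for raw in text.splitlines():
        fmt, names = parse_line(raw)
        valid = [d for d in map(normalize, names) if d]
        if valid:
            formats[fmt] += 1
            domains.update(valid)
    return sorted(domains), dict(formats)

# Constructed sample mixing the three formats plus lines that must be ignored.
SAMPLE = """\
0.0.0.0 ads.example.com tracker.example.com
127.0.0.1 localhost
address=/Malware.Example.net/0.0.0.0
local=/telemetry.example.org/
phish.example.io.   # trailing dot and comment
192.0.2.10 intranet.example.com
"""
```

Hosts lines that map a name to a routable address are skipped rather than treated as block rules, so a remote list cannot be used to smuggle in name-to-IP overrides.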
Native client apps are coming. In the meantime SecDNS works with every OS and router that supports DoH or DoT upstream.
Devices page → click the device → copy the DoH URL or scan the QR code. The DoT hostname is the same label without /dns-query.
Devices page → "Apple mobileconfig". Email the file to yourself, open it on the device, and approve the profile in Settings → General → VPN & Device Management.
For non-DoH-capable clients (smart TVs, IoT) we accept plain DNS over IPv4 from a known, frequently-updated IP. Devices page → Linked IP lets you pin one or run our tiny DDNS updater on a NAS / router.
Yes. Profile → Block page lets you set a title, message, contact email and logo. The page is served on a sinkhole address so HTTPS clients see a clean explanation instead of a connection error.
A Windows tray app, macOS menubar app and Android/iOS apps are on the roadmap. Today the Python CLI in apps/cli plus the OS-native DoH/DoT clients cover all platforms.
Every blocked or allowed query lands in your private query log within 1–2 seconds.
Dashboard → Live queries shows the last few minutes in real time. Queries page lets you filter by device, action (allow/deny), category, and time window — and export to CSV.
Retention follows your plan: Free 3 days, Starter 6, Pro 9, Enterprise 30. Set retention down to "off" at any time for privacy.
A background scoring engine flags devices that suddenly query more domains than usual, talk to lots of NRDs, or hit known C2 infrastructure. Anomalies surface on the dashboard and can fire webhooks.
Yes. Settings → SIEM export ships query logs as JSON to any HTTP endpoint, with retry + signature verification. Splunk HEC, Datadog Logs, Elastic, S3 buckets — anything that accepts JSON works.
Everything in the dashboard is also a versioned REST API. Bring your own automation.
Settings → API Keys → Create. Send the key as Authorization: Bearer sk_live_xxx. Per-key rate limits follow your plan.
Settings → Webhooks → add a URL. SecDNS POSTs JSON for scan.completed, scan.failed, anomaly.detected, subscription.* events. Verify the X-SecDNS-Signature header against the secret to reject forgeries.
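A receiver-side check for the X-SecDNS-Signature header, as an added example that is not SecDNS code. The page does not state the signature scheme, so this assumes a hex-encoded HMAC-SHA256 of the raw request body keyed with the webhook secret, and an event name carried in a "type" field; confirm both against the API docs.

```python
import hashlib
import hmac
import json

# Event names listed on this page; subscription.* is matched by prefix.
KNOWN_EVENTS = {"scan.completed", "scan.failed", "anomaly.detected"}

def sign(secret: bytes, body: bytes) -> str:
    """Assumed scheme: hex HMAC-SHA256 over the exact bytes received."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()

def verify_webhook(secret: bytes, body: bytes, signature_header):
    """Return the parsed event if the signature and type check out, else None."""
    if not signature_header:
        return None                      # unsigned requests are never accepted
    expected = sign(secret, body).encode()
    received = signature_header.strip().lower().encode("utf-8", "replace")
    # Constant-time comparison, done before the body is parsed at all.
    if not hmac.compare_digest(expected, received):
        return None
    try:
        event = json.loads(body)
    except ValueError:
        return None
    if not isinstance(event, dict):
        return None
    etype = event.get("type", "")        # "type" field name is an assumption
    if not isinstance(etype, str):
        return None
    if etype in KNOWN_EVENTS or etype.startswith("subscription."):
        return event
    return None

# Constructed secret and payload for a local self-check.
SECRET = b"whsec_constructed_example"
BODY = b'{"type":"anomaly.detected","device":"laptop-1"}'
```

Verify against the raw bytes as received; re-serializing the parsed JSON before hashing changes whitespace and key order and makes valid signatures fail.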
GET /docs on the API host renders the live OpenAPI spec. The bottom of every endpoint page in the docs has a copy-pasteable curl example.
Yes. Settings → SSO → SCIM gives you a base URL plus a bearer token; Okta / Entra / Google Workspace all bind to it. Group-to-profile mapping is configured in Settings → Group bindings.
All plans, the 14-day refund, and how to cancel.
Yes. Starter and Pro include a 14-day free trial — no card charge until the trial ends, and the 14-day money-back guarantee runs on top of that for paid plans.
Settings → Subscription → Open Stripe portal lets you manage payment methods, change plans (prorated), and cancel. Cancellation takes effect at the end of the current billing period.
Yes — within 14 days of payment we refund 100%, no questions asked. Settings → Subscription → "Request refund" handles it automatically.
Use the Contact page for general questions, support@secdns.io for billing/account issues, security@secdns.io for vulnerability reports. Pro and Enterprise customers get prioritized handling.