DNSlurp

Enterprise License

Run your own DNSlurp instance with full features

Why Run Your Own Instance?

The public site at dnslurp.esoup.net is great for quick lookups, but an enterprise instance unlocks capabilities you can't get from a public tool:

Internal & Split DNS: Query internal DNS servers and see split-horizon results that external tools can't reach
No External Dependencies: Runs entirely on your network — no data leaves your infrastructure
Custom DNS Servers: Configure your own resolver list — internal AD DNS, Pi-hole, Unbound, anything
Unlimited Queries: No rate limits, no x402 prompts — query as much as you need

Get a License

Contact us: Email support@esoup.net for payment options, volume licensing, or questions about enterprise deployment. We'll get you set up with a license and binaries for your platforms.

Self-service with crypto: Purchase instantly with USDC via the x402 protocol. No accounts, no forms — pay with your wallet and receive your license and downloads automatically.

Free Tier
$0
Rate-limited API access
  • 30 req/min DNS lookups
  • 15 req/min authoritative
  • No signup required
  • x402 bypass: $0.01/hr

Enterprise Features

A licensed instance is a standalone DNS lookup tool with no rate limits, no external dependencies, and full configuration control.

Custom Configuration: config.json for DNS servers, rate limits, branding, and more
No Rate Limits: Unlimited queries with no x402 payment prompts
Single Binary: One file per platform — no runtime, no dependencies
Custom Branding: Your logo, title, and colors on the web interface

Supported Platforms

  • darwin-arm64 (Apple Silicon Mac)
  • darwin-x64 (Intel Mac)
  • linux-x64
  • linux-arm64
  • windows-x64 (Authenticode signed)

How to Purchase

The license purchase uses the x402 HTTP payment protocol. An x402-compatible wallet or the @x402/fetch library handles the payment flow automatically.

1. Request a License

Hit the purchase endpoint. It returns 402 with USDC payment instructions.

curl https://dnslurp.esoup.net/api/license/purchase
# Returns 402 with x402 payment requirements

2. Pay with USDC on Base

Use an x402 client to sign and submit payment. The @x402/fetch library handles this automatically.

// Automatic payment with @x402/fetch
import { wrapFetchWithPaymentFromConfig } from '@x402/fetch';
const payingFetch = wrapFetchWithPaymentFromConfig(fetch, { schemes: [...] });
const res = await payingFetch('https://dnslurp.esoup.net/api/license/purchase');

3. Receive License + Downloads

On successful payment, you receive a signed license.json, download links for all platforms, and a bearer token for authenticated downloads.

4. Run Your Instance

Place license.json next to the binary and start it. That's it.

# Download, configure, run
./dnslurp
# Output: Licensed to: 0xYourWallet...

Already Purchased?

If you've already paid, provide your wallet address to get a fresh download token and re-download your binaries:

curl "https://dnslurp.esoup.net/api/license/purchase?wallet=0xYOUR_WALLET"
# Returns license + accessToken + download links if active

# Download with your token
curl -H "Authorization: Bearer YOUR_ACCESS_TOKEN" \
  "https://dnslurp.esoup.net/api/license/download/linux-x64" -o dnslurp

License expired? The endpoint returns 402 again — pay to renew.

Deployment Ideas

DNSlurp is a single binary that listens on a configurable port. Run it however suits your environment:

Direct: ./dnslurp — listens on port 3000 by default. Set PORT and HOSTNAME env vars to customize.

systemd: Create a unit file with ExecStart=/opt/dnslurp/dnslurp for automatic start on boot.

Behind nginx: proxy_pass http://127.0.0.1:3000; — add TLS termination and access control at the proxy layer.

Behind Apache: ProxyPass / http://127.0.0.1:3000/ with mod_proxy.

IIS: Use URL Rewrite + ARR to reverse proxy to the binary. The Windows binary is Authenticode signed.

Docker: Wrap in a minimal FROM scratch or FROM alpine container. Mount config.json and license.json.

Place license.json in the same directory as the binary, or in the working directory. Optionally add a config.json to customize DNS servers, branding, and rate limits.

Configuration Reference

DNSlurp works out of the box with sensible defaults. To customize, place a config.json in the same directory as the binary. Environment variables override config.json, which overrides built-in defaults.

Priority: Environment Variables > config.json > Built-in Defaults

Example config.json

{
  // HTTP server
  "port": 3000,
  "hostname": "127.0.0.1",

  // DNS servers shown in the UI
  "servers": {
    "standard": [
      { "address": "8.8.8.8", "name": "Google", "protocol": "UDP", "checked": true },
      { "address": "1.1.1.1", "name": "Cloudflare", "protocol": "UDP", "checked": true },
      { "address": "9.9.9.9", "name": "Quad9", "protocol": "UDP", "checked": false },
      { "address": "10.0.0.53", "name": "Internal AD", "protocol": "UDP", "checked": true },
      { "address": "10.0.0.54", "name": "Pi-hole", "protocol": "UDP", "checked": false }
    ],
    "doh": [
      { "address": "dns.google", "name": "Google DoH", "protocol": "DoH" },
      { "address": "cloudflare-dns.com", "name": "Cloudflare DoH", "protocol": "DoH" }
    ]
  },

  // Rate limiting
  "rateLimit": {
    "enabled": true,
    "requestsPerMinute": 60,
    "dailyLimit": 5000,
    "whitelist": ["10.0.0.0/8", "192.168.1.0/24"]
  },

  // UI branding
  "branding": {
    "title": "ACME DNS Lookup",
    "aboutUrl": "https://intranet.acme.com/dns-tool"
  },

  // Audit logging
  "audit": {
    "enabled": true,
    "destination": "syslog",
    "syslog": {
      "host": "siem.acme.com",
      "port": 514,
      "facility": "local0",
      "appName": "dnslurp"
    }
  }
}

DNS Servers

Each server entry has four fields:

address — IP address or hostname. Use internal IPs for Active Directory, Pi-hole, Unbound, etc.

name — Display label shown as a button in the UI.

protocol — UDP, TCP, DoH, or DoT.

checked — Whether the server is selected by default when the page loads (standard servers only).

Rate Limiting

enabled — Set false to disable all rate limiting. Default: true.

requestsPerMinute — Max requests per minute per source IP. Default: 30.

dailyLimit — Max requests per day per /24 subnet. Default: 1000.

whitelist — Array of IPs or CIDR ranges exempt from rate limits.

Branding

title — Page title and header text. Default: "DNSlurp".

aboutUrl — URL for the About link. Opens in a new tab. Useful for linking to an internal wiki or support page.

aboutHtmlFile — Path to a local HTML file served as the About page (alternative to aboutUrl).

aboutHtml — Inline HTML string for the About page (fallback if no file or URL is set).

Audit Logging

Every DNS lookup can be logged for compliance and security monitoring.

enabled — Enable audit logging. Default: false.

destination — Where to send logs: "stdout", "file", or "syslog".

file — Path to log file (when destination is "file").

syslog.host — Syslog server hostname. Default: "127.0.0.1".

syslog.port — Syslog server port. Default: 514.

syslog.facility — Syslog facility (local0 to local7). Default: "local0".

syslog.appName — Application name in syslog messages. Default: "dnslurp".

Environment Variable Overrides

Environment variables take priority over config.json. Useful for containers and systemd.

Variable               Default     Description
PORT                   3000        HTTP server port
HOST                   127.0.0.1   Bind address (0.0.0.0 for all interfaces)
RATE_LIMIT_ENABLED     true        Enable rate limiting
RATE_LIMIT_RPM         30          Requests per minute per IP
RATE_LIMIT_DAILY       1000        Requests per day per /24 subnet
RATE_LIMIT_WHITELIST   -           Comma-separated IPs to exempt
BRANDING_TITLE         DNSlurp     Page title and header
BRANDING_ABOUT_URL     -           URL for About link
BRANDING_ABOUT_FILE    -           Path to custom About HTML file
AUDIT_ENABLED          false       Enable audit logging
AUDIT_DESTINATION      stdout      stdout, file, or syslog
AUDIT_FILE             -           Log file path (file destination)
AUDIT_SYSLOG_HOST      127.0.0.1   Syslog server host
AUDIT_SYSLOG_PORT      514         Syslog server port
AUDIT_SYSLOG_FACILITY  local0      Syslog facility
AUDIT_SYSLOG_APPNAME   dnslurp     App name in syslog
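
One way to apply these overrides under systemd, as an added example that is not the project's own unit file: because environment variables outrank config.json, pinning the bind address and audit settings in the unit keeps them fixed even if config.json changes. The dnslurp service account, the function names and the sandboxing directives are assumptions; /opt/dnslurp and siem.acme.com are the sample values used elsewhere on this page.

```shell
# render_unit INSTALL_DIR SYSLOG_HOST: print a systemd unit on stdout.
# Assumptions: the "dnslurp" service account and both arguments are site-specific.
render_unit() {
    cat <<EOF
[Unit]
Description=DNSlurp DNS lookup tool
After=network-online.target
Wants=network-online.target

[Service]
# license.json (and optional config.json) sit next to the binary.
WorkingDirectory=$1
ExecStart=$1/dnslurp
User=dnslurp
Restart=on-failure
# Environment variables outrank config.json, so these values hold even if
# config.json is later edited. HOST is the name used in the override table.
Environment=HOST=127.0.0.1
Environment=PORT=3000
Environment=RATE_LIMIT_ENABLED=true
Environment=AUDIT_ENABLED=true
Environment=AUDIT_DESTINATION=syslog
Environment=AUDIT_SYSLOG_HOST=$2
Environment=AUDIT_SYSLOG_PORT=514
# Generic systemd sandboxing; relax only if the binary needs more access.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
EOF
}

# check_unit FILE: succeed only if the unit still binds loopback and audits.
# A later HOST=0.0.0.0 line would win in systemd, so it is rejected explicitly.
check_unit() {
    grep -qx 'Environment=HOST=127.0.0.1' "$1" &&
        grep -qx 'Environment=AUDIT_ENABLED=true' "$1" &&
        ! grep -q '^Environment=HOST=0\.0\.0\.0' "$1"
}
```

Run check_unit against the installed unit file before each restart so an edit that exposes the listener or drops audit logging is caught early.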

Binary Integrity

Verify your download matches the published SHA-256 hashes. The Windows binary is additionally Authenticode signed (BLACK HAT BOOZE LLC via SSL.com).

Verify on macOS/Linux: sha256sum dnslurp-linux-x64 or shasum -a 256 dnslurp-darwin-arm64
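
The same check as a fail-closed shell function, given here as an added example and not code from the DNSlurp project. The expected digest is an argument you copy from the published list, and the function names are illustrative.

```shell
# sha256_of FILE: print the hex digest using whichever tool is installed
# (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# verify_sha256 FILE EXPECTED_HEX: 0 on match, 1 on mismatch, 2 on bad input.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d '[:space:]')
    # Require exactly 64 hex characters, so an empty or truncated value
    # (for example a hash list that failed to load) can never pass.
    case $expected in
        *[!0-9a-f]*|'') echo "expected hash is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected hash is not 64 chars" >&2; return 2; }
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK  $file"
        return 0
    fi
    echo "MISMATCH  $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Usage (placeholder digest; take the real one from the published list):
#   verify_sha256 dnslurp-linux-x64 "<published sha256>" && chmod +x dnslurp-linux-x64
```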