Resources · olladns

Library Blog Docs & API Changelog Trust & Security

Featured library

All Threat research Deployment Case studies Webinars Whitepapers

THREAT RESEARCH · 9 min read

The 2025 phishing-as-a-service playbook

A teardown of three active PhaaS kits and how olladns’s phishing model catches them within hours of registration.

WHITEPAPER · 24 pages

Why DNS is the cheapest, deepest security layer

The first-principles case for moving phishing and malware controls left, to the resolver. With references.

WEBINAR · 38 min

Migrating off a legacy SWG without breaking your workday

Live walkthrough of a 14-site enterprise rollout, with the rollback plan, the diff, and the “oh no” moment.

GUIDE · 18 min read

The DNS-first deployment checklist

The 24 questions to answer before you touch your first resolver, plus the templates we hand to enterprise customers.

THREAT RESEARCH · 12 min read

Anatomy of a Cobalt Strike beaconing campaign

How we caught a coordinated C2 ring across 38 customers in under four minutes, using DGA + timing signals.

CASE STUDY · 5 min read

Bramble Health: phishing-down-73% playbook

Step-by-step of how a 9-clinic medical group deployed olladns without OR disruption.

From the blog

All posts →

May 22, 2026

Five years of zero-day phishing data, in three charts

What we’ve learned about how quickly phishing infrastructure spins up — and how to keep pace.

May 14, 2026

Introducing the olladns Terraform provider

Manage policies, sites, lists, and integrations as code. With a 12-line example to get you started.

May 6, 2026

What we did during the May 4 DNS root incident

Our anycast network rerouted around two failing roots in 11 seconds. Here’s the post-mortem and what we changed.

April 28, 2026

Hiring: Detection Engineering at olladns

We’re hiring engineers who care more about reducing FPs than shipping models. Here’s the work.

Docs & API

Everything you need to deploy, integrate, and build on olladns.

Open full docs

Getting started

Point your first resolver, deploy your first roaming client, see your first block.

Read guide

REST API reference

Every endpoint. Auth tokens, rate limits, pagination, and SDKs in Go, Python, and TypeScript.

Open API docs

Terraform provider

Manage policies, sites, and lists as code. Drift detection on every plan.

View provider

Roaming client setup

Jamf, Intune, Kandji, Workspace ONE — silent deploy guides for every MDM.

Setup guides

SIEM integration

Stream every query to Splunk, Sentinel, Datadog, or Elastic in minutes.

Read connectors

Identity sync

Connect Entra ID, Okta, or Google. SCIM provisioning, group mapping.

Read identity

Policy cookbook

Real-world policies: CIPA, HIPAA-safe, financial-services hardened, MSP defaults.

Open cookbook

Query log search

Query DSL, time windows, regex, exports. The reference for our search.

Read search

cURL Add a domain to your block list Copy

# Block a domain on your default policy
curl -X POST https://api.olladns.com/v2/policies/default/blocklist \
  -H "Authorization: Bearer $SENTINEL_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "pattern": "*.suspicious-domain.com",
    "note": "Added by Riley — flagged in incident #4821",
    "expires_at": "2026-07-01T00:00:00Z"
  }'

→ 201 Created
{ "id": "bl_8h2kj3", "applied_to": "480 devices", "propagated_in": "1.4s" }

Changelog

What shipped, when. Subscribe to changelog · RSS

May 22, 2026

v4.2.1

Phishing lookalike model · v4.2

Trained on 18M new labeled samples; precision lift +1.4pp, FP reduction 36%.
Added structural similarity scoring for Punycode & homoglyph domains.
Per-tenant brand lists — bring your own logos & we’ll watch for lookalikes.
The model now writes a short rationale in each detection for analyst review.

May 14, 2026

v4.1.4

Terraform provider v1.0 (GA)

Manage policies, sites, lists, integrations, and identity mappings as code.
Drift detection on every plan; safe-mode for production policies.
Examples for AWS, GCP, Azure, and on-prem deploys in the registry.

May 6, 2026

v4.1.2

Faster query-log search

Hot search p99 went from 1.4s → 380ms across 4B events.
Regex queries now supported on domain & user fields.
Saved searches with per-team sharing; alert when a saved search matches.

April 28, 2026

v4.0

Microsoft Sentinel native connector

One-click connector in the Sentinel content hub.
Auto-mapped ASIM DNS schema, with built-in analytic rules & workbooks.
Backfill up to 30 days of historical events on first connection.

Trust & Security

We host the most sensitive layer of your network. Here’s how we earn it.

SOC 2 Type II

Audited annually by an AICPA-accredited firm. Report available under NDA.

ISO 27001:2022

Certified, scope: all services and supporting systems.

HIPAA

BAA included on Enterprise. PHI never logged or transmitted to third parties.

Encryption in transit

DoH and DoT on every resolver. TLS 1.3 minimum, automatic cert rotation.

Data residency

US-only, EU-only, or APAC-only resolver regions available on Business+.

Bug bounty

Public program on HackerOne. Average payout: $1,400. Hall of fame: 184 researchers.

Read, learn, build with us.