Setup and requirements Product setup and support Custom Local Deployment Setup, maintenance, and support for an on-premises deployment are managed entirely by SafeDNS specialists, establishing a clear division of responsibilities. The client provides the required hardware and full remote access, after which SafeDNS performs the complete turnkey installation. Following deployment, SafeDNS specialists work with the client to configure the initial filtering rules and provide training to enable the client’s staff to make future adjustments independently. A dedicated support line is available for clients using on-premises solutions. VM Deployment via ISO Image As an alternative to a physical server installation, SafeDNS Shield can be deployed as a virtual appliance by mounting the provided ISO image in a virtual machine. This method streamlines deployment in environments that rely on virtualization infrastructure. System requirements The following specifications apply to a server running the SafeDNS Shield components. All deployments require Debian 12 (x86‑64). DNS Proxy Module Choose a configuration based on the expected peak query load. CPU: Intel 12th‑generation or later, Intel Xeon Silver/Gold, or equivalent AMD Ryzen/Epyc. Queries per second (QPS) CPU Cores RAM Storage Network Up to 1,000 4 8 GB 200 GB NVMe 1 Gbps Up to 15,000 12 16 GB 512 GB SSD (RAID 1) 1 Gbps Up to 310,000 64 128 GB 2 TB SSD/NVMe (RAID 1) 1 Gbps Up to 2,000,000 128 2 TB 16 TB SSD/NVMe (RAID 1) 25 Gbps ClickHouse Cluster (Statistics Storage) The ClickHouse cluster stores and analyzes DNS request logs. A single node meets the following minimum: CPU: 6 cores (x86‑64) RAM: 16 GB Storage: 500 GB NVMe Expandable up to 6 TB depending on traffic volume and retention needs Example configuration for 75,000 QPS and one year of log retention: 4 ClickHouse data nodes CPU: 6 cores RAM: 16 GB Storage: 6 TB NVMe 3 ClickHouse Keeper nodes (coordination service) CPU: 2 cores RAM: 4 GB Storage: 60 GB SSD We recommend a minimum cluster of 4 data servers arranged as 2 shards × 2 replicas. This provides parallel read/write operations and redundancy. A load balancer distributes incoming statistics across the nodes. For lower traffic volumes, a standalone ClickHouse server can be deployed without ClickHouse Keeper, eliminating the need for the coordination layer.