What ZeroSentinel Build Should You Run

This guide breaks down every ZeroSentinel build and shows you exactly which version to run based on your hardware, budget, and threat model. Whether you are using a Pi Zero, a Raspberry Pi 4 or Pi 5, or a mini PC, you’ll see the right architecture for DNSSEC, recursive DNS, Zerocanary, VPN lanes, and Tor isolation. Learn how to match your gear to a clean, resilient, self hosted privacy stack without wasted resources or broken configurations.

Your hardware decides your defenses. ZeroSentinel is built around a simple truth. Privacy stacks only work when they match the power you actually have. No overkill. No wasted silicon. No broken threat models. Build the version that fits the equipment you have, the time and money you want to spend, or the threat model you actually have.


ZeroSentinel Nano

Your Lightweight DNS Resolver and Time Authority

Hardware: Pi Zero W / 2 W only

Nano is the smallest ZeroSentinel build and the cleanest. It gives you a fast DNSSEC validating resolver and a trusted local clock. Nothing else. No canary. No filtering. No tunnels.

What it runs

  • Unbound
  • Chrony
  • UFW Firewall
  • Auto Heal
  • Nothing else

What it is for

  • A clean local resolver and a reliable time base when you only have a Pi Zero.

Who should run it

  • Anyone starting out with minimal hardware or anyone who wants a low noise DNS witness.

Why it pairs with any of the ZeroSentinel Builds

A Pi Zero is small, cheap, and plugs in anywhere. There is really no reason not to turn one into a dedicated micro infrastructure node.

If you’re building a layered privacy stack, you want:

  • A local recursive DNS resolver you control
  • A trusted time source that keeps DNSSEC and TLS from breaking
  • An isolated, locked down, single purpose machine that isn’t running 15 services
  • Something stable and easy to troubleshoot or replace.

ZeroSentinel Compact Core

All in one DNS, Filtering, VPN, and Canary

Hardware: Raspberry Pi 4+ or Mini PC

A compact, single box setup. A small Raspberry Pi or an old mini computer becomes your local resolver, your VPN lane, your alert engine, and your filter if needed. Everything in one place.

What it runs

  • WireGuard
  • Zerocanary with Nostr alerts
  • Unbound
  • Chrony
  • UFW Firewall
  • Fail2ban
  • AdGuard

What it is for

  • A full privacy stack when you only own one capable device or don’t want added complexity.

Who should run it

  • If you have a Pi 4 or Pi 5 and nothing else, run Core. It gives you the highest return for a single device. Run it on a mini computer if you don’t want or need the extra bells and whistles of ZeroSentinel Ultra.

AdGuard Placement

  • If your router can run it, then AdGuard should ideally live there and not on Core. You want filtering close to the edge. Separation also saves CPU power, makes the DNS chain more resilient, and keeps the Pi focused on what it is good at. If you have a crappy ISP supplied router that doesn’t have that option, then bundle it in Core.

ZeroSentinel Core

Split Brain Architecture With Independent DNS Witness

Hardware: Raspberry Pi 4+ or Mini PC plus Pi Zero

Adding ZeroSentinel Nano to the stack gives you what Core alone cannot. Isolation. DNS authority on the Raspberry Pi or mini computer and independent DNS truth on a Pi Zero with its own clock.

What the Pi 4+ or mini computer runs

  • WireGuard
  • Zerocanary with Nostr alerts
  • Fail2ban
  • AdGuard if your router cannot

What the Pi Zero runs

  • Unbound
  • Chrony
  • UFW Firewall
  • Auto Heal

What it is for

  • A resilient network where your Zerocanary is not blind to failures on the same machine.

Who should run it

  • Anyone who has at least one powerful board and a Pi Zero. This is the best price to performance layout in the entire lineup.

Why you want it

  • Keeping your resolver and your time source on their own box is non-negotiable if you want stability. DNS and clock drift aren’t just services in your stack. They’re the ground beneath it. When they wobble, everything above them collapses without telling you why.

ZeroSentinel Ultra

Full Isolation. Heavy Services. Complete Watchdog.

Hardware: Mini PC plus Pi Zero

Ultra is the top tier build. The mini machine handles everything heavy. DNS. Filtering. IDS. Canary. The Pi Zero sits beside it and acts as a clean witness with its own view of DNS and time.

What the Mini PC runs

  • WireGuard
  • Zerocanary with Nostr alerts
  • Fail2ban
  • Suricata
  • Logging and retention
  • AdGuard if your router cannot

What the Pi Zero runs

  • Unbound
  • Chrony
  • UFW Firewall
  • Auto Heal

What it is for

  • High assurance networks where you want separation between trust and verification.

Who should run it

  • Anyone with a mini PC and a Pi Zero. This is the ZeroSentinel you build when you want the full architecture and zero lag.

Mini PC Options

Your mileage will vary depending on what box you use, but you can generally find a mini PC on the used market cheaper than a Raspberry Pi 5 and with specs that blow its doors off.


ZeroSentinel Shadow

Optional Tor Lane Add On

Hardware: Raspberry Pi 5 or Mini PC

Shadow is an optional Tor only lane you can bolt onto any ZeroSentinel build. It runs one job and does it well. A dedicated pathway that isolates Tor traffic from the rest of your network so nothing leaks back into your normal DNS or VPN lanes.

Shadow does not replace your Core, Compact Core, Nano, or Ultra build. It sits beside them as a separate traffic environment.


ZeroSentinel FAQ

Do I need more than one device to run ZeroSentinel

No. If you only own a Pi 4 or Pi 5 you can run Core and get the full stack in one place. If you only have a Pi Zero you run Nano. Additional hardware gives you isolation but it is not required.

Why does the Pi Zero not run Zerocanary

Because it cannot compile the dependencies. The Nostr library and Python modules are too heavy for the Zero’s CPU. Its real job is clean DNS and accurate time. That makes it the ideal independent witness.

Why is Chrony required

DNSSEC breaks when the clock drifts. Chrony keeps the Pi Zero and the service box accurate so you can trust the signatures and the health checks.
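
Why drift breaks validation, as an added example (not ZeroSentinel code): every RRSIG carries an inception and an expiration timestamp, and a validator compares both against its own clock. The record, the "true" time and the skews below are constructed, and the check is strict, without the small skew margin a real validator may allow.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIG in dig presentation format (signature shortened).
# Fields after "RRSIG": type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature.
SAMPLE_RRSIG = ("example.org. 3600 IN RRSIG A 13 2 3600 "
                "20250115000000 20250101000000 12345 example.org. c2FtcGxl")

def _ts(field):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_window(record):
    """Return (inception, expiration) parsed from one RRSIG line."""
    fields = record.split()
    i = fields.index("RRSIG")
    # Expiration is written before inception in the presentation format.
    return _ts(fields[i + 6]), _ts(fields[i + 5])

def verdict(record, local_clock):
    """What a strict validator concludes when its clock reads local_clock."""
    inception, expiration = rrsig_window(record)
    if local_clock < inception:
        return "not-yet-valid"
    if local_clock > expiration:
        return "expired"
    return "valid"

def tolerated_skew(record, true_time):
    """Seconds the clock may run (slow, fast) before the signature is rejected."""
    inception, expiration = rrsig_window(record)
    return ((true_time - inception).total_seconds(),
            (expiration - true_time).total_seconds())

if __name__ == "__main__":
    now = datetime(2025, 1, 14, 12, 0, tzinfo=timezone.utc)  # constructed "true" time
    for label, skew in [("in sync", timedelta(0)),
                        ("1 day fast", timedelta(days=1)),
                        ("booted with a stale clock", timedelta(days=-30))]:
        print(f"{label:26} -> {verdict(SAMPLE_RRSIG, now + skew)}")
    print("tolerated (slow, fast) seconds:", tolerated_skew(SAMPLE_RRSIG, now))
```

A signature close to expiry leaves very little room for a fast clock, and a box that boots with a stale clock sees every fresh signature as not yet valid until time sync completes.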

Why would I run a Core build instead of Compact Core

Adding the additional Pi Zero gives you separation between your service box and your DNS witness. If Compact breaks or gets poisoned, Core still has an external view of the network and DNS truth.

Do I need a mini computer for Ultra

Yes, if you want IDS or heavier analytics. The Raspberry Pi 4 or Pi 5 cannot handle Suricata or long term logging at scale. The mini box does the heavy lifting and the Pi Zero verifies DNS separately. Additionally, the added resources of a mini PC just make everything run snappier and smoother.

Is AdGuard required

No. AdGuard should sit in front of Unbound, not replace it. Unbound is the resolver. AdGuard is an optional filtering layer. You can run Unbound completely alone if you prefer a clean recursive setup, but if you want filtering, put AdGuard in front of it. If you want cloud filtering instead, a reputable resolver like NextDNS beats the ISP supplied one any day.

Is WireGuard required

No. WireGuard is an optional lane. The core of ZeroSentinel is self hosted DNS integrity and alerting. The VPN is a bonus that enables home network access when you are away.

Can I run Tor on the same Pi as Core

Technically yes, if on a Raspberry Pi 5, but it is not recommended. It is going to be slow and you lose isolation between normal DNS and your Tor traffic. A dedicated device is better for a Tor lane.

How do alerts work

Zerocanary performs local health checks on the machine it runs on and optionally compares those results with the status reported by the Pi Zero. If both views show trouble it sends an encrypted Nostr DM.
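
A sketch of that two-view decision, as an added example and not Zerocanary's own code. It assumes each box's health view is built from `dig +dnssec` output for a signed name and from `chronyc tracking`; the sample outputs, the one second threshold and all function names are constructed for illustration.

```python
import re

# Constructed sample tool output, embedded so the example runs offline.
DIG_OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"""
DIG_SERVFAIL = """;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1"""
CHRONY_OK = """Leap status     : Normal
System time     : 0.000041213 seconds fast of NTP time"""
CHRONY_DRIFT = """Leap status     : Not synchronised
System time     : 812.440000000 seconds slow of NTP time"""

MAX_OFFSET_S = 1.0  # assumed threshold, not a ZeroSentinel setting

def dns_problems(dig_text):
    """Flag a failed lookup or an answer the resolver did not validate."""
    status = re.search(r"status: (\w+)", dig_text)
    flags = re.search(r"flags: ([a-z ]+);", dig_text)
    if not status or not flags:
        return ["dns: unparseable reply"]
    if status.group(1) != "NOERROR":
        return [f"dns: status {status.group(1)}"]
    if "ad" not in flags.group(1).split():
        return ["dns: answer not DNSSEC-validated (no ad flag)"]
    return []

def clock_problems(tracking_text):
    """Flag an unsynchronised clock or an offset above the threshold."""
    offset = re.search(r"System time\s*:\s*([\d.]+) seconds (fast|slow)", tracking_text)
    leap = re.search(r"Leap status\s*:\s*(.+)", tracking_text)
    problems = []
    if not offset or float(offset.group(1)) > MAX_OFFSET_S:
        problems.append("clock: offset missing or over threshold")
    if not leap or leap.group(1).strip() == "Not synchronised":
        problems.append("clock: not synchronised")
    return problems

def view(dig_text, tracking_text):
    """One box's list of problems; an empty list means healthy."""
    return dns_problems(dig_text) + clock_problems(tracking_text)

def compare(local_view, witness_view):
    """Name which side sees trouble: healthy, local-only, witness-only or both."""
    if local_view and witness_view:
        return "both"
    return "local-only" if local_view else "witness-only" if witness_view else "healthy"

def should_alert(local_view, witness_view):
    """Alert only when both views report trouble, as the answer above describes."""
    return compare(local_view, witness_view) == "both"
```

A one-sided result is still useful when troubleshooting, because it points at the box whose resolver or clock has gone wrong.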

Can I use a Pi Zero 2 W instead of a Pi Zero W

Yes. Both behave the same for this project.

Can I mix and match DNS services

Yes. You can run AdGuard or Pi-hole or nothing. The core requirement is Unbound with DNSSEC validation.

How much power does this use

Nano uses almost nothing. Compact Core and Core are still extremely low. Ultra depends on your mini PC but is still cheaper than any commercial appliance.

Do I need a UPS

If you care about data integrity or logging, then yes.

Do these builds replace a commercial firewall

No. ZeroSentinel is about DNS integrity and network truth. It is not a firewall platform. It complements whatever gateway you already have.

-GHOST
Untraceable Digital Dissident