ZeroSentinel Hub

ZeroSentinel is your off site access point and DIY privacy node. A self hosted node that becomes a private WireGuard server, a local recursive resolver, and a remote health sentinel you fully control. This hub collects every part of the build from OS install to Unbound, canary alerts, Nostr monitoring, and network hardening so you can deploy a clean, reliable, self hosted access doorway.

ZeroSentinel is your self hosted privacy layer. A modular system you build from cheap, available hardware. It gives you a real recursive resolver, a trusted time base, a decentralized driven canary using Nostr, and optional VPN and Tor lanes depending on what gear you own. No subscriptions. No corporate boxes. No blind trust.

Every guide here walks you through the exact steps to deploy Nano, Compact Core, Core, Ultra, or Shadow and run a clean, resilient privacy stack you control end to end.

Want all the how to guides in one place? Join the SECURE CHANNEL

What ZeroSentinel Is

A set of hardware driven builds that let you turn a Raspberry Pi Zero, Pi 4 or Pi 5, or a cheap mini PC into a hardened privacy node.

ZeroSentinel gives you:

• A real recursive DNS resolver you own
• DNSSEC with no upstream rewriting
• A trusted time authority
• Zerocanary with encrypted Nostr DM alerts
• Optional WireGuard home tunnel
• Optional Tor only lane
• Clean separation between trust and verification

It’s built around one rule: stop trusting the defaults and build your own infrastructure.

Why Build It

Because the defaults fail silently.

• ISPs rewrite DNS
• Phones leak the moment a VPN drops
• Travel networks inject tracking
• Cloud resolvers log everything
• Most VPNs hide their outages
• Nobody tells you when your resolver breaks

ZeroSentinel gives you visibility, control, and a resilient fallback path even when everything else goes sideways.

Who This Hub Is For

Anyone who wants practical, hardware based privacy:

• Beginners who need a step by step build
• Travelers who need stable DNS and a fail safe tunnel
• Power users who want a Pi based anchor at home
• Anyone replacing cloud dependency with self hosted infrastructure

Equipment List

You choose your build by what you already own. That’s the point.

Nano

• Pi Zero W or Zero 2 W
• microSD
• Power

Compact Core

• Pi 4 or Pi 5
• or mini PC

Core

• Pi 4 or Pi 5
• Pi Zero

Ultra

• Mini PC
• Pi Zero

Shadow (Tor lane add on)

• Pi 5 or Mini PC

Realisistic Expectations

ZeroSentinel began with the Pi Zero carrying WireGuard, Unbound, and the canary. That setup was slow, unstable, and barely usable. The project evolved because real testing forced better design.

Now:

• Pi Zero = DNS + Chrony only
• Pi 4/5 = Full stack if you keep it lean
• Mini PC = Heavy services and IDS
• Tor = Separate box for isolation

This hub shows you the actual working builds, not idealized diagrams.

The point is simple: you do not need corporate hardware or subscription privacy. You can build your own tools. Low cost. High control.

LAST UPDATED: Dec 2025

---

Related Master Guides

The master guides give you the system level defenses behind the tactical steps. Each of these expands the footprint work into system level defenses.

• Operational Privacy: From Setup to System

---

Core Guides

The ZeroSentinel Project: The Privacy Node You Build Yourself

Introduction to the project

What ZeroSentinel Build Should You Run

The full lineup. Nano, Compact Core, Core, Ultra, Shadow.

---

Main Sequence Build Guides

These are your core build steps.

ZeroSentinel Nano: Build Guide

Your Lightweight DNS + Time Authority for a Clean, Fast, Local Network

This guide walks you through building the ZeroSentinel Nano a lightweight recursive DNS resolver and local time authority that replaces your ISP’s tracking resolver with a clean, private, hardened DNS core.

ZeroSentinel: WireGuard Setup Guide

• Flashing the OS
• Configuring networking
• Installing WireGuard
• Creating keys
• Building the home endpoint
• Verifying tunnel routing

3. ZeroSentinel Part 2: Add Unbound as a Local Recursive Resolver

• Installing Unbound
• Enabling DNSSEC
• Root trust anchors
• Blocking fallback DNS
• Forcing all resolution through the tunnel
• Testing for leaks and rewrites

4. ZeroSentinel Part 3: Canary Scripts + Nostr Integration

• DNSSEC canary check
• WireGuard handshake monitor
• Resolver health check
• Upstream connectivity tests
• Encrypted Nostr DM alerts
• Logging + alert frequency

5. ZeroSentinel Part 4: Upgrading to Version 2

ZeroSentinel Version One shows you the lower bound of what’s possible. Version Two moves WireGuard to the router where it belongs, adds AdGuard on the router, and frees the Pi to handle recursive DNS and sentinel duties for the entire network.

6. ZeroSentinel Part 5: Fail Safe Routing Mode

• Killswitch rules
• nftables blocking defaults
• Tunnel enforcement
• Preventing fallback to LAN or ISP resolvers

---

Advanced Modules

These are optional but valuable expansions.

ZeroSentinel Project: Blocklist Integration

Adding filtered DNS through Unbound or external lists without breaking DNSSEC.

ZeroSentinel Project: Metrics + Health Dashboard

Pi status monitoring, Unbound stats, WG counters, uptime visibility.

ZeroSentinel Project: Running ZeroSentinel on a Pi 5

Higher speed setups, heavier load, multi-client support.

ZeroSentinel Project: Portable Privacy Kit

Turning ZeroSentinel into a complete travel bundle.

---

Related Support Hubs

• Digital Footprint Hub – Erase identifiers before hardening.
• Digital Lockdown Hub – Harden devices, browsers, and networks against surveillance.
• Network Privacy Hub – Kill DNS leaks, VPN failures, and ISP logging.
• Phone Privacy Hub – Mobile telemetry, OS residue cleanup, and location hardening.
• Crisis Mode Hub – Active threats, fast responses, and RF quieting.
• ZeroSentinel Hub – Your DIY privacy node

Build it. Run it. Trust yourself. ZeroSentinel is the first system in your stack that refuses to hand your privacy to someone else. Start with Part 1 and build your own off site sentinel today.