Identity & DNS
Overview
The Anchor Protocol uses gVisor to create a virtual network gateway in host memory. This gateway does not depend on a separate kernel module or dedicated hardware; it runs as part of the Conflux runtime and provides the data-plane entry and exit point for overlay traffic.
Alongside this gateway, Anchor runs a local DNS server on each node. That server does not resolve names via the public DNS hierarchy or a centralised internal registrar. Instead, it sends DNS queries through the Anchor protocol control plane, where resolution is performed with post-quantum signature verification. Every response is tied to a cryptographically verified identity, so the DNS layer is as trustworthy as the rest of the overlay.
Decentralised, Identity-Scoped DNS
The DNS service in Anchor is fully decentralised and identity-scoped. Name-to-address bindings are dynamically linked to the tag of each Conflux node. They are not stored in or served from a single central registry. As a result:
- No propagation delay — There is no central registrar to update or replicate. Bindings are derived from the current control-plane state and the identity (tag) of the nodes you are allowed to see.
- Always up to date — Resolution reflects the live view of the overlay for your identity. When a node’s tag or addressing changes, the next DNS query over the control plane sees the new state; there is no separate propagation step.
This design keeps DNS consistent with Anchor’s identity-native, post-quantum model: resolution is part of the same control plane that secures the overlay, so you get decentralised, identity-scoped DNS that stays current without relying on any centralised registrar.
How to set the Conflux node tag
The tag identifies the Conflux node and is used for DNS: the node is reachable by the name <tag>.veilnet. You set the tag when starting or registering Conflux.
Developer (Go)
Pass the tag as the second argument to StartConflux. The tag is then used as the DNS name <tag>.veilnet for this node.
tag := "my-server"
subprocess, anchor, err := anchor.StartConflux(token, tag, ip, nil, nil)
See the Golang quick start for a full example. For registration with JWT and other options, see Advanced.
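A pre-flight check for the tag before it is handed to StartConflux, added here as an example and not taken from the Anchor code base. It assumes a tag has to be a single RFC 1123 DNS label for <tag>.veilnet to be a well-formed name (the page does not state Conflux's own rules); NodeName is a hypothetical helper.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// overlaySuffix is the suffix the page gives for node names: <tag>.veilnet.
const overlaySuffix = ".veilnet"

// NodeName checks that tag can stand as one DNS label and returns the name
// the node would answer to, in lower case. The RFC 1123 rules applied here
// are an assumption of this example, not Conflux's documented behaviour.
func NodeName(tag string) (string, error) {
	tag = strings.ToLower(tag)
	if len(tag) == 0 || len(tag) > 63 {
		return "", errors.New("tag must be 1 to 63 characters")
	}
	if tag[0] == '-' || tag[len(tag)-1] == '-' {
		return "", errors.New("tag must not start or end with a hyphen")
	}
	for i := 0; i < len(tag); i++ {
		c := tag[i]
		ok := (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '-'
		if !ok {
			// Rejects dots (extra labels), whitespace, underscores and
			// non-ASCII bytes that could make one name pass for another.
			return "", fmt.Errorf("tag has invalid character %q at offset %d", c, i)
		}
	}
	return tag + overlaySuffix, nil
}

func main() {
	// VEILNET_CONFLUX_TAG is named on the page; the fallback is a constructed sample.
	tag := os.Getenv("VEILNET_CONFLUX_TAG")
	if tag == "" {
		tag = "my-server"
	}
	name, err := NodeName(tag)
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	fmt.Println("node will be reachable as", name)
}
```

Run the check wherever the tag enters from configuration, so that a stray space or dot in an env file is caught before registration.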
DevOps (CLI, Docker, Kubernetes)
CLI / system service: set the tag at registration with --tag or the VEILNET_CONFLUX_TAG environment variable:
veilnet-conflux register --tag "edge-1" --taints "prod" --taints "us-east"
Or with env vars:
export VEILNET_CONFLUX_TAG=my-server
veilnet-conflux register ...
Docker: set VEILNET_CONFLUX_TAG in your .env (or Compose environment):
VEILNET_CONFLUX_TAG=dev-server-1
Kubernetes: set VEILNET_CONFLUX_TAG in the same Secret (or ConfigMap) you use for the Conflux container, e.g. for sidecar or DaemonSet deployments.
For more details, see the DevOps quick start, system service, and Docker deployment docs.
