ABOUT QX9
QX9 is an independent cross-functional engineering group bringing forward fully encrypted platform designs for critical communications such as public safety radio dispatch and next-generation 911.
ABOUT VEILID
Veilid is an open-source, peer-to-peer application framework created by the Veilid Foundation (veilid.org). It provides encrypted, private, and resilient networking primitives that applications can build on - including end-to-end encrypted messaging, distributed hash table storage, and anonymous routing. Veilid is written in Rust and designed so that every node in the network contributes to the infrastructure, with no central servers required.
QX9's interest in Veilid stems from its potential as the transport layer for private, low-complexity critical communication networks.
VNS (VEILID NAME SYSTEM) ALPHA
VNS (pronounced "Venus") is a DNS replacement built on the Veilid network. Pick a few words, get an address. No registrars, no ICANN, no annual fees, no certificates. The same words always produce the same cryptographic address on any machine, with no central authority.
Where DNS maps domain names to IP addresses, VNS maps word phrases to Veilid DHT records. Content is stored directly in the distributed hash table - not just pointers. VNS replaces the entire domain + hosting + certificate stack with deterministic key derivation from words you choose.
qx-venus
The reference implementation of VNS. Word-addressed static site hosting, identity binding,
forums, encrypted messaging, and content safety scanning - all over the Veilid DHT. Two Rust
crates: qx-venus (core naming, 377 tests) and qx-venus-social
(identity, forums, PMs, 197 tests).
DNS Pipeline
VNS provides deterministic name resolution (HKDF-SHA256), built-in ed25519 signing (native, not bolted on like DNSSEC), chain-of-trust delegation, DHT-based service discovery, keeper refresh (replaces zone transfers), and transport encryption via Veilid's P2P overlay. All queries are end-to-end encrypted - no equivalent of ISP DNS logging.
Hosting + Certificates
Static sites stored directly in the DHT (up to ~192 MB across 6 volumes). No hosting provider to shut down, no SSL certificates to renew, no CA hierarchy to trust. Content authenticity is verified by ed25519 signatures from the publisher's keypair. Large files stream on demand via Veilid AppCall with Merkle proof verification.
Volunteer Archivists
Keepers are volunteer nodes that refresh DHT records every 10 minutes, keeping content available. Pointer guardians monitor up to 1,500 sites each (watch mode). Chunk guardians refresh full volumes. Keepers choose what to host - they can inspect content before claiming, refuse encrypted or unknown sites, and subscribe to community denylists. No one is forced to host anything.
Four Security Layers
Layer 0 (Open), Layer 1 (Signed - ed25519), Layer 2 (Pinned - TOFU, like SSH known_hosts), Layer 3 (Delegated - DNSSEC-style chain of trust). Multi-pointer consensus writes identical signed pointers to 3-9 independent DHT keys - an attacker must hijack the majority simultaneously. Realm keys provide cryptographic namespace isolation for private federations.
Status: VNS is alpha (v0.8.0). The protocol specification is a community review draft. Breaking API changes may occur before v1.0.
QX-TOOLKIT WIP
The QX9 Network Analysis Toolkit is an open-source collection of protocol analysis tools, documentation, and infrastructure for inspecting and understanding peer-to-peer network traffic. The toolkit is released under MPL-2.0 (code) and CC BY-SA 4.0 (docs).
Wireshark Veilid Dissector
A Lua dissector for inspecting Veilid peer-to-peer protocol traffic in Wireshark. Covers all known wire message types with TCP reassembly, heuristic detection, expert diagnostics, and display filters.
Protocol Diagrams
SVG diagrams illustrating Veilid datagram structures across all transport layers. Each diagram was generated from constants and offsets validated against veilid-core 0.5.3 source code.
| Type | Description |
|---|---|
| ENV0 | Encrypted envelope layout |
| ENV1 | Reserved envelope layout |
| RCP0 | Out-of-band receipt layout |
| BOOT | Bootstrap request/response flow |
| TCP | VL frame structure |
| UDP | Fragment header and reassembly |
| QUIC | QUIC transport (reserved) |
| WS | WebSocket transport framing |
Architecture Reference
Architecture overview of the dissector plugin covering installation, plugin structure, the dissector pipeline, wire format diagrams, and the full technical reference.
Roadmap: This Lua dissector is a reference implementation while the Veilid wire protocol is still under active development and pre-RFC. Once the protocol specification is finalized (targeting Veilid v1.0), the dissector will be ported to C and submitted upstream to Wireshark for inclusion as a built-in dissector.
NODE INFRASTRUCTURE
QX9 operates prototype Veilid nodes running the nightly build
of veilid-server. These nodes participate in the live network and serve as a
testbed for the toolkit.
| Node | Hostname | Location | Addressing |
|---|---|---|---|
| n1 | n1-sfo.one | San Francisco, US | IPv4 + IPv6 |
| n2 | n2-atl.two | Atlanta, US | IPv4 + IPv6 |
| n3 | n3-ams.three | Amsterdam, NL | IPv4 + IPv6 |
| n4 | n4-fra.four | Frankfurt, DE | IPv4 + IPv6 |
| n5 | n5-sin.five | Singapore, SG | IPv4 + IPv6 |