Updated on: 25 May, 2019

Technitium DNS Server


Help Topics

Contents

  1. Introduction
  2. Understanding The Dashboard
  3. Creating Authoritative Zones
  4. How To Delegate A Zone
  5. Configuring DNS Server Local Addresses And Web Service Port
  6. Configuring DNS-over-TLS And DNS-over-HTTPS Optional DNS Server Protocol
  7. Configuring Prefetching And Auto Prefetching Options

Note: This page is under construction and will be expanded with more topics in coming days.


Introduction

Technitium DNS Server is a free, open source, cross-platform, authoritative and recursive DNS server aimed at self-hosting a local DNS server for privacy and security, and for software development and testing, on small to medium-sized networks. It works out of the box with no or minimal configuration and provides a user-friendly web console accessible from any web browser.

The server packs a lot of features that should be understood before making any configuration changes:

  • Cross-Platform: Built using .NET Standard and .NET Core, the server can be installed on Windows, Linux, macOS and even on Raspberry Pi. The server would work on any platform that you can install .NET Core 2.2 on.

  • Blocked Zones: Supports blocking any domain name, either by adding names manually or by using one or more block list URLs. The server automatically updates the Blocked zone from the block list URLs every 24 hours. The Allowed zone lets you add exceptions that unblock domain names listed in the Blocked zone.

  • Authoritative: Allows you to create zones to host your domain names. Authoritative zones support features like wildcard records, enabling or disabling individual records, zone delegation using NS records, etc.

  • Recursive: Allows you to recursively resolve any domain name using pre-configured root servers or using forwarders.

  • Caching: Caching allows the server to quickly respond to queries for which it has already received a response. The server caches DNS records and uses each record's TTL value to keep the record in cache for that many seconds, so you will see the TTL value count down in every subsequent response. When the TTL reaches 0, the record is considered expired or stale and the DNS server must refresh it. The server also supports advanced caching features like serve stale, prefetching and auto prefetching.

    The serve stale feature works automatically and keeps expired entries in cache for up to 7 days, so that when the server is unable to resolve a domain name, the stale entry from cache is returned instead of a resolution failure. The idea behind this feature is that stale bread is better than no bread. The server returns a stale response if the domain's name servers are not responding, if the server is unable to reach the forwarder servers, or if there is any network connectivity issue.

    When the server receives a query for which it has valid records in cache, it returns the cached records and checks whether the record's remaining TTL is less than the prefetch trigger. If it is, the prefetch feature starts a background task to refresh the record in cache. This keeps frequently queried records from expiring, so the server can respond to queries with minimal delay.

    In addition to the prefetch feature, which depends on incoming queries to check the trigger, the auto prefetch feature keeps eligible records refreshed in cache, keeping the cache "hot" for popular queries to allow fast response times.

    The server also does negative caching: if a domain name does not exist, the server caches this response to avoid querying for the same name again. The SOA minimum value from the response is used as the TTL for such cache entries. Similarly, a server failure response is also cached for a minimum of 300 seconds (5 minutes) to prevent constant querying of the authoritative name server.

  • DNS-over-TLS and DNS-over-HTTPS: The server supports these new optional secure protocols alongside standard UDP/TCP port 53. These optional protocols provide privacy and security over the network, since the default UDP and TCP transports are vulnerable to snooping and MITM attacks.

  • Forwarders: Forwarders are other recursive DNS servers that you can configure so that your DNS server queries them instead of doing recursive resolution itself. This feature allows you to chain multiple recursive DNS servers.

    Forwarders can be configured with the DNS-over-UDP, DNS-over-TCP, DNS-over-TLS, or DNS-over-HTTPS protocol. Using forwarders, you can set up the DNS server to use any of the public DNS resolvers like Cloudflare, Google or Quad9.

  • Proxy: The server supports using an HTTP or SOCKS5 proxy, allowing you to route DNS traffic over any network. This feature is specifically useful when you want your DNS traffic to be routed via the Tor network.

    Combining the proxy and forwarder features, it's possible to use Cloudflare's hidden DNS resolver hosted at a .onion address. The advantage of such a setup is that you effectively hide all your DNS traffic from your ISP and from Tor exit nodes (since hidden services are end-to-end encrypted and data never exits the Tor network) while also masking your IP address from Cloudflare. In addition, Tor switches to a different circuit every 10 minutes by default, so your hidden-service connection to Cloudflare keeps changing too, making it difficult to correlate with your previous session on a different circuit.

  • IPv6 Support: The server has IPv6 support, allowing you to host the server on native IPv6 networks. IPv6 support is disabled by default and should be enabled from Settings only if your server has native IPv6 connectivity. Enabling IPv6 support when you don't have native IPv6 connectivity will severely affect the server's performance.

  • Logging: The server supports an optional query logging feature that logs query and response data into a daily log file. By default the server does error and audit logging.

  • Web Console: The server provides a built-in web console that internally uses REST API calls to configure the server. These REST API calls can be used directly from any application to configure the server or to develop a similar web console.

  • DNS Client: The web console has a built-in DNS Client interface that allows you to query any DNS server using any supported protocol. It also has an Import feature that can be used to import records in the response into a local authoritative zone.
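The caching rules described under Caching above (TTL countdown, serve stale for up to 7 days, the prefetch trigger, negative caching from the SOA minimum, and the 300 second server-failure cache) modelled as a small resolver cache. This is an added example, not Technitium's code; class and method names, the default prefetch trigger value, and the treatment of time as a plain integer of seconds are assumptions made for illustration.

```python
# Added example (not Technitium's code): a minimal model of the caching rules
# described above: TTL countdown, serve stale, prefetch trigger, negative caching.
SERVE_STALE_MAX = 7 * 24 * 3600   # stale entries kept for up to 7 days
SERVFAIL_CACHE_TTL = 300          # server failure cached for 5 minutes


class CacheEntry:
    def __init__(self, rcode, rdata, ttl, stored_at):
        self.rcode, self.rdata, self.ttl, self.stored_at = rcode, rdata, ttl, stored_at

    def remaining_ttl(self, now):
        # Counts down with wall-clock time; 0 or less means the entry has expired.
        return self.ttl - int(now - self.stored_at)


class ResolverCache:
    def __init__(self, prefetch_trigger=2):
        self.entries = {}
        self.prefetch_trigger = prefetch_trigger  # seconds of TTL left that trigger a refresh
        self.pending_prefetch = set()             # names a background task should refresh

    def store(self, name, rcode, rdata, ttl, soa_minimum, now):
        if rcode == "NOERROR":
            cache_ttl = ttl
        elif rcode == "NXDOMAIN":
            cache_ttl = soa_minimum            # negative caching uses the SOA minimum
        else:
            cache_ttl = SERVFAIL_CACHE_TTL     # e.g. SERVFAIL: fixed 300 s
        self.entries[name] = CacheEntry(rcode, rdata, cache_ttl, now)

    def lookup(self, name, now, upstream_ok=True):
        """Return (rcode, rdata, ttl_left, is_stale), or None if the caller must resolve."""
        entry = self.entries.get(name)
        if entry is None:
            return None
        left = entry.remaining_ttl(now)
        if left > 0:
            if left < self.prefetch_trigger:
                self.pending_prefetch.add(name)  # refresh before it expires
            return (entry.rcode, entry.rdata, left, False)
        stale_age = -left
        if stale_age > SERVE_STALE_MAX:
            del self.entries[name]               # beyond the serve-stale window
            return None
        if upstream_ok:
            return None                          # expired: re-resolve normally
        return (entry.rcode, entry.rdata, 0, True)  # upstream unreachable: serve stale
```

`upstream_ok=False` stands in for the conditions the text lists (name servers or forwarders unreachable, no connectivity); a real server would decide that after the refresh attempt fails.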

The DNS server is ideal for end users, either installed directly on each of their computers/laptops or installed on a single computer and configured via DHCP for use by the entire network. The latest secure protocols like DNS-over-TLS and DNS-over-HTTPS are not supported by most software applications or operating systems, so having Technitium DNS Server installed allows using public DNS resolvers like Cloudflare, Google or Quad9 over these secure protocols.

The recommended way to use the DNS server on a small/home network is to install it on a Raspberry Pi 3 B+ single board computer and connect it directly to your Internet router with DHCP set up. Such a setup allows every device on your network to use the secure protocols and also gives you greater control over your network, such as blocking domain names as per your policy or blocking ads across your entire network.


Understanding The Dashboard

Technitium DNS Server web console provides a dashboard which displays useful stats that can be used to understand the DNS server operations. The dashboard contains a main chart which displays query and response related data, and a top query type donut (pie) chart. It also lists top clients, top domains and top blocked domains in a tabular format.


Main Chart

The dashboard can display stats for the last hour, last day, last week, last month and last year. The server internally stores all stats with UTC time stamps, and the dashboard's JavaScript converts them to local time for display on the x-axis of the main chart.

Dashboard - Main Chart

The stats displayed at the top of the main chart are also plotted on the chart using the same color scheme (except for the Allowed and Blocked zone numbers). Let's understand each item in the stats and chart:

  • Total Queries: The total number of queries the DNS server has received and processed.

  • Cache Hit: The total number of queries that were answered using data already available on the server. This includes responses from the cache zone, authoritative zones and the blocked zone. A higher cache hit percentage is better, since the DNS server does not need to resolve the query and can respond quickly from cache.

  • No Error: The total number of queries that the server answered positively. This usually means the server was able to satisfy the query with the desired response, either from the cache zone, an authoritative zone, the blocked zone, or by recursively resolving it.

  • Server Failure: This is an important stat to keep an eye on. It indicates the total number of queries that the server failed to answer positively. This is a generic failure that can be caused by many different factors. The most common cause is network connectivity, that is, the server was unable to connect to the name server or forwarder, either due to Internet connectivity issues or because the remote name server failed to respond within the timeout, usually 2 seconds. The exact reason for a failure can only be deduced from the logs.

  • Name Error: This may seem to indicate an error but is actually an indication that a domain name does not exist. The server tries to resolve the domain name in the query and, if the domain name does not exist, receives a Name Error response code, which is relayed as the response to the original query. Name Error responses are generated only by the authoritative name server of a domain name; recursive DNS servers only relay these responses.

  • Refused: The total number of queries this DNS server refused to resolve. This commonly occurs when you have "Allow Recursion Only For Private Networks" enabled in settings and the server receives a recursive query from a public network.

  • Blocked: The total number of queries this DNS server blocked by responding with "0.0.0.0" for A record requests (or "::" for AAAA). The DNS server uses the Blocked zone, which can be configured with block list URLs in settings.

  • Clients: The total number of unique clients, based on the source IP address of the queries.

  • Allowed (Zones): The total number of domain names added to the Allowed zone, which are excluded from being blocked.

  • Blocked (Zones): The total number of domain names in the Blocked zone. This includes domain names added manually and automatically via block list URLs.
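The counters above, tallied from a constructed query log so their definitions can be checked against concrete records, plus a simple Server Failure ratio alert since the text singles that stat out as the one to watch. This is an added example, not Technitium's code; the key=value log format, the field names, and the 10% alert threshold are assumptions, not the server's real query log format or any built-in alerting.

```python
from collections import Counter

# Constructed sample query log (key=value fields per line). This is NOT Technitium's
# real query log format; it only illustrates how the dashboard counters relate.
SAMPLE_LOG = """\
client=192.0.2.10 qname=example.com qtype=A rcode=NOERROR source=cache answer=192.0.2.44
client=192.0.2.10 qname=ads.example.net qtype=A rcode=NOERROR source=blocked answer=0.0.0.0
client=192.0.2.11 qname=ads.example.net qtype=AAAA rcode=NOERROR source=blocked answer=::
client=192.0.2.11 qname=nxdomain.example qtype=A rcode=NXDOMAIN source=recursive answer=-
client=192.0.2.12 qname=slow.example qtype=A rcode=SERVFAIL source=recursive answer=-
client=198.51.100.7 qname=example.com qtype=A rcode=REFUSED source=policy answer=-
"""

CACHE_HIT_SOURCES = ("cache", "authoritative", "blocked")  # answered from local data


def parse_line(line):
    return dict(field.split("=", 1) for field in line.split())


def dashboard_stats(log_text):
    """Tally the dashboard counters the way the text above defines them."""
    stats, qtypes, clients = Counter(), Counter(), set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        stats["total"] += 1
        clients.add(rec["client"])
        qtypes[rec["qtype"]] += 1
        stats[rec["rcode"].lower()] += 1            # noerror / servfail / nxdomain / refused
        if rec["source"] in CACHE_HIT_SOURCES:
            stats["cache_hit"] += 1
        if rec["source"] == "blocked" and rec["answer"] in ("0.0.0.0", "::"):
            stats["blocked"] += 1                   # A/AAAA answered from the Blocked zone
    stats["clients"] = len(clients)
    return dict(stats), qtypes.most_common(5)      # top 5 feeds the query type chart


def servfail_alert(stats, max_ratio=0.10):
    # Server Failure is the stat to watch; the 10% threshold is an assumption.
    total = stats.get("total", 0)
    return total > 0 and stats.get("servfail", 0) / total > max_ratio
```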


Top Query Type Chart

This is a donut (pie) chart which shows the share of the top 5 query types that this DNS server received for the selected time frame. The most common entries in this chart are type A (which returns an IPv4 address) and type AAAA (which returns an IPv6 address). Even if you don't have IPv6 connectivity, some applications like web browsers query for an AAAA record to test IPv6 connectivity.

Dashboard - Top Query Type Chart