r/technitium

Memory Issues

Hello

Quick Question. We were on Technitium 14.3 and everything was going fine. Suddenly "out of nowhere" the RAM usage started increasing in the dotnet process that we believe runs Technitium.

Our servers, hosting only Technitium, have 16Gig of RAM. So far we have watched this increase go from the baseline of 789MB to eating up 54% of the RAM available.

At this point we decided that something was wrong and upgraded to 15.2, made sure our Debian 13 boxes were up to date - 13.5. When we restart the servers memory usage goes back down to its baseline and then begins to increase very slowly day by day.

We are still investigating, but thought I would post this here just in case anyone else is also seeing issues.

u/Admirable_Hat2188 — 1 day ago

Wildcard Whitelisting help, needed.

I've just switched the other day from an AdGuard Home + Unbound + Redis setup, and I can safely say I'm quite impressed, even though some things are not as straightforward to set up as they are in AdGuard's UI.

But this is where I'm stuck: I'm trying to whitelist these domains like I would in AdGuard Home, but unfortunately in Technitium I have to add each domain individually.

These are all from Rainbow 6 Siege, just as an example:

gamelift-ping.ap-northeast-2.api.aws

gamelift-ping.ap-northeast-1.api.aws

gamelift-ping.af-south-1.api.aws

In AdGuard Home I can do this: gamelift-ping.*-*-*.api.aws, and the variants of the domain are all unblocked, but currently in Technitium it's not possible. I'm just wondering if this is a current limitation or if I'm doing something wrong.

Any help would be greatly appreciated.

u/Kadian78 — 3 days ago

Technitium self-signed certificate - untrusted root

I have the Technitium cluster configured, with a second node joined to the cluster. The initial zone sync seemed to work, but now the status of the primary node is unreachable from the secondary.

I see the following in the logs:

[2026-05-17 11:22:52 Local] Heartbeat failed for Primary node 'technitium01.technitium.local (192.168.5.40, 192.168.50.40, 192.168.30.40, 192.168.40.40)'.
System.Net.Http.HttpRequestException: The SSL connection could not be established since the TLS certificate failed DANE validation: no matching TLSA record was found, or the certificate had one or more issues [RemoteCertificateNameMismatch, RemoteCertificateChainErrors]. (technitium01.technitium.local:53443)
 ---> System.Security.Authentication.AuthenticationException: The SSL connection could not be established since the TLS certificate failed DANE validation: no matching TLSA record was found, or the certificate had one or more issues [RemoteCertificateNameMismatch, RemoteCertificateChainErrors].
   at TechnitiumLibrary.Net.Http.Client.HttpClientNetworkHandler.ValidateDane(X509Certificate2 certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors, IReadOnlyList`1 tlsaRecords) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Http\Client\HttpClientNetworkHandler.cs:line 515
   at TechnitiumLibrary.Net.Http.Client.HttpClientNetworkHandler.<>c__DisplayClass11_0.<ConnectCallback>b__0(Object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors sslPolicyErrors) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Http\Client\HttpClientNetworkHandler.cs:line 162
   at System.Net.Security.SslStream.VerifyRemoteCertificate(RemoteCertificateValidationCallback remoteCertValidationCallback, SslCertificateTrust trust, ProtocolToken& alertToken, SslPolicyErrors& sslPolicyErrors, X509ChainStatusFlags& chainStatus)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at TechnitiumLibrary.Net.Http.Client.HttpClientNetworkHandler.ConnectCallback(SocketsHttpConnectionContext context, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Http\Client\HttpClientNetworkHandler.cs:line 207
   at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)
u/jaykumar2005 — 4 days ago

Installation on OPNsense/FreeBSD - SQLite issue

I understand .NET is not officially supported on FreeBSD.

Got Technitium up and running, web interface is accessible, DNS resolution and blocking works fine.

The only issue I am encountering at the moment is SQLite support. Any attempt to create/join a cluster causes the following error. Any way to fix this?

[2026-05-16 12:56:46 Local] [192.168.5.195:51369] System.TypeInitializationException: The type initializer for 'Microsoft.Data.Sqlite.SqliteConnection' threw an exception. ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.DllNotFoundException: Unable to load shared library 'e_sqlite3' or one of its dependencies. In order to help diagnose loading problems, consider using a tool like strace. If you're using glibc, consider setting the LD_DEBUG environment variable: C

Or when trying to enable the query log:

[2026-05-16 12:33:01 Local] DNS App [Query Logs (Sqlite)]: System.TypeInitializationException: The type initializer for 'Microsoft.Data.Sqlite.SqliteConnection' threw an exception.
 ---> System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation.
 ---> System.DllNotFoundException: Unable to load shared library 'e_sqlite3' or one of its dependencies. In order to help diagnose loading problems, consider using a tool like strace. If you're using glibc, consider setting the LD_DEBUG environment variable: 
Cannot open "/opt/dotnet/shared/Microsoft.NETCore.App/10.0.3/e_sqlite3.so"
Cannot open "/opt/technitium/dns/config/apps/Query Logs (Sqlite)/e_sqlite3.so"
Shared object "e_sqlite3.so" not found, required by "dotnet"
Cannot open "/opt/dotnet/shared/Microsoft.NETCore.App/10.0.3/libe_sqlite3.so"
Cannot open "/opt/technitium/dns/config/apps/Query Logs (Sqlite)/libe_sqlite3.so"
Shared object "libe_sqlite3.so" not found, required by "dotnet"
Cannot open "/opt/dotnet/shared/Microsoft.NETCore.App/10.0.3/e_sqlite3"
Cannot open "/opt/technitium/dns/config/apps/Query Logs (Sqlite)/e_sqlite3"
Shared object "e_sqlite3" not found, required by "dotnet"
Cannot open "/opt/dotnet/shared/Microsoft.NETCore.App/10.0.3/libe_sqlite3"
Cannot open "/opt/technitium/dns/config/apps/Query Logs (Sqlite)/libe_sqlite3"
Shared object "libe_sqlite3" not found, required by "dotnet"

   at SQLitePCL.SQLite3Provider_e_sqlite3.NativeMethods.sqlite3_libversion_number()
   at SQLitePCL.SQLite3Provider_e_sqlite3.NativeMethods.sqlite3_libversion_number()
   at SQLitePCL.Batteries_V2.Init()
   at System.Reflection.MethodBaseInvoker.InterpretedInvoke_Method(Object obj, IntPtr* args)
   at System.Reflection.MethodBaseInvoker.InvokeWithNoArgs(Object obj, BindingFlags invokeAttr)
   --- End of inner exception stack trace ---
   at System.Reflection.MethodBaseInvoker.InvokeWithNoArgs(Object obj, BindingFlags invokeAttr)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
   at Microsoft.Data.Sqlite.SqliteConnection..cctor()
   --- End of inner exception stack trace ---
   at Microsoft.Data.Sqlite.SqliteConnection..ctor(String connectionString)
   at QueryLogsSqlite.App.InitializeAsync(IDnsServer dnsServer, String config) in Z:\Technitium\Projects\DnsServer\Apps\QueryLogsSqliteApp\App.cs:line 414
   at DnsServerCore.Dns.Applications.DnsApplication.InitializeAsync() in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\Applications\DnsApplication.cs:line 208
[2026-05-16 12:33:01 Local] DNS Server successfully loaded DNS application: Query Logs (Sqlite)
u/jaykumar2005 — 5 days ago

I built a parental control dashboard for Technitium

Update: live on GitHub: https://github.com/adzza/guardium-dns

Like many of the tech mums and dads out there, and working in the space myself, I’m constantly battling screen time controls with the kids and concerned about content filters working properly etc. Having used just about every router type out there plus their parental control offerings, I noticed they all have pros and cons but none of them really do it all.

Well, I decided to code an alternative… I built a Node.js dashboard that talks to Technitium’s API. I ALSO built in the capability for the dashboard to integrate with my ASUS router, enabling hard kill switches for devices AND the ability to redirect pesky DoH requests that are embedded in things like smart TVs so that even if you change the DNS on newer Google TVs, YouTube still works.

I’m quite proud of this and have been using it for the week with great success, now locking my son’s gaming rig until he’s completed his chores for example, and killing YouTube specifically for our smart TVs to stop the kids mindlessly scrolling shorts. A few screenshots. :)

I’ve yet to see if anyone else has interest in this, but I figured I’d share this as I thought it was a pretty cool little project!

Update: Thanks for all the feedback. I’ll get this into GitHub over the weekend.

u/solar_cell — 7 days ago

(Is)Grouping transactions using the API (possible)?

While I'm able to craft RFC2136 updates in a way to send multiple updates in one request I don't see how to do this using the Technitium API.

It's not about "if this fails, back out what I did before" (although that would be nice, too) but having a script that needs to update dozens of RRs in the same domain, triggered by an IP address update of some routers. Right now this is causing multiple zone updates which results in bombastic serial numbers ("mine is larger than yours, I bet!") and serious WAN traffic between DNS, even if it is IXFR.

Is there a solution I'm missing?

u/noseshimself — 6 days ago

Manually-added Blocked zone returns RCODE=Refused instead of NXDOMAIN — is this expected?

Running Technitium DNS Server in a cluster (dns1 + dns2). I added stun.l.google.com via the Blocked tab (top nav, not Settings → Blocking). The zone got auto-created with NS + SOA records pointing to dns1.home.arpa, no A or AAAA records, which matches what I'd expect for an empty Blocked-tab entry.

The Query Logs (Sqlite app) show this when a client queries the blocked domain:

Client: 10.99.0.11
Protocol: Udp
Response Type: Authoritative
RCODE: Refused
Domain: stun.l.google.com
Type: A (and AAAA)

So Technitium is responding authoritatively with RCODE=Refused — not NXDOMAIN, not NoError/NODATA.

I expected NXDOMAIN given:

  • The zone exists locally as an empty zone (NS + SOA, no resource records)
  • No "Allow Recursion Only For Private Networks" path is involved (the client is on RFC1918 10.0.0.0/8 and the log says response source is Authoritative, not Recursive)
  • The CHANGELOG mentions: "Fixed critical bug in block list condition check causing server to respond with RCODE=Refused when only using Blocked zone. Added option to respond with RCODE=NxDomain for blocked domains instead of returning 0.0.0.0 address."

That changelog entry suggests there's a setting to control this, but I can't find a "Blocking Type" control in Settings → Blocking on my version. Some older Reddit threads mention a "Blocking Type" radio (NX Domain / Anyone Address / Custom Address), but on my UI that section doesn't appear that way.

Questions:

  1. Is Refused the expected/correct response code for a manually-added Blocked-tab entry on current versions of Technitium, or is there a setting I'm missing that would make it return NXDOMAIN?
  2. Is the "Blocking Type" setting that older posts reference still present in the current UI? If so, where? If not, what replaced it?
  3. Does the Blocking Type setting (if present) only apply to Block List Zone (URL-based lists) entries, or does it also affect the manually-added Blocked tab entries?
  4. The dashboard "Blocked" counter doesn't increment for these Refused responses — they show up under "Refused" instead. Is that the intended categorization, or should manually-blocked-zone Refused responses count toward the Blocked counter?

Functionally the block is working — the client (kvmd-janus on a GL.iNet KVM) makes a few retries on Refused then gives up, which is actually the desired behavior. But I'd like to understand the response code logic so I can configure it deliberately rather than accidentally.

Version: 14.3

Thanks!

u/goodt2023 — 8 days ago

Is clustering really clustering?

Is Technitium clustering really a cluster, or is it just 2 servers that share configs? I have always thought of a cluster as 2 servers that are just pieces treated like a single server environment. Am I mistaken in that the Technitium "cluster" is just 2 separate servers that synchronize configurations? I am not saying that ain't GREAT, but is it really a "cluster"?

u/daviscompound — 8 days ago

How do I create a manually entered DHCP reserved address?

I would like to reserve an address manually so the device will get the address on first connect. However, I cannot find a way to do this. The reserved lease page does not allow you to add a lease.

u/daviscompound — 8 days ago

How to upgrade cluster to 15.x

In the release notes they mention that the service now runs as non-root. To get this though you have to uninstall and reinstall. How does this work for a cluster? Do we still do primary then secondary? Or is this essentially creating a new cluster and you restore a backup to it/them?

u/Bubbagump210 — 7 days ago

DNS over TLS problem

I've got Technitium set up and running, and now I'd like to switch to DNS over TLS for my forwarders (Cloudflare and Quad9). This appears simple enough: I select Cloudflare over TLS and it automatically selects the correct protocol, and I save the changes. Then I test a ping from a laptop on the network (its DNS is pointing to Technitium), and I ping something unusual that won't be in the cache. I then check the logs on the dashboard and I see a recursive lookup (as expected), but over UDP, not TLS.

I can't see anything else to change, so I'm confused as to how to troubleshoot this. (Yes, I've tried rebooting.)

Can anyone advise what I'm doing wrong or how I can troubleshoot this issue, please?

u/SJPearson — 10 days ago

Resolve hostname without suffix

Hi everyone! I’ve just installed Technitium on my home server and I need some help with a specific setup. I'm using an Ubiquiti router for DHCP with the local domain disabled. I want to figure out how to resolve local device names through Technitium without having a domain. On AdGuard Home, I used to use [/ /]192.168.1.1, but I’m not sure how to do the same here. Any advice?

u/Competitive-Hornet27 — 9 days ago

MISP Connector and Log Exporter Apps for Technitium DNS Server Have Moved

I wrote a short update on two Technitium DNS Server apps I maintain.

The MISP Connector App and Log Exporter App are no longer continuing in the main Technitium DNS Server repository. My versions now live separately under DeltaZulu OÜ, following feedback from Shreyas Zare:

MISP Connector App https://github.com/DeltaZulu-OU/MispConnectorApp

Log Exporter App https://github.com/DeltaZulu-OU/LogExporterApp

This is not only a change of location. Both versions have moved on quite a bit.

The MISP Connector still does the same basic job: it pulls domain indicators from MISP and uses them for resolver-side blocking. The standalone version fixes the blocking-report issue, adds configurable TTLs, and keeps support for NXDOMAIN, TXT reports, and EDE metadata.

The Log Exporter changed more. It is now closer to a DNS log forwarder than the original simple exporter. It has a bounded async pipeline, enrichment, console/file/HTTP/Syslog outputs, NDJSON over HTTP, static tags, dropped-record reporting, and cleaner shutdown behavior.

The reason for separating them is ordinary open-source maintenance. The upstream maintainer should not have to support every app I want to extend, and a larger rewrite is not always suitable for an installed user base.

The older articles still explain the original use cases around MISP, DNS blocking, and SIEM export. The new post is mainly about where the apps live now and what changed.

Article:

https://zaferbalkan.com/technitium-apps/

u/feldrim — 9 days ago

Very verbose logs

How do I remove some verbosity from these logs?

[2026-05-12 10:21:32 UTC] DNS Server failed to resolve the request 'expiredsig-243c898d.test-alg13.dnscheck.tools. AAAA IN'.
TechnitiumLibrary.Net.Dns.DnsClientResponseDnssecValidationException: Attack detected! DNSSEC validation failed due to invalid signature [SignatureExpired] for owner name: expiredsig-243c898d.test-alg13.dnscheck.tools/AAAA
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList`1 records, IReadOnlyList`1 dnsKeyRecords, IReadOnlyList`1 unsignedZones, DnssecValidateSignatureParameters parameters, Boolean isAuthoritySection, Boolean isAdditionalSection) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 3165
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateSignatureAsync(DnsDatagram response, IReadOnlyList`1 dnsKeyRecords, IReadOnlyList`1 unsignedZones) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2998
   at TechnitiumLibrary.Net.Dns.DnsClient.DnssecValidateResponseAsync(DnsDatagram response, IReadOnlyList`1 lastDSRecords, DnsClient dnsClient, IDnsCache cache, UInt16 udpPayloadSize, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 2806
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass45_1.<<RecursiveResolveAsync>b__7>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1170
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass89_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4681
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass89_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4850
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass89_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4540
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalResolveAsync(DnsDatagram request, Func`3 getValidatedResponseAsync, Boolean doNotReorderNameServers, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 5012
   at TechnitiumLibrary.Net.Dns.DnsClient.RecursiveResolveAsync(DnsQuestionRecord question, IDnsCache cache, NetProxy proxy, IPv6Mode ipv6Mode, UInt16 udpPayloadSize, Boolean randomizeName, Boolean qnameMinimization, Boolean dnssecValidation, NetworkAddress eDnsClientSubnet, Int32 retries, Int32 timeout, Int32 concurrency, Int32 maxStackCount, Boolean minimalResponse, Boolean asyncNsResolution, List`1 rawResponses, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1138
   at TechnitiumLibrary.Net.Dns.DnsClient.RecursiveResolveAsync(DnsQuestionRecord question, IDnsCache cache, NetProxy proxy, IPv6Mode ipv6Mode, UInt16 udpPayloadSize, Boolean randomizeName, Boolean qnameMinimization, Boolean dnssecValidation, NetworkAddress eDnsClientSubnet, Int32 retries, Int32 timeout, Int32 concurrency, Int32 maxStackCount, Boolean minimalResponse, Boolean asyncNsResolution, List`1 rawResponses, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 1822
   at DnsServerCore.Dns.DnsServer.<>c__DisplayClass182_0.<<DefaultRecursiveResolveAsync>b__2>d.MoveNext() in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 5194
--- End of stack trace from previous location ---
   at TechnitiumLibrary.TaskExtensions.TimeoutAsync[T](Func`2 func, Int32 timeout, CancellationToken cancellationToken)
   at TechnitiumLibrary.TaskExtensions.TimeoutAsync[T](Func`2 func, Int32 timeout, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary\TaskExtensions.cs:line 65
   at DnsServerCore.Dns.DnsServer.DefaultRecursiveResolveAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, IDnsCache dnsCache, Boolean dnssecValidation, Boolean skipDnsAppAuthoritativeRequestHandlers, CancellationToken cancellationToken) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 5190
   at DnsServerCore.Dns.DnsServer.RecursiveResolverBackgroundTaskAsync(DnsQuestionRecord question, NetworkAddress eDnsClientSubnet, Boolean advancedForwardingClientSubnet, IReadOnlyList`1 conditionalForwarders, Boolean dnssecValidation, Boolean cachePrefetchOperation, Boolean cacheRefreshOperation, Boolean skipDnsAppAuthoritativeRequestHandlers, TaskCompletionSource`1 taskCompletionSource) in Z:\Technitium\Projects\DnsServer\DnsServerCore\Dns\DnsServer.cs:line 4879
u/karafili — 9 days ago

DHCP and Syslog

Hello

How can I send DHCP logs to a syslog server—and only the DHCP logs, not the DNS logs? Log exporter doesn't seem to support this feature.

Is it possible? If yes, how can I do that?

Thank you for your help.

BR

u/Smart_Stadium — 11 days ago

Help a noobie

I’m running Technitium DNS Server as my network-wide DNS server and I’m trying to make sure ad blocking is working correctly.

My setup:

DHCP is handled by a Nokia XS-2425G-B modem/router

DHCP hands out my Technitium box as DNS (192.168.1.12)

Clients are resolving through Technitium

I am not using upstream forwarders — Technitium is running as a full recursive resolver

Blocking is enabled in Technitium

Blocklist currently used: https://raw.githubusercontent.com/hagezi/dns-blocklists/main/wildcard/pro.txt

I initially thought blocking wasn’t working because ads were still showing, but testing doubleclick.net in Technitium DNS Client now returns:

RCODE: NxDomain

and:

source=blocked-zone; domain=doubleclick.net

So it looks like blocking itself is working.

What still confuses me:

I still see ads in some apps/sites

Dashboard sometimes shows relatively low blocked counts even though ad-related domains appear in query logs

I’m trying to understand whether this is normal DNS behavior (first-party ads / app CDN domains), or if I’m still missing something in my setup

A few questions for people familiar with Technitium:

Is doubleclick.net returning NXDOMAIN enough to confirm the blocking pipeline is working correctly?

Is it normal to still see ads in apps/social media even with a working DNS sinkhole?

Which domains are best to test next to verify whether ads are bypassing DNS or just coming from first-party domains?

Any recommended blocklists/settings that improve mobile app ad blocking without breaking normal services?

Would appreciate any troubleshooting advice.

This all runs in docker

u/Jimmyll9 — 12 days ago

Trying to set up my homelab with Technitium

I am looking at switching away from AdGuard and want to incorporate a Technitium cluster into my homelab.

I currently do not have a reverse proxy set up, as I am trying to learn how to configure that as well.

I have a Pi 5 and a server running Proxmox.

Looking for some advice on the best way to set this up using my current hardware. Also, do I need to set up a second node in the cloud?

u/True_Taf — 11 days ago