r/technitium

Technitium DNS PSA: Don't whitelist the root domain unless you really mean it

I learned something today while tuning my Technitium DNS Server with HaGeZi Ultimate, HaGeZi TIF, OISD Big, OISD NSFW, and the DoH/VPN bypass list.

At first, I was whitelisting root domains like:

facebook.com
tailscale.com
anydesk.com
fbcdn.net

I assumed this would only allow those specific domains.

After testing with dig and Technitium's EDE (Extended DNS Error) responses, I discovered that's not how the allow list behaves.

Example:

If you whitelist:

tailscale.com

then these are effectively allowed as well:

login.tailscale.com
log.tailscale.com
pkgs.tailscale.com
controlplane.tailscale.com
wwwv2.tailscale.com

Likewise:

facebook.com

also allows:

graph.facebook.com
pixel.facebook.com
m.facebook.com
lookaside.facebook.com
...

The proof came when I removed the parent domain from my whitelist and instead allowed only the hostnames my applications actually required.

Immediately afterwards:

$ dig pixel.facebook.com

;; status: NXDOMAIN

EDE: 15 (Blocked)
source=OISD Big
source=HaGeZi Ultimate

So my tracking protection started working again without breaking Facebook, WhatsApp, Instagram, or Tailscale functionality.

My recommendation is:

This keeps your services working while allowing your blocklists to continue blocking advertising, telemetry, and tracking endpoints.

Has anyone else observed the same behavior in Technitium's allow list? I'd be interested to know if this is documented somewhere, because it was one of the most useful things I've learned while fine-tuning my DNS setup.

reddit.com
u/neo-ahmad — 5 hours ago

Feature Idea / Discussion: Excluding loopback and cluster sync queries from Dashboard stats to get "realistic" metrics?

Hey everyone,

I’m currently running a Technitium DNS cluster and noticed a small issue with the Dashboard statistics. Because the cluster nodes constantly query each other for sync and health checks, and local services use the loopback address (127.0.0.1 / ::1), my Dashboard graphs are heavily distorted.

The internal automated traffic completely floods the total query count. This makes it really hard to see and analyze actual, realistic client traffic because the percentages and charts are skewed by the background noise.

I'm thinking about opening a Feature Request on GitHub for an option to exclude specific IPs/subnets (like loopback and other cluster nodes) from the Dashboard UI calculations—while keeping them in the raw logs for debugging, of course.

Before I do, I wanted to ask the community:

  1. Are you guys running into the same issue with your clusters or local setups?
  2. How do you currently handle this to get clean metrics? (Anyone using Grafana workarounds?)
  3. Do you think a native "Exclude IPs from Dashboard Stats" settings toggle would be a useful addition?

Would love to hear your thoughts or suggestions on this before pitching it to the devs!

reddit.com
u/Timely-Interaction94 — 16 hours ago

How to map a name to a MAC?

When I was using dsnmasq I had the possibility to map a name to a MAC: every time this MAC was being offered an IP, the built-in DNS was mapping my chosen name to that IP. In other words, the IP was floating, but each device had a wel-defined name.

I cannot find this feature in technitium. The only thig I found is to fix the current IP that the device got, and then manually map this IP to a name in the DNS section.

Is there a better way?

reddit.com
u/sendcodenotnudes — 1 day ago

Sharing my small addon for Technitium DNS Server's Advanced Blocking app, since there's no way to pause blocking without hand-editing JSON

Technitium DNS Server's Advanced Blocking app (the one that does per-client-group block lists, regex lists, adblock lists) only exposes its config as a raw JSON textarea in the web console. There's no button to just pause blocking for a bit, and no form to edit groups or block lists without hand-editing that JSON.

Im sharing my small self-contained addon that runs alongside the DNS server and adds:

- Pause/resume for the whole app or individual groups, with an optional timer (5 min, 1 hour, custom duration, whatever) and a countdown, so you can turn blocking off for a bit without forgetting to turn it back on

- A proper form based editor for the whole config: groups, block lists, allow lists, endpoint/network mappings, instead of hand editing JSON

- Styled to match the actual Technitium console (same CSS, same theme switcher, light/dark/amber) so it doesn't feel bolted on

- Self update from GitHub releases, works on Windows (including as a real Windows Service) and Linux (systemd), self contained so nothing extra needs installing on the host

It talks to the DNS server over its existing HTTP API, the same one the web console itself uses, so it's not forking or modifying the DNS server or the Advanced Blocking app in any way. It has its own login separate from your DNS server's auth, since it holds an API token with modify permissions and I didn't want that exposed to anyone who can reach the port.

Still early, v0.1.0, and only covers Advanced Blocking for now. Plan is to cover other apps in the store that use JSON config too, eventually.

GitHub: https://github.com/Hemsby/TDNS-AdvAppConfig

reddit.com
u/Hemsby1975 — 21 hours ago

Pausing advanced blocking.

Is there a way to pause blocking when using the advanced blocking app? I see ho to do it with the standard built in blocking but I can’t seem to find a way to do it when using an app.

reddit.com
u/50n0fm0gh — 2 days ago

Brand new to anything like this, had my home setup running for a couple weeks. How does this 7 day view of my dashboard look?

Does this look normal? The only thing my untrained eye can see is the amount of devices but that’s probably just due to dynamic IP’s of random devices.

EDIT: I should say I installed this and configured it to block ads.

u/indochris609 — 7 days ago

Switching from AGH to Technitium

Happy to be here!

I've been using AdGuard Home (AGH) in my homelab for about four years to protect my family's devices and to avoid relying on my ISP for DNS. It worked well overall, but I ran into a few issues over the years, especially with DHCP and some resolver-related behavior.

My setup was:

Clients → AdGuard Home → Unbound → Cloudflare DoT

This gave me two layers: AGH for filtering and Unbound as the validating recursive resolver forwarding securely to Cloudflare.

I had tried Technitium DNS Server before, but I wasn't confident enough to switch completely. This week I decided to give it another chance and see if I could use it as a complete solution without adding multiple DNS layers.

The only thing that confused me was DNSSEC validation. At first, I added Unbound because I wasn't sure whether Technitium was validating correctly. After doing much deeper testing with dig and other tools, I tested dnssec-failed.org:

dig dnssec-failed.org +dnssec

Here are the results I received:

Cloudflare

EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for dnssec-failed.org.)

Quad9

EDE: 6 (DNSSEC Bogus)

Technitium (DNSSEC Validation enabled, forwarding to Cloudflare DoT)

EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for dnssec-failed.org.)   ← From Cloudflare

EDE: 9 (DNSKEY Missing): (Attack detected! No SEP matching the DS found for dnssec-failed.org.)   ← Added by Technitium

Based on these results, it appears that Technitium is performing DNSSEC validation correctly. However, I'm still confused about one thing:

Why does Technitium report EDE 9 (DNSKEY Missing) instead of EDE 6 (DNSSEC Bogus) like Quad9?

Is this simply a difference in implementation and reporting between DNS resolvers, or is there something in my configuration that I'm missing?

I'd appreciate any clarification from people who have more experience with Technitium and DNSSEC.

reddit.com
u/neo-ahmad — 6 days ago
▲ 5 r/technitium+1 crossposts

How to load container for offline use?

So Im trying to use VyOS as a container-host in an environment where the VyOS installation wont be able to reach internet as in not having access to a registry such as docker.io.

At first I tried to figure out a way to setup your own private registry.

I was thinking of having an easy way similar to when you need a quick http-server you can just run:

python3 -m http.server 8000

But it turned out to be more complicated than I wanted (unless someone have some tips?).

So instead I tried to save/load the container as a tar-file, like so:

Create a local "mirror" of the container (on a computer with internet access):

docker pull docker.io/technitium/dns-server:latest
docker save -o ~/docker/technitium_dns-server_`date +%Y-%m-%d`.tar docker.io/technitium/dns-server:latest
gzip -9 ~/docker/technitium_dns-server_2026-06-18.tar

Optionally the pulled image can be removed using "docker rmi <id>".

Transfer gzip-file to VyOS using scp:

scp ~/docker/technitium_dns-server_2026-06-18.tar vyos@192.0.2.1:/config

Then on VyOS:

gunzip /config/technitium_dns-server_2026-06-18.tar.gz
podman load -i /config/technitium_dns-server_2026-06-18.tar

To verify that its loaded:

podman images

would output something like:

REPOSITORY                       TAG         IMAGE ID      CREATED      SIZE
docker.io/technitium/dns-server  latest      ba2762a21fbd  5 weeks ago  275 MB

To create directories needed for the container:

mkdir -p /config/dns-server/config
mkdir -p /config/dns-server/logs

Reference regarding defaults and available options for the particular container:

https://github.com/TechnitiumSoftware/DnsServer/blob/master/docker-compose.yml

Config in VyOS:

set container name dns-server allow-host-networks
set container name dns-server capability 'net-bind-service'
set container name dns-server environment DNS_SERVER_WEB_SERVICE_LOCAL_ADDRESSES value '192.0.2.1'
set container name dns-server image 'docker.io/technitium/dns-server:latest'
set container name dns-server memory '4096'
set container name dns-server port dns-tcp destination '53'
set container name dns-server port dns-tcp protocol 'tcp'
set container name dns-server port dns-tcp source '53'
set container name dns-server port dns-udp destination '53'
set container name dns-server port dns-udp protocol 'udp'
set container name dns-server port dns-udp source '53'
set container name dns-server port mgmt-http destination '5380'
set container name dns-server port mgmt-http protocol 'tcp'
set container name dns-server port mgmt-http source '5380'
set container name dns-server restart 'on-failure'
set container name dns-server volume config destination '/etc/dns'
set container name dns-server volume config source '/config/dns-server/config'
set container name dns-server volume logs destination '/var/log/technitium/dns'
set container name dns-server volume logs source '/config/dns-server/logs'

But then I get stuck...

When doing commit of above Im getting:

[ container ]

WARNING: Image "docker.io/technitium/dns-server:latest" used in
container "dns-server" does not exist locally. Please use "add
container image docker.io/technitium/dns-server:latest" to add it to
the system! Container "dns-server" will not be started!

So somehow the vyos-configd doesnt fully understand that podman already have the image loaded.

So ehm, what to do next? :-)

u/Apachez — 6 days ago

Add Unbound as Forwarding and DNSSEC Validation refer to Issue DNSSEC validation with Technitium

This issue led me to use Unbound for DNSSEC validation with Technitium DNS Server. I adjusted several settings to optimize compatibility with Unbound, and the issue has been resolved successfully.

Below is my Unbound configuration file, along with screenshots of the Technitium DNS Server cache and main settings. Feel free to use them if you find them helpful.: https://gist.github.com/jo20201/0c9df33bc26faefca9b44ba9729cb83a#file-unbound-conf

https://preview.redd.it/bhkvl2r5b8ah1.png?width=516&format=png&auto=webp&s=b757342c60c2903cbbda7034825b9e9c4714e4c9

https://preview.redd.it/t17wutk7b8ah1.png?width=517&format=png&auto=webp&s=e3b518145df1ef355943e3982e9b38a247d40227

reddit.com
u/neo-ahmad — 7 days ago

How to set access / notify / xfer

Hi

So I have a cluster - 4 nodes and around ~ 10 zones forward and reverse

Now I want to set the default access policy and xfer and notify.

If I set this on the catalog - then all of the zones that are part of the catalog will inherit those values ?

Should I have the primary node as part of the notify / xfer list

right now my zones are up ffailed to notify when they try to notify themselves

so pi5-a is my primary - it has 3 ip's ipv4 ipv6 GUA & ULA.

in the lof it fails because notify to itself fails

what do i do ?

reddit.com
u/Horror-Breakfast-113 — 6 days ago

Query Logs (SQLLite) only saving/searching for part of the day

This is new. Or at least I just found it today. In View Logs, I see logs going back to November 2025 when I reinstalled everything. But it appears only about 2 1/4 hours are searchable on one server and around 7 1/2 hours on the other. Currently the oldest thing I can find is 2026-06-29 11:46:14 on one server and 2026-06-29 06:32:44 on the other and the newest 2026-06-29 14:01:22. Dashboard stats go back to November.

Logging is to file and In-memory stats is off. This was working at least a few months ago, but now everything seems to no stay in the database. Version 15.2

reddit.com
u/CrustyBatchOfNature — 7 days ago

Wildcard zones

I have a weird situation and probably doing this wrong. What’s the best way?

Currently have *.local.com pointing to 192.168.1.2 for caddy but also also nas.local.com pointing to 192.168.1.10 as an A record in the same zone.

Some devices resolve nas to .10 and others to .2

What’s the way to do this properly? Thanks

reddit.com
u/SamVimes341 — 9 days ago

No logs older than an hour

Hi,

In my dashboard I only see the logs for the last hour.

Every other time tab has no entry.

Does someone have a tip on how to solve for me?

Regards

u/whitesnuf — 7 days ago

Can you freely upgrade (and downgrade?) technitium/dns-server as container?

Looking at https://hub.docker.com/r/technitium/dns-server the oldest version that exists seems to be 14.0.0.

Dunno if thats the first container edition or not but anyway.

If I would start with 14.0.0 can I then just reload into 15.2.0 and it will just work (regarding config-files) or how does upgrading works?

Is it also possible to downgrade?

Like if I got a 15.2.0 installation and replace the image with an older one - how far back can I moonwalk?

Im thinking since its not uncommon (compared to others) that if you for example would have been on version 13.0.0 you must upgrade through all major version like from 13.0.0 to 14.0.0 then 15.0.0 and finally you can jump onto the last one currently being 15.2.0.

And also that downgrading outside of current majorversion is often not supported.

Like if I currently have 15.2.0 I can downgrade down to 15.0.0 but not like back to 14.x.x or below.

So whats the official support for upgrading and downgrading containers with Technitium?

And what have those of you running technitium/dns-server experienced in the wild regarding upgrading or downgrading?

My main concern is how critical it is to apply each update.

Unless there are some CVE findings or some other bugs/features affecting me I would normally no jump onto each released version (unless I got some spare time to call for another maintenance window). But at the same time waiting for too long, at least with others, will also cause a headache.

reddit.com
u/Apachez — 8 days ago

Primary and Secondary DNS with cluster

If I have a cluster of two TDNS servers, am I correct in thinking that, for my DHCP advertised DNS servers, I can use one as primary and the other as secondary?

reddit.com
u/helical_coil — 11 days ago

DNS Server -- DHCP logs show continual assignments

Technitium keeps assigning ip addresses to one google client.

Fresh LXC install with restored setting file.

````

026-06-27 06:42:20 UTC] Logging started.
[2026-06-27 06:42:20 UTC] [10.10.10.111:56632] [admin] All log files were deleted.
[2026-06-27 06:42:20 UTC] DHCP Server successfully saved scope file: /etc/dns/scopes/Default.scope
[2026-06-27 06:42:20 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.2] to [1C-53-F9-13-AF-B3] for scope: Default
[2026-06-27 06:42:25 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.2] to [1C-53-F9-13-AF-B3] for scope: Default
[2026-06-27 06:42:27 UTC] [0.0.0.0:68] DHCP Server offered IP address [10.10.21.1] to wlan0 [CC-8C-BF-55-E7-63] for scope: Default
[2026-06-27 06:42:28 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.1] to wlan0 [CC-8C-BF-55-E7-63] for scope: Default
[2026-06-27 06:42:28 UTC] DHCP Server updated DNS A record 'TuyaE763.lan.718homelab.net' with IP address [10.10.21.1].
[2026-06-27 06:42:28 UTC] DHCP Server updated DNS PTR record '1.21.10.10.in-addr.arpa' with domain name 'TuyaE763.lan.718homelab.net'.
[2026-06-27 06:42:29 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.2] to [1C-53-F9-13-AF-B3] for scope: Default
[2026-06-27 06:42:30 UTC] DHCP Server successfully saved scope file: /etc/dns/scopes/Default.scope
[2026-06-27 06:42:33 UTC] Saved zone file for domain: lan.718homelab.net
[2026-06-27 06:42:33 UTC] Saved zone file for domain: 10.10.in-addr.arpa
[2026-06-27 06:42:33 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.2] to [1C-53-F9-13-AF-B3] for scope: Default
[2026-06-27 06:42:38 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.2] to [1C-53-F9-13-AF-B3] for scope: Default
[2026-06-27 06:42:40 UTC] DHCP Server successfully saved scope file: /etc/dns/scopes/Default.scope
[2026-06-27 06:42:42 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.2] to [1C-53-F9-13-AF-B3] for scope: Default
[2026-06-27 06:42:46 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.2] to [1C-53-F9-13-AF-B3] for scope: Default
[2026-06-27 06:42:50 UTC] DHCP Server successfully saved scope file: /etc/dns/scopes/Default.scope
[2026-06-27 06:42:50 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.2] to [1C-53-F9-13-AF-B3] for scope: Default
[2026-06-27 06:42:55 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.2] to [1C-53-F9-13-AF-B3] for scope: Default
[2026-06-27 06:42:59 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.2] to [1C-53-F9-13-AF-B3] for scope: Default
[2026-06-27 06:43:00 UTC] DHCP Server successfully saved scope file: /etc/dns/scopes/Default.scope
[2026-06-27 06:43:03 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.2] to [1C-53-F9-13-AF-B3] for scope: Default
[2026-06-27 06:43:08 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.2] to [1C-53-F9-13-AF-B3] for scope: Default
[2026-06-27 06:43:10 UTC] DHCP Server successfully saved scope file: /etc/dns/scopes/Default.scope
[2026-06-27 06:43:12 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.2] to [1C-53-F9-13-AF-B3] for scope: Default
[2026-06-27 06:43:16 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.2] to [1C-53-F9-13-AF-B3] for scope: Default
[2026-06-27 06:43:20 UTC] DHCP Server successfully saved scope file: /etc/dns/scopes/Default.scope
[2026-06-27 06:43:20 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.2] to [1C-53-F9-13-AF-B3] for scope: Default
[2026-06-27 06:43:25 UTC] [0.0.0.0:68] DHCP Server leased IP address [10.10.21.2] to [1C-53-F9-13-AF-B3] for scope: Default
````
reddit.com
u/Ok_Specialist1784 — 9 days ago

Issue with UDP 53 not responding, TCP 53 works fine

I have been trying to figure out why zone transfers will fail occasionally between the primary and secondary. Also, nslookup against the secondary will fail.

After spending several hours digging into the issue I have found the problem, but not sure how to fix.

Primary is running in Docker on my NAS IP 10.0.10.20
Secondary is running on Win 11 IP 10.0.10.10

After doing DNS client tests from the primary to the secondary, I found that TCP works, UDP fails every time. Same issue from any client as well.

My secondary is a special creature. It is a PC running the following
NIC 1 10.0.10.10 with full routing table and gateway
Wireguard Server (WS4W) with ICS
Tailscale

NIC 2 10.0.12.6 has no gateway and is on the VLAN with my cameras. This is to minimize RTSP traffic across my router between BlueIris and the cameras
BlueIris

ICS also uses UDP 53 which is causing DNS requests to fail due to the port conflict. If I disable ICS, UDP works immediately.

https://preview.redd.it/ac9kj8nuv79h1.png?width=1142&format=png&auto=webp&s=a72a132412495cf7931e58a867c43f50f49d1c3b

Any suggestions on how I can make this work?

EDIT: I ordered a GL.inet Brume 3 to take over the VPN duties. That should fix the issue, as ICS won't be needed any longer.

Need to convince the wife that I need a redundant NAS for data security, then I can move my secondary DNS to it, and of course keep a redundant copy of my data there.

reddit.com
u/Temporary-Cherry-282 — 12 days ago

Technitium/dns-server with clustering

After reading https://blog.technitium.com/2025/11/understanding-clustering-and-how-to.html I got some questions :-)

What would you say would be the drawback to setup 2x or more technitium/dns-server in a cluster?

Or a variant of above - for those of you who tried clustering in the wild, what drawbacks have you experienced?

Since the "Primary Node IP Address" is a single entry does this mean that the sync between two nodes can only use one physical path?

There is no way to have it like "use PROD while it works but if that fails try to use MGMT as last resort to sync config"?

When you break up a cluster - what will happen to each node?

Like the catalog zone where you have put your zones that will be autosynced within the cluster.

Will each node extract those and place as regular zones or will the content of the catalog zone be lost?

Or will the catalog zone remain but you must manually export/import each zone from within the catalog zone to become a regular zone?

u/Apachez — 12 days ago

Is tag:latest currently the same as tag:15.2.0 ?

Im trying to do some housekeeping of which images is used and instead of relying on tag:latest I try to figure out what is the actual latest version and fetch that tag.

This way I can also better track of what is actually being runned where.

So when I take backup of an image it will be stored as (for example) technitium_dns-server_15.2.0_260624.tar.gz

Any of you who happens to know if this is possible purely through CLI?

You can use "sudo podman inspect" to find out the digest of an image.

But I assume you then cant pull that with its current tag from a repo such as docker.io?

Currently Im doing a manual method of visiting https://hub.docker.com/r/technitium/dns-server and in the dropdown for Recent tags compare their digest.

Using the above manual method I found that for https://hub.docker.com/r/technitium/dns-server the digest between tag:latest and tag:15.2.0 is different - how come?

Is tag:latest newer than tag:15.2.0 when it comes to technitium/dns-server?

reddit.com
u/Apachez — 12 days ago