Technitium DNS Server (TDNS) has gotten a new release with many awesome features: TOTP authentication, an upgraded .NET library, and many security and performance fixes.

But most important of all, it now supports clustering. A long-awaited feature, this allows Technitium to sync DNS zones and configurations across multiple nodes, without needing an external orchestrator like Kubernetes, or an out-of-band method to replicate underlying data. For selfhosters, this would enable resilience for many use cases, such as internal homelab adblocks or even selfhosting your public domains.

From a discussion with the developer and his sneak peek on Reddit, it is now known that the cluster is set up as a single-primary/multiple-secondary topology. They communicate via good-old REST API calls, and transported via HTTPS for on-the-wire encryption.

To sync DNS zones (i.e. domains), the primary server provisions the “catalog” of domains, and the secondaries then pull the records dynamically through a method known as Zone Transfers. This feature, standardized as Catalog Zones (RFC 9432), has actually been supported since the previous v13 release as groundwork for the current implementation.

As an interesting result, nodes can sync to a cluster’s catalog zone, as well as define their own zones and even employ other catalog zones from outside the cluster. This would allow setups where, for example, some domains are shared between all nodes, and some others only between a subset of servers.

To sync the rest of the data such as blocklists, allowlists, and installed apps, the software simply sends over incremental backups to secondaries. The admin UI panel is also revamped to improve multi-node management: it now allows logging in to other cluster nodes, as well as collating some aggregated statistics for the central Dashboard. Lastly, a secondary node can be promoted to primary in case of failures, with signing keys also managed within for a seamless transition of DNSSEC signed zones.

More details about configuring clusters are to be provided in a blog post in the upcoming days. It is important to note that this feature only supports DNS stuff, and not DHCP just yet (Technitium is also a DHCP server). This, along with DHCPv6 and auto-promotion rules for secondaries, is planned for the upcoming major release(s) later on.

As a single-person copyleft project, the growth of this absolute gem of a piece of software has been tremendous, and can only get better from here. I personally can’t wait to try it out soon.

Disclaimer: I’m just a user, not the maintainer of the project. Information here may be updated for correctness, and you can repost this wherever you like.
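
As an added illustration of the RFC 9432 catalog zone mechanism the post describes (example code written for this thread, not Technitium’s own implementation): the primary publishes each member zone as a PTR record under `zones.<catalog>`, and a secondary parses the catalog to learn which zones it should transfer. The catalog name, nameserver, SOA timers and member zones below are constructed sample values.

```python
import hashlib

def member_label(zone):
    """Unique owner label for a member zone.
    RFC 9432 only requires the label to be unique; hashing the canonical
    zone name (a convention BIND uses, with SHA-1) makes it deterministic."""
    canon = zone.rstrip(".").lower() + "."
    return hashlib.sha1(canon.encode()).hexdigest()

def build_catalog_zone(catalog, primary_ns, members, serial=1):
    """Primary side: return catalog zone records as (owner, type, rdata) tuples."""
    records = [
        # SOA timers are constructed sample values
        (catalog, "SOA", f"{primary_ns} hostmaster.{catalog} {serial} 3600 600 2419200 300"),
        # RFC 9432 requires an NS record but never uses it; "invalid." is customary
        (catalog, "NS", "invalid."),
        # schema version: RFC 9432 catalogs use version "2"
        (f"version.{catalog}", "TXT", '"2"'),
    ]
    for zone in members:
        owner = f"{member_label(zone)}.zones.{catalog}"
        records.append((owner, "PTR", zone.rstrip(".") + "."))
    return records

def to_zonefile(records):
    """Serialize records in a simple one-record-per-line zone file layout."""
    return "\n".join(f"{owner}\tIN\t{rtype}\t{rdata}" for owner, rtype, rdata in records) + "\n"

def parse_member_zones(zonefile_text, catalog):
    """Secondary side: map each unique label to its member zone.
    Refuses catalogs whose version is missing or unsupported, as the RFC requires."""
    version, members = None, {}
    suffix = ".zones." + catalog
    for line in zonefile_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "IN":
            continue
        owner, rtype, rdata = parts[0], parts[2], " ".join(parts[3:])
        if rtype == "TXT" and owner == f"version.{catalog}":
            version = rdata.strip('"')
        elif rtype == "PTR" and owner.endswith(suffix):
            members[owner[: -len(suffix)]] = rdata
    if version != "2":
        raise ValueError(f"unsupported catalog zone version: {version!r}")
    return members

if __name__ == "__main__":
    zf = to_zonefile(build_catalog_zone("catalog.example.", "ns1.example.", ["home.lan", "corp.example.com."]))
    print(zf)
    print(parse_member_zones(zf, "catalog.example."))
```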

  • non_burglar@lemmy.world · 5 points · 13 hours ago

    It already could sync zones, I’ve been doing primary -> secondary zone transfers for at least two years.

    It didn’t sync lists and other configs, though. That’s new.

  • clb92@feddit.dk · 3 points · 13 hours ago

    I am about to install a second Technitium instance, so this is great timing.

    • tvcvt@lemmy.ml · 5 points · 13 hours ago

      Technitium is a recursive DNS resolver with a nice web UI. If you’re familiar with PiHole or AdGuard Home, you can think of it in that genre, but much more full-featured.

        • tvcvt@lemmy.ml · 1 point · 47 minutes ago

          I use it like I might use unbound or dnsmasq, but I’d think of it more like bind. It can be used as a recursive or authoritative resolver. It supports all kinds of protocols (DoT, DoH, DNSSEC, etc.). Handles zone transfers easily. It’s pretty slick. Definitely worth a look.

  • ohshit604@sh.itjust.works · 2 points · 13 hours ago

    If only reverse proxying Technitium wasn’t a pain in the ass to do, I would actually use it. Maybe one day they’ll fix the login issues; until then PiHole works.

    • stratself@lemdro.id (OP) · 2 points · 13 hours ago

      What issues did you have reverse-proxying? For me it was just as simple as pointing to port 5380. Other ports like 53 could be passed on with a layer-4 router.

      What about the login issues? I’d hope they’ll be integrating with OIDC or some other auth mechanism, but for now managing 2FA creds should make do.

      • ohshit604@sh.itjust.works · 2 points · 12 hours ago

        This was a while ago so the details are fuzzy. I gave it Traefik’s docker labels on port :5380, but that didn’t seem to work. Then I read a bug report saying to give Traefik :8053, so I tried that and again it didn’t work, so I went back to :5380 and all of a sudden it reverse proxied, but my login wouldn’t work even though it worked when going to the LAN IP+port. I didn’t find much in terms of troubleshooting and documentation, so I eventually gave up on it.

        I have had terrible experiences with recursive DNS resolvers. PiHole+Unbound worked for maybe an hour, then would completely kill my internet access; the same essentially went for OPNsense. I had hope for Technitium, but alas didn’t feel the need to spend hours troubleshooting something that PiHole alone did with ease.

        • stratself@lemdro.id (OP) · 2 points · 11 hours ago

          Ah, I see. Well, I’m glad you found PiHole useful and stick to using it anyhow!

    • stratself@lemdro.id (OP) · 20 points · 18 hours ago

      Off the top of my head:

      • Allows using DoH/DoT/DoQUIC/recursive upstreams without installing extra packages (unbound, cloudflared, etc.)
      • Allows acting as a DoH/DoH3/DoT/DoQUIC server alongside normal DNS over UDP and TCP
      • Allows configuring SOCKS/HTTP proxies for forwarders
      • Acts as an authoritative zone server with DNSSEC signing
      • Allows custom responses via plugins (e.g. conditional responses based on clients’ IP addresses)
      • Accepts the PROXY protocol to forward client IPs from trusted load balancers
      • All the clustering and zone transfer magic
      • DNS64

      It really dives deep into the inner workings of DNS and does pretty much anything Pi-Hole does, with many more security and QoL features. Although the UI may feel a bit dated, I’d recommend it to anyone running their own homelab infrastructure beyond just adblocking.

    • comrade_twisty@feddit.org · 4 points · 19 hours ago (edited)

      One big advantage is that you don’t need to run unbound in addition, to free yourself from (commercial/non-profit) upstream DNS providers completely.

      • besmtt@lemmy.world · 2 up / 1 down · 18 hours ago

        Is this done by keeping recursion set to the default and leaving Forwarders blank?

  • besmtt@lemmy.world · 6 points · 19 hours ago

    I’d love to hear from anyone who has used this, especially if you moved from Pi-hole to Technitium. I run Pi-hole in an LXC and on a Pi 3B, and it’s mildly annoying to make changes or updates, so clustering has piqued my curiosity.

    • non_burglar@lemmy.world · 3 points · 13 hours ago

      I moved from pihole to technitium roughly two years ago. I was tired of pihole not doing “adult” DNS things, like zone transfers. Technitium is a real DNS server; pihole is just a resolver. You can create actual SOA and SRV records with technitium.

    • Barbecue Cowboy@lemmy.dbzer0.com · 3 points · 13 hours ago

      Plus side, the increase in functionality with technitium is drastic. Down side, the increase in functionality is drastic…

      You can do everything you’d want to do with pihole with technitium instead, but there’s a lot of additional advanced features that will have you reading a lot of documentation.

    • arcayne@lemmy.today · 5 up / 1 down · 18 hours ago

      I tried out Pi-hole many years ago, found it a bit too dumbed down and limited for my taste. I’ve been running Technitium for 5-ish years in my homelab; it’s been rock solid and very pleasant to work with. I’ve even deployed it at work for a few projects as well. Been waiting for the clustering feature for a while now, super stoked to see this release.