Using Technitium DNS as Your Recursion Server
What is Technitium DNS Server
Technitium DNS Server is a modern, open source DNS server that works as both an authoritative and a recursive server. You can use it at your ISP as a recursion server for your customers and/or point your domains at it and run it as your own authoritative DNS server. It caches answers and is super simple to install; it runs on Windows as well as Linux and works quite well. It can also block DNS entries from block lists, very much like Pi-hole, but configuring it as an ISP-grade recursion server is simple because out of the box it resolves from the root servers, rather than forwarding to 1.1.1.1 or some other upstream the way Pi-hole does.
It also supports the modern encrypted transports: DNS-over-TLS, DNS-over-HTTPS and DNS-over-QUIC. All three protect lookups on the wire from eavesdropping and tampering, if that is something you want to offer your clients. I really want my DNS server to be "quick", so I always add DNS-over-QUIC support as well, since QUIC sets up a connection in fewer round trips than TCP plus TLS and is the lowest-latency of the three.
Authoritative vs Recursive
OK, what do these big words mean? Let's start with recursive. A recursive server is the one that answers any and all queries for its clients, and it is what you as an ISP should have in place for all of your customers. It goes out and gets the answers on the client's behalf, and it normally caches, or stores, those records for the time the zone owner allows (the record's TTL), during which it already has the answer in memory for the next client that asks. This is called a caching recursive server. The answers it hands out are non-authoritative, because it is not the server responsible for the zone: it fetched them from the authoritative source, but since it is NOT that source it relays them as non-authoritative answers, as it should. Most ISPs run recursive servers and hand them out to their customers to provide fast and reliable DNS.
An authoritative server is one that hosts a domain; since it is the server of authority for that zone, it gives authoritative answers. Let's look at a domain, say mikrotikrouter.com. The registrar, the place where you register the domain, publishes the name servers for it, which tells resolvers where to look for the server responsible for that domain (the recursive server finds this delegation by starting at the root servers and walking down through the .com servers). For mikrotikrouter.com the authoritative servers are ns1.linktechs.net and ns2.linktechs.net. Your recursive server then queries ns1 or ns2 for mikrotikrouter.com and gets the answer. That reply is authoritative because it comes from the server that is responsible; your recursive server stores it according to its cache settings and the TTL on the record, hands a non-authoritative answer to the client, and that is how DNS gets us to the website.
What DNS Should you Run?
Well, that really depends on a number of factors. In my opinion, given the attacks that have hit Cloudflare and AWS, I would prefer to self-host my authoritative DNS. There are reasons to do this and reasons not to. If you lump yourself in with everyone else on a service like Cloudflare DNS, that service becomes a massive target for someone who wishes to do harm to the internet: take it down, and how many websites go down with it? On the other hand, since they are such a large service, they have the mitigation capacity to keep that from happening. Bandwidth is another consideration. A small operator has far less of it, so we could be attacked and suffer the same outage, and I don't think I have enough bandwidth, time, or security experts to keep that from harming me; then again, if I host only a few domains, am I worth attacking? Touché, huh?
As far as an ISP is concerned, every ISP should have recursion servers, two of them, not one. Place them at the top of your network, or at a common location that your customers reach with low latency: faster access means faster DNS. Recursion servers need some love, and in particular they must be protected from the public internet (an open resolver gets abused as an amplification source for attacks on other people), which is covered in the configuration section below.
Why Should I Care?
DNS simply runs the internet. No DNS means no internet for 99.99% of the people out there. So if you do not provide DNS to your customers as an ISP, you have a potential issue on your hands. I have lots of ISPs that run Google DNS or Cloudflare, and while that gets you by, the question is: is Google or Cloudflare within your circle of influence? I know, what does that mean? It means that if there is an issue or question about the service, is there a phone number, an email, something? Can you tell them, "I am not paying anything for your free service, but something is not right, fix it"? Of course you can tell them that, but will your statement carry any weight? Both services are free; yes, they care if someone can't reach them, but honestly, do you think you will get something fixed in a timely manner? From my experience, the answer is no.
Google Issue Resolution Time
We had Google DNS hit some kind of "routing issue". They corresponded with us by email and even confirmed it, but it took about five days to get that far, and then they said they would be doing maintenance on the affected device in three weeks, after which it should be corrected! What?! Three weeks! Yep, that's what they said. Keep in mind it's a free service, so do I expect an instant resolution? No, of course not, but this is what drove me and the customer to install our own DNS servers. Hence this article.
So now back to Technitium DNS Server
So, when I was looking at DNS servers, this one stood out. A number of ISPs use Simple DNS (a paid Windows application) that does everything this does, but Technitium does it all at zero cost, and it runs on Windows as well as Linux. It also has a configurable cache out of the box and resolves from the root servers by default instead of forwarding like Pi-hole does, so it is a one-two punch against Pi-hole. It is just as simple to install, one command, and is fairly lightweight.
Some of our customers were running Pi-holes with Unbound behind them as the recursive resolver so they could resolve from the root servers. We also had to tweak the Pi-hole config files, since the ISP's query volume needed more caching. That worked quite well, but the next question is whether we can do all of that inside one application without hand-editing settings. Furthermore, some of these customers use Simple DNS as their authoritative servers, so it is possible to drop two Windows VMs and go with a pair of Linux VMs running Technitium DNS instead.
Saving CPU by not running Windows VMs, saving disk space, and running all open source sounds super nice. One web interface instead of several is also nice, and since Pi-hole really came about for DNS blocking and Technitium DNS can do that as well using the SAME lists, heck, it's a win-win!
So how to install Technitium DNS Server
In our case we spun up an Ubuntu 24 container, but you can spin up a VM; that is up to you and your environment. We put a public IP on it, on our public VLAN, and got it ready. This was a temporary public IP so we could load and test it; later we will change it to our primary DNS IP (currently running Pi-hole). Once Ubuntu is up and running, do your updates:
sudo apt update
sudo apt upgrade -y
This should get you up to date, as always. Then you can install the Technitium DNS server.
curl -sSL https://download.technitium.com/dns/install.sh | sudo bash
===============================
Technitium DNS Server Installer
===============================
Updating ASP.NET Core Runtime...
ASP.NET Core Runtime was updated successfully!
Downloading Technitium DNS Server...
Updating Technitium DNS Server...
ICU package is already installed.
Restarting systemd service...
Technitium DNS Server was installed successfully!
Open http://dns1:5380/ to access the web console.
Well, was that not simple? Yep, it's installed and running. Two notes before going further: if you would rather not pipe a script straight into a root shell, download install.sh first, read it, and then run it; and since this box sits on a public IP, set a strong admin password on your first login to the web console and do not leave port 5380 reachable from the public internet.
Updating to DNS-over-QUIC
To add DNS-over-QUIC support, you need Microsoft's libmsquic library, which comes from Microsoft's package repository rather than Ubuntu's. Add the repository and install it as follows:
source /etc/os-release
wget https://packages.microsoft.com/config/$ID/$VERSION_ID/packages-microsoft-prod.deb -O packages-microsoft-prod.deb -4
sudo dpkg -i packages-microsoft-prod.deb
rm packages-microsoft-prod.deb
sudo apt update
sudo apt install libmsquic -y
sudo apt upgrade -y
The first line loads $ID and $VERSION_ID (for example ubuntu and 24.04) from /etc/os-release so the wget URL points at the right repository package; without it those variables are empty and the download fails. You wget the package, install it with dpkg, delete the .deb, run apt update to pick up the new repository, and then install libmsquic; I also run upgrade -y to make sure everything is current. Installing libmsquic only makes the QUIC transport available: to actually serve DNS-over-QUIC you still have to enable it in the server's settings and give the server a TLS certificate, which is outside the scope of this article.
Configuration of Technitium DNS
95% of the configuration is already done for you. It's a high-performance DNS server, primarily a recursion server, but you need to lock down who may use the recursion. Normally recursion is restricted to private IP ranges (the default), which is right for a home or office box, but as an ISP you need your public customer blocks listed as well. Go to Settings, Recursion.

Here you can switch recursion to use a specified network access control list (ACL); that list is the set of networks allowed to recurse. Put every range you serve, both IPv4 and IPv6, into this block in CIDR form and save it. That allows all of your public customer IPs to recurse, while anyone outside the list (the rest of the internet) is refused, so your server does not become an open resolver that can be abused for amplification attacks.
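To check the ACL from the outside, here is an added example (mine, not part of Technitium) that hand-builds a DNS query with the recursion-desired bit set and reads the reply header: a properly locked-down server answers REFUSED to a client outside the ACL, while a client inside it gets NOERROR with the recursion-available flag set. The query name example.com and the default target 127.0.0.1 are placeholders; point it at your server's IP and run it once from inside your ranges and once from an address outside them.

```python
"""Open-resolver check: one recursive UDP query, then classify the reply header."""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234, rd: bool = True) -> bytes:
    """Build a single-question DNS query (qtype 1 = A, class 1 = IN)."""
    flags = 0x0100 if rd else 0x0000          # QR=0, opcode=0, RD bit set
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(resp: bytes) -> dict:
    """Decode the 12-byte DNS header of a reply."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }


def classify(hdr: dict) -> str:
    """Verdict for the querying client: 'refused', 'open', or 'unknown'."""
    if hdr["rcode"] == "REFUSED":
        return "refused"
    if hdr["ra"] and hdr["rcode"] == "NOERROR" and hdr["answers"] > 0:
        return "open"
    return "unknown"          # e.g. SERVFAIL, NXDOMAIN, or NOERROR without data


def check_open_resolver(server: str, name: str = "example.com", port: int = 53,
                        timeout: float = 3.0) -> str:
    """Send one recursive query over UDP (IPv4 or IPv6) and classify the reply."""
    txid = random.randint(0, 0xFFFF)
    query = build_query(name, txid=txid)
    family, _, _, _, addr = socket.getaddrinfo(server, port, type=socket.SOCK_DGRAM)[0]
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, addr)
        resp, _ = sock.recvfrom(4096)
    hdr = parse_header(resp)
    if hdr["id"] != txid or not hdr["qr"]:
        raise ValueError("reply does not match our query")
    return classify(hdr)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"   # placeholder target
    print(f"{target}: recursion is {classify.__name__ and check_open_resolver(target)} for this client")
```

The server decides by source address, so the result only means something for the address you run it from: "refused" from outside your blocks and "open" from inside is what you want to see. The verdict keys on the REFUSED rcode first, since a denied client may still see the RA flag set.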
Next is cache sizing; go to Settings, Cache.
The only thing I would change here is Cache Maximum Entries. The default is 10,000, but for an ISP with many clients using it I would raise that to somewhere between 50,000 and 200,000. What you want is the largest value your allocated RAM supports. I allocated 8 GB since I have plenty, so I have RAM for days. A rough rule of thumb is 2 to 5 KB per cached entry, so 150,000 entries is about 300 to 750 MB of RAM. With heavier records, DNSSEC, and extra features, figure about 10 KB per entry, which puts 150,000 entries at up to 1.5 GB. 8 GB is plenty; even if RAM is tight, I would still give the server 2 to 4 GB to be safe. Note that the block lists in the next section also consume RAM.
Using Block Lists (if you want to)
As an ISP, you really should not block much, if anything. I have plenty of ISPs that do not block any DNS queries; if a customer wants to do that themselves, they can follow this article and go from there. Otherwise, what do I recommend blocking? I normally stick with adware and malware. Under Settings, Blocking, you can add allow and block list URLs. A URL listed there is a block list by default; to use it as an allow list instead, put ! in front of the URL, or simply don't add it. In this case I would use only the Steven Black [adware + malware] list that the server offers by default. It is a basic ad and malware block list, and I don't know of anyone who has an issue with blocking those. Add it here and hit save.
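To make the list semantics concrete, here is an added example (not Technitium's code) that parses a hosts-format list like Steven Black's, applies the ! allow-list convention, and decides whether a name is blocked. It assumes, as I understand Technitium's behaviour, that a blocked domain also blocks its subdomains and that an allow-list entry wins over a block-list entry for that name and its subdomains; verify that against your own server's Blocking page. The list contents and domain names below are constructed for the example, not real lists.

```python
"""Model how a hosts-format block list and a '!' allow list combine."""

BLOCK_LIST = """\
# constructed sample in hosts format (the format the Steven Black lists use)
0.0.0.0 ads.example
0.0.0.0 tracker.example.net
0.0.0.0 malware.example.org   # inline comment
127.0.0.1 localhost
"""

ALLOW_LIST = """\
# constructed sample: an allow list uses the same format
0.0.0.0 cdn.tracker.example.net
"""

# names every hosts file carries that must never become block entries
HOSTS_NOISE = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "0.0.0.0"}


def split_list_sources(entries):
    """Apply the '!' convention: '!URL' is an allow list, anything else a block list."""
    block, allow = [], []
    for entry in entries:
        entry = entry.strip()
        if entry.startswith("!"):
            allow.append(entry[1:])
        elif entry:
            block.append(entry)
    return block, allow


def parse_hosts_list(text):
    """Return the set of names in a hosts-format (or bare-domain) list."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        candidates = fields[1:] if len(fields) > 1 else fields   # skip the address column
        for name in candidates:
            name = name.lower().rstrip(".")
            if name and name not in HOSTS_NOISE:
                names.add(name)
    return names


def matches(name, listed):
    """True if name, or any parent domain of it, appears in listed."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in listed for i in range(len(labels)))


def is_blocked(name, blocked, allowed):
    """Allow-list match wins (assumption); otherwise block if the name or a parent is listed."""
    if matches(name, allowed):
        return False
    return matches(name, blocked)


def demo():
    """Evaluate a few probe names against the constructed lists."""
    blocked = parse_hosts_list(BLOCK_LIST)
    allowed = parse_hosts_list(ALLOW_LIST)
    probes = ["ads.example", "click.ads.example", "tracker.example.net",
              "cdn.tracker.example.net", "img.cdn.tracker.example.net",
              "example.net", "localhost"]
    return {p: is_blocked(p, blocked, allowed) for p in probes}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {'BLOCKED' if verdict else 'allowed'}")
```

The useful property to notice is the asymmetry: a block entry for tracker.example.net covers every subdomain, so a single allow entry for cdn.tracker.example.net is how you carve a needed host back out without dropping the whole list.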
Reviewing your setup
On the dashboard you will see total requests, request types, and plenty of other information. Note that the server does NOT store your queries by default; if you want query logging, there is an app (plugin) for it, and which one fits depends on what kind of server you have.

This is the main summary: how many zones you are authoritative for, how many entries are in your cache, and the big one, how many domains are on the block list.
The things to keep an eye on here are how much is in your cache and how much is being blocked.
Another thing to watch: by default there are queries-per-minute limits for IPv4 and IPv6 clients, under Settings, General. The defaults of 600 and 6000 are fine, but watch your list of top clients. If someone reaches that number, your dropped-query count will go up and that client will show up here. There is a box to exempt an IP or range from the limits, but I would not use it under normal operation; a client sustaining that rate is usually a misbehaving device or abuse, not a legitimate need.
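To see which clients would trip that limit, here is an added example (not Technitium's limiter, which is built in) that counts queries per client prefix per minute over a query log and reports the buckets above the threshold. The log line format, the prefix lengths used for aggregation (/24 for IPv4, /56 for IPv6) and the sample lines it builds are all assumptions of this example; adapt the parser to whatever your query-log app exports and use the 6000 from your own settings as the limit.

```python
"""Per-client-prefix, per-minute query counts over a query log, to spot limit offenders."""
import ipaddress
from collections import defaultdict

DEFAULT_LIMIT = 6000   # the per-client requests-per-minute figure from the General settings


def client_key(addr, v4_prefix=24, v6_prefix=56):
    """Aggregate a client address into the prefix the limit is applied to (assumed lengths)."""
    ip = ipaddress.ip_address(addr)
    plen = v4_prefix if ip.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


def qpm_counts(lines, v4_prefix=24, v6_prefix=56):
    """Count queries per (client prefix, minute).

    Assumed line format: <ISO-8601 time> <client IP> <qtype> <qname>
    """
    counts = defaultdict(int)
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue                      # skip blank or malformed lines
        ts, client = parts[0], parts[1]
        minute = ts[:16]                  # YYYY-MM-DDTHH:MM
        counts[(client_key(client, v4_prefix, v6_prefix), minute)] += 1
    return dict(counts)


def clients_over_limit(lines, limit=DEFAULT_LIMIT, **prefixes):
    """Return {(prefix, minute): count} for buckets above the limit, busiest first."""
    over = {k: n for k, n in qpm_counts(lines, **prefixes).items() if n > limit}
    return dict(sorted(over.items(), key=lambda kv: kv[1], reverse=True))


def sample_log():
    """Constructed log lines: one /24 hammering the server, everyone else behaving."""
    lines = []
    for i in range(50):
        lines.append(f"2024-05-01T10:00:{i % 60:02d}Z 203.0.113.10 A host{i}.example.com")
    for i in range(5):
        lines.append(f"2024-05-01T10:00:3{i}Z 203.0.113.77 AAAA www.example.net")
    for i in range(10):
        lines.append(f"2024-05-01T10:00:{i:02d}Z 198.51.100.5 A cdn.example.org")
    for i in range(3):
        lines.append(f"2024-05-01T10:00:4{i}Z 2001:db8:1::{i + 1} A www.example.com")
    lines.append("2024-05-01T10:01:02Z 203.0.113.10 A host.example.com")
    lines.append("")   # a blank line, to show malformed input is skipped
    return lines


if __name__ == "__main__":
    # limit lowered to 40 so the small constructed sample actually trips it
    for (prefix, minute), n in clients_over_limit(sample_log(), limit=40).items():
        print(f"{minute} {prefix} {n} queries")
```

Aggregating by prefix is what makes two hosts in the same /24 (203.0.113.10 and 203.0.113.77 above) count together, which is also why a whole customer block behind one NAT or one noisy subnet can hit the limit even though no single host looks busy.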
So what have we Done ?
Well, we installed Technitium DNS Server, configured it for a larger cache, and added a block list (if wanted) to your ISP DNS server. Now the only things left are to put it on its production public IP and/or duplicate it for your secondary server. Once both servers are configured, put them into production via DHCP or whatever means you use. Remember, fast DNS = fast internet, and how fast depends directly on how close the DNS server is to the customers.
About Link Technologies, Inc.
Link Technologies Inc has been in business for just under 20 years. We provide MikroTik, 9Dot, and NetPoint antenna hardware and various other hardware and software solutions. We focus on MikroTik hardware, with several engineering-level consultants here to serve our customers and provide those services. "Find a need and fill a need" is our motto, which led us to design software such as TowerCoverage.com to fulfill customer needs for RF propagation software that integrates web-based tower mapping and end-user customer inquiries. We also operate https://cloud.linktechs.net, providing a MikroTik-based cloud management solution with backups and monitoring, and a full enterprise-grade backup solution to many industries.
Our customers include ISPs, fiber operators, hotels, casinos, healthcare, MSP businesses, and credit unions. Our solutions include zero-trust networking, firewalling, BGP, VPLS, MPLS, OSPF, RIP, MikroTik, Cisco, Juniper, web proxy, backup services, and hosting of email and servers. We also sell rack space in our dedicated data center in House Springs, MO, and provide on-site MikroTik and operational training services.
https://shop.linktechs.net – On-Line Shopping / Website
https://cloud.linktechs.net – MikroTik Cloud Services
https://towercoverage.com – On-Line RF Propagation Mapping
How to Contact Us
Phone: (314) 735-0270
E-Mail: sales@linktechs.net