First draft:
Install Technitium on Nethserver 7
Starting from a clean, up-to-date Nethserver 7 installation.
Install Docker and docker-compose
yum install nethserver-docker
curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
Compare the downloaded binary against the SHA-256 checksum published on the same release page before marking it executable; curl alone does not verify what it fetched.
Install Technitium
mkdir /opt/technitium
cd /opt/technitium
nano docker-compose.yml
version: "3"
services:
  dns-server:
    container_name: dns-server
    hostname: dns-server
    image: technitium/dns-server:latest
    # Use "host" network mode for DHCP deployments
    # network_mode: "host"
    ports:
      - "5380:5380/tcp" #DNS web console
      - "5335:53/udp" #DNS service
      - "5335:53/tcp" #DNS service
      # - "67:67/udp" #DHCP service
      # - "853:853/tcp" #DNS-over-TLS service
      # - "443:443/tcp" #DNS-over-HTTPS service
      # - "80:80/tcp" #DNS-over-HTTPS service certbot certificate renewal
      # - "8053:8053/tcp" #DNS-over-HTTPS using reverse proxy
    environment:
      - DNS_SERVER_DOMAIN=dns-server #The primary domain name used by this DNS Server to identify itself.
      # - DNS_SERVER_ADMIN_PASSWORD=password #DNS web console admin user password.
      # - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web console admin user.
      # - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled.
      # - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx.
      # - DNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworks.
      # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworks` recursion option.
      # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworks` recursion option.
      # - DNS_SERVER_ENABLE_BLOCKING=false #Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
      # - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false #Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests.
      # - DNS_SERVER_FORWARDERS=1.1.1.1, 8.8.8.8 #Comma separated list of forwarder addresses.
      # - DNS_SERVER_FORWARDER_PROTOCOL=Tcp #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
    volumes:
      - config:/etc/dns/config
    restart: unless-stopped
volumes:
  config:
docker-compose up -d
docker network connect aqua dns-server
Make sure Technitium is up and running
- Browse to http://your_ip:5380
- Change/set the admin password
The compose file above publishes the web console (5380) and the DNS service (5335) on every host interface, and the console is plain HTTP. If the Neth box has a red (WAN) interface, confirm from outside that 5380 is not reachable, or bind the host side of those port mappings to the LAN address instead of all interfaces.
Create a test record
- In the Technitium UI, create a zone for example.com
- Create a TXT record for test.example.com with a random value of your choice
- From another computer on your network, run dig @neth_ip -p 5335 txt test.example.com. You should get output like this:
dan@Dan-MacBook-Pro-2013 ~ dig @192.168.1.218 -p 5335 txt test.example.com
; <<>> DiG 9.10.6 <<>> @192.168.1.218 -p 5335 txt test.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41308
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;test.example.com. IN TXT
;; ANSWER SECTION:
test.example.com. 3600 IN TXT "foo"
;; Query time: 74 msec
;; SERVER: 192.168.1.218#5335(192.168.1.218)
;; WHEN: Sat Oct 30 14:22:33 EDT 2021
;; MSG SIZE rcvd: 50
Tell Neth to use Technitium
mkdir -p /etc/e-smith/templates-custom/etc/dnsmasq.conf
nano /etc/e-smith/templates-custom/etc/dnsmasq.conf/25NameServers
#
# 25NameServers
#
# Don't read /etc/resolv.conf. Get upstream servers only from the
# command line or the dnsmasq configuration file.
no-resolv
# Specify the upstream server directly: Technitium, published by Docker on
# the host's loopback address at port 5335. Without "no-resolv" above,
# dnsmasq would also keep reading /etc/resolv.conf.
server=127.0.0.1#5335
# Send every query to all listed upstream servers at once and return the
# first reply. With a single upstream this changes nothing; if more
# server= lines are added later, any of them may answer, so list only
# resolvers you trust.
all-servers
signal-event nethserver-dnsmasq-update
Note
Unfortunately, it isn't currently possible to set a custom port on the DNS server without creating a custom template fragment like this. I'd expected to have been able to set it with config setprop dns NameServers 127.0.0.1#5335, but that breaks the dnsmasq template expansion.
Test
Run the same test as before, but without specifying the port number: dig @192.168.1.218 txt test.example.com. The results should be the same as before:
dan@Dan-MacBook-Pro-2013 ~ dig @192.168.1.218 txt test.example.com
; <<>> DiG 9.10.6 <<>> @192.168.1.218 txt test.example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16410
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;test.example.com. IN TXT
;; ANSWER SECTION:
test.example.com. 3600 IN TXT "foo"
;; Query time: 7 msec
;; SERVER: 192.168.1.218#53(192.168.1.218)
;; WHEN: Sat Oct 30 14:29:27 EDT 2021
;; MSG SIZE rcvd: 50
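To check the finished chain end to end rather than by eye, here is an added shell helper (example code written for this write-up, not from the original post, Technitium or Nethserver). It assumes the port layout above (Technitium published on host port 5335, dnsmasq on 53) and the custom 25NameServers fragment; the dig outputs and dnsmasq.conf snippets embedded in it are constructed samples. It verifies two things: that the rendered /etc/dnsmasq.conf forwards only to Technitium (no-resolv present, every server= line pointing at 127.0.0.1#5335, no resolv-file= line), and that the test record answered directly on 5335 and via dnsmasq on 53 is identical with NOERROR on both paths.

```bash
#!/bin/bash
# Verification helpers for the Technitium -> dnsmasq chain set up above.
# Example code added to this write-up, not part of the original post or of
# Technitium/Nethserver. Assumptions: Technitium is published on host port
# 5335 and dnsmasq answers on port 53, as configured above. Every sample
# below (dig outputs, dnsmasq.conf snippets) is constructed for this example.

# rcode from dig output (NOERROR, SERVFAIL, REFUSED, ...).
dig_status() {
  printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Value of the first TXT record in the ANSWER SECTION, quotes stripped.
dig_txt_answer() {
  printf '%s\n' "$1" | awk '
    /^;; ANSWER SECTION:/ { inans = 1; next }
    inans && $4 == "TXT" { sub(/^[^"]*"/, ""); sub(/"$/, ""); print; exit }'
}

# Port of the server that answered, taken from the ";; SERVER:" line.
dig_server_port() {
  printf '%s\n' "$1" | sed -n 's/^;; SERVER: [^#]*#\([0-9]*\)(.*/\1/p' | head -n 1
}

# Check that a rendered dnsmasq.conf (passed as text) forwards only to
# Technitium: no-resolv present, every server= line naming the expected
# upstream, and no resolv-file= line re-introducing /etc/resolv.conf.
# A stray server= from another fragment would let queries bypass Technitium.
check_dnsmasq_conf() {
  local conf=$1 expected=${2:-"127.0.0.1#5335"} upstreams u rc=0
  printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*no-resolv[[:space:]]*$' \
    || { echo "missing no-resolv: dnsmasq would still read /etc/resolv.conf"; rc=1; }
  if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*resolv-file='; then
    echo "resolv-file= present"; rc=1
  fi
  upstreams=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*server=\([^[:space:]]*\).*/\1/p')
  [ -n "$upstreams" ] || { echo "no server= line"; rc=1; }
  for u in $upstreams; do
    [ "$u" = "$expected" ] || { echo "unexpected upstream: $u"; rc=1; }
  done
  return $rc
}

# Compare a direct query to Technitium (port 5335) with one that went through
# dnsmasq (port 53): both NOERROR, same TXT value, and the SERVER: lines must
# show the expected ports, so a silent fallback to another resolver is caught.
compare_answers() {
  local direct=$1 via=$2 s1 s2 a1 a2
  s1=$(dig_status "$direct"); s2=$(dig_status "$via")
  [ "$s1" = NOERROR ] && [ "$s2" = NOERROR ] \
    || { echo "status: direct=$s1 via=$s2"; return 1; }
  a1=$(dig_txt_answer "$direct"); a2=$(dig_txt_answer "$via")
  [ -n "$a1" ] && [ "$a1" = "$a2" ] \
    || { echo "answer mismatch: direct='$a1' via='$a2'"; return 1; }
  [ "$(dig_server_port "$direct")" = 5335 ] && [ "$(dig_server_port "$via")" = 53 ] \
    || { echo "unexpected server port in dig output"; return 1; }
  echo "OK: '$a1' is served identically on 5335 and 53"
}

# Live check against a running Neth box (needs dig and network; not run here):
#   live_check 192.168.1.218 test.example.com
live_check() {
  compare_answers "$(dig "@$1" -p 5335 txt "$2")" "$(dig "@$1" txt "$2")"
}

# Constructed samples, abbreviated from the dig output shown above.
SAMPLE_DIRECT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41308
;; ANSWER SECTION:
test.example.com. 3600 IN TXT "foo"
;; SERVER: 192.168.1.218#5335(192.168.1.218)'
SAMPLE_VIA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16410
;; ANSWER SECTION:
test.example.com. 3600 IN TXT "foo"
;; SERVER: 192.168.1.218#53(192.168.1.218)'
SAMPLE_CONF_GOOD='no-resolv
server=127.0.0.1#5335
all-servers'
SAMPLE_CONF_BAD='server=127.0.0.1#5335
server=8.8.8.8'   # no no-resolv, plus an upstream that bypasses Technitium

# Self-check on the samples: the good pair and conf pass; the bad conf
# reports two findings and fails.
compare_answers "$SAMPLE_DIRECT" "$SAMPLE_VIA"
check_dnsmasq_conf "$SAMPLE_CONF_GOOD" && echo "sample dnsmasq.conf OK"
if check_dnsmasq_conf "$SAMPLE_CONF_BAD"; then echo "BUG: bad conf accepted"; exit 1; fi
```

On the Neth box, run check_dnsmasq_conf "$(cat /etc/dnsmasq.conf)" after signal-event to catch an upstream left behind by another template fragment, and live_check with the Neth IP and the test name from a LAN client. A stray server= line matters because dnsmasq would then hand some queries to a resolver that applies none of Technitium's blocking or logging.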
Conclusion
Technitium is now up and running on your Neth server, and DNSMasq on the Neth server is configured to use Technitium as its upstream DNS provider. From here, you’re on your own.