Technitium

Last updated on May 24, 2024

Technitium DNS Server is an open source authoritative as well as recursive DNS server that can be used for self hosting a DNS server for privacy & security. It works out-of-the-box with no or minimal configuration and provides a user friendly web console accessible using any modern web browser.

Personally I have switched from Pi-hole to Technitium in 2024.

Using docker compose

Make a directory, for example named technitium, and create a docker-compose.yml file in that folder. Add the config below.

services:
  dns-server:
    container_name: dns-server
    hostname: dns-server
    image: technitium/dns-server:latest
    # For DHCP deployments, use "host" network mode and remove all the port mappings, including the ports array by commenting>
    # network_mode: "host"
    ports:
      - "5380:5380/tcp" #DNS web console (HTTP)
      # - "53443:53443/tcp" #DNS web console (HTTPS)
      - "53:53/udp" #DNS service
      - "53:53/tcp" #DNS service
      # - "853:853/udp" #DNS-over-QUIC service
      - "853:853/tcp" #DNS-over-TLS service
      # - "443:443/udp" #DNS-over-HTTPS service (HTTP/3)
      # - "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2)
      # - "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal)
      # - "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy)
      # - "67:67/udp" #DHCP service
    environment:
      - DNS_SERVER_DOMAIN=dns-server #The primary domain name used by this DNS Server to identify itself.
      # - DNS_SERVER_ADMIN_PASSWORD=password #DNS web console admin user password.
      # - DNS_SERVER_ADMIN_PASSWORD_FILE=password.txt #The path to a file that contains a plain text password for the DNS web>
      # - DNS_SERVER_PREFER_IPV6=false #DNS Server will use IPv6 for querying whenever possible with this option enabled.
      # - DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 #The TCP port number for the DNS web console over HTTP protocol.
      # - DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 #The TCP port number for the DNS web console over HTTPS protocol.
      # - DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false #Enables HTTPS for the DNS web console.
      # - DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false #Enables self signed TLS certificate for the DNS web console.
      # - DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false #Enables DNS server optional protocol DNS-over-HTTP on TCP port 80>
      - DNS_SERVER_RECURSION=Allow #Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseS>
      # - DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 #Comma separated list of IP addresses or network addresses to deny >
      # - DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 #Comma separated list of IP addresses or network ad>
      - DNS_SERVER_ENABLE_BLOCKING=true #Sets the DNS server to block domain names using Blocked Zone and Block List Zone.
      - DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=true #Specifies if the DNS Server should respond with TXT records containing >
      - DNS_SERVER_BLOCK_LIST_URLS=!https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt, https://big.oisd.nl/, https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts, https://blocklistproject.github.io/Lists/ads.txt, https://blocklistproject.github.io/Lists/fraud.txt, https://blocklistproject.github.io/Lists/malware.txt, https://blocklistproject.github.io/Lists/phishing.txt, https://blocklistproject.github.io/Lists/ransomware.txt, https://blocklistproject.github.io/Lists/scam.txt, https://blocklistproject.github.io/Lists/tracking.txt, https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt, https://phishing.army/download/phishing_army_blocklist_extended.txt, https://shreshtait.com/newly-registered-domains/nrd-1w, https://shreshtait.com/newly-registered-domains/nrd-1m #A comma separated list of block list URLs.
      - DNS_SERVER_FORWARDERS=1.1.1.1, 1.0.0.1 #Comma separated list of forwarder addresses.
      # - DNS_SERVER_FORWARDER_PROTOCOL=Tls #Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson.
      # - DNS_SERVER_LOG_USING_LOCAL_TIME=true #Enable this option to use local time instead of UTC for logging.
    volumes:
      - config:/etc/dns
    restart: unless-stopped
    sysctls:
      - net.ipv4.ip_local_port_range=1024 65000

volumes:
    config:

Then all you need to do is run docker compose up -d and login on servers IP address at port 5380.

Using Automated Installer / Updater

Automated installer script can be used to install or update the DNS Server. The automated installer script has been tested on following distros:

• Ubuntu Server (x64)
• Ubuntu Desktop (x64)
• Raspbian (Buster) (ARM32)
• CentOS 8.2 (2004) (x64)
• Fedora Server 32 (x64)

The installer script may work on other distros and platforms as well.

curl -sSL https://download.technitium.com/dns/install.sh | sudo bash

Blocking

To block ads, malware, fraud, phising, tracking and so on you can go to Settings -> Blocking.

Here are the blocklists I’m personally recommend using.

!https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
https://big.oisd.nl/
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://blocklistproject.github.io/Lists/ads.txt
https://blocklistproject.github.io/Lists/fraud.txt
https://blocklistproject.github.io/Lists/malware.txt
https://blocklistproject.github.io/Lists/phishing.txt
https://blocklistproject.github.io/Lists/ransomware.txt
https://blocklistproject.github.io/Lists/scam.txt
https://blocklistproject.github.io/Lists/tracking.txt
https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
https://phishing.army/download/phishing_army_blocklist_extended.txt
https://shreshtait.com/newly-registered-domains/nrd-1w
https://shreshtait.com/newly-registered-domains/nrd-1m