Mustafa Can Yücel

Running your Private DNS Server

Why Run Your Private DNS Server

Running a private DNS server and utilizing DNS over HTTPS (DoH) offer several compelling reasons for individuals and organizations concerned about privacy, security, and control over their internet activities. One key advantage of running a private DNS server is the ability to have complete control over your DNS resolution process. By hosting your own DNS server, you can manage and customize the domain name resolution for your network, ensuring faster response times and greater reliability. It also allows you to enforce custom filtering and blocking rules, protecting against malicious websites, ads, and unwanted content.

Furthermore, DNS over HTTPS (DoH) enhances privacy and security by encrypting DNS queries and responses. With traditional DNS, queries are sent in clear text, allowing intermediaries to intercept and potentially manipulate the data. DoH encrypts these communications, adding an extra layer of protection against eavesdropping, censorship, and unauthorized tracking. This is particularly crucial when using public or untrusted networks, as it prevents attackers on the path from reading or tampering with DNS data.

In addition, DoH helps bypass certain forms of DNS-based restrictions and filtering implemented by ISPs or governments. By encrypting DNS traffic, DoH can effectively bypass DNS-based blocks or censorship, enabling individuals to access websites and online services that might otherwise be restricted or inaccessible. This promotes freedom of expression, ensures access to information, and safeguards against unwarranted censorship.

Running a private DNS server and implementing DNS over HTTPS not only protects individual privacy but also contributes to a more resilient and decentralized internet infrastructure. By decentralizing DNS resolution and relying less on centralized DNS services, the internet becomes less susceptible to single points of failure, and the potential for data breaches or privacy violations by large DNS providers is reduced.

In summary, running a private DNS server and utilizing DNS over HTTPS offers greater control, improved privacy, enhanced security, and the ability to bypass censorship or filtering. These benefits empower individuals and organizations to safeguard their online activities, protect their data, and contribute to a more secure and decentralized Internet ecosystem.

Which Server To Use

There are several compelling reasons to consider using Technitium DNS Server as your preferred DNS server solution. Firstly, Technitium DNS Server is open-source software, which means it is freely available and allows for community contributions and improvements. This fosters transparency, security, and accountability, as users have access to the source code and can verify its integrity.

Secondly, Technitium DNS Server offers a range of advanced features and customization options. It supports both authoritative and recursive DNS modes, allowing you to configure it according to your specific needs. It also supports DNSSEC (DNS Security Extensions), which enhances the security and integrity of DNS data by digitally signing DNS records. Additionally, Technitium DNS Server provides comprehensive logging and debugging capabilities, making it easier to troubleshoot and analyze DNS-related issues.

Furthermore, Technitium DNS Server prioritizes privacy and security. It includes built-in support for DNS over HTTPS (DoH), allowing you to encrypt DNS traffic and protect against eavesdropping and manipulation of DNS data. This ensures that your DNS queries and responses are transmitted securely, even when using untrusted networks. The server also supports DNS caching and response rate limiting, which can improve performance and mitigate the risk of DNS-based attacks such as DNS amplification.

Lastly, Technitium DNS Server offers cross-platform compatibility, running on Windows, Linux, and macOS. This flexibility allows you to deploy it on a variety of systems, ensuring its accessibility and usability across different environments. Additionally, the server has a user-friendly interface and straightforward configuration options, making it relatively easy to set up and manage for both experienced administrators and those new to DNS server administration.

In conclusion, Technitium DNS Server stands out as a robust and customizable DNS server solution. Its open-source nature, advanced features, emphasis on privacy and security, cross-platform compatibility, and user-friendly interface make it an attractive choice for individuals and organizations seeking a reliable and flexible DNS server solution.

Installing ASP.NET Runtime

Before you install .NET, run the following commands to add the Microsoft package signing key to your list of trusted keys and add the package repository:

wget https://packages.microsoft.com/config/debian/11/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
sudo dpkg -i packages-microsoft-prod.deb
rm packages-microsoft-prod.deb
Then we can install the .NET SDK 7.0:
sudo apt-get update && sudo apt-get install -y dotnet-sdk-7.0

Installing Technitium DNS Server

First, we need to download the latest version of the server from Technitium website. Then we extract it to /opt/technitium/dns:

wget https://download.technitium.com/dns/DnsServerPortable.tar.gz
sudo mkdir -p /opt/technitium/dns
sudo tar -zxf DnsServerPortable.tar.gz -C /opt/technitium/dns
We use the following commands to install it as a daemon:
sudo cp /opt/technitium/dns/systemd.service /etc/systemd/system/dns.service
sudo systemctl enable dns.service
sudo systemctl start dns.service
We can check if the DNS service is running:
systemctl status dns.service
If the daemon fails to start, check the systemd log entries to find the cause:
journalctl --unit dns --follow

Opening Ports

By default, Technitium uses the following ports:

  • 5380/tcp (for web console access)
  • 53443/tcp (for web console HTTPS access)
  • 53/udp (default DNS service)
  • 53/tcp (default DNS service)
  • 853/udp (DNS-over-QUIC service)
  • 853/tcp (DNS-over-TLS service)
  • 443/udp (DNS-over-HTTPS service over HTTP/3)
  • 443/tcp (DNS-over-HTTPS service over HTTP/1.1 and HTTP/2)
  • 80/tcp (DNS-over-HTTP service for reverse proxy or certificate renewal HTTP challenge)
  • 67/udp (if you plan to use the built-in DHCP server)
We are going to use a reverse proxy to access both the web console and the DNS-over-HTTPS, so we do not need to open any new ports. If you want to use DNS-over-TLS, you should open port 853/tcp.

Caddy Configuration

Similar to our previous posts, we will create a reverse proxy for our Technitium DNS Server. In this way, we will be able to connect to the URL dns.example.com over HTTPS, while the connection between the DNS server and Caddy can stay unencrypted since it takes place within the localhost. We will create the configuration such that if the user navigates to the root of the subdomain (i.e. dns.example.com), the request is proxied to port 5380, which is the default web console port of Technitium (the console itself speaks plain HTTP; Caddy terminates TLS in front of it, so the browser still sees HTTPS). If the user navigates to the /dns-query path, it will be proxied to port 53, which is the default DNS port.

The initial Caddy configuration is as follows (remember that the Caddyfile is located in the /etc/caddy directory):

dns.mustafacanyucel.com {
    reverse_proxy localhost:5380
}
This will allow us to access the web console of the Technitium DNS Server over HTTPS (Do not forget to add an A record to your DNS provider for the domain dns.example.com).

Configuring the DNS Server for Privacy and Security

Technitium DNS Server supports a variety of privacy and security features, including DNSSEC, DNS over HTTPS (DoH), DNS over TLS (DoT), DNS over QUIC (DoQ), plain DNS over HTTP (for use behind a TLS-terminating reverse proxy), DNS caching, and response rate limiting. These features help protect against DNS-based attacks and enhance the security and privacy of DNS traffic. This section explains how to configure them in Technitium DNS Server.

DNS servers and clients typically use UDP or TCP protocols to exchange unencrypted requests and responses. This means that anyone on the network can easily observe these requests and potentially manipulate them by sending falsified responses. Media reports have highlighted numerous instances of DNS hijacking carried out by malware, compromised home Wi-Fi routers, or even certain Internet Service Providers (ISPs). Some ISPs have been known to redirect users to customized search pages instead of Google Search, inject advertisements on non-HTTPS websites, and even employ their DNS servers to block access to certain websites as per government censorship orders.

To address these concerns, DNS-over-TLS and DNS-over-HTTPS protocols were developed and are currently offered by a few DNS providers, notably Cloudflare, Google, and Quad9. However, operating systems, applications, and web browsers do not natively support these protocols. By installing Technitium DNS Server on your computer or network, you can indirectly route all your application's DNS traffic through these secure protocols, thereby concealing your DNS activity from your ISP. In the following sections, we will explore how to configure the DNS Server to utilize these services and ensure secure domain name resolution on your computer or private networks.

Now we will navigate to the dns.example.com address and be prompted to enter a new password (the default username is admin, and can be changed later). Once we have entered a new password, we will go to the Settings in the UI. Browse through these settings to get familiar with the application.

In the Web Service tab, we change the local addresses to 127.0.0.1 because we are going to access the GUI through a reverse proxy.

In the Settings > General section, we need to define the DNS Server Domain and the DNS Server Local End Points. You can set the DNS Server Domain as dns.example.com. For the second option, we need to make a choice:

  • If we are going to use Technitium as DNS-over-HTTPS only, we can set this as 127.0.0.1:53, because we are going to define a reverse proxy and access it over localhost. This allows us to close the Technitium to the outside of the localhost.
  • If we are going to use DNS-over-TLS (which is currently the only encrypted option on Android, so if you plan to use your DNS server from Android, you have to), we need to set the DNS server local endpoints to 0.0.0.0:53 and [::]:53. This makes the DoT listener reachable from outside the localhost. This is a caveat of Technitium: it does not allow binding 0.0.0.0 for the TLS listener only, so plain port 53 is exposed as well. However, we already have a firewall, so we should be fine.
Since we are planning to use DoT, we will set the DNS Server Local End Points as 0.0.0.0:53 and [::]:53.
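The trade-off above (the console and the plain DNS-over-HTTP endpoint must stay on loopback, 853/tcp and Caddy's 443 are meant to be public, and 53 ends up on all interfaces only because DoT requires it) can be checked from the listening sockets after saving the settings. The following is an added example, not code from the post or from Technitium: it parses the output of ss -tulnp (the embedded listing is a constructed sample, not a capture) and grades each listener against that layout. The port 5353 DNS-over-HTTP endpoint and the process names are assumptions taken from the rest of this post.

```python
"""Audit Technitium listeners: which sockets are reachable from the network?

Run on the DNS host; falls back to the constructed sample when `ss` is absent.
"""
import subprocess

# Constructed sample of `ss -tulnp` output (NOT captured from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:53        0.0.0.0:*     users:(("DnsService",pid=1234,fd=10))
udp   UNCONN 0      0               [::]:53           [::]:*     users:(("DnsService",pid=1234,fd=11))
tcp   LISTEN 0      4096         0.0.0.0:53        0.0.0.0:*     users:(("DnsService",pid=1234,fd=12))
tcp   LISTEN 0      4096       127.0.0.1:5353      0.0.0.0:*     users:(("DnsService",pid=1234,fd=13))
tcp   LISTEN 0      4096         0.0.0.0:5380      0.0.0.0:*     users:(("DnsService",pid=1234,fd=14))
tcp   LISTEN 0      4096         0.0.0.0:853       0.0.0.0:*     users:(("DnsService",pid=1234,fd=15))
tcp   LISTEN 0      4096         0.0.0.0:443       0.0.0.0:*     users:(("caddy",pid=987,fd=7))
"""

# Policy derived from this post's layout (5353 for DNS-over-HTTP is an assumption).
LOOPBACK_ONLY = {5380, 53443, 5353}      # web console, console HTTPS, DNS-over-HTTP behind Caddy
PUBLIC_OK = {("tcp", 853), ("tcp", 443), ("udp", 443), ("tcp", 80)}  # DoT, DoH via Caddy, ACME
FIREWALL_DEPENDENT = {53}                # DoT forces 0.0.0.0:53; the host firewall must cover it
WILDCARDS = {"0.0.0.0", "[::]", "*"}


def parse_ss(text):
    """Yield (proto, local_addr, port) for each socket line of `ss -tulnp` output."""
    for line in text.splitlines()[1:]:           # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")    # works for "[::]:53" and "0.0.0.0:53"
        if port.isdigit():
            yield proto, addr, int(port)


def audit(text):
    """Return (level, proto, addr, port, message) tuples; level is OK, WARN or FAIL."""
    findings = []
    for proto, addr, port in parse_ss(text):
        on_loopback = addr.startswith("127.") or addr == "[::1]"
        exposed = addr in WILDCARDS or not on_loopback
        if not exposed:
            findings.append(("OK", proto, addr, port, "loopback only"))
        elif port in LOOPBACK_ONLY:
            findings.append(("FAIL", proto, addr, port,
                             "management/plain-HTTP endpoint reachable from the network; bind it to 127.0.0.1"))
        elif port in FIREWALL_DEPENDENT:
            findings.append(("WARN", proto, addr, port,
                             "listening on all interfaces as DoT requires; confirm the firewall drops it"))
        elif (proto, port) in PUBLIC_OK:
            findings.append(("OK", proto, addr, port, "intended public service"))
        else:
            findings.append(("WARN", proto, addr, port, "unexpected public listener"))
    return findings


if __name__ == "__main__":
    try:
        text = subprocess.run(["ss", "-tulnp"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        text = SAMPLE_SS_OUTPUT                  # fall back to the constructed sample
    for level, proto, addr, port, msg in audit(text):
        print(f"{level:4} {proto}/{port:<5} {addr:<12} {msg}")
```

In the sample, the console on 0.0.0.0:5380 is the finding to act on (it corresponds to forgetting the 127.0.0.1 change in the Web Service tab); the three port 53 warnings are the expected DoT caveat and only remind you to verify the firewall rule.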

In the Optional Protocols section, we need DNS-over-HTTP because of our reverse proxy; our connection to the Caddy server is encrypted, and the connection between Caddy and Technitium is over localhost, so it is not necessary to use DNS-over-TLS or HTTPS. We will set the port as 5353, because the default port 80 is already in use by Caddy and port 53 is in use by the Technitium itself. Note that DNS-over-HTTP is meant to be used with a reverse proxy; it must be used with a TLS terminating reverse proxy like nginx and will work only on private networks. If we were to use the DNS server directly without a reverse proxy, we should have enabled more secure options and handled the certificate management ourselves.

Don't forget to click the Save Settings button at the bottom of the page to save the settings. The port changes will be automatically applied, therefore we do not need to manually restart the service.

Technitium can work both as an authoritative and recursive DNS server. For the recursion configuration, first, we will go to the Settings > Recursion tab. In the recursion section, we select "Allow Recursion". In this way, if we connect to the DNS server via our reverse proxy, it will check the forwarders and return a result for us.

Forwarders are DNS servers that this DNS Server should use to resolve recursive queries. If no forwarders are configured then this DNS server will use preconfigured ROOT SERVERS to perform recursive resolution. We will use the Cloudflare DNS-over-HTTPS forwarder. In the Settings > Proxy & Forwarders tab, within the Forwarders section we will use the Quickselect dropdown to select "CloudFlare DNS-over-HTTPS", with the "Forwarder Protocol" set to DNS-over-HTTPS.

More Caddy Configuration

Since we have configured our DNS server, we now need to reverse proxy any request to the dns.example.com/dns-query to localhost:5353. We do this by changing our dns.example.com block in the Caddyfile to the following:

dns.example.com {
    handle /dns-query* {
        reverse_proxy http://localhost:5353 {
            header_up Host {upstream_hostport}
            header_up X-Real-IP {remote_host}
        }
    }
    handle {
        reverse_proxy http://localhost:5380 {
            header_up Host {upstream_hostport}
            header_up X-Real-IP {remote_host}
        }
    }
}
Then we restart Caddy with
sudo caddy reload
Let's explain this configuration. When a request is made to dns.example.com, Caddy first checks whether the path begins with /dns-query (that is what the /dns-query* matcher means). If it does, it reverse proxies the request to localhost:5353, which is our Technitium DNS server. We also set the Host header on the upstream request, because the Technitium DNS server requires it, and pass the real IP of the requester so that it can be logged. If the path does not begin with /dns-query, the request is reverse proxied to localhost:5380, which is the Technitium web console. This way, we can access both the UI and the DNS service from the same domain name.

Testing

To check if our DNS server is working, we can use the Technitium DNS Client. This client is also available in the GUI of the Technitium server.

To test DoH, we will enter our DNS server address, dns.example.com/dns-query, enter a domain (like google.com), and select the DNS-over-HTTPS protocol. Then we will click on the Resolve button. If everything is working correctly, we should see the IP address of our server in the result, in the form of a JSON response. We can also check the logs of the Technitium server to see if the request was made.

To test DoT, we will enter our DNS server address, dns.example.com, enter a domain (like google.com), and select the DNS-over-TLS protocol. Then we will click on the Resolve button. If everything is working correctly, we should see the IP address of our server in the result, in the form of a JSON response. We can also check the logs of the Technitium server to see if the request was made.
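It also helps to know exactly what the /dns-query route has to carry, because that is what the Caddy handle block must forward untouched. The following is an added example, not code from the post or from Technitium: it builds the RFC 8484 DNS-over-HTTPS GET request by hand (wire-format query, base64url-encoded into the dns= parameter) and parses a wire-format answer. It assumes the endpoint implements RFC 8484 GET requests, uses the post's placeholder dns.example.com, and the response bytes it parses are constructed here rather than captured from a server.

```python
"""Build and decode RFC 8484 DoH messages for dns.example.com/dns-query."""
import base64
import struct
import urllib.request


def build_query(name, qtype=1, txid=0):
    """DNS wire-format query (header + question). ID 0 keeps GET URLs cacheable (RFC 8484 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # flags 0x0100: RD set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN


def doh_get_param(name):
    """base64url without padding, as the ?dns= parameter requires (RFC 8484 6)."""
    return base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode("ascii")


def doh_url(server, name):
    return f"https://{server}/dns-query?dns={doh_get_param(name)}"


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:        # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_a_records(msg):
    """Return dotted IPv4 strings from the answer section; raise on a non-zero RCODE."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs


def query_over_doh(server, name, timeout=5):
    """Live DoH lookup (needs network). A wrong Content-Type usually means Caddy routed
    /dns-query to the web console instead of the DNS-over-HTTP endpoint."""
    req = urllib.request.Request(doh_url(server, name), headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "").split(";")[0].strip()
        if ctype != "application/dns-message":
            raise ValueError(f"unexpected Content-Type {ctype!r}; check the Caddy handle block")
        return parse_a_records(resp.read())


# Constructed answer for www.example.com A (not a real capture): flags 0x8180,
# one answer whose name is a pointer to offset 12, TTL 300, RDATA 93.184.216.34.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01"
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
)

if __name__ == "__main__":
    print(doh_url("dns.example.com", "www.example.com"))
    print(parse_a_records(SAMPLE_RESPONSE))
    # Uncomment on a machine that can reach the server:
    # print(query_over_doh("dns.example.com", "www.example.com"))
```

The URL the script prints is the same request the Technitium DNS Client sends when you select DNS-over-HTTPS; pasting it into curl with -H "Accept: application/dns-message" and checking that the reply is binary DNS rather than the console's HTML is a quick way to separate a Caddy routing problem from a DNS problem.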

Troubleshooting

If you cannot get a response, you should backtrace the error based on your response. Any 5xx errors are most likely due to the incorrect configuration of Caddy. This can be verified in the Technitium logs; if you do not see your failed request in the Logs section, then your request is not reaching the DNS server and the most likely culprit is the Caddy configuration. If you still cannot solve your issue, the Reddit community is very helpful and you can ask for help there (r/technitium).

Using Your DNS Server

Windows 10/11

Go to Settings > Network and Internet, and select your active network. Then in the DNS Server Assignment section, click Edit, Select "Manual", and enter your server's IP address in the Preferred DNS box. In the DNS over HTTPS section select "On (manual template)", and enter "https://dns.example.com/dns-query" in the DNS over HTTPS template box. Disable "Fallback to plaintext". Click Save.

Android

Android's DoH support is experimental, and will possibly be available in Android 13. For this reason, we will use DoT. Go to Settings on your phone and search for DNS. In the Private DNS section, select "Private DNS provider hostname" and enter "dns.example.com". Click Save.

Do not forget to run a DNS leak test. A service such as DNS Leak Test will show which resolver your queries actually reach, confirming that your own server is being used.

Enabling Blocking

One of the best perks of having a private DNS server is that you can block ads and trackers before they are even downloaded. Technitium DNS server has a built-in blocking feature, which can be enabled by going to Settings > Blocking. You can also add your custom blocklists. There is even a "Quick Add" section that allows you to select a bunch of blocklists from a list. Select the ones that apply best to your needs, and don't forget to click "Save".