DnsServerCore/www/index.html
Username
Password
Enter OTP
Enter the 6-digit code you see in your authenticator app.
Login
or login with OpenID Connect
Dashboard time range: Last Hour / Last Day / Last Week / Last Month / Last Year / Custom (Start, End, Show)
Dashboard counters (template placeholder values omitted): Total Queries, No Error, Server Failure, NX Domain, Refused, Authoritative, Recursive, Cached, Blocked, Dropped; Clients, Zones, Cache, Allowed, Blocked, Allow List, Block List
Top Clients (More)
| Client | Queries |
|---|---|
Top Domains (More)
| Domain | Hits |
|---|---|
Top Blocked Domains (Blocking, More)
| Domain | Hits |
|---|---|
Add Zone | Edit
Page Number | Zones Per Page: 10, 25, 50, 100, 250, 500 | Go
0 zones
| # | Zone | Type | DNSSEC | Status | Serial | Expiry | Last Modified | |
|---|---|---|---|---|---|---|---|---|
Zone header (template badges): Primary | DNSSEC Enabled | catalog | Expiry: 01 Jan 2020 00:00:00
Add Record | Enable Zone | Disable Zone | Delete Zone | Resync | Options
Permissions | DNSSEC
Name | Type
Page Number | Records Per Page: 10, 25, 50, 100, 250, 500 | Go
0 records
| # | Name | Type | TTL | Data | |
|---|---|---|---|---|---|
Cache: Browse (e.g. technitium.com) | Delete | Flush
Allowed: Allow | Browse (e.g. technitium.com) | Import | Export | Delete | Flush
Blocked: Block | Browse (e.g. technitium.com) | Import | Export | Delete | Flush
App Store | Install
| Installed Apps | |
|---|---|
| Total Apps: 0 | |
Server | Domain
Type: A, NS, CNAME, SOA, PTR, MX, TXT, RP, AAAA, SRV, NAPTR, DNAME, DS, SSHFP, RRSIG, NSEC, DNSKEY, NSEC3, NSEC3PARAM, TLSA, ZONEMD, SVCB, HTTPS, URI, CAA, ANY, AXFR, ANAME
Protocol: DNS-over-UDP, DNS-over-TCP, DNS-over-TLS, DNS-over-HTTPS, DNS-over-QUIC
EDNS Client Subnet
Enable DNSSEC Validation
Resolve | Import
DNS Server Domain
The primary fully qualified domain name used by this DNS Server to identify itself.
DNS Server Local End Points
Local End Points are the network interface IP addresses and ports you want the DNS Server to listen for requests.
DNS Server IPv4 Source Addresses
The IPv4 source addresses that the DNS Server must use for making all outbound DNS requests when the server is connected to two or more networks. Network addresses are also accepted.
DNS Server IPv6 Source Addresses
The IPv6 source addresses that the DNS Server must use for making all outbound DNS requests when the server is connected to two or more networks. Network addresses are also accepted. Note that this option will be used only when Prefer IPv6 option is enabled.
Note! The DNS Server local end point changes will be automatically applied and so you do not need to manually restart the main service.
Note! The source addresses configured above must be IP addresses that are configured on one of the local system's network interfaces. When using the source addresses option, it is also necessary to ensure that the system has a default route, or a specific route for the source address, so that the destination network is reachable. When no source addresses are configured, the IP address of the interface with the default route will be used as the source address.
Default Record TTL seconds (default 3600/1h)
The default TTL value to use if not specified when adding or updating records in a Zone.
Default NS Record TTL seconds (default 14400/4h)
The default TTL value to use if not specified when adding or updating NS records in a Primary Zone.
Default SOA Record TTL seconds (default 900/15m)
The default TTL value to use if not specified when adding or updating SOA records in a Primary Zone.
Default Responsible Person
The default SOA Responsible Person email address to use when adding a Primary Zone.
Zone Defaults
Use SOA Serial Date Scheme
The default SOA Serial option to use if not specified when adding a Primary Zone.
Minimum SOA Refresh seconds (default 300/5m)
The minimum Refresh interval to be used by Secondary, Stub, Secondary Forwarder, and Secondary Catalog zones. This minimum value will be used if a zone's SOA Refresh value is less than it.
Minimum SOA Retry seconds (default 300/5m)
The minimum Retry interval to be used by Secondary, Stub, Secondary Forwarder, and Secondary Catalog zones. This minimum value will be used if a zone's SOA Retry value is less than it.
Zone Transfer Allowed Networks
Enter IP addresses or network addresses one below another that are allowed to perform zone transfer for all zones without any TSIG authentication.
Notify Allowed Networks
Enter IP addresses or network addresses one below another that are allowed to Notify all Secondary Zones.
DNS Apps
Enable Automatic Update
The DNS Server will check for DNS Apps update every day and will automatically download and install the updates.
IPv6 Support
Disable IPv6 Disables IPv6 support such that the DNS Server uses only IPv4 for all outbound DNS and HTTP(s) requests.
Enable IPv6 Enables IPv6 support such that the DNS Server uses both IPv6 (whenever possible) and IPv4 with equal weightage for all outbound DNS and HTTP(s) requests.
Prefer IPv6 Enables IPv6 support such that the DNS Server prefers using IPv6 (whenever possible) for all outbound DNS and HTTP(s) requests and will use IPv4 only after exhausting all IPv6 attempts.
Warning! Enable IPv6 support only if this DNS Server has native IPv6 Internet access; otherwise it will affect performance. Many name servers on the Internet do not respond over IPv6, so using the Prefer IPv6 option when the DNS Server runs in recursive resolver mode (i.e. without any forwarders) may cause frequent resolution problems and an increase in Server Failure responses.
UDP Socket Pool
Enable UDP Socket Pool
The DNS Server will use UDP socket pool for all outbound DNS-over-UDP requests when enabled.
UDP Socket Pool Excluded Ports
Enter port numbers one below the other to exclude them from being used by the UDP socket pool.
Note! Enabling UDP socket pool provides port randomization for all outbound DNS-over-UDP requests to mitigate spoofing attacks. It is recommended to enable UDP socket pool on Windows platform. On Linux, ports are fairly random and thus socket pool may be enabled if more randomization is desired. The DNS Server can detect DNS spoofing attack attempts based on ID mismatch and switch to TCP protocol automatically.
EDNS UDP Payload Size bytes (valid range 512-4096; default 1232)
The maximum UDP payload size that can be used to avoid IP fragmentation.
DNSSEC
Enable DNSSEC Validation
The DNS Server will validate all responses from name servers or forwarders when this option is enabled.
Warning! On devices that do not have a real-time clock and rely on NTP at boot (e.g. Raspberry Pi), enabling DNSSEC validation will cause the NTP server domain name to fail to resolve, and because the system date/time is then invalid, the DNS Server will fail to validate every other domain name too. To fix this, create a Conditional Forwarder zone for the NTP server domain name (e.g. ntp.org) with the forwarder set to this-server and the Enable DNSSEC Validation option unchecked. This conditional forwarder zone disables DNSSEC validation only for the NTP server domain name and lets the device update its system date/time on boot.
Warning! When forwarders are configured, DNSSEC validation will work only if the forwarders are security aware i.e. can respond to DNSSEC requests correctly.
Note! Enabling DNSSEC may increase delays in resolving domain names when the cache is initially empty. As the cache fills up, the performance will be normal as expected.
EDNS Client Subnet (ECS)
Enable EDNS Client Subnet
The DNS Server will use the public IP address of the request with a prefix length, or the existing Client Subnet option from the request.
ECS IPv4 Prefix Length (valid range 0-32; default 24)
The IPv4 prefix length to define the client subnet.
ECS IPv6 Prefix Length (valid range 0-64; default 56)
The IPv6 prefix length to define the client subnet.
ECS IPv4 Override
The IPv4 network address that must be used as ECS for all outbound requests overriding client's actual subnet.
ECS IPv6 Override
The IPv6 network address that must be used as ECS for all outbound requests overriding client's actual subnet.
Warning! The EDNS Client Subnet (ECS) option, when enabled, compromises the user's privacy since the DNS Server will send the user's public IP network subnet to name servers or forwarders when resolving requests. When not using encrypted DNS protocols, this information can also be read passively by anyone on the network path.
Note! EDNS Client Subnet (ECS) option allows passing the user's client subnet information to name servers or forwarders so that the response may contain IP addresses of servers closer to the user's geographic region. EDNS Client Subnet (ECS) option thus is only useful when the DNS Server is hosted in a geographically different region compared to the users that are configured to use it.
Note! Enabling EDNS Client Subnet (ECS) option will significantly increase the DNS Server's memory usage since the server will have to cache data for each client subnet separately. It will also increase cache misses since DNS Server will have to resolve requests and cache them for each client subnet separately.
Queries Per Minute (QPM) Limits (IPv4)
| IPv4 Prefix | UDP Limit | TCP Limit | Add |
|---|---|---|---|
The maximum queries an IPv4 client subnet can make to the DNS-over-UDP and DNS-over-TCP protocol services per minute, on average over the sample size. Set a limit value of 0 to allow unlimited queries for a specific protocol in an entry, or delete the entry altogether to remove rate limiting for the prefix.
Queries Per Minute (QPM) Limits (IPv6)
| IPv6 Prefix | UDP Limit | TCP Limit | Add |
|---|---|---|---|
The maximum queries an IPv6 client subnet can make to the DNS-over-UDP and DNS-over-TCP protocol services per minute, on average over the sample size. Set a limit value of 0 to allow unlimited queries for a specific protocol in an entry, or delete the entry altogether to remove rate limiting for the prefix.
QPM Sample Size minutes (valid range 1-60; default 5)
The sample size in minutes to sample latest data from Last Hour stats for limiting queries per client.
QPM Limit UDP Truncation % (valid range 0-100; default 50)
The percentage of requests that are answered with a truncated (TC) response when the QPM limit is exceeded for the DNS-over-UDP protocol service; the remaining requests are dropped. A TC response causes a real client to retry over the DNS-over-TCP protocol service, while a spoofed-source flood gets nothing useful back.
QPM Limit Bypass List
Enter IP addresses or network addresses one below another that are allowed to bypass the QPM limit.
Note! Queries Per Minute (QPM) feature will limit requests from a client subnet based on its IP address and the specified subnet prefix lengths except for loopback IP addresses. The QPM limit configured will be compared with the average count from the sample size which means a client may exceed the QPM limit for a given minute but won't exceed for the given sample size in minutes. Rate limited clients will be listed in orange color on the dashboard top clients table.
Note! The configured TCP limits apply to the DNS-over-TCP protocol service as well as to the DNS-over-TLS, DNS-over-HTTPS and DNS-over-QUIC optional protocol services.
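The limiter below is an added example, not the project's own implementation, that works through the QPM semantics described above: one counter per client subnet and per protocol class (UDP, or TCP shared with TLS/HTTPS/QUIC), a decision based on the average over the sample window rather than a single minute, a limit of 0 meaning unlimited, loopback and bypass-list exemptions, and the UDP truncation percentage splitting limited requests between TC responses and drops. Assumptions made here: each table entry is a prefix length applied to the client's address, a client must stay under every configured prefix's limit, all received requests (including limited ones) count toward the window, and the TC/drop split is spread evenly rather than chosen at random.

```python
import ipaddress
from collections import defaultdict


class QpmLimiter:
    """Illustrative QPM limiter (added example, not the DNS Server's own code).

    ipv4_limits / ipv6_limits: lists of (prefix_length, udp_limit, tcp_limit);
    a limit of 0 means unlimited for that protocol.
    """

    def __init__(self, ipv4_limits=(), ipv6_limits=(), sample_size_minutes=5,
                 udp_truncation_percent=50, bypass=()):
        self.limits = {4: list(ipv4_limits), 6: list(ipv6_limits)}
        self.sample = sample_size_minutes
        self.truncation = udp_truncation_percent
        self.bypass = [ipaddress.ip_network(b, strict=False) for b in bypass]
        # (subnet, is_udp) -> {minute: request count}
        self.counts = defaultdict(lambda: defaultdict(int))
        # subnet -> number of rate-limited UDP requests seen, drives the TC/drop split
        self.limited_udp = defaultdict(int)

    def _count(self, key, minute):
        """Record one request and return the total over the sample window."""
        window = self.counts[key]
        window[minute] += 1
        oldest = minute - self.sample + 1
        for old in [m for m in window if m < oldest]:
            del window[old]                      # forget minutes outside the window
        return sum(window.values())

    def check(self, address, transport, minute):
        """Return 'allow', 'truncate' (TC=1, client retries over TCP) or 'drop'."""
        ip = ipaddress.ip_address(address)
        if ip.is_loopback or any(ip.version == b.version and ip in b for b in self.bypass):
            return "allow"
        is_udp = transport == "udp"              # tcp, tls, https, quic share the TCP limit
        limited_subnet = None
        for prefix_len, udp_limit, tcp_limit in self.limits[ip.version]:
            subnet = str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))
            total = self._count((subnet, is_udp), minute)
            limit = udp_limit if is_udp else tcp_limit
            # average over the sample exceeds the limit <=> window total > limit * sample
            if limit and total > limit * self.sample and limited_subnet is None:
                limited_subnet = subnet
        if limited_subnet is None:
            return "allow"
        if not is_udp:
            return "drop"                        # no truncation trick over TCP
        n = self.limited_udp[limited_subnet]
        self.limited_udp[limited_subnet] += 1
        # spread the configured percentage of TC answers evenly over limited requests
        return "truncate" if (n * self.truncation) % 100 < self.truncation else "drop"
```

With a /24 entry of 10 UDP QPM and a 5-minute sample, a single burst of 50 queries in one minute is still allowed (50 over 5 minutes averages to 10), the 51st is limited, and the whole /24 stays limited until the burst minute leaves the window.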
Client Timeout milliseconds (valid range 1000-10000; default 2000)
The amount of time the DNS Server must wait before responding with a ServerFailure response to a client request when no answer is available.
TCP Send Timeout milliseconds (valid range 1000-90000; default 10000)
The maximum amount of time the DNS Server will wait for the response to be sent. This option will apply for DNS requests being received by the DNS Server over TCP, TLS, TcpProxy, or HTTPS transports.
TCP Receive Timeout milliseconds (valid range 1000-90000; default 10000)
The maximum amount of time the DNS Server will wait for receiving data. This option will apply for DNS requests being received by the DNS Server over TCP, TLS, TcpProxy, or HTTPS transports.
QUIC Idle Timeout milliseconds (valid range 1000-90000; default 60000)
The time interval after which an idle QUIC connection will be closed. This option applies only to QUIC transport protocol.
QUIC Max Inbound Streams (valid range 1-1000; default 100)
The max number of inbound bidirectional streams that can be accepted per QUIC connection. This option applies only to QUIC transport protocol.
Listen Backlog (default 100)
The maximum number of pending inbound connections. This option applies to TCP, TLS, TcpProxy, and QUIC transport protocols.
UDP Send Buffer Size KB (valid range 8-65536; default 2048)
The UDP listener socket send buffer size. This option applies to UDP and UdpProxy transport protocols.
UDP Receive Buffer Size KB (valid range 8-65536; default 2048)
The UDP listener socket receive buffer size. This option applies to UDP and UdpProxy transport protocols.
Max Concurrent Resolutions per CPU core (default 100)
The maximum number of concurrent async outbound resolutions that should be done per CPU core.
Web Service Local Addresses
Local addresses are the network interface IP addresses you want the Web Service to listen for requests. ANY addresses (0.0.0.0 & [::]) cannot be used together with unicast IP addresses. The web server uses dual-mode sockets by default so the IPv6 ANY address ([::]) works for IPv4 too. The default values work for most scenarios so, do not change these defaults unless you have a requirement for the Web Service to listen on specific networks. Configured unicast IP addresses will be included as Subject Alternative Name (SAN) in the self signed TLS certificate.
Web Service HTTP Port (default 5380)
Specify the TCP port number for this web console over HTTP protocol.
HTTPS Options
Enable HTTPS
Enable HTTP/3
Enable HTTP to HTTPS Redirection
Use A Self Signed TLS Certificate When TLS Certificate File Path Is Unspecified
Web Service HTTPS Port (default 53443)
Specify the TCP port number for this web console over TLS protocol.
TLS Certificate File Path
Specify a PKCS #12 certificate (.pfx or .p12) file path on the server. The path can be relative to the DNS Server's config folder. The certificate must contain the private key.
TLS Certificate Password
Enter the certificate (.pfx) password, if any.
Real IP Header
The HTTP header that must be used to read client's actual IP address when the request comes from a reverse proxy with a private IP address.
Note! The Web Service port changes will be automatically applied and so you do not need to manually restart the main service. The TLS certificate too will be automatically reloaded when the certificate file's date modified property on disk changes. This web page will be automatically redirected to the new web console URL after saving settings. The HTTPS protocol will be enabled only when a TLS certificate is configured.
Note! When using a reverse proxy with the Web Service, you need to add X-Real-IP header to the proxy request with the IP address of the client to allow the Web Service to know the real IP address of the client originating the request. For example, if you are using nginx as the reverse proxy, you can add proxy_set_header X-Real-IP $remote_addr; to make it work.
Note! The Web Service uses Kestrel web server which supports both HTTP/2 and HTTP/3 protocols when TLS certificate is configured. HTTP/3 protocol support is not available on all platforms. On Windows, it is available only on Windows 11 (build 22000 and later) and Windows Server 2022 (and later). On Linux, it requires libmsquic to be installed. It also requires IPv6 support on the system to work.
Note! The Web Service will always bind to [::] local address for HTTP/3 protocol since this is how the libmsquic library is designed to work.
Use the following openssl command to convert your TLS certificate that is in PEM format to PKCS #12 certificate (.pfx) format:
openssl pkcs12 -export -out "example.com.pfx" -inkey "privkey.pem" -in "cert.pem" -certfile "chain.pem"
Help: Configuring DNS-over-QUIC and HTTPS/3 For Technitium DNS Server
Optional DNS Server Protocols
Enable EDNS Client Subnet (ECS) Source Address
Enable this option to read the client's source IP address from the EDNS Client Subnet (ECS) option in the DNS requests coming via DNS-over-UDP or DNS-over-TCP protocols. This option allows a DNS proxy to pass the client's source IP address via ECS option to the DNS Server. It is mandatory to configure Reverse Proxy Network ACL below to allow requests coming from your DNS proxy server to work with this option.
Enable DNS-over-UDP-PROXY
Enable this option to accept DNS-over-UDP-PROXY requests. It implements the PROXY Protocol for both version 1 & 2 over UDP datagram. It is mandatory to configure Reverse Proxy Network ACL below to allow requests coming from your reverse proxy server.
Enable DNS-over-TCP-PROXY
Enable this option to accept DNS-over-TCP-PROXY requests. It implements the PROXY Protocol for both version 1 & 2 over TCP connection. It is mandatory to configure Reverse Proxy Network ACL below to allow requests coming from your reverse proxy server.
Enable DNS-over-HTTP
Enable this option to accept DNS-over-HTTP requests. It must be used with a TLS terminating reverse proxy like nginx. It is mandatory to configure Reverse Proxy Network ACL below to allow requests coming from your reverse proxy server. Enabling this option also allows automatic TLS certificate renewal with HTTP challenge (webroot) for DNS-over-HTTPS service when DNS-over-HTTP port is set to 80.
Enable DNS-over-TLS
Enable this option to accept DNS-over-TLS requests.
Enable DNS-over-HTTPS
Enable this option to accept DNS-over-HTTPS requests.
Enable DNS-over-HTTP/3
Enable this option to accept DNS-over-HTTP/3 requests.
Enable DNS-over-QUIC
Enable this option to accept DNS-over-QUIC requests.
DNS-over-UDP-PROXY Port (default 538)
Specify the UDP port number for DNS-over-UDP-PROXY protocol.
DNS-over-TCP-PROXY Port (default 538)
Specify the TCP port number for DNS-over-TCP-PROXY protocol.
DNS-over-HTTP Port (default 80)
Specify the TCP port number for DNS-over-HTTP protocol.
DNS-over-TLS Port (default 853)
Specify the TCP port number for DNS-over-TLS protocol.
DNS-over-HTTPS Port (default 443)
Specify the TCP port number for DNS-over-HTTPS protocol.
DNS-over-QUIC Port (default 853)
Specify the UDP port number for DNS-over-QUIC protocol.
Reverse Proxy Network ACL
Configure the ACL above to allow requests coming from your reverse proxy server for the DNS-over-UDP-PROXY, DNS-over-TCP-PROXY, and DNS-over-HTTP protocols. Enter IP addresses or network addresses one below the other to allow access. Add a ! character at the start to deny access, e.g. !192.168.10.0/24 will deny the entire subnet. The ACL is processed in the order it is listed and the first match wins. If no entry matches, the default policy is to deny all.
TLS Certificate File Path
Specify a PKCS #12 certificate (.pfx or .p12) file path on the server. The path can be relative to the DNS Server's config folder. The certificate must contain the private key.
TLS Certificate Password
Enter the certificate (.pfx) password, if any.
Real IP Header
The HTTP header that must be used to read client's actual IP address when the request comes from a reverse proxy. The specified header will be read only when the request IP address is allowed by the Reverse Proxy Network ACL.
Note! These optional DNS Server protocol changes will be automatically applied and so you do not need to manually restart the main service. The TLS certificate too will be automatically reloaded when the certificate file's date modified property on disk changes. The DNS-over-TLS, DNS-over-QUIC, and DNS-over-HTTPS protocols will be enabled only when a TLS certificate is configured.
These optional DNS Server protocols are used to host these as a service. You do not need to enable these optional protocols to use them with Forwarders or Conditional Forwarder Zones.
For DNS-over-HTTP, use http://localhost:8053/dns-query (with 8053 replaced by the configured DNS-over-HTTP port) behind a TLS terminating reverse proxy like nginx. For DNS-over-TLS, use tls-certificate-domain:853; for DNS-over-QUIC, use tls-certificate-domain:853; and for DNS-over-HTTPS use https://tls-certificate-domain/dns-query to configure supported DNS clients.
When using a reverse proxy with the DNS-over-HTTP service, you need to add X-Real-IP header to the proxy request with the IP address of the client to allow the DNS Server to know the real IP address of the client originating the request. For example, if you are using nginx as the reverse proxy, you can add proxy_set_header X-Real-IP $remote_addr; to make it work.
DNS-over-QUIC protocol support is not available on all platforms. On Windows, it is available only on Windows 11 (build 22000 and later) and Windows Server 2022 (and later). On Linux, it requires libmsquic to be installed. It also requires IPv6 support on the system to work.
Note! The DNS-over-HTTP/3 protocol will always bind to [::] local address since this is how the libmsquic library is designed to work.
Use the following openssl command to convert your TLS certificate that is in PEM format to PKCS #12 certificate (.pfx) format:
openssl pkcs12 -export -out "example.com.pfx" -inkey "privkey.pem" -in "cert.pem" -certfile "chain.pem"
Help: How To Host Your Own DNS-over-HTTPS, DNS-over-TLS, And DNS-over-QUIC Services
Help: Configuring DNS-over-QUIC and HTTPS/3 For Technitium DNS Server
TSIG Keys
| Key Name | Shared Secret | Algorithm | Add |
|---|---|---|---|
The shared secret can be a base64 string or a literal string. Keep the shared secret empty if you want to auto generate a strong key.
Note! You will need to configure these TSIG key names for zone transfer separately, in the zone options and in the secondary zone SOA record options.
Recursion
Deny Recursion Disables recursion so that this DNS Server works as authoritative only.
Allow Recursion Enables recursion to allow this DNS Server to resolve any domain name.
Allow Recursion Only For Private Networks (default) Select this option if you want to support recursion only on private networks. Any recursive request from a public network will be refused.
Use Specified Network Access Control List (ACL) Select this option to specify networks that must be allowed or denied recursion.
Network Access Control List (ACL)
Enter IP addresses or network addresses one below the other to allow access. Add a ! character at the start to deny access, e.g. !192.168.10.0/24 will deny the entire subnet. The ACL is processed in the order it is listed and the first match wins. If no entry matches, the default policy is to deny all except loopback.
Note! Disable recursion if you wish this server to act only as authoritative name server for the configured zones.
Note! You need recursion enabled even when you have configured Forwarders in Settings and do not want the DNS Server to do recursive resolution.
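The following is an added example, not code from the project, showing the ACL semantics that both the Reverse Proxy Network ACL and the recursion ACL above share (ordered entries, a leading ! denies, first match wins, default deny, with the recursion ACL additionally admitting loopback), together with the rule from the Real IP Header setting that the header is only trusted when the connecting peer is allowed by the reverse proxy ACL. The sample ACL text, the header dictionary and the function names are constructed for this example; comment handling with # follows the convention the block list textarea describes, which is an assumption for ACL fields.

```python
import ipaddress


def parse_acl(text):
    """Parse an ACL in the settings-page syntax: one IP address or network per
    line, a leading '!' denies, '#' starts a comment (assumed here).
    Added example, not the project's own parser."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        allow = not line.startswith("!")
        if not allow:
            line = line[1:].strip()
        # strict=False accepts host bits in a network entry, e.g. 192.168.10.5/24
        rules.append((ipaddress.ip_network(line, strict=False), allow))
    return rules


def acl_allows(rules, address, loopback_allowed_by_default=False):
    """First matching entry wins; no match falls through to the default policy:
    deny all (reverse proxy ACL) or deny all except loopback (recursion ACL)."""
    ip = ipaddress.ip_address(address)
    for network, allow in rules:
        if ip.version == network.version and ip in network:
            return allow
    return loopback_allowed_by_default and ip.is_loopback


def client_ip(remote_addr, headers, proxy_rules, real_ip_header="X-Real-IP"):
    """Honour the Real IP header only when the connecting peer is a proxy allowed
    by the Reverse Proxy Network ACL; any other peer could simply forge it."""
    if not acl_allows(proxy_rules, remote_addr):
        return remote_addr
    lowered = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    value = lowered.get(real_ip_header.lower(), "").strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return remote_addr          # missing or malformed header: keep the socket address


# Constructed sample ACL. The deny entry has to come before the broader allow,
# because entries are evaluated in order and the first match wins.
EXAMPLE_ACL = """
# constructed example
!192.168.10.0/24
192.168.0.0/16
10.0.0.5
"""
```

Reversing the first two entries of EXAMPLE_ACL silently makes the deny line dead, since 192.168.0.0/16 would match every 192.168.10.x address first; the test below checks both orders.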
Recursive Resolver
Randomize Name
Enables QNAME case randomization when using UDP as the transport protocol to improve security.
QNAME Minimization
Enables QNAME minimization for recursive resolution to improve privacy.
Warning! Enabling the Randomize Name option may cause some domain names to fail to resolve, because their name servers drop such requests or echo the QNAME in the response with a different case, causing a mismatch. The DNS Server can already detect DNS spoofing attack attempts and switch to the TCP protocol automatically, so it is safe to leave this feature disabled.
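As an added example (not the server's own code, whose case-derivation is not described on this page), the block below shows what the Randomize Name option and the ID-mismatch detection mentioned under UDP Socket Pool amount to on the wire: the resolver sends a query whose QNAME has an unpredictable mix of upper and lower case, and a UDP response is only accepted when both the 16-bit transaction ID and the exact-case QNAME match. The HMAC-based case derivation and the key are this example's choice; a name server that lowercases the echoed QNAME produces the case-mismatch outcome the warning above describes.

```python
import hashlib
import hmac
import secrets


def randomize_qname(qname, key):
    """Derive a per-name case pattern from an HMAC so it is unguessable to an
    off-path attacker but reproducible by the resolver that sent it.
    Names are expected in wire (punycode) form. Added example."""
    name = qname.rstrip(".").lower()
    bits = int.from_bytes(hmac.new(key, name.encode(), hashlib.sha256).digest(), "big")
    out, i = [], 0
    for ch in name:
        if "a" <= ch <= "z":             # only ASCII letters carry case
            if (bits >> (i % 256)) & 1:
                ch = ch.upper()
            i += 1
        out.append(ch)
    return "".join(out)


def new_query(qname, key):
    """The (transaction id, randomized qname) pair a UDP query carries."""
    return secrets.randbelow(1 << 16), randomize_qname(qname, key)


def verify_response(sent_id, sent_qname, resp_id, resp_qname):
    """Classify a UDP response:
    'ok'            -> id and exact-case qname both match
    'id-mismatch'   -> likely spoofing attempt; retry the query over TCP
    'case-mismatch' -> server re-cased the name, so the 0x20 check proves
                       nothing; treat as unverified (or retry over TCP)
    'name-mismatch' -> response is for a different name altogether"""
    if sent_id != resp_id:
        return "id-mismatch"
    if sent_qname == resp_qname:
        return "ok"
    if sent_qname.lower() == resp_qname.lower():
        return "case-mismatch"
    return "name-mismatch"
```

The extra bits of entropy come from the letters in the name (one bit each), which is why the option only matters for UDP, where an attacker has to guess ID, source port and now the case pattern to inject an answer.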
Resolver Retries (valid range 1-10; default 2)
The total number of retries the recursive resolver must do per name server.
Resolver Timeout milliseconds (valid range 1000-10000; default 1500)
The amount of time the recursive resolver must wait for a response from a name server before retrying.
Resolver Concurrency (valid range 1-4; default 2)
The number of concurrent requests that should be sent by the recursive resolver to the name servers.
Resolver Max Stack Count (valid range 10-30; default 16)
The maximum stack count the recursive resolver must use for resolving a domain name.
Note! The DNS Server supports EDNS and thus all outbound recursive resolution requests will have an OPT record for it in the additional section. If a name server does not respond to a request containing OPT record, the recursive resolver will retry again without the OPT record when possible. This means that the number of retries attempted per name server can be Resolver Retries value multiplied by two for certain cases.
Note! The DNS Server uses Epsilon-Greedy machine learning algorithm and will automatically learn which of the name servers are answering faster without errors and will use those name servers most of the time. Since each domain name has a different set of name servers, it may take a while before the algorithm learns about them.
DNS Cache
Save Cache To Disk
Enable this option to save DNS cache on disk when the DNS Server stops. The saved cache will be loaded next time the DNS Server starts.
Note! The DNS Server will attempt to save cache to disk when it stops which may take time depending on the cache size. If the DNS Server takes a lot of time to stop then it may lead to the OS killing the DNS Server process causing an incomplete cache to be stored on disk.
Serve Stale
Enable Serve Stale
Enable the Serve Stale feature to improve resiliency by using expired or stale records in cache to respond when the DNS Server is unable to reach the upstream or authoritative name servers to refresh the expired records before the Max Wait Time configured below.
Serve Stale TTL seconds (recommended 259200/3d)
The TTL value in seconds which should be used for cached records that have expired. When the serve stale TTL also expires for a stale record, it is removed from the cache. The recommended value is between 1 and 3 days; the maximum supported value is 7 days.
Serve Stale Answer TTL seconds (valid range 0-300/5m; recommended 30)
The TTL value in seconds which should be used for the records in a stale response. This is the TTL value that the client will be using to cache the stale records.
Serve Stale Reset TTL seconds (valid range 10-900/15m; recommended 30)
The TTL value in seconds which should be used to reset the stale record's TTL value in the cache when the resolver fails to refresh the data. The TTL reset causes the stale records to become valid again so that they can be used to serve requests normally. This reset effectively prevents the resolver from attempting to frequently update the stale records.
Serve Stale Max Wait Time milliseconds (valid range 0-1800; default 1800)
The time in milliseconds that the DNS Server must wait for the resolver before serving stale records from the cache. Lower value will ensure faster response at the expense of not getting updated data from the upstream. Setting value to 0 will instantly return stale answer without waiting for the resolver to fetch updates from the upstream.
Cache Maximum Entries (default 10000; set 0 for unlimited entries)
The maximum number of entries that the cache can store. A relevant value should be configured by monitoring the Cache entries value on Dashboard and the server's memory usage to limit the amount of RAM used by the DNS Server. A cache entry is a complete Resource Record Set (RR Set) which is a group of records with the same type for a given domain name. When a value is configured, the DNS Server will trigger a clean up operation every few minutes and remove least recently used entries to maintain the maximum allowed entries in cache.
Cache Minimum TTL seconds (recommended 10)
The minimum TTL value that a record can have in the cache. Set a value to make sure that records with a TTL value less than it stay in the cache for at least that duration.
Cache Maximum TTL seconds (default 604800/1w)
The maximum TTL value that a record can have in the cache. Set a lower value to allow the records to expire early.
Cache Negative TTL seconds (recommended 300/5m)
The negative TTL value to use when there is no SOA MINIMUM value available. Negative caching stores records in cache for NXDOMAIN and NODATA responses.
Cache Failure TTL seconds (recommended 10)
The failure TTL value to be used for caching failure responses. This stores a failure record in the cache and prevents frequent recursive resolution requests to name servers that are responding with ServerFailure or failing to respond.
Prefetch Eligibility seconds (recommended 2)
The minimum initial TTL value of a record needed to be eligible for prefetching.
Prefetch Trigger seconds (recommended 9; set 0 to disable prefetching & auto prefetching)
A record with TTL value less than trigger value will initiate prefetch operation immediately for itself.
Auto Prefetch Sampling minutes (valid range 1-60; default 5)
The interval to sample eligible domain names from last hour stats for auto prefetch.
Auto Prefetch Eligibility hits/hour (default 30)
Minimum required hits per hour for a domain name to be eligible for auto prefetch.
The DNS Server cache auto prefetch option can keep eligible domain names from last hour stats "hot" in cache. Auto prefetch eligibility value can be decided by keeping an eye on the hits shown for last hour on the dashboard. Experiment with auto prefetch sampling interval and eligibility to get best results.
Blocking
Enable Blocking
Sets the DNS Server to block domain names using Blocked Zone and Block List Zone.
Allow TXT Blocking Report
Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests. This option also enables Extended DNS Error blocked domain report in response for requests that support EDNS.
Blocking Temporarily Disabled Till
minutes
Temporary Disable Now
Blocking Bypass List
Enter IP addresses or network addresses one below another that are allowed to bypass blocking.
Blocking Type
ANY Address
Uses 0.0.0.0 and :: IP addresses for blocked domain names.
NX Domain (recommended)
Uses NX Domain response for blocked domain names.
Custom Address Uses custom IP addresses provided below for blocked domain names.
Custom Blocking Addresses (IP Address)
Blocking Answer TTL seconds (default 30)
The TTL value in seconds that must be used for the records in a blocking response. This is the TTL value that the client will use to cache the blocking response.
Allow / Block List URLs Quick Add
Enter block list URLs one below the other in the above text field, or use the Quick Add list to add known block list URLs.
For directly using block list files saved on this server, use the file:// formatted URL path. For example, on Linux the URL should look like file:///home/folder/myblocklist.txt and on Windows it should look like file:///c:/folder/myblocklist.txt.
Add a ! character at the start of a URL to make it an allow list URL. This option must not be used with allow lists that use the Adblock Plus format, since that format already carries its own exception rules.
Begin a line with # character at the start to use it for comments.
Block List Update Interval hours (valid range 0-168; default 24; set 0 to disable)
The interval in hours to automatically download and update the block lists.
Block List Next Update On Update Now
Click the 'Update Now' button to reset the next update schedule and force download and update of the block lists.
Note! The DNS Server will use the data returned by the block list URLs to update the block list zone automatically. The expected file format is standard hosts file format, plain text file containing list of domains to block, wildcard block list file format, or Adblock Plus file format.
Warning! The DNS Server loads all block lists in memory and thus it is expected that the server is provisioned with sufficient amount of memory to avoid out of memory issues. On average, 1 million domain names in block list take about 300 MB of memory. The block list update process requires additional memory to load the newly downloaded block lists before it replaces the previously loaded block lists in memory.
Note! To customize the Quick Add drop down list, read the instructions given in the www/json/readme.txt file found in the installation folder.
Help: Blocking Internet Ads Using DNS Sinkhole
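The parser below is an added example, not the DNS Server's own block list loader, covering the two pieces of syntax this section describes: the URL textarea (a leading ! marks an allow list, # lines are comments) and the four list formats the note names (hosts file, plain domain list, wildcard, Adblock Plus with its @@ exception rules). Matching walks from the queried name up through its parents so that a blocked domain also covers its subdomains, and an allow entry anywhere on that path wins. The sample list text and the URL textarea text are constructed; skipping the names a hosts file maps to the machine itself (localhost and friends) and ignoring Adblock Plus rules that carry $options, paths or wildcards are choices made for this example.

```python
import re

HOSTNAME = re.compile(r"^[a-z0-9_-]+(\.[a-z0-9_-]+)*$")
# Names a hosts file maps to loopback for the host itself; skipped here so a
# hosts-format list does not sinkhole "localhost" (this example's choice).
HOSTS_FILE_SELF = {"localhost", "localhost.localdomain", "local", "broadcasthost",
                   "ip6-localhost", "ip6-loopback"}


def normalize(name):
    return name.strip().rstrip(".").lower()


def parse_list_urls(text):
    """The Allow / Block List URLs textarea: '#' lines are comments and a leading
    '!' turns the URL into an allow list. Returns [(url, is_allow_list), ...]."""
    urls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        is_allow = line.startswith("!")
        urls.append((line[1:].strip() if is_allow else line, is_allow))
    return urls


def parse_list(text):
    """Parse one downloaded list in hosts, plain, wildcard or Adblock Plus format.
    Returns (blocked, allowed) sets of normalized domain names."""
    blocked, allowed = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#![":          # '#' comments, ABP '!' comments, '[Adblock ...]' header
            continue
        target = blocked
        if line.startswith("@@"):                 # ABP exception rule -> allow list
            target, line = allowed, line[2:]
        if line.startswith("||"):                 # ABP domain rule: ||example.com^
            if "$" in line:
                continue                          # rules with options are not plain domain blocks
            line = line[2:].split("^", 1)[0]
            if "/" in line or "*" in line:
                continue
            names = [line]
        else:
            parts = line.split("#", 1)[0].split()  # trailing comment in hosts / plain lists
            if not parts:
                continue
            names = parts[1:] if len(parts) > 1 else parts   # hosts format: <address> <name>...
        for name in names:
            if name.startswith("*."):             # wildcard format covers the domain itself too
                name = name[2:]
            name = normalize(name)
            if name in HOSTS_FILE_SELF or len(name) > 253 or not HOSTNAME.match(name):
                continue
            target.add(name)
    return blocked, allowed


def is_blocked(name, blocked, allowed):
    """Allow entries on the name's path win; otherwise any block entry on the
    path sinkholes the name (a blocked domain covers its subdomains)."""
    labels = normalize(name).split(".")
    candidates = [".".join(labels[i:]) for i in range(len(labels))]
    if any(c in allowed for c in candidates):
        return False
    return any(c in blocked for c in candidates)


# Constructed sample mixing the accepted formats in one file.
SAMPLE_LIST = """
# constructed sample
127.0.0.1 localhost
0.0.0.0 ads.example.com tracker.example.net   # hosts format
metrics.example.org                           # plain domain list
*.cdn-ads.example                             # wildcard format
[Adblock Plus 2.0]
! Adblock Plus comment
||banner.example.com^
||popup.example.com^$third-party
@@||safe.example.com^
@@||ok.tracker.example.net^
"""

# Constructed contents of the Allow / Block List URLs textarea.
SAMPLE_URLS = """
# constructed
https://example.com/blocklist.txt
!https://example.com/allowlist.txt
file:///home/folder/myblocklist.txt
"""
```

A real loader would fetch each URL from parse_list_urls, run parse_list on the body, and merge the sets, adding the whole result of an !-prefixed URL to the allowed set; the memory note above follows from every one of these names being held in memory.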
Network Proxy
No Proxy (default)
HTTP Proxy
SOCKS5 Proxy
Proxy Server Address
Proxy Server Port
Username
Password
Proxy Bypass List
Enter IP addresses, network addresses or domain names to never proxy.
Note! When proxy server is configured, DNS Server will use it for all outbound network requests.
Forwarders (Quick Select)
Enter forwarder DNS Server IP addresses or URLs one below the other in the above text field, or use the Quick Select list to select a desired forwarder.
Forwarder Protocol
DNS-over-UDP (default)
DNS-over-TCP
DNS-over-TLS
DNS-over-HTTPS
DNS-over-QUIC
Select a protocol that this DNS Server must use to query the forwarders specified above.
Concurrent Forwarding
Enable Concurrent Forwarding
Enable this option to query two or more forwarders concurrently instead of querying them sequentially in the order given. The DNS Server will automatically select which forwarders to query (based on their average latency) and use the fastest response it receives from any of them. If none of the selected forwarders respond in time, the DNS Server will select forwarders from the remaining ones in the same way and query them until all have been tried before giving up.
Forwarder Concurrency (valid range 1-10; default 2)
The number of concurrent requests that must be sent when Concurrent Forwarding is enabled for resolving a domain name.
Note! Forwarders are upstream DNS servers which this DNS Server must use to resolve domain names. If no forwarders are configured, the DNS Server will use the preconfigured root hints to perform recursive resolution itself.
Note! The https URL scheme supports only the DNS-over-HTTPS/2 and DNS-over-HTTPS/1.1 protocols. For DNS-over-HTTPS/3, use the h3 URL scheme instead of https, but note that there is no protocol fallback if the connection attempt fails.
Note! The DNS Server uses an Epsilon-Greedy (multi-armed bandit) algorithm and will automatically learn which of the forwarders answer faster without errors and will use those forwarders most of the time.
Note! To customize the Quick Select drop down list, read the instructions given in the www/json/readme.txt file found in the installation folder.
Help: Configuring DNS Server For Privacy & Security
Help: Configuring DNS-over-QUIC and HTTPS/3 For Technitium DNS Server
Forwarder Retries (valid range 1-10; default 3)
The total number of retries the forwarder or conditional forwarder resolver must make per upstream DNS Server.
Forwarder Timeout milliseconds (valid range 1000-10000; default 2000)
The amount of time the forwarder or conditional forwarder resolver must wait for a response before retrying.
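Worked example, added here and not Technitium DNS Server's own code: a model of Concurrent Forwarding as described above, with epsilon-greedy selection of forwarders by average latency, the Forwarder Concurrency, Forwarder Retries and Forwarder Timeout settings, and the fallback to the remaining forwarders when a whole batch fails. The latency bookkeeping (sliding window, failures scored as the timeout), the epsilon value, the class and function names and the simulated upstream latencies are this example's assumptions; the server's actual internals are not shown on this page.

```python
# Added example (not Technitium DNS Server code): epsilon-greedy concurrent forwarding.
# Window size, failure penalty and epsilon are this example's assumptions.
import math
import random


class Forwarder:
    def __init__(self, address):
        self.address = address
        self.samples = []          # recent latencies in ms; a failed query counts as the timeout

    def average(self):
        """Lower is better; an untried forwarder sorts last (infinite) until measured."""
        return sum(self.samples) / len(self.samples) if self.samples else math.inf

    def record(self, latency_ms, window=32):
        self.samples.append(latency_ms)
        del self.samples[:-window]  # sliding window, so a recovered server can climb back


class ConcurrentForwarding:
    def __init__(self, addresses, concurrency=2, retries=3, timeout_ms=2000,
                 epsilon=0.1, seed=None):
        self.forwarders = [Forwarder(a) for a in addresses]
        self.concurrency = concurrency      # Forwarder Concurrency (1-10, default 2)
        self.retries = retries              # Forwarder Retries (1-10, default 3)
        self.timeout_ms = timeout_ms        # Forwarder Timeout (1000-10000 ms, default 2000)
        self.epsilon = epsilon              # exploration rate: an assumption of this example
        self.rng = random.Random(seed)

    def select(self, candidates):
        """Epsilon-greedy: exploit the lowest average latencies, but with probability epsilon
        swap the last pick for a random other candidate, so a forwarder that was slow or
        failing earlier is measured again instead of being starved forever."""
        ranked = sorted(candidates, key=Forwarder.average)
        picks = ranked[:self.concurrency]
        rest = ranked[len(picks):]
        if rest and self.rng.random() < self.epsilon:
            picks[-1] = self.rng.choice(rest)
        return picks

    def _attempt(self, forwarder, query):
        """Up to `retries` attempts against one upstream; each may wait at most timeout_ms."""
        for _ in range(self.retries):
            latency = query(forwarder.address, self.timeout_ms)
            if latency is not None and latency <= self.timeout_ms:
                forwarder.record(latency)
                return latency
        forwarder.record(self.timeout_ms)   # all attempts failed: score it as slowest possible
        return None

    def resolve(self, query):
        """query(address, timeout_ms) -> latency in ms, or None for an error/timeout.
        Returns (address, latency) of the fastest answer, or None when every forwarder failed."""
        remaining = list(self.forwarders)
        while remaining:
            batch = self.select(remaining)
            for f in batch:
                remaining.remove(f)
            # The real server sends these in parallel; sequential calls model the same choice.
            answers = []
            for f in batch:
                latency = self._attempt(f, query)
                if latency is not None:
                    answers.append((latency, f.address))
            if answers:
                latency, address = min(answers)
                return address, latency
        return None


def simulate(rounds=200, seed=1):
    """Constructed upstream behaviour: one fast, one slow and one dead forwarder.
    Returns how often each address supplied the winning answer."""
    rng = random.Random(seed)
    base = {"192.0.2.53": 20.0, "198.51.100.53": 90.0, "203.0.113.53": None}

    def query(address, timeout_ms):
        mean = base[address]
        return None if mean is None else max(1.0, rng.gauss(mean, mean / 5))

    fwd = ConcurrentForwarding(list(base), seed=seed)
    chosen = {}
    for _ in range(rounds):
        address, _latency = fwd.resolve(query)
        chosen[address] = chosen.get(address, 0) + 1
    return chosen


if __name__ == "__main__":
    print(simulate())
```

With epsilon set to 0 the selector never revisits a forwarder that once failed, which is exactly the behaviour the exploration step exists to avoid; the simulation shows the dead forwarder still costing retries x timeout whenever it is explored, which is why the Forwarder Timeout and Forwarder Retries values above bound the worst-case latency of a query.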
Enable Logging To
None Disables all logging including error logs and audit logs.
File Enables logging errors and audit logs to the log file.
Console Enables logging errors and audit logs to the console.
Both File And Console Enables logging errors and audit logs to both the log file and console.
Logging Options
Ignore Resolver Error Logs
Enable this option to stop logging domain name resolution errors into the log file.
Log All Queries
Enable this option to log every query received by this DNS Server and the corresponding response answers into the log file.
Use Local Time
Enable this option to use local time instead of UTC for logging.
Log Folder Path
The folder path on the server where the log files should be saved. The path can be relative to the DNS Server's config folder.
Max Log File Days days (default 365, set 0 to disable auto delete)
Max number of days to keep the log files. Log files older than the specified number of days will be deleted automatically.
Warning! Enabling query logging will significantly increase the log file size and use up disk space.
Stats
Enable In-Memory Stats
This option enables in-memory stats only: just the Last Hour data will be available on the Dashboard, and no stats data will be stored on disk.
Max Stat File Days days (default 365, set 0 to disable auto delete)
Max number of days to keep the dashboard stats. Stat files older than the specified number of days will be deleted automatically.
Save Settings / Flush Cache
Backup Settings / Restore Settings
| Scope | MAC Address | IP Address | Host Name | Lease Obtained | Lease Expires | ||
|---|---|---|---|---|---|---|---|
| Total Leases: 0 |
Add Scope
| Name | Scope Range/Subnet Mask | Network/Broadcast | Interface | |
|---|---|---|---|---|
| Total Leases: 0 |
Name
Starting Address
Ending Address
Subnet Mask
Lease Time: Days / Hours / Minutes
The duration for which the clients should be leased the IP address.
Offer Delay Time milliseconds
The time duration that the DHCP server delays sending a DHCPOFFER message.
Ping Check
Enable Ping Check
Enable this option to allow DHCP server to find out if an IP address is already in use to prevent IP address conflict when some of the devices on the network have manually configured IP addresses.
Ping Check Timeout milliseconds (default 1000)
The timeout interval to wait for a ping reply.
Ping Check Retries (default 2)
The maximum number of ping requests to try.
Warning! Ping check would work as expected only when you make sure that all the client devices with manually configured IP addresses on the network respond to a ping request. Devices running Microsoft Windows by default drop ping requests at host firewall and will cause this ping check to fail to detect in use IP addresses. It is recommended to not rely on this option and instead make sure that you exclude a range of addresses using Exclusions and manually assign IP addresses to your devices only in the excluded range.
Domain Name
The domain name for this network, which allows assigning a fully qualified domain name to clients. Use a domain name that you own, or one that is not in common use such as 'home' or 'lan', so that you don't block out an existing domain name. (Option 15)
Domain Search List
The list of domain names that the clients can use as a suffix when searching a domain name. (Option 119)
DNS Updates
Enable DNS Updates
Enable this option to allow the DHCP server to automatically update forward and reverse DNS entries for clients.
Enable DNS Overwrite For Dynamic Lease
Enable this option to allow the DHCP server to overwrite existing DNS A record matching the client domain name for dynamic leases.
DNS TTL seconds (default 900/15m)
The TTL value of the DNS records updated for the above provided domain name.
Router Address
The default gateway IP address to be used by the clients. (Option 3)
DNS Servers
Use This DNS Server
Enable this option to automatically use this DNS Server.
The DNS Server IP addresses to be used by the clients. (Option 6)
WINS Servers
The NBNS/WINS server IP addresses to be used by the clients. (Option 44)
NTP Servers
The Network Time Protocol (NTP) server IP addresses to be used by the clients. (Option 42)
NTP Server Domain Names
Enter NTP server domain names (e.g. pool.ntp.org) above that the DHCP server should automatically resolve and pass the resolved IP addresses to clients as NTP server option. (Option 42)
Static Routes
| Destination | Subnet Mask | Router | Add |
|---|---|---|---|
The static routes to be used by the clients for accessing specified destination networks. (Option 121)
Bootstrap Server Address
The IP address of next server (TFTP) to use in bootstrap by the clients. If not specified, the DHCP server's IP address is used. (siaddr)
Bootstrap Server Host Name
The optional bootstrap server host name to be used by the clients to identify the TFTP server. (sname/Option 66)
Boot File Name
The boot file name stored on the bootstrap TFTP server to be used by the clients. (file/Option 67)
Vendor Specific Information
| Vendor Class Identifier | Vendor Specific Information | Add |
|---|---|---|
The Vendor Specific Information (option 43) to be sent to the clients that match the Vendor Class Identifier (option 60) in the request. The Vendor Class Identifier can be an empty string to match any identifier, a string to be matched exactly, or a substring match, for example substring(vendor-class-identifier,0,9)=="PXEClient". The Vendor Specific Information must be either a colon (:) separated hex string or a plain hex string, for example 06:01:03:0A:04:00:50:58:45:09:14:00:00:11:52:61:73:70:62:65:72:72:79:20:50:69:20:42:6F:6F:74:FF OR 0601030A0400505845091400001152617370626572727920506920426F6F74FF.
CAPWAP Access Controller Addresses
The Control And Provisioning of Wireless Access Points (CAPWAP) Access Controller IP addresses to be used by Wireless Termination Points to discover the Access Controllers to which they are to connect. (Option 138)
TFTP Server Addresses
The TFTP Server Address or the VoIP Configuration Server Address. (Option 150)
Generic DHCP Options
| Code | Hex Value | Add |
|---|---|---|
This feature allows you to define DHCP options that are not yet directly supported. To add an option, use the DHCP option code defined for it and enter the value in either a colon (:) separated hex string or a normal hex string format, for example C0:A8:01:01 OR C0A80101.
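Worked example, added here and not Technitium DHCP server code, covering both the Vendor Specific Information field and the Generic DHCP Options field above: a parser for the two hex spellings both fields accept, a TLV encoder/decoder for option 43 sub-options, a decoder for the PXE sub-options that the sample string above contains (PXE specification v2.1: sub-option 6 is PXE_DISCOVERY_CONTROL, 9 is PXE_BOOT_MENU, 10 is PXE_MENU_PROMPT), and a matcher for the three Vendor Class Identifier forms listed (empty, exact, substring). The function names, the handling of 0x00 padding inside option 43 and the decoding of the sample as a PXE menu are this example's assumptions.

```python
# Added example (not Technitium DHCP server code). Function names and the 0x00
# padding rule are this example's assumptions; sub-option meanings follow PXE v2.1.
import re


def parse_hex(text):
    """'C0:A8:01:01' or 'C0A80101' -> bytes; anything else is rejected."""
    clean = text.replace(":", "").strip()
    if len(clean) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", clean):
        raise ValueError(f"not a hex string: {text!r}")
    return bytes.fromhex(clean)


def to_hex(data, colon=True):
    """bytes -> the colon-separated (default) or plain hex form the scope editor accepts."""
    return ":".join(f"{b:02X}" for b in data) if colon else data.hex().upper()


def decode_option43(payload):
    """Option 43 is a list of <code><len><value> sub-options; 0xFF ends it, 0x00 is padding."""
    subs, i = [], 0
    while i < len(payload):
        code = payload[i]
        if code == 0xFF:
            break
        if code == 0x00:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated sub-option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"sub-option {code} declares {length} bytes, got {len(value)}")
        subs.append((code, value))
        i += 2 + length
    return subs


def encode_option43(subs):
    """Inverse of decode_option43: TLV list -> bytes terminated by 0xFF."""
    if any(len(v) > 255 for _, v in subs):
        raise ValueError("sub-option value longer than 255 bytes")
    return b"".join(bytes([code, len(value)]) + value for code, value in subs) + b"\xFF"


def describe_pxe(subs):
    """Human-readable view of the PXE sub-options used in the sample string above."""
    info = {}
    for code, value in subs:
        if code == 6:                        # PXE_DISCOVERY_CONTROL: one flag byte
            info["discovery_control"] = value[0]
        elif code == 9:                      # PXE_BOOT_MENU: type(2) length(1) description
            n = value[2]
            info["boot_menu"] = (int.from_bytes(value[:2], "big"), value[3:3 + n].decode("ascii"))
        elif code == 10:                     # PXE_MENU_PROMPT: timeout(1) prompt text
            info["menu_prompt"] = (value[0], value[1:].decode("ascii"))
    return info


_SUBSTRING = re.compile(r'^substring\(vendor-class-identifier,(\d+),(\d+)\)=="(.*)"$')


def vendor_class_matches(rule, vci):
    """'' matches any client; a substring(...) rule compares a slice; otherwise exact match."""
    if rule == "":
        return True
    m = _SUBSTRING.match(rule)
    if m:
        start, length, expected = int(m.group(1)), int(m.group(2)), m.group(3)
        return vci[start:start + length] == expected
    return rule == vci


# the sample string from the scope editor text above
PXE_EXAMPLE = ("06:01:03:0A:04:00:50:58:45:09:14:00:00:11:52:61:73:70:62:65:72:72:79"
               ":20:50:69:20:42:6F:6F:74:FF")

if __name__ == "__main__":
    subs = decode_option43(parse_hex(PXE_EXAMPLE))
    print(subs, describe_pxe(subs))
    print(vendor_class_matches('substring(vendor-class-identifier,0,9)=="PXEClient"',
                               "PXEClient:Arch:00000:UNDI:002001"))
```

Decoding the sample shows why the substring form matters for PXE: a real PXE client sends a Vendor Class Identifier such as PXEClient:Arch:00000:UNDI:002001, so an exact match on PXEClient would never fire, while comparing the first nine characters does. The same parse_hex() serves the Generic DHCP Options field, whose example C0:A8:01:01 is just the four raw bytes of 192.168.1.1 with no TLV structure.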
Exclusions
| Starting Address | Ending Address | Add |
|---|---|---|
The IP address ranges that must be excluded, i.e. never assigned dynamically to any client by the DHCP server.
Note! Make sure to exclude address ranges if you plan to manually assign IP addresses to some of the devices or to assign reserved leases so that these IP addresses are not dynamically allocated in the first place.
Advanced Options
Allow Only Reserved Lease Allocations
Enable this option to stop dynamic IP address allocation and allocate only reserved IP addresses.
Block Locally Administered MAC Addresses
Enable this option to stop dynamic IP address allocation for clients with locally administered MAC addresses. A MAC address with the 0x02 bit set in its first octet is a locally administered address, which usually means that the device is not using its factory-assigned MAC address.
Ignore Client Identifier (Option 61)
When this option is enabled, the client's MAC address is always used as the identifier for allocating a lease instead of the Client Identifier (Option 61) sent by the client in the request. Some Linux distros use a custom Client Identifier instead of the device's MAC address, which causes problems when the Virtual Machine (VM) in which the OS is installed is cloned: the original and the cloned client both get the same IP address allocated. Problems can also occur when the same client changes its Client Identifier and starts getting a different IP address lease. Enabling the Ignore Client Identifier option fixes such issues. Changing this option may cause existing clients to get a different IP lease on renewal.
Reserved Leases
| Host Name | MAC Address | IP Address | Comments | Add |
|---|---|---|---|---|
The reserved IP addresses to be assigned to specific clients based on their MAC address. Set a hostname to override the client's hostname.
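Worked example, added here and not Technitium DHCP server code: a model of how the Advanced Options and Reserved Leases above change lease allocation, including the cloned-VM case in which the same MAC address arrives with two different Client Identifiers. Reserved leases match on MAC address and exclusions are never handed out dynamically, as the text describes; the allocation order (lowest free address first), the reason strings and the class layout are this example's assumptions.

```python
# Added example (not Technitium DHCP server code). Allocation order and the
# reason strings returned are this example's assumptions.
import ipaddress


def normalize_mac(mac):
    return mac.lower().replace("-", ":")


def is_locally_administered(mac):
    """The 0x02 bit of the first octet marks a locally administered (non-factory) MAC."""
    return bool(int(normalize_mac(mac).split(":")[0], 16) & 0x02)


class Scope:
    def __init__(self, start, end, exclusions=(), reserved=None,
                 allow_only_reserved=False, block_locally_administered=False,
                 ignore_client_identifier=False):
        self.start = int(ipaddress.IPv4Address(start))
        self.end = int(ipaddress.IPv4Address(end))
        self.exclusions = [(int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b)))
                           for a, b in exclusions]
        self.reserved = {normalize_mac(m): ip for m, ip in (reserved or {}).items()}
        self.allow_only_reserved = allow_only_reserved
        self.block_locally_administered = block_locally_administered
        self.ignore_client_identifier = ignore_client_identifier
        self.leases = {}      # lease identifier -> IP address

    def identifier(self, mac, client_id):
        """Key a lease is stored under: Option 61 when present and not ignored, else the MAC."""
        if client_id is not None and not self.ignore_client_identifier:
            return ("client-id", client_id)
        return ("mac", normalize_mac(mac))

    def _excluded(self, addr):
        return any(lo <= addr <= hi for lo, hi in self.exclusions)

    def allocate(self, mac, client_id=None):
        """Return (ip or None, reason) for a DHCPDISCOVER from this client."""
        mac = normalize_mac(mac)
        key = self.identifier(mac, client_id)
        if key in self.leases:
            return self.leases[key], "renewed"
        if mac in self.reserved:                       # reserved leases match on MAC only
            self.leases[key] = self.reserved[mac]
            return self.reserved[mac], "reserved"
        if self.allow_only_reserved:
            return None, "dynamic allocation disabled"
        if self.block_locally_administered and is_locally_administered(mac):
            return None, "locally administered MAC blocked"
        taken = set(self.leases.values()) | set(self.reserved.values())
        for n in range(self.start, self.end + 1):
            ip = str(ipaddress.IPv4Address(n))
            if ip in taken or self._excluded(n):
                continue
            self.leases[key] = ip
            return ip, "dynamic"
        return None, "scope exhausted"


if __name__ == "__main__":
    # constructed scope: 192.168.1.10-20, .10-.12 excluded, one reservation
    scope = Scope("192.168.1.10", "192.168.1.20", exclusions=[("192.168.1.10", "192.168.1.12")],
                  reserved={"AA-BB-CC-DD-EE-FF": "192.168.1.15"})
    print(scope.allocate("aa:bb:cc:dd:ee:ff"))
    print(scope.allocate("00:11:22:33:44:66", client_id="id-a"))
    print(scope.allocate("00:11:22:33:44:66", client_id="id-b"))   # cloned VM: second lease
```

The cloned-VM lines in the usage block show the symptom the Ignore Client Identifier text describes: with the option off, the same MAC with a new Option 61 value is a new client and consumes a second address; with it on, identifier() collapses both to the MAC and the second request is a renewal of the first lease.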
Save / Cancel
Create Token
| Username | Session | Last Seen | Remote Address | User Agent | |
|---|---|---|---|---|---|
| --- |
Add User
| Username | Display Name | Type | 2FA Status | Status | Recent Login | Previous Login | |
|---|---|---|---|---|---|---|---|
| --- |
Add Group
| Name | Description | |
|---|---|---|
| --- |
| Section | User Permissions | Group Permissions | |
|---|---|---|---|
| --- |
Single Sign-On (SSO)
Enable Single Sign-On (SSO)
Enable to allow Single Sign-On (SSO) with OpenID Connect (OIDC).
Authority (Issuer)
The OpenID Connect (OIDC) Authority URL.
Client ID
The OpenID Connect (OIDC) Client ID.
Client Secret
The OpenID Connect (OIDC) Client Secret.
Metadata Address (Optional)
The OpenID Connect (OIDC) metadata discovery URL to be used instead of the default one. Configure this option only if the Single Sign-On (SSO) provider uses a different discovery URL.
Scopes
| Scope Name | Add |
|---|---|
Enter the scopes to be sent to the Single Sign-On (SSO) provider. The scopes openid and profile are mandatory and will be automatically added if missing. Add the scope email if you want to use email address as the username for all SSO users that sign up for an account.
SSO User Sign Up
Allow New User Sign Up
Enable to allow automatic provisioning of user accounts for new users signing in via Single Sign-On (SSO). Keep this option disabled if you do not expect new SSO users to sign up.
Allow Sign Up Only For Mapped Users
Enable to allow a new user to sign up via Single Sign-On (SSO) only when the user is a member of at least one Remote Group that is mapped to a Local Group in the Group Map option below. This lets SSO administrators control who can sign up and get access based on their group memberships.
Group Map (Optional)
| Remote Group | Local Group | Add |
|---|---|---|
Map Remote Groups at the Single Sign-On (SSO) provider to Local Groups for both new and existing users signed up via Single Sign-On (SSO). An SSO user's group membership will be automatically synced to the mapped Local Groups each time they log in. If your SSO provider does not include a group membership claim by default, you will have to add a groups or roles scope in the Scopes option above, as required by the SSO provider.
Note! Single Sign-On (SSO) uses /sso/callback as the callback path. Thus the SSO Redirect URI to configure with the SSO provider is the URL at which this DNS Server's web console is reached, followed by that path, for example http://localhost:5380/sso/callback for a default local installation.
Note! Single Sign-On (SSO) will be enabled only when all of the required parameters are configured correctly. If SSO does not work for any reason, check the Logs section on the panel and search for related error logs.
Note! When a Single Sign-On (SSO) user signs up with the DNS Server, an account for the user is created which uses the email address as the username. If email address is not available, the preferred username is used instead. If you do not wish to use email address as the username, you can remove the email scope from the Scopes option above.
Note! The Single Sign-On (SSO) user's Display Name and Username are managed via the SSO provider and they are automatically synced each time a user logs in.
Note! When Group Map is configured, the Single Sign-On (SSO) user's group membership cannot be managed locally and any group membership changes must be made at the SSO provider itself. SSO users need to log in again so that group membership changes made at the SSO provider are applied to their user accounts. The Group Map thus allows managing user access centrally via the SSO provider. Keep the Group Map empty if group membership for SSO users is to be managed via the DNS Server itself.
Note! The Web Service will be automatically restarted to apply these changes thus there is no need to restart the DNS Server manually.
Note! When using a reverse proxy in front of the Web Service, the proxy must add the X-Forwarded-Proto and X-Forwarded-Host headers to the proxied request so that the Web Service can correctly form the SSO Redirect URI. If the reverse proxy uses a path prefix, it must also add the X-Forwarded-Prefix header. For example, if you are using nginx as the reverse proxy with a path prefix of /dns, add the following directives: proxy_set_header X-Forwarded-Proto $scheme;, proxy_set_header X-Forwarded-Host $host;, proxy_set_header X-Forwarded-Prefix /dns; and proxy_redirect / /dns/;
Warning! All URLs configured above must use https URL scheme for production environments. Using http URL scheme is not secure and should be used only for testing purposes.
Warning! Any DNS related failure may cause Single Sign-On (SSO) to fail to work making it impossible for SSO users to log in to fix the DNS issue due to circular dependency. Thus, it is recommended to maintain a local administrator user account for such scenarios.
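Worked example, added here and not Technitium DNS Server's own SSO code, covering the Scopes, SSO User Sign Up and Group Map options and the reverse proxy note above: the scope list actually sent, the username choice (email when available, otherwise the preferred username), the sign-up gate, the Group Map sync on every login, the SSO Redirect URI formed from X-Forwarded-* headers, and a check for the https requirement. Claim names follow OpenID Connect conventions (email, preferred_username); the settings dict layout, the lookup of the remote groups in a groups or roles claim, the function names and the return values are this example's assumptions.

```python
# Added example (not Technitium DNS Server code). Settings layout, claim lookup
# order and return values are this example's assumptions.
from urllib.parse import urlsplit

MANDATORY_SCOPES = ("openid", "profile")


def effective_scopes(configured):
    """The scopes actually sent: openid and profile are added when missing, order kept."""
    scopes = list(dict.fromkeys(s.strip() for s in configured if s.strip()))
    return [s for s in MANDATORY_SCOPES if s not in scopes] + scopes


def username_from_claims(claims):
    """email when the provider returned one (email scope requested), else preferred_username."""
    return claims.get("email") or claims.get("preferred_username")


def mapped_local_groups(remote_groups, group_map):
    """Group Map rows (remote, local) -> sorted local groups this user belongs to."""
    remote = set(remote_groups)
    return sorted({local for r, local in group_map if r in remote})


def provision(claims, existing_users, settings):
    """Decide what happens at login. existing_users: username -> list of local groups.
    settings keys: allow_signup, signup_only_mapped, group_map (list of (remote, local)).
    Returns (action, username, local_groups) with action in login / signup / deny."""
    username = username_from_claims(claims)
    if not username:
        return "deny", None, []
    remote_groups = claims.get("groups") or claims.get("roles") or []   # assumption: claim names
    mapped = mapped_local_groups(remote_groups, settings["group_map"])
    if username in existing_users:
        # With a Group Map, membership is synced from the provider on every login;
        # with an empty map it stays whatever was set locally on the DNS server.
        groups = mapped if settings["group_map"] else existing_users[username]
        return "login", username, groups
    if not settings["allow_signup"]:
        return "deny", username, []
    if settings["signup_only_mapped"] and not mapped:
        return "deny", username, []
    return "signup", username, mapped


def redirect_uri(request_headers, local_base="http://localhost:5380"):
    """<scheme>://<host><prefix>/sso/callback. Behind a reverse proxy the X-Forwarded-*
    headers replace the local listener's scheme and host so the URI matches what the
    browser uses and what is registered at the provider."""
    h = {k.lower(): v for k, v in request_headers.items()}
    parts = urlsplit(local_base)
    scheme = h.get("x-forwarded-proto", parts.scheme)
    host = h.get("x-forwarded-host", parts.netloc)
    prefix = h.get("x-forwarded-prefix", "").rstrip("/")
    return f"{scheme}://{host}{prefix}/sso/callback"


def insecure_urls(*urls):
    """Authority, Metadata Address or Redirect URI values that are not https."""
    return [u for u in urls if u and urlsplit(u).scheme != "https"]


if __name__ == "__main__":
    settings = {"allow_signup": True, "signup_only_mapped": True,
                "group_map": [("dns-admins", "Administrators")]}
    claims = {"email": "alice@example.com", "preferred_username": "alice",
              "groups": ["dns-admins", "staff"]}                         # constructed claims
    print(provision(claims, {}, settings))
    print(redirect_uri({"X-Forwarded-Proto": "https", "X-Forwarded-Host": "dns.example.com",
                        "X-Forwarded-Prefix": "/dns"}))
```

Two practitioner notes that follow from the code: the remote group names compared in mapped_local_groups() only exist in the claims if the provider was asked for them, which is what the groups or roles scope in the note above is for; and because redirect_uri() trusts X-Forwarded-* headers, the Web Service should only be reachable through the reverse proxy that sets them, so a client cannot supply its own values.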
Save Config
Initialize
Resync / Options / Leave Cluster / Delete Cluster
| Node Name | IP Address | URL | Type | State | Up Since | Last Seen | Last Synced | |
|---|---|---|---|---|---|---|---|---|
| --- |
Download / Delete
App Name
Class Path
Page Number
Logs Per Page: 10 / 25 / 50 / 100 / 250 / 500
Order: Ascending / Descending
From
To
Client IP Address
Protocol: UDP / TCP / TLS / HTTPS / QUIC / UDP Proxy / TCP Proxy
Response Type: Authoritative / Recursive / Cached / Blocked / Upstream Blocked / Upstream Blocked Cached
RCODE: No Error / Format Error / Server Failure / NX Domain / Not Implemented / Refused / YX Domain / YX RRSet / NX RRSet / Not Auth / Not Zone
Domain
Type
Class: IN / CS / CH / HS / NONE / ANY
Query / Export / Reset / Live Update
Found: 0 logs
| # | Timestamp | Client IP Address | Protocol | Response Type | RCODE | Domain | Type | Class | Answer | |
|---|---|---|---|---|---|---|---|---|---|---|
Found: 0 logs
|
Version
Server up since
Copyright (C) 2026 Shreyas Zare ([email protected])
This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions.
Source code available under GNU General Public License v3.0 on GitHub
Read the change log to know what's new in this release.
The DNS Server HTTP API allows any third-party app or script to configure the DNS Server. The HTTP API is used by this web console, so every action the web console performs can also be performed via the API. Read the HTTP API documentation for complete details.
Read the latest online help topics, which contain the DNS Server user manual and cover frequently asked questions.
For support, send an email to [email protected].
Follow @[email protected] on Mastodon.
Check out the Technitium Blog.
Join /r/technitium on Reddit.
Make a contribution to Technitium and help make new software, updates, and features possible.