Analyzing DNS-over-HTTPS And DNS-over-TLS Privacy and Security Claims

DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) are two new protocol options available for secure DNS transport. Of which DoH has been pretty controversial with strong opposition from notable people in the DNS community. There have been questions raised for even the existence of IETF DoH standard when DoT standard was already an option.

Firefox has builtin DoH support with Cloudflare DNS configured that is being rolled out as a default for all users in the USA. This has consequences of subverting local network policies of organizations or private networks. Firefox has announced a canary domain name that can be blocked locally to prevent Firefox to use DoH by default making the entire effort vulnerable to downgrade attacks.

There have been serious concerns raised about DoH as a means for centralization of the DNS infrastructure. There are only a few public DoH and DoT service providers and thus it attempts to centralize the DNS infrastructure. Sending a handful of DNS providers all your DNS traffic does not really improve your overall privacy. It is a trade-off that each user needs to decide on his/her own.

DNS is one important control planes in a network. It essentially allows network administrators to block content based on domain names making it quite useful tool in the arsenal. It is being widely used to provide content filtering services, parental controls, and to block known malware command and control. Its so popular that a lot of people install a locally running DNS server on their home networks to block Internet Ads using block lists.

Applications or devices using DoH by default will bypass all the local control measures configured by the network administrator. The argument for applications to use DoH is that it allows users to bypass censorship, and provide security and privacy. However, this might not be what the user expects without a consent.

But, are users of DoT or DoH really being protected? Lets first understand the default DNS-over-UDP/TCP (Do53), DoH and DoT protocols in technical terms.

Do53 is the core protocol that is used by the entire DNS infrastructure. By default all DNS queries use UDP protocol since it is more efficient for simple request/response queries. TCP is usually used only when the response is expected to be large enough to not be suitable for UDP. Do53 does not provide any security or privacy as anyone on network path can see all DNS requests and even manipulate responses essentially doing a man-in-the-middle attack. This has been exploited in many malware attacks that compromise routers and change DNS settings to use attacker's DNS server to spread further or to compromise users further. Many ISPs have also tried to hijack DNS to show advertisements when user enters a non-existent domain name in the web browser.

DoT protocol is really just DNS-over-TCP tunneled inside TLS. Thus it provides all the features from the core protocol with addition of on path security and privacy. DoT uses default TCP 853 port and thus is easy to block with any network firewall.

DoH uses HTTPS protocol to send and receive DNS data in wire format. This means that DoH server is really a standard web server with a back end web application reading the DNS requests and proxying them to a configured DNS server. DoH can also be directly supported by a DNS server using a built in web server. DoH, just like DoT, also provides on path security and privacy. Since DoH uses the same TCP 443 port that HTTPS uses, it becomes almost impossible to block it with a network firewall since firewall cannot distinguish between normal HTTPS traffic and DoH.

Since both DoT and DoH use TLS for security, they essentially look similar over network. In fact, if DoT is configured on port 443 instead of its default port 853, it too would become difficult to block with a network firewall. Thus the only benefit of DoH seems to be that it allows the service to be hosted using a standard web server where the same IP address and port is shared with multiple other HTTPS websites.

Even though both DoT and DoH claim to provide security and privacy there are multiple catches. Both DoT and DoH provide security only from client to the recursive DNS server thus they do not provide any end-to-end security. Client is essentially trusting a configured recursive DNS server.

Even when DNS requests are encrypted, you are still leaking domain names of website you visit due to TLS Server Name Indication (SNI) extension. SNI essentially allows a web server running on a single IP address to host multiple HTTPS websites. SNI extension includes the domain name of the website you visit so that the web server can use correct SSL/TLS certificate that is configured for that domain name. SNI thus can reliably be used as an option to block websites combined with DNS based filtering.

SNI extension is being upgraded to Encrypted SNI (ESNI) that will encrypt the entire SNI extension in the TLS request. But practically speaking, even when ESNI becomes generally available on all web servers and web browsers, it will take many many years before significant amount of HTTPS websites configure ESNI for their domain name. Its been more than 3 year now that free SSL/TLS certificates are available to be used by any website but still there are a lot of websites that do not have HTTPS deployed (link requires login).

Even when DNS request are encrypted and TLS ESNI extension is used, most websites can still be identified by the IP address they are hosted on. Thus privacy provided by all these measures is still inadequate.

What about DNSSEC? DNSSEC is designed to provide security such that a recursive DNS server can validate responses before responding to client requests. It does not provide end-to-end security as clients never really perform validations and rely totally on the configured recursive DNS server. Another issue with DNSSEC is that its not widely deployed with only a small percentage of domain names have it configured. Most popular websites on the internet still do not have DNSSEC deployed making DNSSEC not really useful for most end users.

With all these technical issues in mind, its clear that both DoT and DoH are not really safe to be used by people to bypass censorship. Anyone with serious concerns with privacy is better off using Tor Browser or use a decent VPN service.

DoT and DoH are still useful as they protect users from man-in-the-middle attacks by on path network attackers. DoH however is really designed with an aim to bypass local network policies. Both are capable from hiding your DNS traffic on private network or from ISP.

A better way for many people is to run their own local DNS server that does recursive resolution. Locally running recursive DNS server will cache most common name servers records which usually have long TTL values configured in days and only query them when records are required or expired. This prevents DNS queries from going to centralized networks and avoid getting logged on ISP DNS server. Having authoritative DNS servers support DoT by default will add much value to running recursive DNS servers as it will dramatically improve security and privacy over the network.

All major ISPs deploying DoT and major Operating Systems (OS) supporting DoT will significantly help improve privacy and security as well as maintain the decentralization. Newer Android mobile devices have already started supporting DoT. Once the entire ecosystem supports and deploys DoT, it will improve the current state that DNS is in.

Turn Raspberry Pi Into Network Wide DNS Server

Turn your Raspberry Pi into a network wide DNS server for security, privacy and blocking Internet Ads on your private network!

Raspberry Pi 3 Model B+

With Technitium DNS Server version 2.2 release, it is now possible to run it on Raspberry Pi (Raspbian Stretch) using .NET Core and we have a single line automatic installer ready to make it easy to get it running.

Install DNS Server

Just connect to your Raspberry Pi using SSH and run the command below to install the DNS server:

curl -sSL https://download.technitium.com/dns/install-raspi.sh | sudo bash

You can install the software manually too if you do not wish to directly run the install script. You will need to first manually install .NET Core on your Raspberry Pi and then use these steps to install the DNS Server.

Once the installation is complete, open the DNS Server web console to view the dashboard and customize the settings.

Technitium DNS Server web console on Raspberry Pi 3 Model B+

Configure Your Router

To use it as a network wide DNS server, you need to configure your network router's DHCP settings and add your Raspberry Pi's IP address as a custom DNS server. You may also need to configure the WAN settings to override the default ISP provided DNS servers with your Raspberry Pi one. Check your router's manual for the configuration details.

Do make sure that your Raspberry Pi has a static IP address so that it does not change later causing issues with failed domain resolutions on the entire network. Also make sure to install heat sinks for your Raspberry Pi to prevent overheating issues since you will be running it round the clock.

If you have any queries or feedback, do comment below to let me know. You can also email your queries to support@technitium.com.

Quick And Easy Guide To Install .NET Core On Raspberry Pi

.NET Core is a cross-platform runtime available for x64 and ARM processors that can be used to run ASP.NET Core web applications and standalone .NET Core console applications on Windows, Linux and macOS.

Installing .NET Core is straight forward for most Desktop platforms with clear instructions available on the download website. However, many would find it trickier to install it on something like Raspberry Pi which uses ARM based processor. So, here is a quick and easy guide to install .NET Core 2.2 on Raspberry Pi 3 Model B+ with the latest Raspbian that is based on Debian 9 (Stretch).

Connect to your Raspberry Pi using SSH and get started!

Raspberry Pi 3 Model B+

Installing Dependencies

First you need to install a few dependencies required by the .NET Core runtime:

sudo apt-get -y update
sudo apt-get -y install curl libunwind8 gettext apt-transport-https

Installing .NET Core

Go to the .NET Core download page and download the Linux ARM32 runtime. Or you could just copy the download URL from there to use with wget like I did and follow these steps:

wget https://download.visualstudio.microsoft.com/download/pr/860e937d-aa99-4047-b957-63b4cba047de/da5ed8a5e7c1ac3b4f3d59469789adac/aspnetcore-runtime-2.2.0-linux-arm.tar.gz
sudo mkdir -p /opt/dotnet
sudo tar -zxf aspnetcore-runtime-2.2.0-linux-arm.tar.gz -C /opt/dotnet
sudo ln -s /opt/dotnet/dotnet /usr/bin

Now just enter dotnet on the command line to confirm.

Its Done!

Now you are ready to run ASP.NET Core or .NET Core console apps on your Raspberry Pi!

Configuring DNS-over-TLS and DNS-over-HTTPS with any DNS Server

The new DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH) protocols are available for enabling end user's privacy and security given the fact that most DNS clients use UDP or TCP protocols which are prone to eavesdropping, vulnerable to Man-in-the-Middle (MitM) attacks and, are frequently abused by ISPs in many countries with Internet censorship.

Public DNS providers like Cloudflare & Quad9, have already deployed these protocols and web browsers like Mozilla Firefox has built in DoH support. However, most operating systems and applications do not support them but, end users can still use these protocols on their computer by installing Technitium DNS Server locally and configuring any DoT or DoH provider as a forwarder to bypass ISP's control over DNS.

Both these protocols are IETF standards and are equally secure considering the fact that HTTPS itself runs over TLS. However, both protocols have slightly different ideas and there are a lot of arguments between engineers over the reason why DoH protocol exists in first place when a superior DoT protocol exists that implements RFC 7766 guidelines. The argument of having DoH is more political since DNS requests over DoH look just like normal HTTPS traffic over port 443 and thus hard to stop unlike DoT running on port 853. This makes DoH protocol desirable to users in countries with Internet censorship.

In this post we will explore configuring both these protocols for any DNS server that you already have running on your network. Both these services require SSL certificates which can be obtained for free using Let's Encrypt certificate authority which is trusted by all major web browsers. You can configure Certbot for automatic Let's Encrypt certificate renewal or manually generate one using Get HTTPS For Free utility.

DNS-over-TLS (DoT)

DNS-over-TLS standard is specified in RFC 7858 which is very straight forward to implement. Essentially, the standard specifies to use the existing DNS-over-TCP protocol support, that most DNS servers already have and, add TLS to it. DoT support can be available as a addon feature in your DNS server software or you can use Nginx web server to enable it.

Nginx supports SSL termination for TCP upstream which I will be using to enable DoT to use with Technitium DNS Server. I am using Ubuntu Server 18.04 LTS for this setup but, you should be able to do similar config on any Linux distro.

First install the nginx web server:

sudo apt-get -y install nginx

Now all you need to configure DoT is to copy the following stream config block in your /etc/nginx/nginx.conf file and save the certificate and key files to path given as in the config. Don't forget to update the upstream DNS server IP addresses to your existing DNS servers.

stream {
    upstream dns-servers {
        server    10.10.1.5:53;
        server    10.10.1.6:53;
    }

    server {
        listen 853 ssl;
        proxy_pass dns-servers;

        ssl_certificate            /etc/nginx/ssl/dot-server.crt;
        ssl_certificate_key        /etc/nginx/ssl/dot-server.key;

        ssl_protocols        TLSv1.2;
        ssl_ciphers          HIGH:!aNULL:!MD5;
        
        ssl_handshake_timeout    10s;
        ssl_session_cache        shared:SSL:20m;
        ssl_session_timeout      4h;
    }
}

Once done, reload nginx web server to finish the configuration:

sudo service nginx reload

DNS-over-HTTPS (DoH)

DNS-over-HTTPS standard is specified in RFC 8484 and is a bit different to implement since it uses HTTP protocol. The DNS queries are send in wire format as a HTTP POST method or as a base64 encoded HTTP GET parameter. Using GET method allows caching of the response which may be undesirable considering that the DNS protocol controls expiry using TTL values which may get overridden by a HTTP based cache server.

Technitium has released DNS-over-HTTPS (DoH) open source web application that can be used with any DNS server. The web application can be deployed on Windows IIS Web Server or the cross-platform .NET Core version can be deployed on any supported platforms (Windows/macOS/Linux).

Installation on Windows IIS Web Server is as simple as deploying any other website. Just create the website from the IIS console, download the DNS-over-HTTPS ASP.NET web application zip file and extract it to the website root folder. Configure SSL certificate for IIS just like you would do for any website. Finally, you will need to configure the Web.config file's application settings, shown in the snippet below, to point the web app to your DNS server. You can use any of the supported protocols (Udp, Tcp, Tls or Https) to connect to the specified DNS server.

<applicationSettings>
    <DNS_over_HTTPS.Properties.Settings>
      <setting name="DnsServerProtocol" serializeAs="String">
        <value>Udp</value>
      </setting>
      <setting name="DnsTimeout" serializeAs="String">
        <value>2000</value>
      </setting>
      <setting name="DnsServer" serializeAs="String">
        <value>127.0.0.1</value>
      </setting>
    </DNS_over_HTTPS.Properties.Settings>
</applicationSettings> 

The DoH cross-platform web app runs using ASP.NET Core and can be deployed on Windows, Linux or macOS. I am using Ubuntu Server 18.04 LTS to deploy this web app but, you can follow similar steps on any other Linux distro. ASP.NET Core Web Applications run as a separate process with its own built in web server. We would need to combine nginx for SSL termination for this web app to support HTTPS protocol.

To deploy the DoH ASP.NET Core app, you would first need to install the latest .NET Core Runtime. Once this is done, follow these steps below to install the DoH web app.

sudo mkdir -p /var/aspnetcore/doh
cd /var/aspnetcore/doh
sudo wget https://download.technitium.com/doh/doh-aspnetcore.zip
sudo apt-get -y install unzip
sudo unzip doh-aspnetcore.zip

Edit the appsettings.json app settings config file to specify your DNS server and supported protocol. You can use any of the supported protocols (Udp, Tcp, Tls or Https) to connect to the specified DNS server.

sudo nano appsettings.json

Install the DoH web app as a systemd service:

sudo cp systemd.service /etc/systemd/system/doh.service
sudo systemctl enable doh.service
sudo systemctl start doh.service

Or, if your distro does not support systemd then you can use supervisor instead:

sudo apt-get -y install supervisor
sudo cp supervisor.conf /etc/supervisor/conf.d/doh.conf
sudo service supervisor restart

You can now confirm if the DoH web app is running on port 8053:

sudo netstat -nlpt | grep ":8053"

If the DoH web app is not running with systemd, run the following command to get details:

journalctl --unit doh --follow

The final step is to configure nginx web server for SSL termination. First install the nginx web server:

sudo apt-get -y install nginx

Create a config file for your domain name at /etc/nginx/sites-enabled/doh.example.com with the config shown below. Save the certificate and key files to path given as in the config.

server {
    listen 443 ssl;
    server_name doh.example.com;

    ssl_certificate /etc/nginx/ssl/doh-server.crt;
    ssl_certificate_key /etc/nginx/ssl/doh-server.key;

    location / {
        proxy_pass http://127.0.0.1:8053;
    }
}

Reload nginx web server to finish the configuration:

sudo service nginx reload

And Its Ready!

You can now use the DoT service (dot.example.com:853) or DoH service (https://doh.example.com/dns-query) with any supported DNS client or as a forwarder with Technitium DNS Server.

If you have any queries or feedback, do comment below to let me know. You can also email your queries to support@technitium.com.

Blocking Internet Ads Using DNS Sinkhole

Technitium DNS Server is an open source software that can be effectively used to block Internet Advertisements (Ads), adware, and malware on your computer or your local network using publicly available block lists.

Combined with DNS-over-TLS and DNS-over-HTTPS, Technitium DNS Server provides a good level security and privacy from network level DNS attacks and from adware. This makes it a must have tool if you are a privacy and security conscious person.

Technitium DNS Server is cross platform and works on Windows, Linux or macOS.

Technitium DNS Server v2.0

How Does It Work?
The Ad blocking feature works using the DNS Sinkhole method. With this feature enabled, for all the blocked domain names, the DNS Server will respond with 0.0.0.0 IPv4 address and :: for IPv6 address making the Ads fail to load making the website you visit free from Ads. This can not only block Ads but also adware, malware, social networks, porn etc. based on the block lists you configure in settings.

On your computer, you need to install the DNS Server and configure your network adapter's DNS settings to use the locally hosted DNS server. Once this is done, you need to configure the Block List URL settings to start blocking Ads. Once the DNS Server loads the block lists, it would respond with 0.0.0.0 IP address for the blocked websites making them fail to load.

You may also install the DNS Server on any spare computer on your network and configure your home or office router with IP address of this spare computer as DNS server in DHCP settings. With this setup, all your computers and devices like mobile phones would use the installed DNS Server blocking Ads and malware domains on all devices without installing any additional software on them.

Configuring Block Lists
To enable Ad blocking, you need to configure Block List URLs in the settings. Known and popular block lists are already listed in the Quick Add drop down list from where you can just click and add those URLs.

Technitium DNS Server Block List Configuration

If you are not sure, just select the Default option from the Quick Add drop down list and a default set of block list URLs would get configured.

Once done, click the Save Settings button at the bottom of the page to save the changes and start the block list download background process. These configured block lists are automatically downloaded every 24 hours to keep the DNS Server blocked zone updated.

Don't forget to configure your network adapter's DNS server settings to 127.0.0.1 (for IPv4) and ::1 (for IPv6). Without these network configuration changes, the DNS Server wont get any queries to respond to and things wont work as intended.

IPv4 DNS Server Network Configuration

IPv6 DNS Server Network Configuration

That's It!
Once the configuration is done, just check the Dashboard on the web console after a couple of minutes to see the number of blocked domains in the Blocked Zones widget. If there are too many block list URLs configured, it may take few more minutes for all of them to get downloaded and loaded.

If you have any further queries, do write them below as comments or send an email to support@technitium.com.

Configuring DNS Server For Privacy & Security

Technitium DNS Server is an open source tool that can be used for blocking Internet Ads using DNS Sinkhole, self hosting a local DNS server for privacy & security or, used for experimentation/testing by software developers on their computer. It works out-of-the-box with no or minimal configuration and provides a user friendly web console accessible using any web browser.

With the release of Technitium DNS Server version 1.3 which adds support for DNS-over-TLS & DNS-over-HTTPS forwarders, it is now a good solution to be used by anyone concerned with privacy & security for domain name resolution on their Internet connection for Windows 10, Linux or macOS.

If you are not clear about what DNS is then read on. Domain Name System (DNS) is a decentralized system that allows you to find out the Internet Protocol (IP) address of any website (like www.technitium.com). So, when you enter a website domain name into your web browser, the web browser uses DNS to find out the IP address of that website. Once the IP address is known, the web browser can then connect to the web server on that IP address using TCP/IP protocols and download webpages and other embedded resources to display on to your screen. DNS servers don't just store IP address records but also store different types of records like mail exchange (MX) records which tell email servers where to deliver email for the recipient user of a given domain.

DNS servers and client use UDP or TCP protocol to exchange requests and responses which are not encrypted. This allows anyone on the network to see those requests and even hijack requests by sending back spoofed responses. There have been many instances reported in media of DNS hijacking done by malware, hacked home wifi routers or even by many Internet Service Providers (ISPs). ISPs in certain places have been found to redirect users to "custom" search pages instead of Google Search or even blatantly injecting Ads on websites that are not using HTTPS security. In some countries, ISPs often use their DNS servers to block websites to enforce government censorship orders.

To mitigate these issues, DNS-over-TLS and DNS-over-HTTPS protocols have been developed and are currently available to be used by a few DNS providers notably Cloudflare, Google and Quad9. But, currently, no operating system, applications or web browsers have built in support for these protocols.

With Technitium DNS Server installed on your computer (or on your network), you can make all your applications indirectly use these DNS providers with the new secure protocols hiding all your DNS traffic from your ISP. Lets see how to configure the DNS Server to use these services to take control and secure domain name resolution on your computer or private networks.

Technitium DNS Server is not configured out-of-the-box with these settings since you have to make a choice yourself of which DNS provider to use. All public DNS providers have their own privacy policies that you must understand before choosing it.

Cloudflare privacy policy promises that DNS query logs are only maintained for 24 hours with not personally identifiable data. They also promise to not sell the data to 3rd parties.

Google's privacy policy claims to maintain a temporary log for 24 to 48 hours which contains user's full IP address details. And a permanent log which redacts the personally identifiable data. There are no details mentioned how this data is used or whom its shared with.

Quad9's privacy policy promises that they do not keep any logs but, only anonymized statistical data on specific domain names which contains things like domain name, timestamp, geolocation, total hits, etc.

Below is a list of DNS providers grouped by the protocol they support. You can configure one or more DNS providers as forwarders but they must use the same protocol.

DNS-over-TLS protocol providers:

• Cloudflare IPv4 {cloudflare-dns.com (1.1.1.1:853), cloudflare-dns.com (1.0.0.1:853)}
• Cloudflare IPv6 {cloudflare-dns.com ([2606:4700:4700::1111]:853), cloudflare-dns.com ([2606:4700:4700::1001]:853)}
• Google IPv4 {dns.google (8.8.8.8:853), dns.google (8.8.4.4:853)}
• Google IPv6 {dns.google ([2001:4860:4860::8888]:853), dns.google ([2001:4860:4860::8844]:853)}
• Quad9 Secure IPv4 {dns.quad9.net (9.9.9.9:853)}
• Quad9 Secure IPv6 {dns.quad9.net ([2620:fe::fe]:853))

DNS-over-HTTPS protocol providers:

• Cloudflare (https://cloudflare-dns.com/dns-query)
• Google (https://dns.google/dns-query)
• Quad9 Secure (https://dns.quad9.net/dns-query)

DNS-over-HTTPS (JSON) protocol providers:

• Cloudflare (https://cloudflare-dns.com/dns-query)
• Google (https://dns.google/resolve)
• Quad9 Secure (https://dns.quad9.net/dns-query)

To make the configuration quick, easy and error free, there is Quick Select drop down list available which lists all the above options. Just selecting the desired option in the Quick Select list will populate the settings automatically for you.

See these examples below to know how the configuration looks like:

DNS-over-TLS Using Cloudflare

DNS-over-TLS Using Quad9 For IPv6 Internet

DNS-over-HTTPS Using Cloudflare

DNS-over-HTTPS (JSON) Using Google

As you may have noticed, Cloudflare provides support for all three protocols. Not only that, it is possible to use Cloudflare DNS over Tor hidden service too! Technitium DNS Server v1.3 adds support for configuring proxy server which can of course be made to use Tor running on your computer and use Cloudflare DNS hidden service because WHY NOT?!

You just need to configure dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion hidden service address as forwarder and since all hidden service requests over Tor network are inherently end-to end encrypted, you can use DNS-over-TCP protocol with it. Tor is not included with the software so you will need to install Tor separately and configure it as a SOCKS5 proxy.

This option hides your query from your ISP as well as hides your identity from Cloudflare. But seriously, if you are really that paranoid, just use Tor Browser for all your web browsing.

DNS-over-Tor Config For Cloudflare DNS Hidden Service

Once you have configured forwarders, make use of the DNS Client on the web console to test the setup by making a test query to "this-server". If everything is configured correctly, you will see the IP address for the test domain you entered inside the "Answers" section of the JSON formatted output.

Finally, to make all your computers and applications to use Technitium DNS Server, you need to configure it on your Ethernet or WiFi network adapter. You just need to setup loopback IP address (127.0.0.1 for IPv4 & ::1 for IPv6) as DNS Server in your network adapter settings as shown below:

IPv4 DNS Server Network Configuration

IPv6 DNS Server Network Configuration

For more queries, write comments below or send an email to support@technitium.com.

Technitium DNS Server v1.3 Released!

Technitium DNS Server is an open source tool that can be used for self hosting a local DNS server for privacy & security or, used for experimentation/testing by software developers on their computer. It works out-of-the-box with no or minimal configuration and provides a user friendly web console accessible using any web browser.

Technitium DNS Server v1.3

Version 1.3 adds following awesome new features:

•  DNS-over-TLS and DNS-over-HTTPS forwarder protocol support.
• HTTP and SOCKS5 network proxy support.

The DNS Server is cross platform and can be deployed on Windows 10, Linux or macOS (using .NET Core or Mono Framework). Read this blog post to learn how to run DNS Server on Ubuntu.

Nobody really bothers about domain name resolution since it works automatically behind the scenes and is complex to understand. Most computer software use the operating system's DNS resolver that usually query the configured ISP's DNS server using UDP protocol. This way works well for most people but, your ISP can see and control what website you can visit even when the website employ HTTPS security. Not only that, some ISPs can redirect, block or inject content into non-HTTPS websites you visit even when you use a different DNS provider like Google DNS or Cloudflare DNS. Having Technitium DNS Server configured to use DNS-over-TLS or DNS-over-HTTPS forwarders, these privacy & security issues can be mitigated very effectively.

Developers regularly use the hosts file for configuring an IP address for a domain under testing. However, using the hosts file is cumbersome at times and can only be used to resolve domain name to an IP address. With a fully configurable DNS server running on your local machine, you can configure not just simple A records (for IP address) but, also configure other types of records like CNAME or MX etc. This allow you to have more control and power when you want to do testing that simulates the exact configuration that you have running on production.

Technitium DNS Server is open source and available under GNU General Public Licence (GPL) v3 on GitHub.

Comments and feedback are things that help push new features and improve usability, and thus are most welcome. Send your feedback to support@technitium.com or write your comments below.

Running Technitium DNS Server on Ubuntu Linux

Technitium DNS Server is build to be cross platform using the .NET Standard 2.0. You can run the DNS Server Portable App on Linux or macOS by using .NET Core 2.2. This post is written for Ubuntu Linux but, you can easily follow similar steps on your favorite distro.

This blog post is updated regularly to provide latest instructions to install the DNS Server. So, refer it when you are about to do a fresh installation.

Using Automated Installer / Updater

Automated installer script can be used to install or update the DNS Server. Automated installer script is available for following distros:

• Ubuntu Server

  curl -sSL https://download.technitium.com/dns/install-ubuntu.sh | sudo bash
  

• Raspbian (Stretch) for Raspberry Pi

  curl -sSL https://download.technitium.com/dns/install-raspi.sh | sudo bash
  

Installing DNS Server Manually

Install the latest .NET Core runtime from here. Start Terminal and follow the steps below to install DNS Server on Ubuntu:

1. Download DNS Server portable app using wget and extract it.

   wget https://download.technitium.com/dns/DnsServerPortable.tar.gz
   sudo mkdir -p /etc/dns/
   sudo tar -zxf DnsServerPortable.tar.gz -C /etc/dns/
   

2. You can now run the DNS Server directly from console as a standalone app.

   cd /etc/dns/
   sudo ./start.sh
   

3. Or, if your distro uses systemd, follow these steps to install it as a daemon.

   sudo cp /etc/dns/systemd.service /etc/systemd/system/dns.service
   sudo systemctl enable dns.service
   sudo systemctl start dns.service
   

   You may want to check the systemd log entries to find issue if the daemon fails to start:

   journalctl --unit dns --follow
   

4. Or, if your distro does not support systemd, follow these steps to run it as a daemon using supervisor.

   sudo apt-get -y install supervisor
   sudo cp /etc/dns/supervisor.conf /etc/supervisor/conf.d/dns.conf
   sudo service supervisor restart
   

   You may want to check the log file to find issue if the daemon fails to start:

   cat /var/log/dns.err.log
   

5. Open the url http://localhost:5380/ to access the web console.

Updating DNS Server Manually

Make sure you got the latest .NET Core runtime from here. Start Terminal and follow the steps below to update DNS Server on Ubuntu:

1. Download DNS Server portable app using wget and extract it.

   wget https://download.technitium.com/dns/DnsServerPortable.tar.gz
   sudo tar -zxf DnsServerPortable.tar.gz -C /etc/dns/
   

2. If your distro uses systemd, follow these steps to restart the DNS Server daemon.

   sudo systemctl restart dns.service
   

   You may want to check the systemd log entries to find issue if the daemon fails to start:

   journalctl --unit dns --follow
   

3. Or, if your distro does not support systemd, follow these steps to restart the DNS Server using supervisor.

   sudo service supervisor restart
   

   You may want to check the log file to find issue if the daemon fails to start:

   cat /var/log/dns.err.log
   

4. Open the url http://localhost:5380/ to access the web console.

Common Issue With Ubuntu

If you are using Ubuntu Desktop, you may find dnsmasq or systemd-resolved daemon already running on UDP port 53 preventing the DNS Server to listen on the same port. You can check the DNS Server log file from the web console to confirm the issue by finding this error:

[2019-01-01 07:30:59 UTC] [0.0.0.0:53] System.Net.Sockets.SocketException (98): Address already in use
   at System.Net.Sockets.Socket.UpdateStatusAfterSocketErrorAndThrowException(SocketError error, String callerName)
   at System.Net.Sockets.Socket.DoBind(EndPoint endPointSnapshot, SocketAddress socketAddress)
   at System.Net.Sockets.Socket.Bind(EndPoint localEP)
   at DnsServerCore.DnsServer.Start() in Z:\Technitium\Projects\DnsServer\DnsServerCore\DnsServer.cs:line 811

You may confirm if its dnsmasq or systemd-resolved by running sudo netstat -nlpu command.

Follow these steps below to disable the dnsmasq service:

1. Edit the NetworkManager.conf file to disable dnsmasq service:

   sudo nano /etc/NetworkManager/NetworkManager.conf
   

   Comment out the dns=dnsmasq line by adding # character at the beginning like this #dns=dnsmasq and exit the editor by pressing CTRL+X and enter y to save the file.
2. Restart the computer to apply changes as shown below:

   sudo reboot now
   

3. After system reboot, open Terminal and check DNS Server logs again from the web console.

Follow these steps below to disable the systemd-resolved service:

1. Disable the systemd-resolved service and stop it:

   sudo systemctl disable systemd-resolved
   sudo systemctl stop systemd-resolved
   

2. Edit your /etc/resolv.conf using nano:

   sudo nano /etc/resolv.conf
   

   Edit the existing nameserver entry to the one shown below in your /etc/resolv.conf

   nameserver 127.0.0.1
   

3. Edit your /etc/NetworkManager/NetworkManager.conf using nano:

   sudo nano /etc/NetworkManager/NetworkManager.conf
   

   Put the following line in the [main] section of your /etc/NetworkManager/NetworkManager.conf as shown below:

   [main]
   dns=default
   

4. Restart network-manager:

   sudo service network-manager restart
   

5. Now restart the DNS Server and check logs again from the web console.

   sudo systemctl restart dns.service
   

That's it!

The DNS Server is running and you can configure your network with the IP address of this computer for DNS resolution.

Check out the web console to create zone, check cached zones, access DNS client tool and configure server settings.

The DNS Server creates a folder named config in the current folder which contains the server config and zone files. Make sure you copy this folder while moving the DNS server folder if you want all the zone files and config to persist.

For any related queries, feel free to comment on this post.

Technitium DNS Server Released!

Technitium DNS Server is an open source tool that allows anyone to run DNS server on their computer or local network. Its aimed towards software developers who like to simulate live production scenarios on their laptop or local network setup for testing or debugging purposes. However, it can be used for any DNS related requirement. Applications of using your own local DNS server is limited only by the your imagination!

Technitium DNS Server Web Console

The DNS server is cross platform and can be deployed on Windows, Linux or macOS (using Mono Framework or .NET Core). The DNS portable console app allows running the service instantly with zero initial configuration, just run the executable and its ready. The DNS server provides web console access that allows it to be accessible over network.

A unique feature available with this server is to enable/disable hosted zones with a single click allowing switching between staging/testing setup to live production setup instantly. Once a zone is disabled, the DNS server will start recursively resolving the domain and use cached results. When the zone is enabled, the records hosted on the server override the cached results. This reduces a lot of efforts when trying to achieve similar thing using hosts file. Hosted records can be set with low TTL values to force the operating system DNS client to re-query.

The DNS server has many standard features like recursion, caching, wildcard sub domains, forwarders, IPv6 support etc. A very useful and frequently used feature is the DNS Client tool included with the web console. This DNS Client tool is a general purpose DNS resolver that can be used to query any name server accessible over the network. The DNS Client can also perform recursive query on its own and display results from the authoritative name server for the given domain. The recursive query feature saves time by automatically finding out the authoritative name servers via the root servers. DNS Client is also available as a separate online tool at dnsclient.net website.

Apart from just resolving queries, the DNS Client also provides a very useful feature to import records from the output of the query into the local DNS. This feature is really useful when you quickly want to copy existing records for a given domain. You can query with type ANY which would list out all possible records or use specific type needed, and import them in one go into the local server zone. You may then edit a few records with value that you need for testing and its ready to use. With query type ANY, its advised to use TCP protocol since the UDP protocol may not accommodate all the records resulting in a truncated response.

Technitium DNS Server include following features:

• Fully manageable local DNS server.
• Wildcard sub domain support.
• Disable/Enable hosted zones for quick switching between staging & production.
• DNS Client tool for resolving queries.
• Import records feature allows to import records of live domain using DNS Client.
• Recursive querying support.
• Web console for allowing access over network.
• DNS caching with cache viewer interface in web console.
• Forwarders setup to allow chaining other DNS server to reduce response time.
• IPv6 network support in DNS server core for querying.
• Built-in system logs and query logs.
• Cross platform implementation for running on Linux or macOS using Mono Framework or .NET Core.

There are many applications of having a self hosted local DNS server. Some of them are:

• Software developers or web developers can simulate live setup without need to use hosts file.
• Security researchers can use it in their lab setups for spoofing domain names while performing experiments.
• Users can keep watch on domain being used by various applications using the Cached Zone listing.
• Block certain domains to partially or fully fail a website/application feature. User can block domain by creating an empty zone such that the application/website using that domain can no longer get the right IP address to the server failing all requests.

It must be noted that this DNS server is not suitable to be used for production or any critical application. The software is released as alpha version denoting that its not yet stable and may have bugs.

Technitium DNS Server is open source and available under GNU General Public Licence (GPL) v3 on GitHub.

Comments and feedback are things that help push new features and improve usability, and thus are most welcome. Send your feedback to support@technitium.com or leave your comments below.

Bit Chat 4.6 Released

Technitium Bit Chat is a secure, peer-to-peer (p2p), open source instant messenger designed to provide end-to-end encryption. Primary aim of developing this instant messenger is to provide privacy which is achieved using strong cryptography. It can be used over Internet and private LAN networks for instant messaging and file transfer.

Bit Chat v4.6

Technitium Bit Chat version 4.6 (alpha) is available to download from the main website and via automatic update mechanism for existing installations. The software checks for new update automatically with every start but, you can also use the Check For Updates option in the main menu to get an update instantly.

Bit Chat v4.6 Released

The latest update has some protocol level changes that are not compatible with previous versions. Due to this, all peers will need to update to the latest version to be able to chat.

This update adds TCP based DHT protocol and removed UDP support totally. DHT over UDP faced issues with networks where inbound UDP packets are blocked over Internet. The Bit Chat protocol also adds a decoy HTTP GET requests to bypass application firewalls.

Know more about Bit Chat by reading Frequently Asked Questions (FAQ) and Bit Chat whitepaper. You can also view Bit Chat source code on GitHub and compile Bit Chat client yourself.

And as always, send your feedback to support@bitchat.im or write your comments below.