Showing posts with label Privacy. Show all posts

Saturday, October 10, 2020

How To Host Your Own DNS-over-HTTPS, DNS-over-TLS, And DNS-over-QUIC Services

Updated: 15 Jun 2025

With Technitium DNS Server, you can not only consume DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), or DNS-over-QUIC (DoQ) services through forwarders but also host these services yourself. There are several reasons to host your own DoH, DoT, or DoQ service: you may want better privacy by not sharing your queries with public DNS providers, or your network or ISP may block the popular DoQ, DoT, and DoH services and also interfere with unencrypted DNS traffic.

In this post, we will set up DoQ, DoT, and DoH services on a cloud server and configure a locally running Technitium DNS Server to use the DoH service as a forwarder, bypassing any network restrictions that may be in place.

Home Network

In the above home network diagram, the locally running Technitium DNS Server is installed on a desktop PC or a Raspberry Pi that is connected to your WiFi router. The cloud Linux server hosts the DoH service, which is configured as a forwarder in the locally running DNS server on your network.

Once the configuration is complete, all DNS traffic between your locally running DNS server and the DoH server on the cloud server is encrypted. This effectively means that all your local DNS traffic exits from the cloud server and thus won't be visible to your network provider or your ISP.

Requirements

You need a domain name, which you can get from any domain name registrar like Name.com (referral link). If you already own a domain name, you can use a subdomain of it for hosting these services. A domain name is required since these services run over TLS, which needs an SSL/TLS certificate issued for a domain name. A domain name usually costs around $13/yr, depending on the extension. You can check the pricing here.

You need a Linux server, which you can get from any cloud hosting provider like Digital Ocean (referral link). You can get a server for as low as $5/mo with 1GB RAM. I would recommend creating a server with Ubuntu Server as the OS since this blog post uses the same.

Installation

We will be using Ubuntu Server in this blog post, but you can choose any distro of your choice and follow similar instructions.

You can install Technitium DNS Server using the single line installation command as shown:

curl -sSL https://download.technitium.com/dns/install.sh | sudo bash

If the above command fails because curl is not installed, install it as shown below and run the above command again:

sudo apt update
sudo apt install curl

You can also manually install the DNS server by following the install instructions.

We will use a Let's Encrypt TLS certificate together with certbot, which handles automatic certificate renewal for Let's Encrypt. Run the commands below to install certbot:

sudo apt update
sudo apt install certbot

Configuration

To proceed with the DNS configuration, log in to the DNS server web console using the server's IP address and port 5380. For example, if your server's IP address is '1.2.3.4', open http://1.2.3.4:5380/ in your web browser. Chrome, Firefox and Edge web browsers are well supported.

The first setting to change is to enable the Optional DNS Server Protocol DNS-over-HTTP in the DNS server Settings as shown below. Save the settings by clicking the Save Settings button at the bottom. This starts the DoH service on port 80, which allows the TLS certificate to be issued and renewed using the HTTP challenge.

Optional DNS Server Protocols

Since the DNS server requires the certificate in PKCS #12 (.pfx) format, we need to convert the issued certificate using the openssl command. To do that, create a small script file at /etc/letsencrypt/renewal-hooks/post/pkcs12convert.sh using the nano editor.

sudo mkdir -p /etc/letsencrypt/renewal-hooks/post/
sudo nano /etc/letsencrypt/renewal-hooks/post/pkcs12convert.sh

Copy the commands shown below into the nano editor. Replace 'example.com' with your domain name and 'mypassword' with a password of your choice, or leave it blank to generate the pfx file with no password. Note that certbot names the directory under /etc/letsencrypt/live/ after the first domain on the certificate, so with the certbot command used later in this post the paths must use dns.example.com rather than example.com.

#!/bin/sh
openssl pkcs12 -export -out /etc/letsencrypt/live/example.com/example.com.pfx -inkey /etc/letsencrypt/live/example.com/privkey.pem -in /etc/letsencrypt/live/example.com/cert.pem -certfile /etc/letsencrypt/live/example.com/chain.pem -passout pass:mypassword
echo "pkcs#12 generated!"

Save the script and exit the editor using the CTRL+X keys. Make the script executable with the following command:

sudo chmod +x /etc/letsencrypt/renewal-hooks/post/pkcs12convert.sh

certbot will automatically execute this pkcs12convert.sh script after renewing the certificate.
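A hardened variant of the conversion hook, added here as an example (it is not the post's script and not Technitium's code). It differs from the script above in three ways a practitioner usually wants: the password is read from a root-only file with openssl's -passout file: source instead of being written into the command line, the .pfx is created with umask 077 so other local users cannot read it, and the new file is verified with the same password before it replaces the old one. The path /etc/letsencrypt/pfx-password and the PFX_PASS_FILE override are this example's assumptions; RENEWED_LINEAGE is the variable certbot sets for hooks in the deploy directory, and when the script is run by hand or from the post directory used above, the lineage directory is passed as the first argument instead.

```shell
#!/bin/sh
# Added example: a hardened variant of pkcs12convert.sh.
#  - the live directory ("lineage") comes from certbot's RENEWED_LINEAGE
#    variable (set for deploy hooks) or from the first argument;
#  - the PFX password is read from a root-only file via "-passout file:",
#    so it never appears on the openssl command line or in `ps` output;
#  - umask 077 keeps the new .pfx from being readable by other local users;
#  - the new .pfx is verified with the same password before it replaces
#    the old one, so a failed conversion never leaves a broken file in place.
set -eu

# Assumed location of the password file; create it with mode 0600 as root.
PASS_FILE="${PFX_PASS_FILE:-/etc/letsencrypt/pfx-password}"

# Returns 0 if the password file exists and is readable by its owner only,
# 2 if it is missing, 3 if it is group- or world-readable.
check_pass_file() {
  f="$1"
  [ -f "$f" ] || { echo "password file $f is missing" >&2; return 2; }
  if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
    echo "password file $f must not be group- or world-readable" >&2
    return 3
  fi
  return 0
}

# Output path: <lineage>/<lineage name>.pfx, matching the naming used in the post.
pfx_path() {
  printf '%s/%s.pfx\n' "$1" "$(basename "$1")"
}

convert_lineage() {
  lineage="$1"
  check_pass_file "$PASS_FILE"
  out="$(pfx_path "$lineage")"
  umask 077
  openssl pkcs12 -export -out "$out.tmp" \
    -inkey "$lineage/privkey.pem" -in "$lineage/cert.pem" \
    -certfile "$lineage/chain.pem" -passout "file:$PASS_FILE"
  # Open the result with the same password before swapping it in.
  openssl pkcs12 -in "$out.tmp" -passin "file:$PASS_FILE" -noout
  mv -f "$out.tmp" "$out"
  echo "pkcs#12 generated at $out"
}

# Run the conversion only when a lineage is known (hook environment or argument).
lineage="${RENEWED_LINEAGE:-${1:-}}"
if [ -n "$lineage" ]; then
  convert_lineage "$lineage"
fi
```

If you use this in place of the script above, write the password into /etc/letsencrypt/pfx-password with mode 0600, run it once by hand as `sudo /etc/letsencrypt/renewal-hooks/post/pkcs12convert.sh /etc/letsencrypt/live/dns.example.com`, and enter the same password in the TLS Certificate Password field of the DNS server settings. Because the DNS server reloads the certificate when the .pfx file's modification time changes, the mv of the verified file is enough to trigger the reload.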

Now, we can run certbot command with the webroot plugin to issue the TLS certificate as shown below:

sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /opt/technitium/dns/dohwww -d dns.example.com

Note: Here, replace 'example.com' with your domain name. In this example, we have used 'dns.example.com', in which the subdomain 'dns' gives a good hint that you may be running a DoH service. You may wish to avoid this by not using subdomain names like dns, doh or dot and instead using something very common like "mail" or "blog". This makes it harder for someone on your network to tell that you are using a DoH service by looking at the domain name.

Once the certbot command succeeds, you will see the path of the certificate that was generated in the output which should be in the /etc/letsencrypt/live/<your-domain>/ directory.

Below is the output that you should see if the certbot command succeeds.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for dns.example.com
Using the webroot path /opt/technitium/dns/dohwww for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/dns.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/dns.example.com/privkey.pem
   Your cert will expire on 2021-01-08. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Since the certificate has been issued for the first time, we need to manually execute our pkcs12convert.sh script once to generate the pfx certificate.

sudo /etc/letsencrypt/renewal-hooks/post/pkcs12convert.sh

We can now configure the DNS server with the pfx certificate file path and enable the DNS-over-TLS, DNS-over-HTTPS, and DNS-over-QUIC protocols (as per your requirements) in the settings as shown below:

Optional DNS Server Protocols With TLS Certificate

Type in the same password that you had used while generating the pkcs12 certificate for the TLS Certificate Password option.

Save the settings by clicking the Save Settings button at the bottom so that the DNS server can start the DoQ, DoT, and DoH services using the newly configured TLS certificate. You may want to check the DNS Server logs from the web console to find out if there were any errors while starting these services.

Testing The Service

For the DoQ and DoT services, use the domain name that was used to generate the certificate with port 853. Thus your DoQ or DoT configuration for clients will be tls-certificate-domain:853.

For the DoH service, use the domain name that was used to generate the certificate in URL form. Thus your DoH configuration for clients will be https://tls-certificate-domain/dns-query.

You can test the DoH, DoT, and DoQ services using the DNS Client tool. Enter the DoQ/DoT address tls-certificate-domain:853 or the DoH URL https://tls-certificate-domain/dns-query as the Server in the DNS Client, type in a domain name, select the matching protocol (QUIC, TLS, or HTTPS) and click Resolve to test the services.
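As an added example (not part of the original post and not Technitium's code), the shell functions below build the dns= query parameter that an RFC 8484 DoH client sends in a GET request: a minimal DNS wire-format query (message ID 0, RD flag set, one question of type A) encoded as unpadded base64url. This is what the DNS Client tool does for you when you select HTTPS; building it by hand lets you test the service from any machine with curl. The endpoint https://tls-certificate-domain/dns-query is the placeholder from the post, and www.example.com is a sample name.

```shell
#!/bin/sh
# Added example: build an RFC 8484 DoH GET request for an A-record lookup.
# Wire format = 12-byte header + QNAME labels + QTYPE + QCLASS, then
# base64url without padding. RFC 8484 uses message ID 0 for GET so that
# identical queries produce identical URLs that HTTP caches can reuse.

dns_wire_query() {
  local name label
  name="${1%.}"                      # drop a trailing dot if present
  # header: ID=0x0000, flags=0x0100 (RD), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
  printf '\000\000\001\000\000\001\000\000\000\000\000\000'
  # each label is emitted as a one-byte length followed by the label bytes
  while [ -n "$name" ]; do
    label="${name%%.*}"
    printf "\\$(printf '%03o' "${#label}")"
    printf '%s' "$label"
    case "$name" in
      *.*) name="${name#*.}" ;;
      *)   name="" ;;
    esac
  done
  printf '\000'                      # root label terminates the QNAME
  printf '\000\001\000\001'          # QTYPE=A (1), QCLASS=IN (1)
}

# Standard base64, then the URL-safe alphabet with padding removed (RFC 4648 section 5).
base64url() {
  base64 | tr -d '\n=' | tr '+/' '-_'
}

# Value of the dns= query parameter for a name.
doh_query_param() {
  dns_wire_query "$1" | base64url
}

# Full GET URL for a DoH endpoint such as https://tls-certificate-domain/dns-query.
doh_get_url() {
  printf '%s?dns=%s\n' "$1" "$(doh_query_param "$2")"
}

# Sample run (constructed endpoint; replace it with your own service's URL):
doh_get_url "https://tls-certificate-domain/dns-query" "www.example.com"
```

To send the query, pass the URL to curl with the DoH media type, for example `curl -s -H 'accept: application/dns-message' "$(doh_get_url https://tls-certificate-domain/dns-query www.example.com)" | od -An -tx1`. The response is a DNS message in wire format; the low four bits of its fourth byte are the RCODE, so a value of 5 there is the REFUSED answer described in the note below, while 0 with a non-zero answer count means the service resolved the name.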

Note: By default, the "Allow Recursion Only For Private Networks" recursive resolver option (as shown below) in the DNS server settings is enabled, so the DNS server will refuse to answer (RCODE=Refused) when you test it with the DNS Client. You will need to enable the "Allow Recursion" option to use these services from the public Internet. Note that this setting also applies to plain DNS on port 53, so if that port is reachable from the Internet the server becomes an open resolver; block port 53 at the cloud provider's firewall so that only the DoQ, DoT, and DoH ports are exposed.

Recursive Resolver Options

Once the tests are successful, you can configure your locally running Technitium DNS Server to use these services as a forwarder. Once the service is configured as a forwarder, your local DNS traffic will bypass all your network or ISP restrictions.

Technitium DNS Server Forwarder Configuration

You can also configure your Firefox web browser directly with the custom DoH URL. This will work only for Firefox and all other applications on your computer will keep using the default DNS server configured in your network settings.

To configure Firefox with custom DoH, go to Options > General and scroll down to find Network Settings. Click on the Settings button and find the DoH option at the bottom as shown below:

Firefox Custom DoH Option

Auto Renewing TLS Certificate

Since the certificate obtained from Let's Encrypt expires in 90 days, certbot automatically configures a cron job that renews the certificates before they expire. Since we have already configured the pkcs12convert.sh script earlier, certbot will execute it automatically when the certificate is renewed. Technitium DNS Server reloads the renewed certificate automatically when it detects a change in the pfx file's last-modified time.

To test the certbot renewal process, run the dry run command below. If no errors are reported, the renewal process is working.

sudo certbot renew --dry-run

Running DoH With Another Web Server

You may need to run both the DNS server with its DoH service and another web server for hosting websites on the same machine. Since both the DoH service and the web server need ports 80 and 443, this creates a conflict.

The solution in such a scenario is to use the web server as a reverse proxy in front of the DoH service. Configure the web server with the TLS certificate and a virtual host that reverse proxies to http://127.0.0.1:8053/dns-query, and enable only the DNS-over-HTTP optional DNS server protocol with its port set to 8053 as shown below:

Optional DNS Server Protocols With TLS Certificate

You also need to configure the Reverse Proxy Network ACL option below by adding the IP address of your reverse proxy server so that it is allowed to access the DNS-over-HTTP unencrypted service.

With this setup, your web server will terminate TLS and do reverse proxy allowing the DoH service through it. If your web server supports TLS termination for TCP streams then you can point it to 127.0.0.1:53 and also provide DoT service through it.

If you are using nginx as your web server, you can use the snippet below to configure a reverse proxy for the DoH service. For more details, you can refer to the blog post on using nginx as a DoT or DoH gateway.

server {
    listen 80;
    server_name dns.example.com;

    return 301 https://$http_host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name dns.example.com;

    ssl_certificate /etc/letsencrypt/live/dns.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dns.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/dns.example.com/chain.pem;

    access_log /var/log/nginx/dns.example.com-access.log;
    error_log /var/log/nginx/dns.example.com-error.log;

    location / {
        proxy_pass http://127.0.0.1:8053/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Host $http_host;

        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Nginx-Proxy true;

        proxy_redirect off;
    }
}

Conclusion

Using Technitium DNS Server combined with certbot, you can set up DoH, DoT, and DoQ services with automatic TLS certificate renewal and bypass any network restriction on DNS traffic. If you already have a web server like nginx running, you can use it for TLS termination and provide DoH, DoT, and DoQ services on the same server.

If you have any queries do let me know in the comments below or send an email to support@technitium.com.

Sunday, December 8, 2019

Technitium Mesh Released!

Technitium Mesh, a successor to the Bit Chat project, has been released and is available to download directly from the Mesh website.

Technitium Mesh

Introduction

Mesh is a secure, anonymous, peer-to-peer (p2p), open source instant messenger that provides end-to-end encryption with Perfect Forward Secrecy (PFS). Mesh can be used on the Internet or on offline private LAN networks for private messaging, group messaging and file transfers. Mesh is based on Bit Chat and retains its core concepts but has some major changes.

Unlike Bit Chat, Mesh does away with centralized user profile registration based on an email address. Instead, users can create multiple local profiles that can be used simultaneously and are identified by a generated User Id. This major change was made because many people were unwilling to disclose their email address or accused Technitium of harvesting email addresses. To be clear, Technitium never used the email addresses collected during profile registration, not even to inform existing users that the Bit Chat project was closing its operations.

The generated Mesh User Id must be exchanged to initiate a private chat and can be changed at any time to prevent a previously used User Id from being abused by anyone to stalk or harass you. Even when joining a group chat, a new User Id is generated each time so that the User Id disclosed in the group chat cannot be used to initiate a private chat invitation. This ensures that you are in total control over who is allowed to initiate private chat invitations and when.

The User Id is generated using an algorithm that combines the RSA public key linked to the user profile with a random number. This allows each peer to authenticate the other during the peer-to-peer connection process and so verify its identity.

Mesh also removes the use of the BitTorrent trackers that Bit Chat relied on. Using torrent trackers created connectivity issues since many ISPs around the globe use deep packet inspection to block BitTorrent traffic. This also affected Bit Chat, since ISPs could not differentiate between the two applications and blocked any traffic found using torrent trackers. Instead, Mesh now relies entirely on Distributed Hash Tables (DHT).

Mesh now allows creating anonymous profiles that use the Tor Network. Mesh includes Tor binaries so that the app can use the Tor Network whenever necessary. Anonymous profiles and peer-to-peer (p2p) profiles are the two types of profiles now available. Both profile types are interoperable, so a p2p profile user can communicate with an anonymous profile user using the built-in Tor support. This interoperability means that you can have a group where both p2p users and anonymous users join together. Anonymous profiles use a Tor hidden service to accept inbound connection requests but use a new hidden service onion domain name each time the user logs in to the profile, to avoid being tracked using the onion domain name.

Read more technical details on the Frequently Asked Questions (FAQ) page.

Features

  • Completely decentralized, peer-to-peer architecture that works even on offline private LAN networks. No centralized profile registration is needed.
  • End-to-end encryption with Perfect Forward Secrecy (PFS).
  • Allows you to create anonymous profiles that use Tor Network.
  • Multiple profile support allows you to create many profiles and use all of them simultaneously.
  • Allows creating private chat and group chat with file transfer support.
  • User profiles are stored locally using strong encryption protected by passphrase.
  • Works peer-to-peer with IPv4 as well as IPv6 networks.
  • Automatic port forwarding using your router's UPnP feature.

Open Source

Mesh is open source and source code is available under GNU General Public License v3 on GitHub. The software code is made open source to increase confidence in the security that we intend to provide.

Alpha Version

The current release of Technitium Mesh is an alpha version. This means the software is not fully complete and will undergo major changes in its protocol or user interface design. There may be noticeable bugs, which will be addressed through automatic updates. You are welcome to report any issues by sending an email to support@technitium.com. For any issues, feedback, or feature requests you may also create an issue on GitHub.

Further, you may like to read the original concept in this old blog post.

Saturday, October 27, 2018

Blocking Internet Ads Using DNS Sinkhole

Technitium DNS Server is an open source software that can be effectively used to block Internet Advertisements (Ads), adware, and malware on your computer or your local network using publicly available block lists.

Combined with DNS-over-TLS and DNS-over-HTTPS, Technitium DNS Server provides a good level of security and privacy against network level DNS attacks and adware. This makes it a must-have tool if you are a privacy and security conscious person.

Technitium DNS Server is cross platform and works on Windows, Linux or macOS.

Technitium DNS Server v2.0

How Does It Work?
The Ad blocking feature works using the DNS Sinkhole method. With this feature enabled, the DNS Server responds with the IPv4 address 0.0.0.0 and the IPv6 address :: for every blocked domain name, so the Ads fail to load and the website you visit is shown without them. Depending on the block lists you configure in settings, this can block not only Ads but also adware, malware, social networks, porn, etc.

On your computer, you need to install the DNS Server and configure your network adapter's DNS settings to use the locally hosted DNS server. Once this is done, configure the Block List URL settings to start blocking Ads. Once the DNS Server has loaded the block lists, it responds with the 0.0.0.0 IP address for blocked websites, making them fail to load.

You may also install the DNS Server on any spare computer on your network and configure your home or office router with IP address of this spare computer as DNS server in DHCP settings. With this setup, all your computers and devices like mobile phones would use the installed DNS Server blocking Ads and malware domains on all devices without installing any additional software on them.
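The DNS Sinkhole behaviour described above, as an added example that is not part of the original post or of Technitium's code: a small POSIX shell script that normalises a block list in either hosts-file format (an address column such as 0.0.0.0 followed by the domain) or plain-domain format, the two layouts used by the popular public lists, and then answers a lookup the way a sinkhole does, with 0.0.0.0 for A queries and :: for AAAA queries. The block list embedded in the script is constructed for the example. Treating subdomains of a listed name as blocked (so that sub.ads.example is caught by ads.example) is this example's own choice and not a statement about how Technitium DNS Server matches names.

```shell
#!/bin/sh
# Added example: block list normalisation and sinkhole lookup.

# Constructed sample block list mixing the formats found in public lists.
SAMPLE_BLOCKLIST='# comment line
0.0.0.0 ads.example
127.0.0.1 tracker.example   # inline comment
tracker.example
::  analytics.example
  mixedCase.Example
'

# Normalise a block list read from stdin: drop comments and surrounding
# whitespace, strip the hosts-file address column, lowercase, and dedupe.
parse_blocklist() {
  sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
  | awk 'NF == 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1" || $1 == "::" || $1 == "::1") { print tolower($2); next }
         NF == 1 { print tolower($1) }' \
  | sort -u
}

# Sinkhole lookup: prints the answer for name $1 and query type $2 (A or AAAA),
# walking up the parent domains so that sub.ads.example is blocked by ads.example.
# Prints NOT_BLOCKED and returns 1 when the name is not on the list.
sinkhole_lookup() {
  name=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); name="${name%.}"
  qtype="${2:-A}"
  candidate="$name"
  while [ -n "$candidate" ]; do
    if printf '%s\n' "$BLOCKED" | grep -qxF "$candidate"; then
      case "$qtype" in
        AAAA) printf '::\n' ;;
        *)    printf '0.0.0.0\n' ;;
      esac
      return 0
    fi
    case "$candidate" in
      *.*) candidate="${candidate#*.}" ;;
      *)   candidate="" ;;
    esac
  done
  printf 'NOT_BLOCKED\n'
  return 1
}

# Number of distinct blocked domains, the figure the Blocked Zones widget shows.
blocked_count() {
  printf '%s\n' "$BLOCKED" | grep -c .
}

# Load the sample list; replace SAMPLE_BLOCKLIST with a downloaded file to try a real one.
BLOCKED=$(printf '%s' "$SAMPLE_BLOCKLIST" | parse_blocklist)
```

Running `sinkhole_lookup sub.ads.example AAAA` after sourcing the script prints `::`, while a name that is not listed prints NOT_BLOCKED with exit status 1, which makes the function usable in a shell `if` when checking a list before you add it to the DNS server.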

Configuring Block Lists
To enable Ad blocking, you need to configure Block List URLs in the settings. Known and popular block lists are already listed in the Quick Add drop down list from where you can just click and add those URLs.

Technitium DNS Server Block List Configuration

If you are not sure, just select the Default option from the Quick Add drop down list and a default set of block list URLs would get configured.

Once done, click the Save Settings button at the bottom of the page to save the changes and start the block list download background process. These configured block lists are automatically downloaded every 24 hours to keep the DNS Server blocked zone updated.

If you have the DNS server installed directly on your computer, don't forget to configure your network adapter's DNS server settings to 127.0.0.1 (for IPv4) and ::1 (for IPv6). Without these network configuration changes, the DNS Server won't receive any queries to respond to and things won't work as intended.

If you setup the DNS server to be used on the network by all devices then do configure your router's DHCP config and set the IP address of the computer running the DNS server as the DNS for your network. By configuring the router's DHCP, you don't need to manually configure any of your devices on the network.

IPv4 DNS Server Network Configuration

IPv6 DNS Server Network Configuration

That's It!
Once the configuration is done, check the Dashboard on the web console after a couple of minutes to see the number of blocked domains in the Blocked Zones widget. If many block list URLs are configured, it may take a few more minutes for all of them to be downloaded and loaded.

If you have any further queries, do write them below as comments or send an email to support@technitium.com.

Saturday, June 23, 2018

Configuring DNS Server For Privacy & Security

Technitium DNS Server is an open source tool that can be used for blocking Internet Ads using DNS Sinkhole, self hosting a local DNS server for privacy & security or, used for experimentation/testing by software developers on their computer. It works out-of-the-box with no or minimal configuration and provides a user friendly web console accessible using any web browser.

With the release of Technitium DNS Server version 1.3 which adds support for DNS-over-TLS & DNS-over-HTTPS forwarders, it is now a good solution to be used by anyone concerned with privacy & security for domain name resolution on their Internet connection for Windows 10, Linux or macOS.

If you are not clear about what DNS is, read on. The Domain Name System (DNS) is a decentralized system that allows you to find out the Internet Protocol (IP) address of any website (like www.technitium.com). So, when you enter a website domain name into your web browser, the web browser uses DNS to find out the IP address of that website. Once the IP address is known, the web browser can connect to the web server at that IP address using TCP/IP protocols and download web pages and other embedded resources to display on your screen. DNS servers don't just store IP address records but also other record types, like mail exchange (MX) records, which tell email servers where to deliver email for the recipients of a given domain.

DNS servers and clients use the UDP or TCP protocol to exchange requests and responses, which are not encrypted. This allows anyone on the network to see those requests and even hijack them by sending back spoofed responses. There have been many instances reported in the media of DNS hijacking done by malware, hacked home WiFi routers or even by Internet Service Providers (ISPs). ISPs in certain places have been found to redirect users to "custom" search pages instead of Google Search or even to blatantly inject Ads into websites that are not using HTTPS. In some countries, ISPs often use their DNS servers to block websites to enforce government censorship orders.

To mitigate these issues, the DNS-over-TLS and DNS-over-HTTPS protocols have been developed and are currently offered by a few DNS providers, notably Cloudflare, Google and Quad9. But, currently, no operating system, application or web browser has built-in support for these protocols.

With Technitium DNS Server installed on your computer (or on your network), you can make all your applications indirectly use these DNS providers over the new secure protocols, hiding all your DNS traffic from your ISP. Let's see how to configure the DNS Server to use these services to take control of and secure domain name resolution on your computer or private networks.

Technitium DNS Server is not configured out-of-the-box with these settings since you have to make a choice yourself of which DNS provider to use. All public DNS providers have their own privacy policies that you must understand before choosing it.

Cloudflare's privacy policy promises that DNS query logs are kept for only 24 hours and contain no personally identifiable data. They also promise not to sell the data to third parties.

Google's privacy policy states that it keeps a temporary log for 24 to 48 hours containing the user's full IP address, and a permanent log in which the personally identifiable data is redacted. No details are given on how this data is used or with whom it is shared.

Quad9's privacy policy promises that they do not keep any logs, but only anonymized statistical data on specific domain names, which contains things like the domain name, timestamp, geolocation, total hits, etc.

Below is a list of DNS providers grouped by the protocol they support. You can configure one or more DNS providers as forwarders but they must use the same protocol.

DNS-over-TLS protocol providers:
  • Cloudflare IPv4 {cloudflare-dns.com (1.1.1.1:853), cloudflare-dns.com (1.0.0.1:853)}
  • Cloudflare IPv6 {cloudflare-dns.com ([2606:4700:4700::1111]:853), cloudflare-dns.com ([2606:4700:4700::1001]:853)}
  • Google IPv4 {dns.google (8.8.8.8:853), dns.google (8.8.4.4:853)}
  • Google IPv6 {dns.google ([2001:4860:4860::8888]:853), dns.google ([2001:4860:4860::8844]:853)}
  • Quad9 Secure IPv4 {dns.quad9.net (9.9.9.9:853)}
  • Quad9 Secure IPv6 {dns.quad9.net ([2620:fe::fe]:853)}

DNS-over-HTTPS protocol providers:
  • Cloudflare (https://cloudflare-dns.com/dns-query)
  • Google (https://dns.google/dns-query)
  • Quad9 Secure (https://dns.quad9.net/dns-query)

DNS-over-HTTPS (JSON) protocol providers:
  • Cloudflare (https://cloudflare-dns.com/dns-query)
  • Google (https://dns.google/resolve)
  • Quad9 Secure (https://dns.quad9.net/dns-query)

To make the configuration quick, easy and error free, there is Quick Select drop down list available which lists all the above options. Just selecting the desired option in the Quick Select list will populate the settings automatically for you.

See the examples below to see how the configuration looks:

DNS-over-TLS Using Cloudflare

DNS-over-TLS Using Quad9 For IPv6 Internet

DNS-over-HTTPS Using Cloudflare

DNS-over-HTTPS (JSON) Using Google

As you may have noticed, Cloudflare provides support for all three protocols. Not only that, it is possible to use Cloudflare DNS over a Tor hidden service too! Technitium DNS Server v1.3 adds support for configuring a proxy server, which can of course be pointed at Tor running on your computer to use the Cloudflare DNS hidden service, because WHY NOT?!

You just need to configure the dns4torpnlfs2ifuz2s2yf3fc7rdmsbhm6rw75euj35pac6ap25zgqad.onion hidden service address as the forwarder, and since all hidden service connections over the Tor network are inherently end-to-end encrypted, you can use the DNS-over-TCP protocol with it. Tor is not included with the software, so you will need to install Tor separately and configure it as a SOCKS5 proxy.

This option hides your query from your ISP as well as hides your identity from Cloudflare. But seriously, if you are really that paranoid, just use Tor Browser for all your web browsing.

DNS-over-Tor Config For Cloudflare DNS Hidden Service

Once you have configured forwarders, make use of the DNS Client on the web console to test the setup by making a test query to "this-server". If everything is configured correctly, you will see the IP address for the test domain you entered inside the "Answers" section of the JSON formatted output.

Finally, to make all your applications use Technitium DNS Server, you need to configure it on your Ethernet or WiFi network adapter. Set the loopback IP address (127.0.0.1 for IPv4 and ::1 for IPv6) as the DNS server in your network adapter settings as shown below:

IPv4 DNS Server Network Configuration

IPv6 DNS Server Network Configuration

For more queries, write comments below or send an email to support@technitium.com.

Technitium DNS Server v1.3 Released!

Technitium DNS Server is an open source tool that can be used for self hosting a local DNS server for privacy & security or, used for experimentation/testing by software developers on their computer. It works out-of-the-box with no or minimal configuration and provides a user friendly web console accessible using any web browser.

Technitium DNS Server v1.3

Version 1.3 adds following awesome new features:

The DNS Server is cross platform and can be deployed on Windows 10, Linux or macOS (using .NET Core or Mono Framework). Read this blog post to learn how to run DNS Server on Ubuntu.

Nobody really bothers about domain name resolution since it works automatically behind the scenes and is complex to understand. Most computer software uses the operating system's DNS resolver, which usually queries the configured ISP's DNS server using the UDP protocol. This works well for most people, but your ISP can see and control which websites you can visit even when the websites employ HTTPS. Not only that, some ISPs can redirect, block or inject content into non-HTTPS websites you visit even when you use a different DNS provider like Google DNS or Cloudflare DNS. With Technitium DNS Server configured to use DNS-over-TLS or DNS-over-HTTPS forwarders, these privacy and security issues can be mitigated very effectively.

Developers regularly use the hosts file to configure an IP address for a domain under testing. However, using the hosts file is cumbersome at times and can only be used to resolve a domain name to an IP address. With a fully configurable DNS server running on your local machine, you can configure not just simple A records (for IP addresses) but also other record types like CNAME or MX. This allows you more control and power when you want testing that simulates the exact configuration you have running in production.

Technitium DNS Server is open source and available under the GNU General Public License (GPL) v3 on GitHub.

Comments and feedback are things that help push new features and improve usability, and thus are most welcome. Send your feedback to support@technitium.com or write your comments below.

Monday, November 2, 2015

How To Configure Bit Chat To Use Tor Network

Bit Chat now has Socks 5 proxy support which can be used to route all the network traffic via Tor network. Tor software provides a Socks 5 proxy service to allow the Tor Browser to access Internet via Tor network which can be used by any application on your computer.
Bit Chat Registration Proxy Option
The Bit Chat registration window allows you to configure a Socks 5 proxy even before creating a profile. To configure Tor, just click on the Enable Proxy check box and you will get a proxy configuration window. Just select Socks 5 Proxy as proxy type, set proxy address as 127.0.0.1 and proxy port as 9150 as shown in the window below. You can click the Check Proxy button to confirm if Bit Chat is able to access the Tor Socks 5 proxy.
Socks 5 Proxy Config for using Tor network
Once you have confirmed the settings, just click OK and proceed with the registration process. Bit Chat will configure the same proxy settings for your profile. If you already have a profile and want to configure Tor, just open the main menu and click Profile Settings. There you will find the proxy settings which you can use to configure Tor.
Profile Settings for using Tor network
You can click the Check Proxy button in Profile Settings window and confirm if Bit Chat is able to access the proxy. Once this is configured, all new network connections will start going through Tor.

The Tor network supports only the TCP protocol, so Bit Chat will not be able to use UDP-based torrent trackers over it. You will have to rely only on HTTP-based torrent trackers and DHT to find peers.

For any queries write an email to support@bitchat.im or leave a comment below.

Sunday, June 21, 2015

Bit Chat Version 3.0 Released With Upgraded Cryptography!

Technitium Bit Chat version 3.0 (alpha) is now available to download from the main website and via the automatic update mechanism for existing installations. The software checks for a new update automatically with every start, but you can also use the Check For Updates option in the main menu to get an update instantly.

The latest version has protocol level updates which make it incompatible with the previous versions, and thus all peers must use the updated version to be able to chat. You won't notice any changes in the user interface (UI) since the changes are only related to the protocol.

The primary aim of this update is to improve the cryptography implementation used in Bit Chat. The newly added code provides strong cryptography with the following features:
  • The new protocol (v3) implements Perfect Forward Secrecy (PFS) using Elliptic Curve Diffie-Hellman (ECDHE_RSA 256bits) and Diffie-Hellman (DHE_RSA 2048bits) as the ephemeral key exchange mechanism, with RSA for authentication using a certificate (the Bit Chat profile certificate). The Mono framework doesn't implement the ECDHE algorithm, hence the Linux version of Bit Chat can use only the DHE algorithm while the Windows version is able to use both. AES 256bits in CBC mode is used to encrypt the data, as in the previous protocol.
  • A key re-negotiation feature is added to the protocol to negotiate a new ephemeral key for data encryption based on time elapsed and data transferred. This allows the encrypted data channel to remain always ON while preserving the protocol's security by using different ephemeral keys.
  • Authenticated encryption (Encrypt-then-MAC) is implemented using HMAC-SHA256 to check that the encrypted data is authentic (that is, to check that the encrypted data was not modified in any manner while in transit).
  • In addition to profile certificate based authentication, a pre-shared key is used to establish the encrypted channel. The pre-shared key used here is the Group Chat password that was set while creating the chat. So, using a password for your Group Chat will improve the protocol security.
  • The security of the encrypted profile file (which is stored on your computer and contains the RSA private key for your profile certificate) is also improved by implementing PBKDF2 using HMAC-SHA256 with 200,000 iterations. This will improve the security of the file against password cracking or brute force attacks.

The above feature updates are in addition to the existing ones listed below:
  • Peer-to-peer architecture similar to how BitTorrent works. In fact, Bit Chat uses BitTorrent trackers to find peers in your group chat. So, you connect directly to peers without any server in the middle! Another advantage is that the data is routed through the shortest path: if your friend uses Internet from the same service provider as you, then the communication is not going to leave that provider's local network. And if your friend is on a private LAN, the communication stays in the private network itself, so you don't even need Internet for private LAN chat!
  • Complete end-to-end encryption with digital certificate (profile certificate) based authentication, combined with the peer-to-peer network, means nobody can snoop on your messages and you can verify the identity of your friends.
  • Transfer huge files with ease! All peers in the group that participate in the file transfer share the bandwidth. It works similar to how files are shared using BitTorrent, but within a closed group of users. Also, transferred files are encrypted just like your messages.

The source code is updated on GitHub and you can inspect the TechnitiumLibrary.Security.Cryptography project to verify the implementation. And as always, send your feedback to support@bitchat.im.

Sunday, May 10, 2015

Technitium Bit Chat Released!

I am happy to announce the release of Technitium Bit Chat which is currently available for both Windows and Linux platforms. Version 2.1 (alpha) can be downloaded from here. You will need Mono Framework to run it on Linux.

Technitium Bit Chat

Introduction

Technitium Bit Chat is a secure, peer-to-peer (p2p), open source instant messenger designed to provide end-to-end encryption. The primary aim of developing this instant messenger is to provide privacy, which is achieved using strong cryptography. It can be used over the Internet and private LAN networks for instant messaging and file transfer.

The architecture is designed keeping in mind the security principle that everybody is secure or no one is. There is no metadata generated when you use Bit Chat. The only thing that we know is the email address of the user who registered for a digital certificate. The digital certificate tells that the email address was verified, which is similar, in concept, to a domain validated SSL certificate issued to a website.

Development is still in progress and new features will be made available as and when they are coded. The software has an automatic update feature which will keep you updated with the latest version available.

Read Frequently Asked Questions (FAQ)

Features

  • Provides end-to-end encryption using peer-to-peer technology, designed for privacy, delivered using strong cryptography.
  • Many-to-many group chat using peer-to-peer technology, so no servers involved in message delivery!
  • Can be used as a LAN chat instant messenger in your private LAN network the same way you can use it on the Internet.
  • Allows file transfer which works similar to torrents. The file is split into parts and each peer participating in the file sharing distributes different parts to the others. This leads to better network bandwidth utilization.
  • Each user has to perform a one-time profile registration. A profile digital certificate is issued to each user after email address verification. So, you can make sure that the person on the other side is really your friend by checking the profile email address.
  • The profile digital certificate is signed using an RSA 4096-bit key and the SHA-256 hash algorithm.
  • Profile data is stored securely on your computer by encrypting with a profile password. So all your settings are encrypted using AES-256 encryption.
  • The peer-to-peer connection is completely encrypted using AES-256.
  • Automatic port forwarding using UPnP implemented for your home router/access point.
  • Automatic software update to keep you updated with the latest version.

The Concept

Since the software architecture is peer-to-peer, the usual concept of having a 'username' and 'password' for authentication and identification doesn't work here. There is no 'log in' or 'log out' here in that sense, due to the fact that there are no centralized servers involved to do the logging! Nobody knows if you left the chat group or you just went offline, unless of course, you tell them that yourself!

To understand this better, just imagine meeting with one or more friends at a place. You call up the people willing to meet and tell them a location and time. Everyone gets to the decided location, has fun and leaves.

Bit Chat is exactly the same thing, just over the Internet. You email or message your friends and ask them to come on Bit Chat and give them a chat group name. Everyone starts their client and joins a chat with the decided name. The software does its peer-to-peer connectivity and everyone is connected to each other. Then you chat, transfer files, go offline and come back again to the same chat group later, or leave the chat group.

To confirm the identity of a peer in your group, you can check the email address of the peer. Each peer has to register for a profile certificate, which is basically a digital certificate issued after email address verification. So, the email address in the profile certificate helps you make sure that you are chatting with the right person.

A chat group name is converted into an identifier which each peer in the group tries to connect to using BitTorrent trackers. Thus anyone who enters a chat group will get connected to other peers with the same chat group name. To avoid connecting to unintended people on the Internet, you can set an optional password or shared secret for the chat group. The password will be used to generate the identifier for the chat group, and only the people who enter the correct group name and password combination will be able to connect to each other. So, if you suddenly see some unknown people joining your group, don't panic; just leave the current chat group and create another group with a different password.

The messenger connects each peer in a chat group in a mesh network topology, that is, a peer is connected to all other peers in that chat group to form a network. To find peers on the Internet, BitTorrent trackers are used, and to find peers on the local network, local peer discovery via UDP broadcast is used. If you are behind a router, you can enable the UPnP feature in the router or access point and Bit Chat will do automatic port forwarding for you.

The network strength icon against each person's name indicates the current connectivity status of that person. If the icon is green, it means the peer is connected to all other peers in the group. An orange icon indicates that the peer is not connected to someone in the group. You can click on any of the peers and check to whom they are connected and to whom they are not.

It is important to note that, for Bit Chat to work successfully, at least one person in your chat group must be able to accept incoming TCP connections. If the UPnP feature is available in your router/access point, automatic port forwarding will be performed. Otherwise, you will need to configure port forwarding manually. Bit Chat is designed to allow virtual connections to be made via another peer, thus a single peer able to accept incoming connections is enough for the entire chat group to work well.

In Windows, the automatic firewall configuration feature will add entries for the application to accept incoming connections. On Linux, if there is any firewall configured, you will need to perform manual configuration to allow the software to accept incoming connections.

Features Planned

There are many features being considered for Bit Chat; the following list gives some of the important ones that are planned. There are no timelines for the implementation, but they will be made available as soon as the implementation is completed.

  • NAT-PMP port mapping support.
  • Distributed Hash Table (DHT) support to rely less on torrent trackers.
  • One-to-one voice chat.
  • Emoticons support.
  • Alternate display name and profile picture support.
  • Store chat messages in the encrypted profile file.
  • Android mobile app with all the features.

Open Source

Technitium Bit Chat source code is available under GNU General Public Licence v3 on GitHub. The software code is made open source to increase confidence in the security that we intend to provide.

Alpha Version

Technitium Bit Chat current release is in alpha version. This means the software is not fully complete and will undergo major changes in its protocol or user interface design. There may be noticeable bugs which will be addressed with an automatic update. You are welcome to report any issues by sending an email to support@technitium.com.

Further, you may like to read the original concept in this old blog post.

Sunday, September 2, 2012

Privacy And The Internet

There have been a lot of queries about MAC address and privacy on blog comments as well as in emails that I get from many users of TMAC. Reading this post should clear most queries that you have.

MAC Address & Privacy
A website on Internet cannot find your MAC address by any means. Your MAC address stays in the local network you are connected to (like LAN) and so technically only a website hosted on the same LAN network can find the visitor's MAC address.

So changing your MAC address gives you privacy only at the local network level. Nobody will be able to track your presence on the wifi networks that you connect to if a new MAC address is used every time.

This Website Wants To Know Your Location!


One thing you must note is that the MAC address of your wifi access point, or of any other access point in your range, will be disclosed when your web browser asks to share your location information and you click Share Location.

A web browser will compile a list of all the wifi hotspots in range, read their BSSID (the MAC address of the station in an access point) along with the signal strength, and send it over to the website asking for it. The website uses a database of known MAC addresses with their locations, combined with your IP address, and tries to figure out your location based on the signal strength [1][2]. In popular/commercial places the location can be as accurate as 25 meters. You can read more about it in this earlier post.

IP Address Based Location Mapping
An IP address is commonly used to find a visitor's location. It's pretty straightforward for a website to find a visitor's IP address. Using commercially available databases that map IP addresses to locations, websites can provide region specific services to visitors or just compile stats for visitor traffic analysis. The database can provide location down to the city the visitor is from. The database can be wrong at times due to IP address blocks being reassigned to another location, but in most cases the country can be reliably identified.

If you are more paranoid about your IP address being disclosed, you can use Tor. Tor can be painfully slow at times but it does provide a level of anonymity for free. If you have some cash at hand, you can go for Virtual Private Network (VPN) services. These services will carry all your Internet data through their own network such that your IP address hides behind their data center IP address.

How Are You Being Tracked?
The most common way of tracking users is by storing identification data on the user's computer, known as cookies. Web browsers accept and store cookies that any website sends back. Cookies can easily be deleted with most web browsers. You can configure your web browser to clear cookies when the browser closes.

Cookies being easy to delete, websites and advertisement networks found new ways to track users. With most Internet connected computers having Adobe Flash installed, it became a new way to restore deleted cookies. Adobe Flash Player allows websites to store their own cookies, which are not deleted by clearing browser cookies. Users can however delete flash cookies manually by using Flash Player's Website Storage Settings Panel. Obviously, deleting flash cookies is difficult and most users are not even aware of the existence of a separate flash cookie.

Another way is by means of the HTTP ETag. ETag was designed to enable smart web caching but can easily be used to track visitors. Each web resource (images, HTML etc.) that the browser stores in its cache is identified by a website-supplied ETag, which the browser sends back on subsequent requests for that resource. The only way to get rid of this is to clear your browser cache just like you clear cookies.

How Do I Protect My Privacy?
I would recommend you to use the Firefox web browser and install the following add-ons:
1. Better Privacy - It clears flash cookies when the browser closes.
2. Certificate Patrol - It can prevent a very rare man in the middle attack on HTTPS websites.
3. HTTPS-Everywhere - It will add "https" automatically to URLs that you enter in the browser, forcing the browser to use HTTPS even when you forget to enter the proper https URL (works for popular websites only).
4. NoScript - Recommended only for advanced users. It will block JavaScript/Flash from unauthorized websites. You can easily decide which sites can use JavaScript/Flash.

You can even use the Firefox Profiles feature. It's possible to create multiple "profiles" in Firefox, each profile being completely separate, having its own cache, cookies, history, add-ons etc. To do so, just go to Run (Start > Run or press Win+R) and enter firefox -p -no-remote and you will see a profile manager window. It can be very convenient to create a shortcut with the mentioned command line parameters for use every time.

Note that for each profile you create, you will need to install all the add-ons mentioned above separately. Using separate profiles, it's possible to log in to different Google accounts in the same browser without linking them together.

References:
1. Location-Aware Browsing - Mozilla Firefox
2. Location sharing - Google Chrome

Edit:
Read more about Ad networks tracking stats. You are always being tracked (stalked) by multiple Ad networks!

Friday, July 29, 2011

Bit Chat: A Peer-to-Peer Instant Messaging Concept Using BitTorrent Trackers

UPDATE: 5 Jan, 2015
Technitium Bit Chat (alpha version) is now available for download at https://bitchat.im

Bit Chat is a concept that I got while thinking about having an instant messaging (IM) system which would be completely decentralized, peer-to-peer and friend-to-friend, and would provide confidentiality and optionally authentication. In this regard, BitChat can be considered a darknet system. BitChat takes many of the BitTorrent concepts and uses them to provide an instant messaging (IM) system instead of file sharing.

The classic problem faced in a peer-to-peer system is to find the IP addresses of peers who want to communicate together privately in a group. The BitChat concept solves this by using existing BitTorrent trackers and forming a peer-to-peer network by connecting to the nodes which are being tracked under the same infohash. DHT can also be used along with trackers.

The current concept allows the use of channels (similar to IRC channels) over which peers can communicate. Each channel has its own unique infohash. The topology currently envisaged is a full mesh network between a small number of peers.

Each peer starts with a .chat file (just like a .torrent file) which contains infohash and tracker list. The file can be exchanged by email or any other way (even offline). BitChat client would use this file and get an IP address list of all the peers from the trackers mentioned in the file.

For providing privacy, BitChat would present the user agent of a popular BitTorrent client so that even the tracker servers don't know the intentions of the users. The client then maintains a peer list and connects to each of them in a full mesh.

Every connection to another peer starts with a brief handshake in which each peer exchanges its identifier, public key and the list of peers it has (similar to peer exchange). Any new peer learned from another peer is immediately connected to in order to maintain a full mesh network. Each connection to a peer can use TCP if directly feasible, or UDP in case the client is behind NAT. UDP hole punching would make direct communication between peers behind NAT possible. The client will have to implement a TCP-like retransmission mechanism to solve problems with dropped UDP packets.

A client behind an HTTP proxy can be supported such that it creates outbound connections to the rest of the peers. Two peers behind HTTP proxies will not have a direct link in such a case, and messages between them will have to be routed through other willing peers.

Authentication can be done with the help of public key cryptographic algorithms like RSA. The public keys of peers can be exchanged online/offline, and BitChat clients can maintain a small address book to identify friends. The public key exchanged during the peer-to-peer handshake will be matched against the address book to verify the identity of known contacts.

A channel can be open ended or invite only. If the channel is for a closed group, the BitChat client can reject peer requests from unknown contacts. In any case, only users who have the .chat file (or the infohash) can join the network in the first place.

Confidentiality can be achieved by using public key cryptography. The public key of each peer will be used to do a key exchange for an agreed upon symmetric key algorithm. Each connection to a peer will have a separate key and it can be renewed with a handshake at regular intervals.

The system would allow for a common chat for all peers in a channel as well as private one-to-one chat. A group chat with only selected peers can be made with the group chat initiator deciding on whom to invite from the peers.

A simple client would implement text chat with simple one-to-one file sharing, while clients which support voice and video chat can also be developed.

Security issues which affect BitTorrent also apply to BitChat. The IP address of all peers is open to anyone knowing the infohash being used. Mitigation can be done by use of VPN or proxy services.

There are a lot of peer-to-peer projects already being developed and used. The BitChat concept is about taking the existing infrastructure provided by BitTorrent and using it for a secure, private and user friendly instant messaging system.

The protocol specification is under development and will be made public so that anyone can make their own BitChat client. Any inputs and queries are most welcome. Post comments or send an email to me (shreyas at technitium dot com).