this post was submitted on 09 Nov 2025
88 points (98.9% liked)

Selfhosted

53228 readers
1857 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
88
Technitium DNS v14 is released with support for clustering (github.com)
submitted 2 weeks ago by stratself@lemdro.id to c/selfhosted@lemmy.world
22 comments fedilink hide all child comments
 

Technitium DNS Server (TDNS) has gotten a new release with many awesome features: TOTP authentication, an upgraded .NET library, and many security and performance fixes.

But most important of all, it now supports clustering. A long-awaited feature, this allows Technitium to sync DNS zones and configurations across multiple nodes, without needing an external orchestrator like Kubernetes, or an out-of-band method to replicate underlying data. For selfhosters, this would enable resilience for many use cases, such as internal homelab adblocks or even selfhosting your public domains.

From a discussion with the developer and his sneak peek on Reddit, it is now known that the cluster is set up as a single-primary/multiple-secondary topology. They communicate via good-old REST API calls, and transported via HTTPS for on-the-wire encryption.

To sync DNS zones (i.e. domains), the primary server provisions the "catalog" of domains, for secondary ones to dynamically update records in a method known as Zone Transfers. This feature, standardized as Catalog Zones (RFC9432), were actually supported since the previous v13 release as groundwork for the current implementation.

As an interesting result, nodes can sync to a cluster's catalog zone, as well as define their own zones and even employs other catalog zones from outside the cluster. This would allow setups where, for example, some domains are shared between all nodes, and some others only between a subset of servers.

To sync the rest of the data such as blocklists, allowlists, and installed apps, the software simply sends over incremental backups to secondaries. The admin UI panel is also revamped to improve multi-node management: it now allows logging in to other cluster nodes, as well as collating some aggregated statistics for the central Dashboard. Lastly, a secondary node can be promoted to primary in case of failures, with signing keys also managed within for a seamless transition of DNSSEC signed zones.

More details about configuring clusters is to be provided in a blogpost in the upcoming days. It is important to note that this feature only supports DNS stuff, and not DHCP just yet (Technitium is also a DHCP server). This, along with DHCPv6 and auto-promotion rules for secondaries, is planned for the upcoming major release(s) later on.

As a single-person copyleft project, the growth of this absolute gem of a software has been tremendous, and can only get better from here. I personally can't wait to try it out soon

Disclaimer: I'm just a user, not the maintainer of the project. Information here may be updated for correctness and you can repost this to whatever

top 22 comments
sorted by: hot top controversial new old
[–] zwerg@feddit.org 7 points 2 weeks ago (2 children)

How is this better/differentthan pihole?

[–] stratself@lemdro.id 30 points 2 weeks ago (1 children)

Off the top of my head:

  • Allows using DoH/DoT/DoQUIC/recursive upstreams without installing extra packages (unbound, cloudflared, etc)
  • Allows acting as a DoH/DoH3/DoT/DoQUIC server alongside normal DNS over UDP and TCP
  • Allows configuring SOCKS/HTTP proxies for forwarders
  • Act as authoritative zone server with DNSSEC signing
  • Allows custom responses via plugins (e.g. conditional responses based on client's IP addresses)
  • Accept PROXY Protocol to forward client IPs from trusted load balancers
  • All the clustering and zone transfers magic
  • DNS64

It really dives deep into the inner workings of DNS and does pretty much anything Pi-Hole does, with many more security and QoL features. Although the UI may feel a bit dated, I'd recommend it to anyone running their own homelab infrastructure beyond just adblocking

[–] fightforlife@lemmy.world 10 points 2 weeks ago (1 children)

The feature list sounds even better than adguard home. I might give this a try!

[–] Courantdair@jlai.lu 3 points 2 weeks ago

Proxy protocol is the one thing I'm missing from adguard, nice that it has it!

[–] comrade_twisty@feddit.org 5 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

One big advantage is that you don’t need to run unbound in addition to free yourself from (commercial/non-profit) upstream dns providers completely.

[–] besmtt@lemmy.world 3 points 2 weeks ago (1 children)

Is this done by keeping recursion set to the default and leaving Forwarders blank?

[–] tux0r@feddit.org 2 points 2 weeks ago (1 children)

Yes

[–] KlavKalashj@lemmy.world 1 points 2 weeks ago (1 children)

I dont get it. With these settings, dns just stops working and requests are timing out.

[–] tux0r@feddit.org 1 points 2 weeks ago (1 children)

You mean, by not setting them?

[–] besmtt@lemmy.world 6 points 2 weeks ago (3 children)

I'd love to hear from anyone has used this, especially if you moved from Pi-hole to Technitium. I run Pi-hole in an LXC and on a Pi3b and it's mildly annoying to make changes or updates, so clustering has piqued my curiosity.

[–] arcayne@lemmy.today 6 points 2 weeks ago

I tried out Pi-hole many years ago, found it a bit too dumbed down and limited for my taste. I've been running Technitium for 5-ish years in my homelab, it's been rock solid and very pleasant work with. I've even deployed it at work for a few projects as well. Been waiting for the clustering feature for a while now, super stoked to see this release.

[–] BarbecueCowboy@lemmy.dbzer0.com 4 points 2 weeks ago

Plus side, the increase in functionality with technitium is drastic. Down side, the increase in functionality is drastic...

You can do everything you'd want to do with pihole with technitium instead, but there's a lot of additional advanced features that will have you reading a lot of documentation.

[–] non_burglar@lemmy.world 3 points 2 weeks ago

I moved from pihole to technitium roughly two years ago. I was tired of pihole not doing "adult" DNS things, like zone transfers. Technitium is a real DNS server, pihole is just a resolver. You can create actual soa and srv records with technitium.

[–] non_burglar@lemmy.world 6 points 2 weeks ago

It already could sync zones, I've been doing primary -> secondary zone transfers for at least two years.

It didn't sync lists and other configs, though. That's new.

[–] clb92@feddit.dk 3 points 2 weeks ago

I am about to install a second Technitium instance, so this is great timing.

[–] sem@lemmy.blahaj.zone 3 points 2 weeks ago

What does it do?

[–] xavier666@lemmy.umucat.day 3 points 2 weeks ago

This looks really cool. And I just setup Pihole 😐

[–] ohshit604@sh.itjust.works 2 points 2 weeks ago (1 children)

If only reverse proxying Technitium wasn’t a pain in the ass to do I would actually use it. Maybe one day they’ll fix the login issues until then PiHole works.

[–] stratself@lemdro.id 2 points 2 weeks ago (1 children)

What issues did you have reverse-proxying? For me it was just as simple as pointing to port 5380. Other ports like 53 could be passed on with a layer-4 router

What about the login issues? I'd hope they'll be integrating with OIDC or some other auth mechanism, but for now managing 2FA creds should make do

[–] ohshit604@sh.itjust.works 2 points 2 weeks ago (1 children)

This was a while ago so the details are fuzzy, I gave it Traefiks docker labels on port :5380 but that didn’t seem to work then I read an a bug report saying give Traefik :8053 so I tried that and again didn’t work so I went back to :5380 and all of a sudden it reverse proxied but my login wouldn’t work even though it worked when going to the LAN IP+Port didn’t find much in terms of troubleshooting and documentation so I eventually gave up on it.

I have had terrible experiences with recursive DNS resolvers, PiHole+Unbound worked for maybe an hour then would completely kill my internet access, the same essentially went with OpenSense, I had hope for Technitium but alas didn’t feel the need to spend hours troubleshooting something that PiHole alone did with ease.

[–] stratself@lemdro.id 2 points 2 weeks ago

Ah, I see. Well I'm glad you found PiHole useful and stick to using it anyhow!