
dnsserver's Issues

Internal DNS Client resolves with TCP, but Win7 will not resolve

I have added our local IP 127.0.0.1 and even tried the direct IP and Windows will not resolve the DNS.

It will resolve using your internal DNS client test for UDP only.

I am using the Windows Version.

PS. Great software by the way. Exactly what we need for dev environment.

[Feature request] Dashboard untrusted list

First of all, thanks for your impressive work!

I would like to suggest you some improvements. I'm using this to monitor-block undesired connections, so using for a single client, I watch all queries and block the zones I don't like.
Would be great if I had a "trusted list" and a list where all the "untrusted" domains were listed. If it had an "add to blocked zone" link would be fantastic.

Bonus: Block zones allow regex
Bonus 2: In the log when "log all queries" flag blocked zones as "blocked". It shows the query with QTYPE: A; QCLASS: IN; RCODE: NoError; ANSWER: [0.0.0.0]

Stop using the deprecated BincodingDecoder and use json instead for config files

I see code like this in quite a few places:

BincodingDecoder decoder = new BincodingDecoder(s, "DS");

And I don't understand why you've done this, even the updater uses a strange encoding method, so firstly, what is the point of this?

Secondly, it would make it much easier for developers if you just stuck with json configuration files.

I'm half tempted to fork what you've done and fix all these niggly issues under a separate project but I don't want to as I think we could produce something better together as you clearly know a lot about DNS.

Feature Request: Tray Icon....

Hi,

It would be nice to be able to have a tray icon for the app. It would allow the following functionality:

  1. Open admin console (in default web browser)
  2. Start / Stop the service
  3. Allow for the selected NIC to have its TCP/IP DNS server settings changed to 127.0.0.1 (and optionally reset to what it was originally)

All of the above would make using the server for developers a heap easier rather than having to do all of the above in a web browser / services.msc / adapter settings.

[Feature Request] set default values for new zones

I've been using this for about 6 months and now need to be able to create many custom zones for testing. Unfortunately, each one defaults to using my server device name instead of an IP (I'd like to be able to expose this over the Internet so the device name will be useless). It also requires me to manually assign the A and AAAA records for each.

I'd like to be able to quickly type (or paste) example.com, click Add, then have the IP address pre-filled with either the last IP I used for that DNS Type or a default assigned at Settings. This would accelerate the process drastically.

Alternatively, could you provide a sample using automation as you've mentioned in the past? I dug through the code and found a way to trigger the changes via Node.js but I'd really like to have my changes be as lightweight as possible for the best performance.

[request] linux version

dnscrypt has linux (and android) binary support, I hope this one will have it too.

with dns-over-tls and host blacklist, and easy management via web console, it's a perfect replacement for dnscrypt and the commercial adguard.

Socket timeout too high for production environment

I propose changing the following:
const int TCP_SOCKET_SEND_TIMEOUT = 10000;
const int TCP_SOCKET_RECV_TIMEOUT = 60000;

to:
const int TCP_SOCKET_SEND_TIMEOUT = 2000;
const int TCP_SOCKET_RECV_TIMEOUT = 2000;

to prevent attacks that are aimed at exhausting resources on the dns server.

Bind itself actually uses 2 seconds as an appropriate timeout also, and Bind is considered the de facto standard in DNS server software.
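
An added example, not code from the project or from the issue author: a Python sketch of how a receive deadline bounds the time one slow or idle TCP client can hold a connection. The names `read_dns_tcp_message` and `SlowClientError` are assumptions; the 2-second value is the one proposed above. The deadline covers the whole length-prefixed message, because a per-call timeout restarts every time a single byte arrives.

```python
import socket
import struct
import time

RECV_DEADLINE_S = 2.0  # the 2000 ms receive timeout proposed in the issue


class SlowClientError(Exception):
    """The client did not deliver a complete message before the deadline."""


def _recv_exact(sock, n, deadline):
    """Read exactly n bytes, failing once the absolute deadline has passed."""
    buf = bytearray()
    while len(buf) < n:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            raise SlowClientError("deadline exceeded")
        # Shrink the socket timeout to whatever is left of the budget,
        # so trickled bytes cannot extend the total wait.
        sock.settimeout(remaining)
        try:
            chunk = sock.recv(n - len(buf))
        except socket.timeout:
            raise SlowClientError("deadline exceeded") from None
        if not chunk:
            raise ConnectionError("peer closed before a full message arrived")
        buf += chunk
    return bytes(buf)


def read_dns_tcp_message(sock, deadline_s=RECV_DEADLINE_S):
    """Read one DNS-over-TCP message: 2-byte big-endian length, then the body."""
    deadline = time.monotonic() + deadline_s
    (length,) = struct.unpack("!H", _recv_exact(sock, 2, deadline))
    return _recv_exact(sock, length, deadline)


if __name__ == "__main__":
    # Constructed demonstration using a local socket pair instead of a network.
    client, server = socket.socketpair()
    client.sendall(struct.pack("!H", 50) + b"abc")  # announces 50 bytes, sends 3
    try:
        read_dns_tcp_message(server, deadline_s=0.2)
    except SlowClientError as exc:
        print("connection dropped:", exc)
    client.close()
    server.close()
```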

What do you mean: "only" ?

Before installing .NET, you'll need to register the Microsoft key, register the product repository, and install required dependencies. This only needs to be done once per machine.

Can you explain what "only" here means?

It's a gross tedious hoop-jumping operation bound to fail 90% of the time, so what do they usually do when they do not have rather modest demands ONLY.

Allow to navigate to blocked zones directly

Currently the "Blocked Zone" section is almost impossible to navigate if you have blocklists in use because the number of entries is very large.

If I want to inspect shady.example.com I have to click on com first, which takes ages to load because there are thousands of entries in it.

It would be great if there was a button next to the "Block" button that would just navigate to the entry that was entered.

Support custom port number and custom protocol for forwarders

It is useful in some scenarios to set a custom port number for forwarder servers.

For example let the user set forwarders to use UDP port number 5353 like this: 1.2.3.4@5353 (or 1.2.3.4:5353 which one you like better)

Another useful feature is to support TCP, DNS-over-TLS, etc. for forwarders.

Technitium just too buggy for real use

I have been using Technitium in our development environment for months now and I think it is just too buggy for real use.

There are Constant Lockups. For example, right now I came to my computer in the morning and DnsService is running at 15% with over 3Gb of memory.

Most of the time you can not even kill the task in TaskMan. The DnsService.exe is very difficult to kill when it has bugged out.

It requires Admin CMD prompt and a taskkill /f with the PID.

Admin Panel Not Working

For some reason I get ERR_CONNECTION_REFUSED when I try the web admin panel.

The Log:

[2019-05-26 04:34:33 UTC] Logging started.
[2019-05-26 04:34:33 UTC] DNS Server config file was loaded: C:\Program Files (x86)\Technitium\DNS Server\config\dns.config
[2019-05-26 04:34:33 UTC] Loaded zone file: C:\Program Files (x86)\Technitium\DNS Server\config\1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa.zone
[2019-05-26 04:34:33 UTC] Loaded zone file: C:\Program Files (x86)\Technitium\DNS Server\config\1.0.0.127.in-addr.arpa.zone
[2019-05-26 04:34:33 UTC] DNS Server is loading allowed zone file: C:\Program Files (x86)\Technitium\DNS Server\config\allowed.config
[2019-05-26 04:34:33 UTC] [127.0.0.1:53] [UDP] DNS Server was bound successfully.
[2019-05-26 04:34:33 UTC] [127.0.0.1:53] [TCP] DNS Server was bound successfully.
[2019-05-26 04:34:33 UTC] [[::1]:53] [UDP] DNS Server was bound successfully.
[2019-05-26 04:34:33 UTC] [[::1]:53] [TCP] DNS Server was bound successfully.
[2019-05-26 04:34:33 UTC] DNS Server is loading custom blocked zone file: C:\Program Files (x86)\Technitium\DNS Server\config\custom-blocked.config
[2019-05-26 04:34:33 UTC] DNS Server custom blocked zone file was loaded: C:\Program Files (x86)\Technitium\DNS Server\config\custom-blocked.config
[2019-05-26 04:34:33 UTC] DNS Server blocked zone loading finished successfully.
[2019-05-26 04:34:33 UTC] [0.0.0.0:5380] DNS Web Service (v3.3.0.0) was started successfully.

Feature Request

In the zones menu, on the list of domains, can you add groups? If you have a lot of DNS entries, it is better to have groups.

Create DNS entries with PHP (API, etc.)

We have many domains that we need to test in our local environment and would like to add these automatically with PHP from our database.

I see you seem to use JSON in a few places. Is there a way to pass JSON to set up the DNS entry?

Or possibly another method?

Server hangs on opening highly populated Zone

When we open zone page, say .com zone from Blocked Zone page, as that zone is highly populated, web page goes non-responsive for more than 40-50sec rendering the page. (see below image)

Untitled1

After some time web page changes as follows..

Untitled2

Web page remains as in above image for more than 2-3 mins.
Meanwhile, until page becomes responsive again, server doesn't serve any DNS queries.

Seems server process overloads server system resources rendering zone contents on web page.

We may solve this issue by offering page-number-wise display (prev-next) (say, only 50 contents per page) for zone contents.

Test server - Windows 10 pro, i5-7th gen, 16gb RAM

Prevent footprinting by allowing zones for private networks only

If the DNS server is to be used as a replacement for WINS, as well as a DNS server for websites, the server will be vulnerable to footprinting.

Footprinting is the process by which DNS zone data is obtained by an attacker to provide the attacker with the DNS domain names, computer names, and IP addresses for sensitive network resources. An attacker commonly begins an attack by using this DNS data to diagram, or "footprint," a network. DNS domain and computer names usually indicate the function or location of a domain or computer to help users remember and identify domains and computers more easily. An attacker takes advantage of the same DNS principle to learn the function or location of domains and computers in the network.

By allowing zones to be created for private networks only, footprinting can be prevented.

This would set your server apart from all others in that you can create zones for the private network, which will provide a great alternative to WINS.

[request] support DNS-over-TLS

This is the most feature rich DNS server I've found, but while it is able to consume DNS-over-TLS from other providers, it is not yet able to receive and respond in kind.

I know it's a big ask, but this would be a huge improvement to be able to assign my own TLS certificate (or better yet, integrate Let's Encrypt) in order to be able to provide DNS-over-TLS (and DNS-over-HTTPS).

Option to delete cached zones does not work

When I try to delete a cached zone, the zone is not deleted. The returned message is OK, but nothing happens.
I'm using Technitium DNS Server Version 3.3

Thanks

Feature Request: Add a DHCP server

I know the focus at the moment is to improve stability, but something I'd like to suggest is that a DHCP server is added to your group of projects under the TechnitiumSoftware umbrella.

Then at some point create another project that incorporates the DNS server and DHCP server together, so that people can choose to use one or the other, or both.

The benefit of this is that if a router does not allow the changing of DNS settings, the DHCP server can be used to achieve the same result.

Blacklisting

Feature request to directly support importing/linking static and dynamic blacklists containing wild cards and REGEX rather than simply manually creating A records with black hole addressing.

As far as clear development goals, the minimum request here would be to first add at least an easy way to import/link a static list of A records that can be used for black hole addressing. The complete feature goal would be total support for importing/linking blacklists containing wild cards and REGEX.

I would also say the open-source Privoxy project offers a lot in the way of ready-to-go REGEX blocking. Since Privoxy is a proxy server and not a DNS server, it obviously has full URL path REGEX, but those REGEX strings applying to only fully qualified domain names can be easily filtered out and would be a good place to start.

I'll also plug Steven Black's Hosts repo as a good example for static blocking, which is used by Paul Vixie, one of the authors of the DNS RPZ standard (StevenBlack/hosts#451):
https://github.com/StevenBlack/hosts
The hosts file format is simply the oldest and most common format accepted by the widest range of software and devices, but the project can be easily converted to other formats, as well, including, hopefully, a format that works best with the Technitium DNS server:
https://scripttiger.github.io/alts/
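
An added example, not part of the issue or of the project's code: a Python sketch of importing a hosts-format list into block sets and matching query names against them. It assumes wildcard entries are written as `*.domain` (the hosts format itself has no wildcards), and the function names and sample entries are constructed for illustration.

```python
# Addresses that hosts-format blocklists use as black-hole targets.
SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
# Loopback housekeeping names that such lists carry but that are not blocks.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local",
               "broadcasthost", "ip6-localhost", "ip6-loopback", "0.0.0.0"}

# Constructed sample in hosts format (reserved example domains).
SAMPLE_HOSTS = """\
# comment line
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # inline comment
0.0.0.0 *.telemetry.example.org
192.0.2.10 intranet.example.com
"""


def parse_hosts_blocklist(text):
    """Return (exact, wildcard) sets of lower-case names to block."""
    exact, wildcard = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            continue  # blank line, or a real address mapping: not a block
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name.startswith("*."):
                wildcard.add(name[2:])
            elif name and name not in LOCAL_NAMES:
                exact.add(name)
    return exact, wildcard


def is_blocked(qname, exact, wildcard):
    """True if qname is listed exactly or sits below a wildcard entry."""
    name = qname.lower().rstrip(".")
    if name in exact:
        return True
    labels = name.split(".")
    # *.example.org covers every name below example.org, not example.org itself.
    return any(".".join(labels[i:]) in wildcard for i in range(1, len(labels)))


if __name__ == "__main__":
    exact, wildcard = parse_hosts_blocklist(SAMPLE_HOSTS)
    for q in ("ADS.example.com.", "a.b.telemetry.example.org",
              "telemetry.example.org", "intranet.example.com"):
        print(q, is_blocked(q, exact, wildcard))
```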

Sometimes server reply with no answer

I'm using DNS-over-TLS Cloudflare forwarder, but sometimes hosts cannot be resolved and in log I see

[2019-03-25 07:08:21 UTC] [10.10.10.100:49258] QNAME: aidigo-shop.ru; QTYPE: A; QCLASS: IN; RCODE: NoError; ANSWER: []

...

[2019-03-25 07:09:04 UTC] [10.10.10.100:58766] QNAME: www.aidigo-shop.ru; QTYPE: A; QCLASS: IN; RCODE: NoError; ANSWER: [91.226.82.243]

[2019-03-25 07:09:04 UTC] [10.10.10.100:61236] QNAME: www.aidigo-shop.ru; QTYPE: A; QCLASS: IN; RCODE: NoError; ANSWER: [91.226.82.243]

[2019-03-25 07:09:04 UTC] [10.10.10.100:56931] QNAME: www.aidigo-shop.ru; QTYPE: AAAA; QCLASS: IN; RCODE: NoError; ANSWER: []

After some digging:
1.1.1.1 and 1.0.0.1 used as main DNS in network config reply with server IP on first query.
Using Tor as DNS reply with server IP on first query.

What's wrong?
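
An added example, not from the issue authors or the project: a Python parser for the query log format quoted in this issue and in the "flag blocked zones" request earlier on the page. It labels each query as blocked (answer `0.0.0.0`), empty, error or answered, and lists names that received both an empty and a real answer for the same type. The sample log is constructed, and splitting multiple answers on commas is an assumption, since the page only shows single-address answers.

```python
import re
from collections import Counter

# Line layout copied from the query log lines quoted on this page.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<client>\S+)\] "
    r"QNAME: (?P<qname>[^;]+); QTYPE: (?P<qtype>[^;]+); "
    r"QCLASS: (?P<qclass>[^;]+); RCODE: (?P<rcode>[^;]+); "
    r"ANSWER: \[(?P<answer>.*)\]\s*$"
)
SINKHOLE = {"0.0.0.0"}  # the answer the page reports for blocked zones

# Constructed sample log (reserved example names and addresses).
SAMPLE_LOG = """\
[2019-03-25 07:08:00 UTC] Logging started.
[2019-03-25 07:08:21 UTC] [10.10.10.100:49258] QNAME: shop.example.com; QTYPE: A; QCLASS: IN; RCODE: NoError; ANSWER: []
[2019-03-25 07:09:04 UTC] [10.10.10.100:58766] QNAME: shop.example.com; QTYPE: A; QCLASS: IN; RCODE: NoError; ANSWER: [192.0.2.10]
[2019-03-25 07:09:04 UTC] [10.10.10.100:56931] QNAME: shop.example.com; QTYPE: AAAA; QCLASS: IN; RCODE: NoError; ANSWER: []
[2019-03-25 07:09:10 UTC] [10.10.10.100:50111] QNAME: ads.example.net; QTYPE: A; QCLASS: IN; RCODE: NoError; ANSWER: [0.0.0.0]
"""


def parse_line(line):
    """Return a dict for a query line, or None for any other log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    raw = entry.pop("answer")
    entry["answers"] = [a.strip() for a in raw.split(",") if a.strip()]
    return entry


def classify(entry):
    """Label one parsed query: blocked, error, empty or answered."""
    if SINKHOLE & set(entry["answers"]):
        return "blocked"
    if entry["rcode"] != "NoError":
        return "error"
    return "answered" if entry["answers"] else "empty"


def summarize(log_text):
    """Count verdicts and list (qname, qtype) pairs seen both empty and answered."""
    counts, outcomes = Counter(), {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry)
        counts[verdict] += 1
        key = (entry["qname"].lower(), entry["qtype"])
        outcomes.setdefault(key, set()).add(verdict)
    flapping = sorted(k for k, v in outcomes.items() if {"empty", "answered"} <= v)
    return counts, flapping


if __name__ == "__main__":
    counts, flapping = summarize(SAMPLE_LOG)
    print(dict(counts))
    print("empty then answered:", flapping)
```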

Can we have dns over quic?

I know that right now it is not implemented, but there are some servers supporting dns over quic. One is google. Also I want to have my own server so that I can test that. So can we have dns over quic support? I read that it is fast, with low latency. It is basically dns over udp, but secure, encrypted. So for pure theoretical purposes or testing purposes. Thank you in advance.

Question: what do we need to do to make this production ready?

When released in 2017, the release notes stated:

It must be noted that this DNS server is not suitable to be used for production or any critical application. The software is released as alpha version denoting that its not yet stable and may have bugs.

So I would like to start a discussion on what we can do to make the DNS server production ready.

I presume we need to consider things such as DNS Flood protection, but is there anything else we need to consider, such as security?

[request] identify blocklist for sinkhole domains

Using 2.3.1

It would be great if there were a way to identify which blocklist(s) were responsible for sinkholing a domain I'm getting "0.0.0.0" for. This information would be ideal within the DNS Client tab.

Runaway GC2 heap

The GC2 heap gradually climbs up to 1.5GB then reduces every few hours. This is an enormous memory footprint for a DNS service.

[Feature Request] Interface to monitor, blocklist or whitelist domain from Top Domains or Top Blocked Domains table

On dashboard, we can see Top Domains or Top Blocked Domains which are served by server.
There should be option of blocking particular domain from Top Domain list or of whitelisting particular domain from Top Blocked Domains list.

Also, the list is truncated to only limited number (seems only 10). We can give iframe scrollbar interface for it so that, we can see complete served list.

Also, we can show which exact query was served (like A, AAAA, MX, PTR or other) with detail.
Currently, dashboard only shows a pie chart.

App Crash

Had no problems for months; today the service fails at startup.
No se puede iniciar el servicio. System.NullReferenceException: Referencia a objeto no establecida como instancia de un objeto.
en DnsServerCore.StatsManager.LoadLastHourStats()
en DnsServerCore.StatsManager..ctor(String statsFolder, LogManager log)
en DnsServerCore.DnsWebService..ctor(String configFolder, Uri updateCheckUri)
en DnsService.DnsService.OnStart(String[] args)
en System.ServiceProcess.ServiceBase.ServiceQueuedMainCallback(Object state)

Different time in graphs and logs

In graphs I see local time but in logs I see UTC time. I cannot change this because no option for this is available at this time.

Strange records in cached zones

Today I found records listed below in cache. What's this?

[
  {
    "name": "zyzurjxdrbkn",
    "type": "A",
    "ttl": 0,
    "rData": {}
  }
]

and many more (see screenshot).
screenshot-server-5380-2019 02 21-12-28-46

PS! I use no proxy and cloudflare forwarder.

[feature request] ipv4 / ipv6 only

Please add an option to have only ipv4 requests answered and cached.

Having an option to disable/remove ipv6 answers for ipv4 clients will increase browsing performance.

[Feature Request] Inbuilt HTTPS support

Can we have inbuilt HTTPS support for server (self signed and/or third party) ?
This will help to serve admin dashboard over HTTPS, and can also have onboard DoH/DoT support.

Log to file using NLog

At the moment, logging takes place on the same thread as the server itself, which means that the DNS server is constantly being blocked by logs that are being written to file. I think using NLog rather than your own logging solution will serve to provide better performance.

Security Concerns, and Multi User environments.

We have a student computer lab that we're attempting to deploy website blocking for, and we were considering this tool to do DNS level blocking.
But I'm concerned over the service process privilege and user management elements.
Running the installer on my Windows 10 laptop, it appears that the dnsserver.exe process runs with system level permissions. Is this necessary? I realize that it needs to write to the C:\Program File(x86)\ Folder, but maybe relocating to C:\Technitium\Config and creating a user with just permissions for that folder would be better? I'd prefer to run web services with the least privilege principle.
And from quick glancing over the web interface, the only user that can log in is admin?
I realize that it may be beyond the scope of this project, and maybe something an enterprise product would do. So maybe simplicity would be best, even if it's compromising.

But the DNS over HTTPS/TLS features are really cool and modern, and I think this program has a very small footprint overall, so it's pretty fitting for our environment aside from the issues above.
Thank you for your time.

DNS client import issue

I'm trying to import domain.com.

A domain.com zone is created with 2 records: SOA and A.

Then I'm trying to import www.domain.com (a CNAME record)

domain.com zone is not updated.

Expected result: domain.com zone should contain 3 records.
