Craft Computing · 46.6K views · 2.5K likes
Analysis Summary
Worth Noting
Positive elements
- This video offers a high-quality, step-by-step technical walkthrough of a complex networking tool that is genuinely useful for homelab enthusiasts.
Be Aware
Cautionary elements
- The recommendation for specific enterprise-grade hardware (Sun F80) is heavily tied to affiliate revenue, even though the software's resource requirements are actually quite low.
Transcript
Quite a few years ago, I wrote a tutorial about how to get the most out of Pi Hole by using it as both an ad blocker and a recursive DNS server. You might have seen that one. That video was focused primarily around adding a touch of privacy to the otherwise awesome ad blocking you already get with Pi Hole. But what if you don't need the ad blocking component? What if you just need a solid recursive DNS server for your business or your home lab? Or the ability to be an authoritative domain server for your own hosts along with fine-grained local DNS control? Today we're going to take a look at Technitium, another open source DNS server with a focus on privacy, features, and customization. Welcome back to Craft Computing, everyone. As always, I'm Jeff. Like I said, today we're going to take a look at Technitium, a fully open-source and free DNS server that you can run at home, for business, or for hosting, and go over some of the options for deploying it depending on your needs. Quite a few years ago, I published a tutorial on the self-hosted ad blocking extraordinaire that is Pi Hole and how you can turn it into a self-hosted recursive DNS server. And while that is a fantastic solution, there were some problems with that exact setup. While it all functions well, adding recursive DNS as a service to Pi Hole is a bit of a workaround in my opinion, as those DNS queries aren't actually running through Pi Hole, but rather through another service running on your server called Unbound. Essentially, when you make a DNS request in Pi Hole, it will compare your request against a list of known blocked advertisers. Thus the ad blocking capability. And then any approved requests are sent on to a forwarder DNS service. In normal operation, this would be a DNS server set up by your ISP or a publicly accessible one like Google, Cloudflare, OpenDNS, or Quad9.
If you're running Unbound to make Pi Hole a recursive DNS server, the requests are forwarded from Pi Hole onto Unbound, where Unbound then tracks down the authoritative DNS server for the requested domain. Once that domain is verified, Unbound will add it to a cache for future use. The result is longer initial lookup times, but you are guaranteed to get accurate results along with faster lookup times for all subsequent requests. But because Unbound isn't running as part of Pi Hole, you get no analytics or control of requests once the ads have been stripped out. That's actually fine for most deployments as DNS lookup doesn't need much babysitting once it's set up. But I like data and analytics, but only for myself. I don't need my ISP spying on my internet traffic or worse, redirecting my DNS requests to other sites or delivering ads into my browsing. If you're running a publicly accessible Wi-Fi or a business with multiple employees, keeping a log of DNS requests can help troubleshoot service problems. Because let's face it, if a critical service goes down, it's usually DNS. For the past few months, I've been looking for DNS services that were less one-trick pony like Pi Hole for ad blocking and more of a multi-featured, fully featured open DNS server that I can run at home. And that's when I discovered Technitium. Out of the box, it is a self-hosted recursive DNS server and has the ability to add on nearly any other DNS feature you'd ever need. Things like DNS level ad blocking, per domain rules, a DHCP server, automatic and customizable local DNS, authoritative DNS for service hosting, and even more. All of it open source, and all of it for free. So, let's get Technitium installed and show you just how easy it is to get set up and running. But before we get started, I want to tell you about the sponsor of today's video, Meter.
While I enjoy tinkering on my home lab, discovering new services, and playing with my networking equipment, if you run a business, you've probably got better things to do with your time. And that's where Meter comes in. Meter delivers an all-in-one networking stack that bundles everything you need into a single package, including high-speed wired and wireless networking, power delivery, firewall and routing, and even cellular, all in a single integrated solution that's built for performance and scalability. Meter handles everything from designing a custom network for your business and even negotiating with your local ISP to get you the best rates on internet connectivity. All of that shows up in a single cloud-based dashboard, giving you clear visibility into every layer of your network. You get the connectivity your business needs, for a predictable monthly cost. Meter ships you the hardware you need today and will automatically upgrade your hardware as time goes on, ensuring your users and your business always have the tools and connectivity they need. Whether you're starting a new business, expanding to new locations, or simply modernizing an aging network, let Meter take care of the hassle for you. Visit meter.com/craftcomputing to book a demo today and see how they can help your business. Again, that's meter.com/craftcomputing. And a huge thanks to Meter for sponsoring today's video. Getting Technitium up and running could not be easier. It's available for basically any OS and any hardware platform that you want to run it on, including Linux, Mac, Windows, and running on x86 or ARM hardware. There's even a Docker image for those heathens among you. I'll be installing today inside of Proxmox as a virtual machine running on one of my Supermicro MicroCloud nodes. The VM I set up is pretty lightweight with just two CPU threads and 4 GB of memory.
Although even that turned out to be overkill as the server when it's running only uses about 600 megabytes of total memory, including the Ubuntu VM. So you could easily get away with just 1 GB if you want. When it comes to storage though, we are essentially writing cache and history 24 hours a day. And you might not want to run this on a consumer SSD or an SD card as those aren't well suited for constant writes. I'd recommend either storing files on a hard drive or snagging a proper enterprise SSD designed for high write endurance like the Sun F80 drives I covered quite a few years ago. This 800 GB drive has a 23 petabyte write endurance, so constant rewrites aren't going to kill this drive anytime soon. As Technitium runs on just about anything, you can pick and choose your hardware and your distro to your own satisfaction. For today, we're going to go with good old Ubuntu server. During the install, go ahead and set up a manual IP address as you'll need that for your clients to connect to. And once you have Ubuntu installed, go ahead and run an update and upgrade to make sure everything is up to date. And we can go ahead and get started. Installing Technitium is just as straightforward as installing Pi Hole. For Linux, there is a single line that you copy and paste that downloads the installer script and then executes it. The whole process, even on this 12-year-old node server with only two virtual CPUs, ran in less than 20 seconds. Just like Pi Hole, Technitium has a web server for all of its settings, accessible through the IP address that you gave the server earlier and accessed through port 5380. On your first login, you'll be asked to set up a new administrator password. Once you reach the dashboard, the hard work is done, as by default Technitium runs as a fully recursive DNS server accessible to machines on your local LAN. If that's what you're after for this tutorial, you're literally done.
Simply point your clients to the server, or better yet, configure it as the default DNS server on your router and you're good to go. You can start using this as a fully recursive DNS server and it just works. However, while a recursive DNS server is worlds better than using the one from your ISP, if privacy is your goal, you might want to keep watching. See, while most of the web's traffic runs fully encrypted these days, with everything from banks and emails to this very video that you're watching on YouTube, every bit of internet traffic is fully encrypted through HTTPS. That is, except for every DNS request that you send out. See, while DNS can't reveal the specific web pages or content of any website that you visit, and can only reveal the web domains that you're browsing to, that is information you still may not want visible. Most DNS requests still run on port 53 and are completely in plain text, meaning that any switch point between you and your DNS server can see any web domain that you request and any web domain that you visit. There are starting to be rollouts of secure DNS or DNSSEC, but it's been fairly slow going and unencrypted DNS requests can be both read by anyone downstream or even manipulated to redirect traffic at the ISP or the switch level. It doesn't happen often, but I have seen instances of hijacking ad network DNS via injection or DNS poisoning to deliver alternative or malicious web pages to your browser. If you want a bit more security than a recursive DNS server, seeking out the DNS authoritative server for answers, but doing all of that over plain text, forcing all requests over DNSSEC might just be your ticket. Making the switch in Technitium does disable the recursive feature as we'll be instead using a DNS forwarder. But all of the DNS traffic leaving your local network will now be encrypted and unreadable by anyone but you. And while enabling a DNS forwarder stops full recursive lookups, Technitium is still acting as a DNS cache.
So subsequent lookup times will still be improved locally. To force DNSSEC, we're going to go to the dashboard, click on the settings tab, and then go to proxy and forwarders. Under the forwarder section, there is a quick select drop-down menu showing some of the most common public DNS servers. DNS is typically done over UDP protocol via port 53 and is fully unencrypted in plain text. But since we're looking to add a bit more privacy, we're interested in either DNS over TLS or DNS over HTTPS. Both of these methods are fully encrypted, and you can choose whichever server that you're most happy with. And that's all there is for option number two of making your DNS lookups a little bit more private and more secure. I told you this was dead simple to set up and use. And all you've done so far is install a copy of Ubuntu, copy and paste a single command, set a password, and then select a DNS server from a drop-down list. And that last one isn't even necessary if you just want a fully recursive DNS server because that's how Technitium runs by default. Now, on a side note, I was actually looking at adding one more layer of security between me and my DNS lookups, and that is tunneling Technitium through a VPN tunnel, completely bypassing my ISP through a fully encrypted gateway and obfuscating any geolocation entirely. However, that didn't go fully to plan and I was pretty irritated about it until I did a bit more research. Let me explain. My original plan was to run Technitium in full recursive mode. So directly contacting authoritative DNS servers and having that traffic only be routed through a VPN tunnel through NordVPN. But when I installed Technitium and routed through the VPN tunnel, it failed any and all DNS lookup requests that I sent to it. On the dashboard, I got nothing but server warnings about every single DNS request, saying Technitium was unable to contact an authoritative server. But this only happened when routing through NordVPN, which only means one thing.
Nord is obviously manipulating my DNS traffic. They're obviously violating my privacy, injecting ads into my browsing, or just straight up spying on me, right? Well, no. As I discovered, they're actually denying DNS lookups to authoritative domain servers to preserve your privacy. See, a DNS forwarder, like your ISP or Google, strips out your origin IP address as part of the DNS request. They receive a request from you, then seek out the domain information independently before replying to you with the answer that they received. The authoritative server they contact never knows the request comes from you, only that a request has been made. But as we've already established, DNS is an unencrypted protocol, and contacting an authoritative DNS server with some possibly personally identifiable information may expose you even though you're going through a VPN tunnel. In the world of privacy, this is obviously a bad thing. So rather than letting you breach your VPN protection by stupidly broadcasting your origin IP to every single DNS server that will listen, Nord blocks DNS requests to help protect your identity. Now, you can still pass your DNS through a VPN tunnel if you want to use a DNS forwarder, which is exactly the way that I have Technitium set up right now. Technitium accesses the internet exclusively through my VPN tunnel set up through NordVPN, which I have a full tutorial on how to set that up, link down in the video description. Technitium is set up to access Quad9 via HTTPS, so my DNS requests are fully encrypted all the way to Quad9 and are passed through an encrypted tunnel on the way to get there. Plus, I get all the benefits of running a local DNS server with potential performance increases in seek time as well as troubleshooting and customization if I ever need it. Now, if you're currently running a Pi Hole, a lot of this might sound pretty tempting. But what if you don't want to give up the network-wide ad blocking capabilities?
Well, good news, as Technitium supports ad blocking via public lists as well, just like Pi Hole does. And setting that up is just as easy as everything else that we've done today. From the dashboard, go to settings and then click on blocking. Make sure the checkbox is set to enable blocking and then scroll down to the allow and block list URL field. Under that is a quick drop-down menu just like the DNS forwarder menu we accessed a couple minutes ago. Technitium comes with access to some of the most popular block lists out there. You can select the type of content you'd like to block from basic ad filtering to content-based filters for adult content, social media, propaganda, newly registered domains, and more. And you can even mix and match as you'd like by selecting multiple lists. These lists are automatically kept up to date. And you can select the interval at which you download updates in the field below. The default is 24 hours, and that's a pretty good setting for typical block lists like ads and adult content. For security-minded block lists like malware and newly created domains, though, I'd suggest dropping this down to an hourly interval to make sure you have the most up-to-date lists available. Overall, Technitium is exactly what I like seeing out of self-hosted software. It is both insanely powerful and super simple to use. And like I mentioned in the intro, there are a ton of other DNS tools that you can use here, like running an authoritative DNS server for your own hosted domains, local DNS lookups for internal services, and more. But those are a bit outside the scope of this video, where I wanted to focus primarily on performance and privacy. And so, I think that's a good place to call this one a wrap. But what do you think of Technitium? Have you used it before? And is there anything that you'd like to see me dive into that I didn't talk about today? Let me know down in the comments below.
If you're interested in learning more about my current home server, that is the 8-node Supermicro MicroCloud that cost me just $399, I'll leave a link to those videos down in the video description as well. If you like tutorials like this and want to help support the channel, head on over to patreon.com/craftcomputing to get access to my exclusive Discord server where you can chat with myself as well as the other hosts from Talking Heads. And that's going to do it for me in this one. Thank you all so much for watching and as always, I will see you in the next video. Cheers everyone. Beer for today is from Living Haus Beer Company right here in Portland, Oregon. It is the Orville Smoked Helles Lager. A smoked Helles lager. Uh, clocking in at 5.1%. This beer is so clear. Does an awesome job at showing off the nucleation that you get. There we go. Yeah, [laughter] that is the uh laser etching on the bottom of the glass doing some work. Get your own nucleated pint glass over at craftcomputing.store. So, unfortunately, my memory card ran out of space while I was recording, so I missed the beer review and the second half of the video, which I'm recording now, but I figured I would do the beer review since I just got done doing that. This is the uh Beer House Living Haus Beer Co. Orville Smoked Helles. I have had a number of Vienna-style lagers before. That is a a deep smoked German lager. This one very light, very subdued level of smoke. Um, I really like this. It's It's not this super intense flavor. And in fact, it's so subdued I had this entire pint and I kind of want more. Usually with the heavy smoked beers, 4 ounces is more than enough and that's all you taste. It's like biting into a barbecue briquette. This is really pleasant. Right about there. You take the drink in and it's just a really good lager and then you swallow and you sit there for a second and then it just kind of goes barbecue just just enough to know that it's there. And I really like that.
It's not overbearing. It's it's the right flavor. It's the right mix, but it's not going to kill your taste buds. In fact, I feel like I need a burger or some fries or a pizza or barbecue wings or bar food or pretzels, something here in front of me to pair with this to make it even better. I also need a glass of water because this is sucking every last bit of moisture out of my mouth. But I really like this one.
Video description
Thanks to Meter for sponsoring today's episode. If you're interested in learning more about how Meter can help with your IT Infrastructure, go to https://meter.com/craftcomputing to book a demo today.

Grab yourself an Insulated Coffee Tumbler at https://craftcomputing.store

Follow me on Bluesky @CraftComputing.bsky.social

Years ago, I wrote a tutorial around getting Pi Hole to work as a Recursive DNS server using Unbound. It was an easy way to add a bit of privacy and security into PiHole's already awesome feature set. But because it used Unbound on the backend, there was no way to monitor or troubleshoot DNS once it left Pi Hole. Technitium is another Open-Source DNS Server, but with a much more robust feature set for all things DNS. Do you need a fully Recursive DNS server? How about a Local DNS Server for internal services? An Authoritative DNS Server for hosted services? DNS-Level Ad Blocking? Technitium offers all of that and more, all in a lightweight package that can run on literally any hardware.

But first... What am I drinking???
Living Haus Beer Co (Portland, OR) Orville Smoked Helles (5.1%)

Download Technitium DNS Server here: https://technitium.com/dns/
VPN Gateway Tutorial: https://youtu.be/OzN8oqNMWDc

*Links to items below may be affiliate links for which I may be compensated*

Check out the Supermicro 5037MR-H8TRF on eBay: https://ebay.us/gA6OCD

*Recommended for Cache Servers like Technitium*
Sun F80 Warpdrive 800GB (4x200GB) SSD: https://ebay.us/xZ96ux

Supermicro "X99" Node X10SRD-F: https://ebay.us/IlrkDW
Supermicro Xeon-D X10SDD-F: https://ebay.us/xC94cD
Sliding Rails for Microcloud: https://ebay.us/vLWdHx
Intel Xeon E5-2651v2 12-Core (10-Pack): https://ebay.us/e9ydi8
Intel Xeon E5-2667 v2 8-Core 4.0GHz: https://ebay.us/CQE67Q
Nvidia Tesla P4 can be found here: https://ebay.us/DLxAEj
Sparkle Intel Arc A310: https://amzn.to/4rn5JzZ
Supermicro AOC-CTG-L1S 10Gb SFP+ Adapter: https://ebay.us/KzjwcY
Dual m.2 SATA PCIe Controller: https://amzn.to/49VG9vY
Seagate 8TB Ironwolf Pro SATA HDD: https://amzn.to/3NpiXO0

Support me on Patreon and get access to my exclusive Discord server. Chat with myself and the other hosts on Talking Heads all week long. https://www.patreon.com/CraftComputing

Timestamps
0:00 - Intro + PiHole Comparison
3:28 - Sponsor - Meter.com
4:41 - Technitium Installation - Recursive DNS
7:13 - DNS-SEC and DNS over HTTPS
9:50 - DNS over VPN???
12:28 - What about Ad Blocking?
14:56 - Living Haus Beer Co - Orville Smoked Helles