Technitium DNS Server (TDNS) has gotten a new release with many awesome features: TOTP authentication, an upgraded .NET library, and many security and performance fixes.
But most important of all, it now supports clustering. A long-awaited feature, this allows Technitium to sync DNS zones and configurations across multiple nodes, without needing an external orchestrator like Kubernetes, or an out-of-band method to replicate underlying data. For selfhosters, this would enable resilience for many use cases, such as internal homelab adblocks or even selfhosting your public domains.
From a discussion with the developer and his sneak peek on Reddit, it is now known that the cluster is set up as a single-primary/multiple-secondary topology. They communicate via good-old REST API calls, and transported via HTTPS for on-the-wire encryption.
To sync DNS zones (i.e. domains), the primary server provisions the "catalog" of domains, for secondary ones to dynamically update records in a method known as Zone Transfers. This feature, standardized as Catalog Zones (RFC9432), were actually supported since the previous v13 release as groundwork for the current implementation.
As an interesting result, nodes can sync to a cluster's catalog zone, as well as define their own zones and even employs other catalog zones from outside the cluster. This would allow setups where, for example, some domains are shared between all nodes, and some others only between a subset of servers.
To sync the rest of the data such as blocklists, allowlists, and installed apps, the software simply sends over incremental backups to secondaries. The admin UI panel is also revamped to improve multi-node management: it now allows logging in to other cluster nodes, as well as collating some aggregated statistics for the central Dashboard. Lastly, a secondary node can be promoted to primary in case of failures, with signing keys also managed within for a seamless transition of DNSSEC signed zones.
More details about configuring clusters is to be provided in a blogpost in the upcoming days. It is important to note that this feature only supports DNS stuff, and not DHCP just yet (Technitium is also a DHCP server). This, along with DHCPv6 and auto-promotion rules for secondaries, is planned for the upcoming major release(s) later on.
As a single-person copyleft project, the growth of this absolute gem of a software has been tremendous, and can only get better from here. I personally can't wait to try it out soon
Disclaimer: I'm just a user, not the maintainer of the project. Information here may be updated for correctness and you can repost this to whatever
Have you solved your problem? It seems like there are some issues with your setup:
Correct. It only accept recursion queries from private networks and can make outbound requests to the internet as normal
On the computer, you're also using your VPN's DNS service accessible within the VPN tunnel (hence the weird IP address). If you wanna use Technitium you should disable such service
If you're forcing every device to talk to TDNS, then your TDNS server is also talking to itself and cannot make queries to Cloudflare/Quad9 on port 53. You can either:
Yes it's expected, if you're telling your clients to forward their queries to dnsmasq, and then let dnsmasq forward those queries to Technitium. If you want clients to talk directly to TDNS instead, set the DHCP option to advertise its address and don't use your firewall's address as a forwarder. I prefer the second option as it'll give you correct client IPs in query logs and save some round trips.
If you can query the zone and its reverse PTR record in Technitium's DNS client, then you've properly set it up. Remember you'll have to tick the PTR options when setting up said record. Also you can open an issue on Technitium's Github or their subreddit for assistance.