While the popularity of using Pi-hole to block ads and malware at the DNS level highlights the broken nature of the modern internet experience, I find it equally irritating for different reasons. Sometimes updates break the system, and the only fix is to reinstall it, which thankfully doesn't take long, but it's annoying. Being able to generate DNS overrides for local resolution of self-hosted services is handy, but sometimes it doesn't work, and my Apple devices complain that Pi-hole doesn't let Private Relay work on the network.
Perhaps that's me wanting too much from one tool, because Pi-hole was designed for network-wide blocking of ads and trackers at the DNS level. While it can create custom DNS entries, that's not its primary strength. It also forwards any DNS requests out, and unless you add Unbound or another recursive DNS resolver, the Pi-hole is only caching your DNS queries, which doesn't improve your security in the way you'd want.
I'm also a big believer in using the right tool for the job, and not trying to bend services to my will. That's why I was so excited when I heard about Technitium, because while it can perform all the DNS blocking that Pi-hole is known for, it's also a fully featured, authoritative, and recursive DNS server. You could even self-host nameservers on it if you wanted.
What is Technitium, and why would you use it?
This authoritative and recursive DNS server is private, secure, and incredibly powerful

While some tools allow you to block malware and ads at the DNS level, others enable you to create local domains, serve as recursive DNS servers, and set up caching and forwarding. However, there aren't many that offer comprehensive functionality while supporting encrypted DNS out of the box. Technitium, despite the awkward-to-type name, can do all of these and more.
It's a comprehensive open-source DNS server that you can self-host, and comes with a core of powerful features:
- Encrypt DNS queries for privacy
- Block ads at the DNS level
- Control your DNS instead of using Google or Cloudflare
- Manage local devices with custom DNS names
- Set up conditional DNS forwarding if local domain names aren't resolved
But it can do so much more, because it has support for Zones and for more record types than A and CNAME, which are the only two that most tools for local domain names let you set up. You can set up PTR records for reverse DNS lookups, a vital part of self-hosting email servers. Or TXT, MX, AAAA, NS, and a bunch more, giving you similar control over local DNS as you would have by using Cloudflare or other providers.
It's honestly fantastic, and has made my home network more responsive, safer, and private, while enabling my home lab shenanigans without needing to set up reverse proxies. But because it also allows conditional forwarding, I can set up local domain resolution that will forward to my reverse proxy's external IP address if I haven't set up a local domain yet, and still access the same services completely transparently while using them.
It's more powerful than Pi-hole for one reason
Technitium isn't only able to create local DNS entries for IP addresses on your home network. It's also a recursive DNS server and an authoritative one. That means I can set up local domain names and have them be resolved properly, but also that my browsing is more private, as the server queries the DNS root servers directly (just like how Unbound does), so that Google, my ISP, and whoever else don't know what I'm browsing. It also means that any DNS overrides I set up will resolve first, so I could set domains I don't own, like Google.com, to point at my self-hosted SearXNG instance instead.
But that's not the reason. I have multiple Apple devices at home, and I've come to appreciate Apple Private Relay, which provides me and my family with the privacy we need. Pi-hole doesn't allow DNS resolution for some Apple domains (even if whitelisted), effectively rendering Apple's well-designed security feature unusable. It supports Safari, DNS resolution queries, and insecure HTTP app traffic, effectively shielding a large percentage of the tracking that could be happening on my devices. Pi-hole also sometimes breaks multicast for Apple devices and services like AirPrint, and I rely on those too much to risk them not working.

Technitium gives me a local domain registrar
Okay, it does a ton of other things too, but that one is important to me
The first thing I did once Technitium was running was to change the web GUI to use HTTPS for access, shortly followed by adding a couple of the blocklists to the block section. That cuts out ads, malware, and other junk before it even hits my network, and all the devices I own are safer because of it. Then I changed the DNS servers on a few devices to point at Technitium to test it out, because I wasn't about to let my DHCP server hand out a DNS resolver without testing it first.
While I let the dashboard fill with query data, I explored the advanced features and quickly discovered their power. I can set up local domains, and the server will automatically create NS and SOA records, allowing me to easily add subdomains for self-hosted services. But I could go one step further, and self-host my own domain name, removing the domain name registrar from the equation when it comes to nameservers. That's the best way to learn how DNS works from the inside. However, I'd caution against doing so if you're hosting anything critical, because DNS is a complex system, and any misconfiguration could be disastrous.
Alternatively, I could keep my local domains on my OPNsense router and set up DNS forwarding in Technitium, allowing it to still resolve those DNS records. If I used Active Directory, I could do the same thing, leaving me to manage my domains and devices as I wish, while still having one point of contact for DNS resolution.
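To make the lookup order described above concrete (local zones and their record types, blocklists applied before a query leaves the network, conditional forwarding to a router or directory resolver, and full recursion for everything else), here is an added example written for this article. It is not Technitium's code; it is a small model of that resolution order with constructed zone data, a constructed hosts-style blocklist, a hypothetical `corp.example` forwarder, and made-up addresses in 192.168.1.0/24.

```python
import ipaddress

# Added example, not Technitium code: a tiny model of the lookup order the
# article describes (local zones first, then blocklist, then conditional
# forwarding, then full recursion). All data below is constructed.

BLOCKLIST_TEXT = """\
# constructed hosts-style blocklist
0.0.0.0 ads.example
0.0.0.0 tracker.example
"""

# Constructed local zones: zone name -> owner name -> record type -> values.
LOCAL_ZONES = {
    "home.lan": {
        "home.lan": {"SOA": ["ns1.home.lan hostmaster.home.lan 1 3600 900 604800 300"],
                     "NS": ["ns1.home.lan"], "MX": ["10 mail.home.lan"]},
        "ns1.home.lan": {"A": ["192.168.1.2"]},
        "nas.home.lan": {"A": ["192.168.1.10"], "AAAA": ["fd00::10"]},
        "files.home.lan": {"CNAME": ["nas.home.lan"]},
    },
    # Reverse zone so PTR lookups for 192.168.1.0/24 are answered locally.
    "1.168.192.in-addr.arpa": {
        "10.1.168.192.in-addr.arpa": {"PTR": ["nas.home.lan"]},
    },
}

# Constructed conditional forwarders: domain suffix -> resolver that owns it
# (the role an OPNsense router or Active Directory DNS server would play).
CONDITIONAL_FORWARDERS = {"corp.example": "10.0.0.53"}


def normalize(name):
    return name.rstrip(".").lower()


def parse_blocklist(text):
    """Parse hosts-style lines ("0.0.0.0 domain") into a set of names."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            blocked.add(normalize(parts[1]))
    return blocked


BLOCKED = parse_blocklist(BLOCKLIST_TEXT)


def longest_suffix_match(name, candidates):
    """Return the longest candidate that equals name or is a parent of it."""
    labels = name.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in candidates:
            return suffix
    return None


def reverse_name(ip):
    """PTR owner name for an address, e.g. 10.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def resolve(name, rtype, depth=0):
    """Return (source, answers); source is one of local, nodata, nxdomain,
    blocked, forward or recursive."""
    name, rtype = normalize(name), rtype.upper()
    zone = longest_suffix_match(name, LOCAL_ZONES)
    if zone is not None:
        # Authoritative local data wins over everything else.
        records = LOCAL_ZONES[zone].get(name)
        if records is None:
            return "nxdomain", []
        if rtype in records:
            return "local", list(records[rtype])
        if "CNAME" in records and depth < 8:
            # Follow the alias as a resolver would, bounded to avoid loops.
            return resolve(records["CNAME"][0], rtype, depth + 1)
        return "nodata", []
    if longest_suffix_match(name, BLOCKED) is not None:
        # Blocked names (and their subdomains) never leave the network.
        return "blocked", []
    forwarder_zone = longest_suffix_match(name, CONDITIONAL_FORWARDERS)
    if forwarder_zone is not None:
        return "forward", [CONDITIONAL_FORWARDERS[forwarder_zone]]
    # Everything else would be resolved recursively from the root servers.
    return "recursive", []
```

Calling `resolve("files.home.lan", "A")` follows the CNAME to the NAS address, `resolve(reverse_name("192.168.1.10"), "PTR")` is answered from the reverse zone, a name under `corp.example` is handed to the forwarder, and a subdomain of a blocked name is blocked without any upstream query. A name inside a local zone that has no record returns NXDOMAIN rather than being forwarded, which is the behaviour that makes an authoritative local zone safe to put in front of a recursive resolver.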
I can use DNS-over-TLS, or over-HTTPS, or over-QUIC if I wanted to, with DNSSEC validation support, persistent machine, CNAME cloaking, QNAME minimization support, and the ability to use APP records to have certain services use custom DNS apps for resolving. Plus tons of other things that wouldn't be out of place in an enterprise DNS server that has to handle multiple sites, zones, splits, and Geolocation tasks. It's a lot, and I'm only scratching the surface here because my needs aren't that deep.
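The encrypted transports mentioned above carry the same RFC 1035 wire-format message as plain DNS; only the channel changes. As an added illustration (not Technitium's code), the block below builds a DNS query message, packs it into the `?dns=` form a DNS-over-HTTPS GET uses (RFC 8484: base64url without padding), decodes the question back out, and lists the queries a QNAME-minimising resolver sends so that each upstream authority only sees the part of the name it serves. The endpoint `https://dns.home.lan/dns-query` is a hypothetical hostname, and the `www.example.com` case reproduces the encoded query shown in RFC 8484.

```python
import base64
import struct

# Added example, not Technitium code. It shows what an encrypted DNS
# transport carries: the RFC 1035 wire-format message, here packed into the
# URL form a DNS-over-HTTPS GET uses (RFC 8484, base64url without padding),
# plus the query sequence QNAME minimisation sends.

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12,
          "MX": 15, "TXT": 16, "AAAA": 28}


def encode_name(name):
    """Encode a domain name as DNS labels: length byte + label, ending in 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", txid=0):
    """Build a DNS query message with the RD bit set (RFC 1035 section 4.1).
    txid defaults to 0, which RFC 8484 recommends so that GETs are cacheable."""
    flags = 0x0100  # QR=0, opcode=QUERY, RD=1
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype.upper()], 1)
    return header + question


def doh_get_url(name, qtype="A", endpoint="https://dns.home.lan/dns-query"):
    """URL for a DoH GET: base64url-encoded wire message without '=' padding.
    The default endpoint is a hypothetical hostname used for illustration."""
    wire = build_query(name, qtype)
    param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={param}"


def parse_question(msg):
    """Decode the first question of a wire message back to (name, qtype)."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return ".".join(labels), qtype


def qname_minimisation_steps(name):
    """Names a minimising resolver asks about, shortest first, so the root and
    TLD servers never see the full name being looked up."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]
```

Because the wire message is identical across UDP, DoT, DoH and DoQ, the privacy gain comes from the transport encryption and from QNAME minimisation, not from the message format; the base64url step is only what lets the message travel in a URL.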
Technitium was really easy to install

Technitium runs on .NET, is open-source, and has packages for Linux, Windows, macOS, and Raspberry Pi. There's also a Docker image on Docker Hub for container fans. There isn't a native FreeBSD package for OPNsense users, but it's relatively quick to build from source and get running as a package.
I opted to install it as a system service on my Proxmox server, because I know that it'll be plugged in and accessible to my network at all times. I could have used an LXC container, but I think what I'll do is pull my Technitium settings into a Docker container on my NAS, and then set up Keepalived to ensure both DNS servers are reachable from a single virtual IP with high availability. To install it on Proxmox, all I needed was one line in the terminal:
curl -sSL https://download.technitium.com/dns/install.sh | bash

That's it; then I could access Technitium from the Proxmox server's IP address on port 5380, and all I needed to do was change some DNS records on my devices to point to the Proxmox IP address. It took minutes, and I could already notice speedier browsing.
Technitium brings the domain registrar home
I have to admit, when I first saw Technitium, I had doubts about whether it would live up to its promises and if it was the right fit for my network. I'm now planning which servers to add additional instances to, with Keepalived to ensure it's always available, so I guess you could say those misgivings are gone. I'll probably install it on my OPNsense router as well, because I prefer having network-related tools installed on the same box, and it'll give me some more practice building for FreeBSD in the process. I might even set up an instance on my VPS so it's always available from anywhere, and then I won't have to worry about power outages or other disruptions.