this post was submitted on 12 Jan 2026
13 points (93.3% liked)

Selfhosted

54479 readers
544 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
13
DNS kicking my ass (Technitium and opnsense) (sh.itjust.works)
submitted 21 hours ago* (last edited 12 hours ago) by roundup5381@sh.itjust.works to c/selfhosted@lemmy.world
8 comments fedilink hide all child comments
 

edit: spent all day tryimg to make this work, in the end i got rid of the opnsense services, unbound and dnsmasq, and brought dhcp over to tDNS

I have been trying to set up Technitium DNS server (TDNS hereafter) for its clustering and fail over capabilities, it really does seem to be a one stop shop for DNS capabilities. But I have been hitting a wall so I'm asking if anyone here can see the flaw in my plan.

I have not been using TDNS for DHCP as it lacks ipv6 and router advertisements right now. And I like the idea of DHCP on the firewall router.

I have an opnsense firewall with DNSmasq performing DHCP and DNS forwarding to the Technitium server, which is hosted on proxmox in an lxc. I own my own public domain, example.com for our purposes here.

TDNS is set to "allow recursion only for private networks" this means that if something external tried to resolve using my TDNS they'll be refused, correct? I ask because that could as be interpreted as not forwarding to external dns when needed.

I set NAT rules to force TDNS port 53 routing. TDNS is set to forward to quad9 and cloud flare externally. DNS blocking lists are set in TDNS.

I don't really know what I'm doing with zones but I have a primary zone set with example.com. I set some static hosts records in this zone and enabled reverse lookup, expecting servicehost.example.com

query logs app enabled in TDNS.

Edit: 10.2.0.1 turned out to be my vpn’s dns server (When nslookup google.com from a laptop on this LAN, it returns Server: 10.2.0.1 Address: 10.2.0.1#53

nonauthoritative answer: google.com with ip information repeated.

I don't under stand this return as it's an ip outside my lan net and dhcp provisioning.)

Unable to reach external net when NAT rules active.

It seems the DHCP is handing out the fire wall's ip for DNS server, 100.100.100.1 is that the expected behavior since DNSmasq should be forwarding to TDNS 100.100.100.333. Why not just hand out the TDNS address?

Do I have some setting misconfigured in either DNSmasq/opnsense or TDNS?

top 8 comments
sorted by: hot top controversial new old
[–] Decronym@lemmy.decronym.xyz 4 points 19 hours ago* (last edited 13 hours ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DHCP Dynamic Host Configuration Protocol, automates assignment of IPs when connecting to a network
DNS Domain Name Service/System
HA Home Assistant automation software
~ High Availability

[Thread #998 for this comm, first seen 12th Jan 2026, 19:55] [FAQ] [Full list] [Contact] [Source code]

[–] kumi@feddit.online 3 points 19 hours ago* (last edited 19 hours ago) (1 children)

It seems the DHCP is handing out the fire wall’s ip for DNS server, 100.100.100.1 is that the expected behavior since DNSmasq should be forwarding to TDNS 100.100.100.333. Why not just hand out the TDNS address?

You could and that should work but then it's not called forwarding anymore. It does forwarding because that's what you configured. Both approaches are valid.

I have an opnsense firewall with DNSmasq performing DHCP and DNS forwarding to the Technitium server

[–] roundup5381@sh.itjust.works 1 points 19 hours ago

Thanks, that helps to clarify my understanding

[–] anamethatisnt@sopuli.xyz 2 points 21 hours ago* (last edited 20 hours ago) (1 children)

When nslookup google.com from a laptop on this LAN, it returns Server: 10.2.0.1 Address: 10.2.0.1#53

nonauthoritative answer: google.com with ip information repeated.

I don’t under stand this return as it’s an ip outside my lan net and dhcp provisioning.

I'm unclear on what you're confused about regarding the above quote. Here comes an explanation of nslookup.
The command is nslookup and if dns-server is empty it uses your default. F.e.:

***@fedoragaming:~$ nslookup www.google.com 8.8.8.8

The response starts by telling you which it used for the lookup and which address including port was used:

Server: 8.8.8.8
Address: 8.8.8.8#53

It then gives you the answer on where to find the , once for ipv4 and once for ipv6:

Non-authoritative answer:
Name: www.google.com
Address: 142.251.142.228
Name: www.google.com
Address: 2a00:1450:400f:807::2004

edit: I think I understand your question a bit better now. To check which dns-server you're using do a "cat /etc/resolve.conf"
If you run a distro with systemd then use the command "resolvectl status"

[–] roundup5381@sh.itjust.works 2 points 19 hours ago

Thanks for taking the time to comment.

My confusing was that used for the look up wasnt in my net nor upstream dns.

I turned off my vpn and it resolved as expected, so I suppose that 10.2.0.1 is the dns server for my vpn provider.

[–] Zwuzelmaus@feddit.org 1 points 20 hours ago (2 children)

How many domains do you own when you try to set up so many DNS servers?

[–] kumi@feddit.online 3 points 19 hours ago* (last edited 13 hours ago)

The OP is about hosting forwarding or recursive DNS for lookups, not authoritatative DNS hosting (which would be yet at least one separate server).

I count two servers (one clusterable for HA). How is that a lot for a small LAN?

More would also be normal for serving one domain internally and publicly. Each of these can be separate:

  • Internal authoriative for internal domain
  • Internal resolvers for internal machines
  • Internal source-of-truth for serving your zone publicly (may or may not be an actual DNS server)
  • Public-facing authoritative for your zone serving the above
  • Secondary for the above
  • Recursing resolver of external domains for internal use

Some people then add another forwarding resolver like dnsmasq on each server.

[–] roundup5381@sh.itjust.works 1 points 19 hours ago

Just one domain, I only have dnsmasq forwarding to tdns for recursive resolving, tdns forwards to quad and cloudflare for resolving what isn’t in my local cache. I’m not sure I am understanding your question.