Hi folks,
After testing it for a few weeks, I hosted Technitium DNS Server | An Open Source DNS Server For Privacy & Security as a container to replace the built-in VyOS DNS forwarder. I found that Technitium DNS has better performance. So would you consider replacing the current VyOS DNS forwarder with Technitium?
Better performance how?
The performance difference is most likely due to how the DNS resolver is configured.
Also when it comes to DNS there is both the resolver AND the authoritative part.
Looking at Technitium's page it seems that it's only for resolving?
Looking at CVE history their main issue seems to be DDoS-related vulnerabilities:
https://www.cvedetails.com/vendor/26782/
So in general terms, before something should be replaced, the replacement should not just be on par with what's being replaced but also better than the current solution.
Other than that, don't forget to file this as a feature request at https://vyos.dev along with why it would be better in terms of security, compatibility and performance.
Something that's performant but has shitty security and compatibility (I haven't looked at whether this is the case for Technitium) is not an option IMHO (to be used by default; you still have the option to use it as a container as you do today).
When I set up mosdns in the LAN as the upstream DNS server for the VyOS DNS forwarder, and set up VyOS as the DNS server, even with only 1 laptop in the LAN accessing e.g. google.com, each time there would be a "not found"; then after refreshing twice I could access the web. It seems like a performance issue with the DNS forwarder built into VyOS, but using mosdns directly is fine. So I avoided using VyOS as the DNS server and used mosdns directly as the DNS server. Until recently, when I tested Technitium as the DNS server; it works perfectly, as I expected.
Most of the time I host the DNS forwarder in the LAN.
Seems like you might have some other shittery going on - is your client using a Linux distro that uses systemd perhaps?
Because systemd is well known to screw up things on its own.
Another popular issue is if the IP your client uses (from the server point of view since there might be NAT along the road) is missing a PTR-record.
When you have the "first request fails, second succeeds" pattern it's often due to the default timeout of 2 seconds for a DNS query to complete. This is common when connecting to an SSH server, which by default will attempt a reverse lookup (PTR record) before sending you the login prompt. If the server has, say, 3 DNS resolvers configured it can take 3 x 2 = 6 seconds before a login prompt shows up when using SSH and your client is missing a PTR record.
So you should perhaps look through tcpdump or such to see wtf is actually happening on the wire in your case?
Like, is it really that your client doesn't get a DNS reply, or is it rather that the server refuses to answer your first request?
Something is wrong with your setup. There is no way the VyOS project would consider results like those to be normal. I use the built-in DNS cache service and don't see issues like this. You might have an MTU misconfiguration or an IPv6 misconfiguration problem.
But the default DNS cache service isn’t broken by default.
As others have said, something is very clearly wrong in your setup. I haven’t been able to reproduce the issue you describe with any of the rolling releases I’ve used in the past year or two, including ones I’ve compiled myself that haven’t gone through any automated regression testing.
VyOS uses tried and true DHCP and DNS servers and clients, as they should. Switching to some implementation most people have never even heard of isn’t reasonable.
Digging some more, Technitium seems to have been around for some time and has a public repo at:
It seems to be a one man show, at least that's the impression I get from their About us page.
However, looking at the stats regarding CVEs it seems to be a better option than what ISC is releasing.
So I have filed this as a feature request to add Technitium DNS Server as an authoritative DNS server in VyOS and perhaps also replace the current DNS resolver and DHCP server, since Technitium includes these features as well:
A workaround in the meantime is to add it as a container from technitium/dns-server - Docker Image
CVE stats don’t necessarily tell you much. The number of projects/companies/people using the ISC code is likely several orders of magnitude higher. The number of people looking for vulnerabilities in it is therefore naturally significantly higher.
Replacing a well established piece of software that is actively maintained with one that few people have ever heard of and that is maintained by a single person is very ill-advised in my opinion. Honestly, I think it’s a very bad idea.
But at the same time ISC has some kind of record of security vulnerabilities in their software and Technitium seems to have been around for some time without any major flaws (so far).
Also the fact that ISC just abandons software without any clear replacement gets at least me somewhat frustrated at them.
There are a lot of people using Microsoft's and Adobe's software - personally I would only recommend my enemy to use their software, based on the amount of security vulnerabilities they have =)
And even if Technitium would show up in rolling releases it would be disabled by default (as with any other service available in VyOS), and it would take some time before it would end up in an LTS release.
Also there is currently no authoritative DNS server in VyOS, as it seems, so there is no case of "we know what we got but not what we will move to" since we currently have nothing in terms of authoritative DNS in VyOS.
Isn’t that what you are searching for?
vyos@r14# set service dns forwarding authoritative-domain local records
Possible completions:
+> a A record
+> aaaa AAAA record
+> cname CNAME record
+> mx MX record
+> naptr NAPTR record
+> ns NS record
+> ptr PTR record
+> spf SPF record
+> srv SRV record
+> txt TXT record
Dunno how I missed that, perhaps since the documentation entry is named "DNS forwarding" which is a different thing in the DNS world
Thanks!
Read what I said again.
Kea was a replacement, if that’s what you’re talking about.
Technitium has DHCP and DNS functions. Plus it can be built in HA mode. If 2 VyOS work in VRRP mode, with Technitium we can perfectly solve the dynamic DNS update issue. The default VyOS DNS forwarder at the moment really has a performance issue.
This has not been determined yet. I still find it much more likely that your setup/configuration is simply wrong.
A broken replacement which ISC admits themselves when I contacted them.
FYI: we are not considering replacing the DHCP or DNS server with something else at the moment.
You can still use containers for your goal.
No it doesn’t - unless you can provide evidence otherwise please stop making blanket statements that are untrue.
@echowings Would it be possible for you to provide a tcpdump where you compare the wire traffic when using the built-in DNS resolver of VyOS vs using Technitium as a container in the same VyOS box?
There is for example EDNS and such that can tell the replying server if it should answer using UDP or switch to TCP. In theory there could be some difference here between the two options.
Or, as I mentioned previously, whether the delay is between client and DNS resolver or whether the delay is in how the server replies (for example with missing PTR records).
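As an added example (not code from this thread, VyOS or Technitium), here is a small standard-library probe that makes the distinction asked about in the two posts above concrete: it sends the same A query to each resolver twice with the 2-second stub timeout and reports, per attempt, whether the client got no reply at all (timeout), a negative answer (NXDOMAIN/SERVFAIL/REFUSED), or a truncated reply that would force a TCP retry. The resolver addresses are placeholders, and the outcome classification works on raw packets so it can be checked offline.

```python
import socket
import struct
import time

# Hypothetical diagnostic helper. Builds a minimal DNS query by hand so the
# only thing on the wire is what we send, then classifies the raw reply.

def build_query(name, qid=0x1234):
    """Minimal DNS query: header (RD set) + QNAME + QTYPE A + QCLASS IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def classify(response, qid=0x1234):
    """Map a raw DNS reply (or None for no reply) to an outcome string."""
    if response is None:
        return "TIMEOUT"          # client never got an answer at all
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != qid:
        return "ID-MISMATCH"      # reply does not belong to our query
    if flags & 0x0200:
        return "TRUNCATED"        # TC bit: a stub resolver must retry over TCP
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    if rcode == "NOERROR" and an == 0:
        return "NODATA"           # name exists but has no A record
    return rcode

def probe(resolver, name, timeout=2.0):
    """Send one UDP query; return (outcome, elapsed seconds)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)      # same 2 s default as a typical stub resolver
    start = time.monotonic()
    try:
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        data = None
    finally:
        sock.close()
    return classify(data), time.monotonic() - start

def compare(resolvers, name, attempts=2):
    """Query each resolver twice to expose a first-fails/second-succeeds pattern."""
    return {r: [probe(r, name) for _ in range(attempts)] for r in resolvers}

if __name__ == "__main__":
    # Placeholder addresses: put the VyOS resolver and the Technitium container here.
    for r, results in compare(["192.0.2.1", "192.0.2.2"], "example.com").items():
        print(r, ["%s %.3fs" % x for x in results])
```

Run it from the same client that shows the symptom, alongside tcpdump on port 53, so the outcome column can be matched against what actually left and returned on the wire.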
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.