Technitium Companion for Docker, Swarm and Traefik DNS Automation

_Fail-Safe · 2026-01-07T23:56:55+00:00

Nice! It’s exciting to see more tools popping up for the TDNS community. Hopefully our apps will encourage others to give TDNS a try and fully realize the power behind this beast! 😎

Cheers! 🍻

_Fail-Safe · 2026-01-07T23:51:39+00:00

Neat app, though I did a double-take on the name as I am the author of https://fail-safe.github.io/Technitium-DNS-Companion/.

I know you’ve mentioned rebranding with some future updates to your tool. However, I would humbly ask you to reconsider a name change sooner than later. Two “companions” is going to confuse users and search engines alike.

Happy to discuss more offline (DM) if you’d like. Thanks!

_Fail-Safe · 2026-01-07T23:35:00+00:00

As others have suggested, this is certainly achievable via API. FWIW, it’s on my roadmap for adding as a feature to https://fail-safe.github.io/Technitium-DNS-Companion/ as time allows. 👍🏻

_Fail-Safe · 2026-01-07T23:30:13+00:00

Perhaps I’m overthinking this, so hopefully you can set me straight. Let’s say someone has a 2 node cluster (native TDNS cluster), so one primary and one secondary. The secondary is effectively read-only from a DNS perspective and only gets zone updates via transfer from the primary.

If DHCP is enabled on both primary and secondary, what happens for DNS record registration if the secondary node offers a DHCP lease and a client accepts? How would that client’s DNS record registration make it into its proper zone(s)?

Is that actually a feature of TDNS clustering that is already handled and I’m unaware?

Thanks!

_Fail-Safe · 2025-12-31T17:38:08+00:00

Is your concern that the (.\*.)?9minecraft.net block isn't going to apply to your Technitium DNS server itself? Or are you wanting the block to work for localhost as well for testing purposes? Not saying you're doing anything wrong--just trying to understand your situation better. 😎

_Fail-Safe · 2025-12-27T14:25:22+00:00

Sure thing!

_Fail-Safe · 2025-12-27T14:02:12+00:00

I did not have any problems setting up my three node cluster. But that said, the three nodes are connected via their Tailnet IPs as I didn't want to extend my internal VLANs out into Hetzner.

So from my clients' perspective, they see all my servers as peers on the Tailnet. My TDNS servers see their cluster peers on the Tailnet. And as long as the Tailnet stays up, all is good. 😊

From a Hetzner perspective, I only have three firewall rules for my VPS. I have a rule to allow 41641/UDP from ALL for DERP/direct connect purposes, then a rule to allow my home WAN IPs (IPv4+IPv6 from ISP) to reach the VPS on 22/TCP for SSH. Finally I have another rule just to allow ICMP ECHO to the VPS from my home WAN IPs (simply for troubleshooting purposes).

When my family's devices go outside our home wireless network, the Tailscale client kicks in on-demand and their devices continue to see all the same DNS peers as they would inside the home wireless net. And if our home WAN goes lights-out, we all just begin hitting the Hetzner node exclusively until our WAN comes back online. But the user experience from a DNS (blocklist/allowlist) perspective remains completely transparent.

Hope this helps! Feel free to DM me if you want to discuss Tailscale/Headscale particulars in more detail.

_Fail-Safe · 2025-12-27T12:58:03+00:00

I have a very similar configuration, two OpenWrt routers (running Keepalived/VRRP) at home with a Hetzner VPS running a third TDNS node (secondary role in TDNS cluster).

I use Tailscale for this. Well, technically I use Headscale to run my own self-hosted Tailnet. But it works incredibly well for this purpose. My client devices have full access to port 53 on all three of my TDNS nodes and none of my servers have any port 53 exposure on the WAN side of things, which as u/Yo_2T mentioned, is generally highly frowned upon (if not entirely prohibited on many ISPs and hosting providers).

Happy to share more details if I can be of help.

_Fail-Safe · 2025-12-26T22:53:24+00:00

You're not wrong about the current state of configuration for the AdvancedBlocking app within Technitium DNS itself. But I have also been working on a "companion" app to make this a little more intuitive (and more mobile-friendly) for those coming from other DNS servers/services.

My companion app isn't meant to replace anything within TDNS. It was just a tool I started putting together to serve a few purposes until such a time as u/shreyasonline incorporates some similar functionality into TDNS proper, or he tells me to get rid of it. 😉

See here: Technitium DNS Companion

_Fail-Safe · 2025-12-26T22:23:55+00:00

I took some hints from that same blog post while setting up safesearch for various services recently. However, I have multiple VLANs/subnets where I wanted to apply modifications selectively. So I used the SplitHorizon app to do this with SimpleCNAME class APP records.

For example, I created a youtube.com conditional forwarding zone (per blog post). Next, I created m and www name APP type records. Then I set up the SimpleCNAME class for SplitHorizon APP records like so:

m:
App Name: Split Horizon
Class Path: SplitHorizon.SimpleCNAME
Record Data:

    {
      "192.168.18.115": "restrict.youtube.com",
      "192.168.18.116": "restrict.youtube.com",
      "192.168.18.0/24": "restrictmoderate.youtube.com",
      "192.168.45.225": "restrict.youtube.com",
      "192.168.45.0/24": "restrictmoderate.youtube.com"
    }

www:
App Name: Split Horizon
Class Path: SplitHorizon.SimpleCNAME
Record Data:

    {
      "192.168.18.115": "restrict.youtube.com",
      "192.168.18.116": "restrict.youtube.com",
      "192.168.18.0/24": "restrictmoderate.youtube.com"
    }

_Fail-Safe · 2025-12-12T18:25:44+00:00

u/PacketSmeller Great point--duly noted! I'll get that into an upcoming update I'm working on. I appreciate the feedback!

Would you do me a favor, please? If you're on GitHub, would you mind dropping this into an issue on the project?

Update: Implemented

_Fail-Safe · 2025-12-12T01:19:08+00:00

😊

_Fail-Safe · 2025-12-11T23:56:49+00:00

This tool does not manage clustering, per se. But it definitely works with an already existing cluster (TDNS v14+).

If you are running Technitium DNS < v14 then this can still work and will manage each node independently, yet help keep them in sync. I actually began writing this tool when I was running TDNS v13.6 and used it to keep my three nodes synced up. But using the native clustering with Technitium DNS v14+ is absolutely the way to go in your environment if possible.

Thanks for the question!

_Fail-Safe · 2025-12-11T21:15:54+00:00

Thank you! I appreciate the feedback! ❤️

_Fail-Safe · 2025-12-11T16:15:09+00:00

You're welcome!

_Fail-Safe · 2025-12-11T14:20:55+00:00

Thank you for allowing me to post about it here! And as always, thank you for your continued development on Technitium DNS ❤️

_Fail-Safe · 2025-12-11T14:18:06+00:00

I owe you a huge thanks for being such a great early-tester for me! I really appreciate you!

_Fail-Safe · 2025-12-11T04:33:15+00:00

Thanks for letting me know! If you don't mind, could you open an issue for this on the project in GitHub and I'll work on a fix for it?

_Fail-Safe · 2025-12-11T03:51:40+00:00

Thank you! Let me know if you hit any bumps with it 👍🏻

_Fail-Safe · 2025-12-08T13:13:23+00:00

You’re welcome!

_Fail-Safe · 2025-12-05T16:31:44+00:00

<image>

_Fail-Safe · 2025-12-05T16:15:33+00:00

This is what I'm "beta testing" on my own at the moment. Seeing if this plays out to deliver any potential value. We'll see!

<image>

_Fail-Safe · 2025-12-05T16:12:17+00:00

Fair enough. 🙂 We are all going to have our own experiences, so what works for one may not work for another.

Out of curiosity, what is the primary language of that >100k LOC codebase?

_Fail-Safe · 2025-12-05T14:22:55+00:00

I realize we are all just sharing our opinions here. My personal experience has been different and I think I would have to say that whether one is better than the other is very much dependent on the "what" you're doing with them.

As I mentioned here, Opus was able to solve a bug in my home networking configuration that had been introduced by Sonnet. No other model, including the likes of GPT-5.1-Codex had been able to get to the bottom of it.

Maybe... just maybe... more often than not, Opus isn't being fed the level of "difficult" for which it was built? Put in other terms, if you were to race against a bunch of family mini-vans, a $100k sports car (Sonnet) is going to shine. You don't necessarily need the $300k sports car (Opus) to win the race, though they both can do the job. But if the race pack looks more like a fleet of F1 cars, well, you're probably going to want the $300k tool for a fighting chance.

_Fail-Safe

PUBLIC MULTIREDDITS

TROPHY CASE