DNS Firewalling with MISP and Technitium DNS Server

Postedabout 1 month agoActiveabout 1 month ago

feldrim

1 points

1 comments

zaferbalkan.comTech Discussionstory

informativepositive

Debate

20/100

DNS SecurityMispTechnitium DNS

Key topics

DNS Security

Misp

Technitium DNS

Discussion Activity

Moderate engagement

First comment

N/A

Peak period

0-12h

Avg / period

2.4

Key moments

01Story posted
Nov 27, 2025 at 2:38 AM EST
about 1 month ago
Step 01
02First comment
Nov 27, 2025 at 2:38 AM EST
0s after posting
Step 02
03Peak activity
8 comments in 0-12h
Hottest window of the conversation
Step 03
04Latest activity
Dec 3, 2025 at 5:44 AM EST
about 1 month ago
Step 04

Generating AI Summary...

Analyzing up to 500 comments to identify key contributors and discussion patterns

Discussion (1 comments)

Showing 22 comments

avhception

about 1 month ago

2 replies

When I read "PDNS", I will probably always think "PowerDNS".

feldrimAuthor

about 1 month ago

1 reply

Yes. That's why I put the footnote there.

avhception

about 1 month ago

1 reply

Well, I read that footnote, but I'm not sure if overloading the acronym is the best idea, is what I'm trying to say.

feldrimAuthor

about 1 month ago

I agree with you there. But the term does not belong to me buy yo CISA and other organisations. But it's not as bad as Cyber Security Awareness Month acronym at least

walletdrainer

about 1 month ago

“PDNS” also often refers to “Passive DNS”, never heard of “protective dns” before.

Milpotel

about 1 month ago

2 replies

Don't get too exited - Technitium has a bus factor of one, a very small user base and no previous auditing.

esseph

about 1 month ago

1 reply

And yet here I am deploying it in production

Milpotel

about 1 month ago

1 reply

You are a brave fellow!

esseph

about 1 month ago

Not so much, just old enough to do proper risk analysis and have safeguards in place.

johnea

about 1 month ago

3 replies

Yea, I often wonder when I see this type of article, why don't they just use bind9?

No other DNS resolver is going to come close to it's number of deployment*years in operation.

I didn't read the article though, since I'm not going to enable javasript and cookies just to read someone's blag post 8-/

HTML much?

feldrimAuthor

about 1 month ago

1 reply

The only problem there is for GDPR consent thingy. You can disable and proceed. I don't use any telemetry except for the consent banners.

When it comes to Technitium, well, it's written in the blog.

johnea

about 1 month ago

If my browser is blocking cookies, you don't need my consent, because you're not going to set any cookies.

GDPR preempted...

Milpotel

about 1 month ago

1 reply

> why don't they just use bind9?

Because bind9 is not a dns server but a collection of all available CVE types for further studying.

johnea

about 1 month ago

2 replies

I guess wikipedia doesn't agree with you:

"BIND is the de facto standard DNS server"

https://en.wikipedia.org/wiki/Comparison_of_DNS_server_softw...

9 just being the currently deployed version.

A non-wikipedia reference:

https://dn.org/a-comprehensive-comparison-of-popular-dns-ser...

Although this article does state that bind's "configuration files and options require careful attention to detail".

So, maybe it's not appropriate for the modern hype-cycle s/w development model?

In general, I don't think I'm disagreeing with you, so I'm not sure what message the reply is intended to convey.

Technitium seems like another one of those: "My weekend hobby project was to reinvent fire, and the wheel" sort of things, that seem popular on the HN feed.

My favorite feature of bind is "split views". This allows the same service to provide DNS on the local LAN, as well as authoritative DNS to the internet.

Milpotel

about 1 month ago

1 reply

> I guess wikipedia doesn't agree with you:

Are you kidding? Bind has been the de facto standard for DNS servers for ages but it's just a badly engineered piece of software and had braindead vulnerabilities for decades:

https://www.cvedetails.com/vulnerability-list/vendor_id-64/p...

Already 20 years ago it was common knowledge to never use software that Paul Vixie had touched (bind, vixie-cron, ...) and we used alternatives such as djbdns. Good old times...

johnea

about 1 month ago

1 reply

After just a short search to try to come up with some numbers, I find that between 60% and 90% of internet DNS servers are running bind.

And yet somehow, the internet has much bigger problems...

Milpotel

about 1 month ago

Bold statement just one month after the last cache poisoning vulnerability. Bind is the Microsoft of DNS servers - a lot of users and bugs nonetheless the go-to for many admins because that's what they are most familiar with. And similar to MS, the internet mostly relies on others - none of the big companies (Meta, Cloudflare, Google, MS, Amazon, Netflix, Twitter...) use bind and neither do most hobbyists. It's just for the plethora of mid-sized companies with unmotivated admins.

feldrimAuthor

about 1 month ago

I am fan of Technitium, because I like to build and I built two plugins for it to fit my use case. But at work, we use Windows DNS and Bind in parallel. So, this is also a hobby of mine. The hook for me is that it is built with dotnet, and I have experience in that stack. Other features are secondary actually.

I am curious though, what would TDNS do so that you can replace BIND with TDNS in your homelab/workplace or wherever it is used? I genuinely ask for it so that I can help the original developer with some PRs.

ignoramous

about 1 month ago

> I didn't read the article though, since I'm not going to enable javasript and cookies just to read someone's blag post 8-/

mirror: https://archive.vn/8BCBn

mfro

about 1 month ago

1 reply

I love Technitium DNS and have run it for several years now. Thanks for the contributions.

feldrimAuthor

about 1 month ago

I only made two plugins. I have two half baked ones in the making. Both Shreyas and me have day jobs and this is a side quest. Overall, my contributions are about 1% of all the code, so I accept the 1% of the thanks. Kudos to Shreyas.

feldrimAuthor

about 1 month ago

I've played with threat intelligence to build a simple, on premises PDNS out of a privacy-focused DNS server.

View full discussion on Hacker News

ID: 46066736Type: storyLast synced: 11/27/2025, 7:40:07 AM

Want the full context?

Jump to the original sources

Read the primary article or dive into the live Hacker News thread when you're ready.

Open link View on HN