Technitium Install: Fast, Secure, Authoritative DNS Server for You and Your Clients' Networks

  • Published on 2 Jan 2025

Comments • 65

  • @SnordCranston23 4 months ago +9

    I don't know if the original video was deleted but it's still nice to see a technitium video. I've used it for a couple of years now. Thanks for the video!

    • @AwesomeOpenSource 4 months ago +3

      It was. I was trying to redact my details, but I apparently suck at it because they are still here. Luckily I'm moving soon, so please don't bother the new owners.

    • @geogmz8277 4 months ago +2

      @AwesomeOpenSource You can use the YouTube Studio editor, no need to re-upload... It has a blurring feature. It takes a while to show the blur on the actual video, but it is something.

  • @Mikesco3 4 months ago +2

    Great video!
    Pro tip: when you're assigning the user's permissions, you can skip the second Brian (if you just have `chmod -R brian:` it will assume the second Brian; however, don't forget the colon ( : ))

    • @AwesomeOpenSource 4 months ago

      Great tip!

    • @rupala34 2 months ago

      chmod -R brian. works

  • @Mikesco3 4 months ago +5

    I really enjoyed your video, but it would be good to have a second video to point to about hardening your DigitalOcean server afterwards.
    (Hardening ssh, enabling firewall, etc)

    • @AwesomeOpenSource 4 months ago +2

      Indeed. On my production system, I added both name servers to my Netbird VPN, then set up a firewall on DO to block everything but port 53 (as this is where ns requests run). I access 80, 443, and 22 through the reverse proxy over the VPN.

    • @MarkusSimpson 3 months ago +1

      @AwesomeOpenSource do you have an explainer video showing how to replicate this? 🙃

  • @goodcitizen4587 4 months ago +1

    Cool! And thanks for the show notes for reference.

  • @christophergeorgiades1386 4 months ago +5

    Wouldn't the connection between the proxy manager and technitium still be unencrypted? Unless they are running on the same computer (or at least same datacenter) all that traffic is being decrypted after it passes through nginx and is just plaintext as it passes in the backend there.

    • @J.erem.y 4 months ago +1

      Exactly why I came to the comments.

    • @AwesomeOpenSource 4 months ago +1

      It would, and apologies, I explained in another comment as well, but on my production system I proxy through my VPN, so only the proxy is exposed on port 80 and 443, and the Name Servers are only exposing port 53 to the internet.

  • @Damien-km1vl 4 months ago +1

    Great product that I use even when on the move thanks to DoH

  • @J.erem.y 4 months ago +4

    Your proxy is still going out over the internet with normal http to your ns1. You only added ssl to your proxy not to the actual server...

    • @AwesomeOpenSource 4 months ago +1

      You are right. I should have said, I set up my proxy to route to my production DNS servers over my Wireguard VPN. So you hit the proxy through the internet, then it proxies that traffic over the VPN to the server's WebGUI. I only left port 53 exposed to the internet so it can function as a Name Server properly.

    • @DarthDweeb 3 months ago

      @AwesomeOpenSource I know that you will probably think that I am trying to rip on your videos, but I promise that I love your content. You should probably show or explain the VPN in your video. The way you describe this in your video makes it sound like your connection to the name server is magically encrypted. If someone didn't know better they would think they have a secure/encrypted connection because their local browser says so. In this example you even pointed your NPM to the public IP of your DigitalOcean VPS servers. If someone followed this as a guide they would have their Authoritative DNS exposed for anyone to grab their credentials.

  • @MaddMo 2 months ago

    Can someone please show me how you would point traffic to a domain controller in your environment? Having issues with Conditional Forwarders not working.

  • @ramanshaan7566 4 months ago +2

    Hey Brian / others... does anyone know how we can add 2FA to the nginx NPM homepage? Cheers and thanks

    • @AwesomeOpenSource 4 months ago

      You could put something like Authentik in front of it, but then you'd have 2 logins for it, first Authentik with 2FA, then NPM. That's the only way that I know of.

  • @makkanftw 4 months ago +4

    3:09 unblurred personal details

    • @Grehund 4 months ago +2

      1:16

    • @AwesomeOpenSource 4 months ago

      Maybe fixed now.

    • @amoonlitdreamer 4 months ago

      @AwesomeOpenSource 1:16 has personal information still

  • @gfbardski 2 months ago +1

    Great video! Thanks mate. I got one question. Do you as the owner of ns1 and ns2 have any control over the requests that arrive from the Internet in terms of load balancing? Suppose I'd like to serve 80% of all the DNS requests via ns1 and the rest via ns2 - or is it entirely up to the Internet forwarders (like google, cloudflare, quad9, etc.) which auth dns they choose to forward the request to?

    • @AwesomeOpenSource 2 months ago +1

      I actually haven't looked into it from that perspective. I'd think if ns1 was unavailable, due to load or otherwise, the fallback would be ns2 automatically, and so on.

  • @brian_72 months ago +1

    Is ipv6 a must have?

    • @AwesomeOpenSource 23 days ago

      I found it to work better for my setup with IPv6 Enabled, but you're welcome to give it a shot without it.

  • @Robertjaymercer 3 months ago +1

    Thank you very much for that video, always good content on your channel!
    May I ask, I use Namecheap and can't find IDP on the DNS section. Can I continue without it for the ns2?

    • @AwesomeOpenSource 3 months ago +1

      If you were just looking at my list, those are just subdomains I personally have set up for my domain, you could have any subdomains like wiki.yourdomain.com, or specialmedia.yourdomain.com. You probably won't have one called IDP unless you followed one of my other videos and created it off of that.

    • @Robertjaymercer 3 months ago

      @AwesomeOpenSource oh okay thank you sir!

  • @C0sm1c.n00dle 3 months ago +1

    Do you need droplet service for this to work?

    • @AwesomeOpenSource 3 months ago

      No, you can use anyone you want. If you have a static public IP on your own internet connection, you can run it there as well, but you'll need to open port 53 on your firewall and forward it to the server running Technitium. Additionally, if you only run it on 1 IP, then you lose redundancy.

  • @cougarmain 4 months ago +1

    Do you know of any DDNS self hosted solution?

    • @AwesomeOpenSource 4 months ago

      I've looked for this for a while. The closest I found was to register my own domain with a registrar that has an API and a docker container for updating the public IP. Register your domain, go through the setup for the docker container and run it locally in your network. It will then update your public IP if it changes using the registrar's API.

  • @80robina 4 months ago +1

    Will this block YouTube ads, if not what software does

    • @ramanshaan7566 4 months ago

      Have you checked Adguard Home docker?

    • @80robina 4 months ago +1

      @ramanshaan7566 can you run it on opnsense

    • @80robina 4 months ago +1

      @ramanshaan7566 it says DNS level blocking can't block YouTube ads it says to use a content blocking proxy

    • @geogmz8277 4 months ago +1

      Adguard Home, but not all of them but it does have a significant reduction. Many people recommend PiHole but I have tried both and not sure what's the secret but Ad Guard does a better job.

    • @AwesomeOpenSource 4 months ago

      I don't think DNS blocking really helps with YouTube ads. I believe there are browser plugins that can help, but Google is working to get around those as well.

  • @docmalitt 4 months ago +1

    Dear @AwesomeOpenSource I have a question probably (very loosely) not much related with DNS. I have few students from time I taught IT in school in Africa and some of them want (well one of them) to open the grocery store but can't pay for windows Accounting/Inventory apps... so I thought of FOSS and just wanted to ask if you might know any app that I can recommend and show them... or just to mix couple of previously mentioned like Invoice Ninja and... can't remember any other but will try to find. Thx and sorry for constant barrage of questions.

    • @AwesomeOpenSource 4 months ago

      Sure there are several Open Source Point of Sale solutions, or POS. Definitely check into those. They'll likely have one that would fit their needs nicely.

    • @docmalitt 4 months ago

      @AwesomeOpenSource Thank you so much. Mostly I needed the proper name to start researching. It has been ages since I've volunteered there and once ex student has reached out, I couldn't remember anything other than I had found some windows "shop app" (well, now I know it's POS) that fell from some Pirate ship sailing Tanganyika Lake. It was time in my life I didn't even use Linux on daily basis and FOSS could have been an exotic animal as far as my knowledge went. Again, thx for all your help and - thx for the video... goes without mentioning.

  • @sirrobertdowneysenior8080 4 months ago +1

    Thank you.

  • @omarsh2169 3 months ago +1

    I enjoyed the video! I still didn’t like the last part where you advised the reverse proxy to point to your dns servers for the management.
    You mentioned using reverse proxy with encryption to make sure no sniffing is happening between client and server which is completely correct! But still useless.
    The fact that the reverse proxy rules are advised to point to http plain text on the other servers is dangerous!
    You will also need to have at least self signed certificates between your servers or simply use internal networking!
    If you are going to use the open network with public IPs between server and proxy! Don’t make it as done in the video without a VPN, https or internal networking! It’s going to be dangerous otherwise, which will allow man in the middle attack.

    • @AwesomeOpenSource 3 months ago +1

      I should have been more clear with that. I set that up on my production systems inside my VPN, so my reverse proxy only uses my VPN network to reach the DNS servers. Still encrypted.

    • @Glatze603 3 months ago +2

      This should be explained in the video, too 👍
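
Added example, not part of the video or of any comment: a small audit for the gap several commenters describe above, where the reverse proxy terminates TLS but forwards plain HTTP to a backend's public IP. The domain names, addresses, ports and the domain-to-upstream mapping are constructed assumptions, not Nginx Proxy Manager's own data model.

```python
import ipaddress
from urllib.parse import urlsplit

# Ranges treated as "does not cross the public internet": loopback, RFC 1918,
# link-local, CGNAT space (often used by overlay VPNs), IPv6 ULA/link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "::1/128", "fc00::/7", "fe80::/10",
)]

def classify_upstream(url):
    """Return (verdict, reason) for one proxy -> backend URL."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme == "https":
        return "ok", "backend hop is TLS"
    if parts.scheme != "http" or host is None:
        return "review", "unrecognised upstream URL"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A name cannot be judged offline; someone has to check what it resolves to.
        return "review", "hostname: confirm it resolves to a VPN/internal address"
    if any(ip in net for net in INTERNAL_NETS):
        return "ok", "plain HTTP stays on a loopback/private/VPN range"
    return "fail", "plain HTTP to a public IP: admin logins cross the internet unencrypted"

def audit(proxy_hosts):
    """Map each proxied domain to the verdict for its upstream."""
    return {domain: classify_upstream(up) for domain, up in proxy_hosts.items()}

# Constructed sample: hypothetical proxy hosts in front of DNS admin consoles.
SAMPLE = {
    "ns1-admin.example.com": "http://203.0.113.10:5380",   # public IP, plain HTTP
    "ns2-admin.example.com": "http://100.64.0.12:5380",    # overlay VPN address
    "ns3-admin.example.com": "https://203.0.113.11:53443", # TLS to the backend
    "ns4-admin.example.com": "http://ns4.internal:5380",   # needs manual check
}

if __name__ == "__main__":
    for domain, (verdict, reason) in audit(SAMPLE).items():
        print(f"{verdict:6} {domain}: {reason}")
```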

  • @doomalsodoom3605 4 months ago +1

    You left your personal info unblurred at 3:08

    • @AwesomeOpenSource 4 months ago +1

      @doomalsodoom3605 thanks. I’m obviously terrible at this.

    • @guacfiend 4 months ago +2

      @AwesomeOpenSource hurts my soul that people will take advantage of that information when you're simply trying to educate us for free. Thank you for everything Brian.

    • @comosaycomosah 4 months ago

      @AwesomeOpenSource you're actually great at this man! Mistakes happen tho appreciate your content and do what you need to be safe!

  • @G-3-A-R-Z 4 months ago +1

    DO is a bit slow on the CPU. Just an opinion.

    • @AwesomeOpenSource 4 months ago +1

      I feel like it performs quite well. Have only tried Vultr and SSDNodes, but DO and Vultr seemed comparable to me, and DO was much faster than SSDNodes. I think it's the type of VM they are setting up.

    • @G-3-A-R-Z 4 months ago

      @AwesomeOpenSource Thanks for that information. I will use it to make decisions later. This show has really helped me beef up my home lab. Thanks

  • @kristof9497 4 months ago +1

    Thank You.