Advanced Forwarding: different Forwarder + Proxy configuration for different clients #1584
stratself started this conversation in Show and tell
Replies: 1 comment 2 replies
Thanks for sharing this here. If possible, do post it on reddit.com/r/technitium so that it helps the community there.
Just leaving notes here for a quick reference. Suppose you have 3 clients of your Technitium DNS Server, that you want to route their queries to 3 different proxy + forwarder combinations:
The Advanced Forwarding app should help you. After installing it, the app JSON needs to be edited as such:
```json
{
  "appPreference": 0,
  "enableForwarding": true,
  "proxyServers": [
    {
      "name": "proxy-x",
      "type": "socks5",
      "proxyAddress": "192.168.0.1",
      "proxyPort": 1080,
      "proxyUsername": null,
      "proxyPassword": null
    },
    {
      "name": "proxy-y",
      "type": "socks5",
      "proxyAddress": "192.168.0.2",
      "proxyPort": 1080,
      "proxyUsername": null,
      "proxyPassword": null
    },
    {
      "name": "proxy-z",
      "type": "socks5",
      "proxyAddress": "192.168.0.3",
      "proxyPort": 1080,
      "proxyUsername": null,
      "proxyPassword": null
    }
  ],
  "forwarders": [
    {
      "name": "forwarder-1",
      "proxy": "proxy-x",
      "dnssecValidation": true,
      "forwarderProtocol": "Tcp",
      "forwarderAddresses": [ "1.1.1.1" ]
    },
    {
      "name": "forwarder-2",
      "proxy": "proxy-y",
      "dnssecValidation": true,
      "forwarderProtocol": "Tcp",
      "forwarderAddresses": [ "2.2.2.2" ]
    },
    {
      "name": "forwarder-3",
      "proxy": "proxy-z",
      "dnssecValidation": true,
      "forwarderProtocol": "Tcp",
      "forwarderAddresses": [ "3.3.3.3" ]
    }
  ],
  "networkGroupMap": {
    "<client-a-ip-range>": "rule1",
    "<client-b-ip-range>": "rule2",
    "<client-c-ip-range>": "rule3"
  },
  "groups": [
    {
      "name": "rule1",
      "enableForwarding": true,
      "forwardings": [
        { "forwarders": [ "forwarder-1" ], "domains": [ "*" ] }
      ]
    },
    {
      "name": "rule2",
      "enableForwarding": true,
      "forwardings": [
        { "forwarders": [ "forwarder-2" ], "domains": [ "*" ] }
      ]
    },
    {
      "name": "rule3",
      "enableForwarding": true,
      "forwardings": [
        { "forwarders": [ "forwarder-3" ], "domains": [ "*" ] }
      ]
    }
  ]
}
```

The file is very self-explanatory - each `networkGroupMap` represents a rule for a set of IP addresses (or clients) to use a certain `forwarder`. And each `forwarder` can be configured to use a `proxy` from the `proxyServers` setup. There are a few notes:

- `"forwarderProtocol": "Tcp"` or DoT/DoH, as many SOCKS5 (and HTTP) proxies do not support UDP
- `"appPreference": 0` for this app's rules to take precedence over other DNS resolutions

When is this helpful?

I have some exit nodes (using `tswg`) in my Tailscale network that also double as SOCKS5 proxies. When using them alongside my Technitium DNS for adblocking, I want my requests to be routed from their public IPs, to prevent leaking the original DNS server and receiving suboptimal geolocated IPs.

As DNS queries are made from these exit nodes too, the exit nodes' addresses can be used as both the `networkGroupMap` and `proxyAddress` to essentially "loop back" queries to themselves.

```mermaid
sequenceDiagram
    participant client
    participant technitium
    participant exit-node
    participant internet
    client->>exit-node: connect to exit node
    exit-node->>technitium: DNS query
    technitium->>exit-node: use socks5://exit-node:1080
    exit-node->>internet: forward DNS query to internet
    internet->>technitium: receive DNS response
    technitium->>exit-node: relay to exit node
    exit-node->>client: respond to client
    client->>internet: connect to website with "correct" geo-IP address (via exit node)
```

This setup helps achieve DNS geolocation without having to set up many Technitium instances on these endpoints. However, it does add some latency since DNS is now going back-and-forth many times.
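An added example, not part of the original post or of the Technitium project: a Python check that walks the chain the post describes, from `networkGroupMap` through `groups` and `forwarders` to `proxyServers`, and reports which proxy each client range egresses through along with any name that does not resolve. The sample config, its IP ranges and the `audit` function are constructed for illustration, and `"Udp"` as the spelling of plain UDP in `forwarderProtocol` is an assumption.

```python
import json

# Constructed sample: the post's layout cut to two clients, with two deliberate
# mistakes in forwarder-2 (misspelled proxy name, proxied forwarder left on UDP).
SAMPLE = json.loads("""
{
  "proxyServers": [
    {"name": "proxy-x", "type": "socks5", "proxyAddress": "192.168.0.1", "proxyPort": 1080}
  ],
  "forwarders": [
    {"name": "forwarder-1", "proxy": "proxy-x", "forwarderProtocol": "Tcp",
     "forwarderAddresses": ["1.1.1.1"]},
    {"name": "forwarder-2", "proxy": "proxy-Y", "forwarderProtocol": "Udp",
     "forwarderAddresses": ["2.2.2.2"]}
  ],
  "networkGroupMap": {"10.0.1.0/24": "rule1", "10.0.2.0/24": "rule2"},
  "groups": [
    {"name": "rule1", "forwardings": [{"forwarders": ["forwarder-1"], "domains": ["*"]}]},
    {"name": "rule2", "forwardings": [{"forwarders": ["forwarder-2"], "domains": ["*"]}]}
  ]
}
""")

def audit(cfg):
    """Return (paths, problems): egress path per client range, plus broken links."""
    proxies = {p["name"] for p in cfg.get("proxyServers", [])}
    fwds = {f["name"]: f for f in cfg.get("forwarders", [])}
    groups = {g["name"]: g for g in cfg.get("groups", [])}
    paths, problems = {}, []
    for net, gname in cfg.get("networkGroupMap", {}).items():
        paths[net] = []
        if gname not in groups:
            problems.append(f"{net}: group {gname!r} is not defined")
            continue
        for rule in groups[gname].get("forwardings", []):
            for name in rule.get("forwarders", []):
                if name not in fwds:
                    problems.append(f"{gname}: forwarder {name!r} is not defined")
                    continue
                proxy, proto = fwds[name].get("proxy"), fwds[name].get("forwarderProtocol")
                if proxy is not None and proxy not in proxies:
                    problems.append(f"{name}: proxy {proxy!r} is not defined")
                # Post's note: many SOCKS5/HTTP proxies do not support UDP.
                # Assumption: plain UDP is spelled "Udp" in forwarderProtocol.
                if proxy is not None and (proto or "").lower() == "udp":
                    problems.append(f"{name}: UDP forwarder behind proxy {proxy!r}")
                paths[net].append((name, proto, proxy))
    return paths, problems
```

Calling `audit(SAMPLE)` returns the per-range paths and the list of problems; an empty problem list means every client range resolves to a defined forwarder and proxy.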