Technitium MCP Secure

Technitium MCP Secure

A security-hardened MCP server for managing Technitium DNS Server via its HTTP API. It provides 20 tools for DNS zone management, record configuration, and server diagnostics with built-in protections like rate limiting and read-only modes.

Category
Visit Server

README

technitium-mcp-secure

A security-hardened Model Context Protocol (MCP) server for managing Technitium DNS Server via its HTTP API.

Built for use with Claude Code and other MCP-compatible clients.

Features

  • 20 tools covering DNS zones, records, blocking, cache, settings, logs, and diagnostics
  • Input validation on all parameters (RFC 1035 domain checks, IP validation, enum allowlists)
  • HTTPS enforcement with explicit HTTP opt-in for local networks
  • Read-only mode to expose only safe query tools
  • Confirmation required for destructive operations (delete zone, delete record, flush cache)
  • Rate limiting with stricter limits on destructive operations
  • Audit logging as structured JSONL to stderr
  • Response sanitization to strip tokens, passwords, stack traces, and sensitive paths
  • Error sanitization to prevent credential/path leakage in error messages
  • Token file support for secure credential storage
  • Auth mutex to prevent concurrent authentication races
  • POST-only API calls to keep tokens out of query strings and server logs

Quick Start

# Clone and build
git clone https://github.com/rosschurchill/technitium-mcp-secure.git
cd technitium-mcp-secure
npm install
npm run build

# Register with Claude Code (see "Generating an API Token" below first)
claude mcp add technitium-dns \
  --env TECHNITIUM_URL=https://your-server-ip:5380 \
  --env TECHNITIUM_TOKEN=your-api-token \
  -- node /path/to/technitium-mcp-secure/dist/index.js

Configuration

All configuration is via environment variables:

Variable Required Description
TECHNITIUM_URL Yes Server URL (e.g. https://192.168.1.100:5380)
TECHNITIUM_TOKEN One of token/password API token (preferred)
TECHNITIUM_TOKEN_FILE One of token/password Path to file containing token (must be mode 0600)
TECHNITIUM_PASSWORD One of token/password Admin password (token is preferred)
TECHNITIUM_USER No Username (default: admin)
TECHNITIUM_READONLY No Set true to hide all write tools
TECHNITIUM_ALLOW_HTTP No Set true to allow insecure HTTP connections

Authentication priority: TECHNITIUM_TOKEN > TECHNITIUM_TOKEN_FILE > TECHNITIUM_PASSWORD

Sensitive environment variables are cleared from process.env after being read.

Tools

Read-only (12 tools)

Tool Description
dns_health_check Server version, uptime, forwarder config, failure rate
dns_get_stats Query statistics with top clients/domains/blocked
dns_resolve Test DNS resolution via the server
dns_list_zones List all configured zones
dns_zone_options Zone DNSSEC, transfer, and notify settings
dns_list_records List records in a zone
dns_list_blocked List blocked domains
dns_list_allowed List allowed (whitelisted) domains
dns_list_cache List cached zones
dns_get_settings Full server settings
dns_query_logs Query DNS logs with filters
dns_list_apps List installed DNS apps

Write (8 tools)

Tool Description
dns_create_zone Create a new DNS zone
dns_delete_zone Delete a zone (requires confirm: true)
dns_add_record Add a DNS record
dns_update_record Update an existing record
dns_delete_record Delete a record (requires confirm: true)
dns_block_domain Block a domain
dns_allow_domain Allow a domain (bypass block lists)
dns_flush_cache Flush DNS cache (requires confirm: true)

Security

Generating an API Token

An API token is the recommended way to authenticate. Tokens avoid sending your admin password on every request and can be revoked independently.

Option A: Web Admin UI

  1. Open the Technitium web admin (e.g. http://your-server-ip:5380)
  2. Log in with your admin credentials
  3. Go to Administration (gear icon, top right)
  4. Scroll down to Sessions
  5. Under Create API Token, enter a name (e.g. mcp-server)
  6. Click Create
  7. Copy the token value shown - this is the only time it will be displayed

Option B: API (curl)

# Login first to get a session token
curl -s -X POST 'http://your-server-ip:5380/api/user/login' \
  -d 'user=admin&pass=yourpassword' | jq -r '.response.token'

# Then create a non-expiring API token using the session token
curl -s -X POST 'http://your-server-ip:5380/api/user/createToken' \
  -d 'user=admin&pass=yourpassword&tokenName=mcp-server' | jq -r '.response.token'

Storing the token securely:

# Option 1: Pass directly as env var (simplest)
claude mcp add technitium-dns \
  --env TECHNITIUM_TOKEN=your-token-here ...

# Option 2: Use a token file (more secure - keeps token out of shell history)
echo "your-token-here" > ~/.technitium-token
chmod 600 ~/.technitium-token

claude mcp add technitium-dns \
  --env TECHNITIUM_TOKEN_FILE=~/.technitium-token ...

Local Network (HTTP)

If your Technitium server doesn't have TLS configured (common for LAN-only setups), you need to explicitly allow HTTP:

claude mcp add technitium-dns \
  --env TECHNITIUM_URL=http://your-server-ip:5380 \
  --env TECHNITIUM_TOKEN=your-token \
  --env TECHNITIUM_ALLOW_HTTP=true \
  -- node /path/to/technitium-mcp-secure/dist/index.js

A warning will be logged to stderr reminding you that credentials are sent in plaintext.

Read-only Mode

For monitoring-only use cases, hide all write tools:

claude mcp add technitium-dns-readonly \
  --env TECHNITIUM_URL=http://your-server-ip:5380 \
  --env TECHNITIUM_TOKEN=your-token \
  --env TECHNITIUM_READONLY=true \
  --env TECHNITIUM_ALLOW_HTTP=true \
  -- node /path/to/dist/index.js

Rate Limits

  • Global: 100 requests/minute
  • Create/mutate operations: 10/minute
  • Delete/flush operations: 5/minute

Audit Log

All tool calls are logged as JSONL to stderr with timestamps, tool name, sanitized arguments, result status, and duration. Sensitive values (tokens, passwords) are redacted before logging.

Requirements

  • Node.js >= 18
  • Technitium DNS Server v14+

License

MIT

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured