technitium-mcp-secure

technitium-mcp-secure

A security-hardened MCP server for managing Technitium DNS Server via its HTTP API, offering tools for DNS zones, records, blocking, cache, settings, and diagnostics.

Category
Visit Server

README

technitium-mcp-secure

A security-hardened Model Context Protocol (MCP) server for managing Technitium DNS Server via its HTTP API.

Built for use with Claude Code and other MCP-compatible clients.

Features

  • 39 tools covering DNS zones, records, blocking, cache, settings, apps, DNSSEC, logs, and diagnostics
  • Input validation on all parameters (RFC 1035 domain checks, IP validation, enum allowlists)
  • HTTPS enforcement with explicit HTTP opt-in for local networks
  • Read-only mode to expose only safe query tools
  • Confirmation required for destructive operations (delete zone, delete record, flush cache/allow/block, uninstall app)
  • Rate limiting with stricter limits on destructive operations
  • Audit logging as structured JSONL to stderr
  • Response sanitization to strip tokens, passwords, stack traces, and sensitive paths
  • Error sanitization to prevent credential/path leakage in error messages
  • Token file support for secure credential storage
  • Auth mutex to prevent concurrent authentication races
  • POST-only API calls for all mutating operations; zone export uses GET (required by Technitium API) with short-lived session tokens

Quick Start

# Clone and build
git clone https://github.com/rosschurchill/technitium-mcp-secure.git
cd technitium-mcp-secure
npm install
npm run build

# Register with Claude Code (see "Generating an API Token" below first)
claude mcp add technitium-dns \
  --env TECHNITIUM_URL=https://your-server-ip:5380 \
  --env TECHNITIUM_TOKEN=your-api-token \
  -- node /path/to/technitium-mcp-secure/dist/index.js

Configuration

All configuration is via environment variables:

Variable Required Description
TECHNITIUM_URL Yes Server URL (e.g. https://192.168.1.100:5380)
TECHNITIUM_TOKEN One of token/password API token (preferred)
TECHNITIUM_TOKEN_FILE One of token/password Path to file containing token (must be mode 0600)
TECHNITIUM_PASSWORD One of token/password Admin password (token is preferred)
TECHNITIUM_USER No Username (default: admin)
TECHNITIUM_READONLY No Set true to hide all write tools
TECHNITIUM_ALLOW_HTTP No Set true to allow insecure HTTP connections

Authentication priority: TECHNITIUM_TOKEN > TECHNITIUM_TOKEN_FILE > TECHNITIUM_PASSWORD

Sensitive environment variables are cleared from process.env after being read.

Tools

Read-only (18 tools)

Tool Description
dns_health_check Server version, uptime, forwarder config, failure rate
dns_get_stats Query statistics with top clients/domains/blocked
dns_check_update Check if a newer server version is available
dns_resolve Test DNS resolution via the server
dns_list_zones List all configured zones
dns_zone_options Zone DNSSEC, transfer, and notify settings
dns_export_zone Export a zone file in BIND format
dns_list_records List records in a zone
dns_list_blocked List blocked domains (hierarchical, supports drill-down)
dns_list_allowed List allowed domains (hierarchical, supports drill-down)
dns_list_cache List cached zones (hierarchical, supports drill-down)
dns_get_settings Full server settings
dns_query_logs Query DNS logs with filters
dns_list_apps List installed DNS apps
dns_list_app_store List available apps from the Technitium app store
dns_get_app_config Get configuration for an installed app
dns_dnssec_info DNSSEC properties for a zone
dns_get_ds DS records for a DNSSEC-signed zone

Write (21 tools)

Tool Description
dns_create_zone Create a new DNS zone
dns_delete_zone Delete a zone (requires confirm: true)
dns_enable_zone Enable a disabled zone
dns_disable_zone Disable a zone (preserves records)
dns_set_zone_options Update zone configuration (notify, transfer ACLs)
dns_add_record Add a DNS record
dns_update_record Update an existing record
dns_delete_record Delete a record (requires confirm: true)
dns_block_domain Block a domain
dns_remove_blocked Remove a domain from the block list
dns_flush_blocked Flush entire custom block list (requires confirm: true)
dns_allow_domain Allow a domain (bypass block lists)
dns_remove_allowed Remove a domain from the allow list
dns_flush_allowed Flush entire allow list (requires confirm: true)
dns_flush_cache Flush DNS cache (requires confirm: true)
dns_delete_cached Delete a specific domain from cache
dns_set_settings Update server settings (forwarders, blocking, etc.)
dns_update_blocklists Force immediate block list update
dns_temp_disable_blocking Temporarily disable blocking (auto re-enables)
dns_install_app Install a DNS app from the app store
dns_uninstall_app Uninstall an app (requires confirm: true)

Security

Generating an API Token

An API token is the recommended way to authenticate. Tokens avoid sending your admin password on every request and can be revoked independently.

Option A: Web Admin UI

  1. Open the Technitium web admin (e.g. http://your-server-ip:5380)
  2. Log in with your admin credentials
  3. Go to Administration (gear icon, top right)
  4. Scroll down to Sessions
  5. Under Create API Token, enter a name (e.g. mcp-server)
  6. Click Create
  7. Copy the token value shown - this is the only time it will be displayed

Option B: API (curl)

# Login first to get a session token
curl -s -X POST 'http://your-server-ip:5380/api/user/login' \
  -d 'user=admin&pass=yourpassword' | jq -r '.response.token'

# Then create a non-expiring API token using the session token
curl -s -X POST 'http://your-server-ip:5380/api/user/createToken' \
  -d 'user=admin&pass=yourpassword&tokenName=mcp-server' | jq -r '.response.token'

Storing the token securely:

# Option 1: Pass directly as env var (simplest)
claude mcp add technitium-dns \
  --env TECHNITIUM_TOKEN=your-token-here ...

# Option 2: Use a token file (more secure - keeps token out of shell history)
echo "your-token-here" > ~/.technitium-token
chmod 600 ~/.technitium-token

claude mcp add technitium-dns \
  --env TECHNITIUM_TOKEN_FILE=~/.technitium-token ...

Local Network (HTTP)

If your Technitium server doesn't have TLS configured (common for LAN-only setups), you need to explicitly allow HTTP:

claude mcp add technitium-dns \
  --env TECHNITIUM_URL=http://your-server-ip:5380 \
  --env TECHNITIUM_TOKEN=your-token \
  --env TECHNITIUM_ALLOW_HTTP=true \
  -- node /path/to/technitium-mcp-secure/dist/index.js

A warning will be logged to stderr reminding you that credentials are sent in plaintext.

Read-only Mode

For monitoring-only use cases, hide all write tools:

claude mcp add technitium-dns-readonly \
  --env TECHNITIUM_URL=http://your-server-ip:5380 \
  --env TECHNITIUM_TOKEN=your-token \
  --env TECHNITIUM_READONLY=true \
  --env TECHNITIUM_ALLOW_HTTP=true \
  -- node /path/to/dist/index.js

Rate Limits

  • Global: 100 requests/minute
  • Create/mutate operations: 10/minute
  • Delete/flush operations: 5/minute

Audit Log

All tool calls are logged as JSONL to stderr with timestamps, tool name, sanitized arguments, result status, and duration. Sensitive values (tokens, passwords) are redacted before logging.

Not Yet Implemented

The Technitium API has ~173 endpoints. This MCP server covers the most useful 36. The following categories are available in the API but not yet exposed:

  • DHCP management — scopes, leases, reservations (~12 endpoints)
  • User & group administration — create/delete users, manage groups, permissions (~15 endpoints)
  • Cluster management — multi-server clustering, health, failover (~15 endpoints)
  • Zone import/clone/convert — import from file, clone from another server, convert zone types
  • DNSSEC signing & key management — sign/unsign zones, rotate keys, algorithm config
  • Allowed/blocked zone import/export — bulk import/export from files
  • Settings backup/restore — full server config backup and restore
  • Log management — log file deletion, log settings changes

If you need any of these, contributions are welcome or open an issue.

Compatibility

Tested against Technitium DNS Server v14.3 on Alpine Linux. All 36 API endpoints verified against the live v14 API.

Note: Technitium's API paths changed between versions. If you see 404 errors, check that your server version is v14+. Earlier versions used different paths (e.g. /api/allowedZones/list instead of /api/allowed/list).

Requirements

  • Node.js >= 18
  • Technitium DNS Server v14+

Changelog

v1.2.0

  • Add 19 new tools (39 total): remove/flush allowed & blocked, delete cached, enable/disable/configure/export zones, server settings management, temporary blocking disable, block list updates, app store/install/uninstall/config, DNSSEC info, update check
  • All 36 API endpoints verified returning 200 against live Technitium v14.3
  • Add "Not Yet Implemented" section documenting available API categories

v1.1.1

  • Fix dns_resolve missing required server parameter (now defaults to this-server)
  • Fix dns_query_logs missing name and classPath params for Query Logs (Sqlite) app
  • Fix dns_list_allowed, dns_allow_domain using wrong API path (/api/allowedZones/* -> /api/allowed/*)
  • Fix dns_list_blocked, dns_block_domain using wrong API path (/api/blockedZones/* -> /api/blocked/*)
  • Fix dns_list_cache using wrong API path (/api/cache/zones/list -> /api/cache/list)
  • Fix dns_allow_domain, dns_block_domain using wrong param name (zone -> domain)
  • All 17 API endpoints verified returning 200 against live Technitium v14.3

v1.1.0

  • Security hardening: input validation, audit logging, rate limiting, response sanitization
  • HTTPS enforcement with HTTP opt-in, read-only mode, confirmation for destructive ops
  • Token file support, auth mutex, POST-only API calls, env var clearing

v1.0.0

  • Initial release with 20 tools for DNS management

License

MIT

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured