A security-hardened Model Context Protocol (MCP) server for managing Technitium DNS Server via its HTTP API.
Built for use with Claude Code and other MCP-compatible clients.
- 39 tools covering DNS zones, records, blocking, cache, settings, apps, DNSSEC, logs, and diagnostics
- Input validation on all parameters (RFC 1035 domain checks, IP validation, enum allowlists)
- HTTPS enforcement with explicit HTTP opt-in for local networks
- Read-only mode to expose only safe query tools
- Confirmation required for destructive operations (delete zone, delete record, flush cache/allow/block, uninstall app)
- Rate limiting with stricter limits on destructive operations
- Audit logging as structured JSONL to stderr
- Response sanitization to strip tokens, passwords, stack traces, and sensitive paths
- Error sanitization to prevent credential/path leakage in error messages
- Token file support for secure credential storage
- Auth mutex to prevent concurrent authentication races
- POST-only API calls for all mutating operations; zone export uses GET (required by Technitium API) with short-lived session tokens
# Clone and build
git clone https://github.com/rosschurchill/technitium-mcp-secure.git
cd technitium-mcp-secure
npm install
npm run build
# Register with Claude Code (see "Generating an API Token" below first)
claude mcp add technitium-dns \
--env TECHNITIUM_URL=https://your-server-ip:5380 \
--env TECHNITIUM_TOKEN=your-api-token \
-- node /path/to/technitium-mcp-secure/dist/index.jsAll configuration is via environment variables:
| Variable | Required | Description |
|---|---|---|
TECHNITIUM_URL |
Yes | Server URL (e.g. https://192.168.1.100:5380) |
TECHNITIUM_TOKEN |
One of token/password | API token (preferred) |
TECHNITIUM_TOKEN_FILE |
One of token/password | Path to file containing token (must be mode 0600) |
TECHNITIUM_PASSWORD |
One of token/password | Admin password (token is preferred) |
TECHNITIUM_USER |
No | Username (default: admin) |
TECHNITIUM_READONLY |
No | Set true to hide all write tools |
TECHNITIUM_ALLOW_HTTP |
No | Set true to allow insecure HTTP connections |
Authentication priority: TECHNITIUM_TOKEN > TECHNITIUM_TOKEN_FILE > TECHNITIUM_PASSWORD
Sensitive environment variables are cleared from process.env after being read.
| Tool | Description |
|---|---|
dns_health_check |
Server version, uptime, forwarder config, failure rate |
dns_get_stats |
Query statistics with top clients/domains/blocked |
dns_check_update |
Check if a newer server version is available |
dns_resolve |
Test DNS resolution via the server |
dns_list_zones |
List all configured zones |
dns_zone_options |
Zone DNSSEC, transfer, and notify settings |
dns_export_zone |
Export a zone file in BIND format |
dns_list_records |
List records in a zone |
dns_list_blocked |
List blocked domains (hierarchical, supports drill-down) |
dns_list_allowed |
List allowed domains (hierarchical, supports drill-down) |
dns_list_cache |
List cached zones (hierarchical, supports drill-down) |
dns_get_settings |
Full server settings |
dns_query_logs |
Query DNS logs with filters |
dns_list_apps |
List installed DNS apps |
dns_list_app_store |
List available apps from the Technitium app store |
dns_get_app_config |
Get configuration for an installed app |
dns_dnssec_info |
DNSSEC properties for a zone |
dns_get_ds |
DS records for a DNSSEC-signed zone |
| Tool | Description |
|---|---|
dns_create_zone |
Create a new DNS zone |
dns_delete_zone |
Delete a zone (requires confirm: true) |
dns_enable_zone |
Enable a disabled zone |
dns_disable_zone |
Disable a zone (preserves records) |
dns_set_zone_options |
Update zone configuration (notify, transfer ACLs) |
dns_add_record |
Add a DNS record |
dns_update_record |
Update an existing record |
dns_delete_record |
Delete a record (requires confirm: true) |
dns_block_domain |
Block a domain |
dns_remove_blocked |
Remove a domain from the block list |
dns_flush_blocked |
Flush entire custom block list (requires confirm: true) |
dns_allow_domain |
Allow a domain (bypass block lists) |
dns_remove_allowed |
Remove a domain from the allow list |
dns_flush_allowed |
Flush entire allow list (requires confirm: true) |
dns_flush_cache |
Flush DNS cache (requires confirm: true) |
dns_delete_cached |
Delete a specific domain from cache |
dns_set_settings |
Update server settings (forwarders, blocking, etc.) |
dns_update_blocklists |
Force immediate block list update |
dns_temp_disable_blocking |
Temporarily disable blocking (auto re-enables) |
dns_install_app |
Install a DNS app from the app store |
dns_uninstall_app |
Uninstall an app (requires confirm: true) |
An API token is the recommended way to authenticate. Tokens avoid sending your admin password on every request and can be revoked independently.
Option A: Web Admin UI
- Open the Technitium web admin (e.g.
http://your-server-ip:5380) - Log in with your admin credentials
- Go to Administration (gear icon, top right)
- Scroll down to Sessions
- Under Create API Token, enter a name (e.g.
mcp-server) - Click Create
- Copy the token value shown - this is the only time it will be displayed
Option B: API (curl)
# Login first to get a session token
curl -s -X POST 'http://your-server-ip:5380/api/user/login' \
-d 'user=admin&pass=yourpassword' | jq -r '.response.token'
# Then create a non-expiring API token using the session token
curl -s -X POST 'http://your-server-ip:5380/api/user/createToken' \
-d 'user=admin&pass=yourpassword&tokenName=mcp-server' | jq -r '.response.token'Storing the token securely:
# Option 1: Pass directly as env var (simplest)
claude mcp add technitium-dns \
--env TECHNITIUM_TOKEN=your-token-here ...
# Option 2: Use a token file (more secure - keeps token out of shell history)
echo "your-token-here" > ~/.technitium-token
chmod 600 ~/.technitium-token
claude mcp add technitium-dns \
--env TECHNITIUM_TOKEN_FILE=~/.technitium-token ...If your Technitium server doesn't have TLS configured (common for LAN-only setups), you need to explicitly allow HTTP:
claude mcp add technitium-dns \
--env TECHNITIUM_URL=http://your-server-ip:5380 \
--env TECHNITIUM_TOKEN=your-token \
--env TECHNITIUM_ALLOW_HTTP=true \
-- node /path/to/technitium-mcp-secure/dist/index.jsA warning will be logged to stderr reminding you that credentials are sent in plaintext.
For monitoring-only use cases, hide all write tools:
claude mcp add technitium-dns-readonly \
--env TECHNITIUM_URL=http://your-server-ip:5380 \
--env TECHNITIUM_TOKEN=your-token \
--env TECHNITIUM_READONLY=true \
--env TECHNITIUM_ALLOW_HTTP=true \
-- node /path/to/dist/index.js- Global: 100 requests/minute
- Create/mutate operations: 10/minute
- Delete/flush operations: 5/minute
All tool calls are logged as JSONL to stderr with timestamps, tool name, sanitized arguments, result status, and duration. Sensitive values (tokens, passwords) are redacted before logging.
The Technitium API has ~173 endpoints. This MCP server covers the most useful 36. The following categories are available in the API but not yet exposed:
- DHCP management — scopes, leases, reservations (~12 endpoints)
- User & group administration — create/delete users, manage groups, permissions (~15 endpoints)
- Cluster management — multi-server clustering, health, failover (~15 endpoints)
- Zone import/clone/convert — import from file, clone from another server, convert zone types
- DNSSEC signing & key management — sign/unsign zones, rotate keys, algorithm config
- Allowed/blocked zone import/export — bulk import/export from files
- Settings backup/restore — full server config backup and restore
- Log management — log file deletion, log settings changes
If you need any of these, contributions are welcome or open an issue.
Tested against Technitium DNS Server v14.3 on Alpine Linux. All 36 API endpoints verified against the live v14 API.
Note: Technitium's API paths changed between versions. If you see 404 errors, check that your server version is v14+. Earlier versions used different paths (e.g. /api/allowedZones/list instead of /api/allowed/list).
- Node.js >= 18
- Technitium DNS Server v14+
- Add 19 new tools (39 total): remove/flush allowed & blocked, delete cached, enable/disable/configure/export zones, server settings management, temporary blocking disable, block list updates, app store/install/uninstall/config, DNSSEC info, update check
- All 36 API endpoints verified returning 200 against live Technitium v14.3
- Add "Not Yet Implemented" section documenting available API categories
- Fix
dns_resolvemissing requiredserverparameter (now defaults tothis-server) - Fix
dns_query_logsmissingnameandclassPathparams for Query Logs (Sqlite) app - Fix
dns_list_allowed,dns_allow_domainusing wrong API path (/api/allowedZones/*->/api/allowed/*) - Fix
dns_list_blocked,dns_block_domainusing wrong API path (/api/blockedZones/*->/api/blocked/*) - Fix
dns_list_cacheusing wrong API path (/api/cache/zones/list->/api/cache/list) - Fix
dns_allow_domain,dns_block_domainusing wrong param name (zone->domain) - All 17 API endpoints verified returning 200 against live Technitium v14.3
- Security hardening: input validation, audit logging, rate limiting, response sanitization
- HTTPS enforcement with HTTP opt-in, read-only mode, confirmation for destructive ops
- Token file support, auth mutex, POST-only API calls, env var clearing
- Initial release with 20 tools for DNS management
MIT