How do I use Technitium MCP Secure?

1. Click on "Install Server". 2. Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state. 3. In the chat, type @ followed by the MCP server name and your instructions, e.g., "@Technitium MCP Secure list the DNS records for the home.lab zone" That's it! The server will respond to your query, and you can continue using it as needed. Here is a step-by-step guide with screenshots.

technitium-mcp-secure

A security-hardened Model Context Protocol (MCP) server for managing Technitium DNS Server via its HTTP API.

Built for use with Claude Code and other MCP-compatible clients.

Features

20 tools covering DNS zones, records, blocking, cache, settings, logs, and diagnostics
Input validation on all parameters (RFC 1035 domain checks, IP validation, enum allowlists)
HTTPS enforcement with explicit HTTP opt-in for local networks
Read-only mode to expose only safe query tools
Confirmation required for destructive operations (delete zone, delete record, flush cache)
Rate limiting with stricter limits on destructive operations
Audit logging as structured JSONL to stderr
Response sanitization to strip tokens, passwords, stack traces, and sensitive paths
Error sanitization to prevent credential/path leakage in error messages
Token file support for secure credential storage
Auth mutex to prevent concurrent authentication races
POST-only API calls to keep tokens out of query strings and server logs

Quick Start

# Clone and build git clone https://github.com/rosschurchill/technitium-mcp-secure.git cd technitium-mcp-secure npm install npm run build # Register with Claude Code (see "Generating an API Token" below first) claude mcp add technitium-dns \ --env TECHNITIUM_URL=https://your-server-ip:5380 \ --env TECHNITIUM_TOKEN=your-api-token \ -- node /path/to/technitium-mcp-secure/dist/index.js

Configuration

All configuration is via environment variables:

Variable	Required	Description
`TECHNITIUM_URL`	Yes	Server URL (e.g. `https://192.168.1.100:5380`)
`TECHNITIUM_TOKEN`	One of token/password	API token (preferred)
`TECHNITIUM_TOKEN_FILE`	One of token/password	Path to file containing token (must be mode 0600)
`TECHNITIUM_PASSWORD`	One of token/password	Admin password (token is preferred)
`TECHNITIUM_USER`	No	Username (default: `admin`)
`TECHNITIUM_READONLY`	No	Set `true` to hide all write tools
`TECHNITIUM_ALLOW_HTTP`	No	Set `true` to allow insecure HTTP connections

Authentication priority: TECHNITIUM_TOKEN > TECHNITIUM_TOKEN_FILE > TECHNITIUM_PASSWORD

Sensitive environment variables are cleared from process.env after being read.

Tools

Read-only (12 tools)

Tool	Description
`dns_health_check`	Server version, uptime, forwarder config, failure rate
`dns_get_stats`	Query statistics with top clients/domains/blocked
`dns_resolve`	Test DNS resolution via the server
`dns_list_zones`	List all configured zones
`dns_zone_options`	Zone DNSSEC, transfer, and notify settings
`dns_list_records`	List records in a zone
`dns_list_blocked`	List blocked domains
`dns_list_allowed`	List allowed (whitelisted) domains
`dns_list_cache`	List cached zones
`dns_get_settings`	Full server settings
`dns_query_logs`	Query DNS logs with filters
`dns_list_apps`	List installed DNS apps

Write (8 tools)

Tool	Description
`dns_create_zone`	Create a new DNS zone
`dns_delete_zone`	Delete a zone (requires `confirm: true`)
`dns_add_record`	Add a DNS record
`dns_update_record`	Update an existing record
`dns_delete_record`	Delete a record (requires `confirm: true`)
`dns_block_domain`	Block a domain
`dns_allow_domain`	Allow a domain (bypass block lists)
`dns_flush_cache`	Flush DNS cache (requires `confirm: true`)

Security

Generating an API Token

An API token is the recommended way to authenticate. Tokens avoid sending your admin password on every request and can be revoked independently.

Option A: Web Admin UI

Open the Technitium web admin (e.g. http://your-server-ip:5380)
Log in with your admin credentials
Go to Administration (gear icon, top right)
Scroll down to Sessions
Under Create API Token, enter a name (e.g. mcp-server)
Click Create
Copy the token value shown - this is the only time it will be displayed

Option B: API (curl)

# Login first to get a session token curl -s -X POST 'http://your-server-ip:5380/api/user/login' \ -d 'user=admin&pass=yourpassword' | jq -r '.response.token' # Then create a non-expiring API token using the session token curl -s -X POST 'http://your-server-ip:5380/api/user/createToken' \ -d 'user=admin&pass=yourpassword&tokenName=mcp-server' | jq -r '.response.token'

Storing the token securely:

# Option 1: Pass directly as env var (simplest) claude mcp add technitium-dns \ --env TECHNITIUM_TOKEN=your-token-here ... # Option 2: Use a token file (more secure - keeps token out of shell history) echo "your-token-here" > ~/.technitium-token chmod 600 ~/.technitium-token claude mcp add technitium-dns \ --env TECHNITIUM_TOKEN_FILE=~/.technitium-token ...

Local Network (HTTP)

If your Technitium server doesn't have TLS configured (common for LAN-only setups), you need to explicitly allow HTTP:

claude mcp add technitium-dns \ --env TECHNITIUM_URL=http://your-server-ip:5380 \ --env TECHNITIUM_TOKEN=your-token \ --env TECHNITIUM_ALLOW_HTTP=true \ -- node /path/to/technitium-mcp-secure/dist/index.js

A warning will be logged to stderr reminding you that credentials are sent in plaintext.

Read-only Mode

For monitoring-only use cases, hide all write tools:

claude mcp add technitium-dns-readonly \ --env TECHNITIUM_URL=http://your-server-ip:5380 \ --env TECHNITIUM_TOKEN=your-token \ --env TECHNITIUM_READONLY=true \ --env TECHNITIUM_ALLOW_HTTP=true \ -- node /path/to/dist/index.js

Rate Limits

Global: 100 requests/minute
Create/mutate operations: 10/minute
Delete/flush operations: 5/minute

Audit Log

All tool calls are logged as JSONL to stderr with timestamps, tool name, sanitized arguments, result status, and duration. Sensitive values (tokens, passwords) are redacted before logging.