Skip to main content
Glama
rosschurchill

Technitium MCP Secure

by rosschurchill
OverviewSchemaRelated ServersScoreDiscussions
TypeScript
Remote

technitium-mcp-secure

A security-hardened Model Context Protocol (MCP) server for managing Technitium DNS Server via its HTTP API.

Built for use with Claude Code and other MCP-compatible clients.

Features

  • 39 tools covering DNS zones, records, blocking, cache, settings, apps, DNSSEC, logs, and diagnostics

  • Input validation on all parameters (RFC 1035 domain checks, IP validation, enum allowlists)

  • HTTPS enforcement with explicit HTTP opt-in for local networks

  • Read-only mode to expose only safe query tools

  • Confirmation required for destructive operations (delete zone, delete record, flush cache/allow/block, uninstall app)

  • Rate limiting with stricter limits on destructive operations

  • Audit logging as structured JSONL to stderr

  • Response sanitization to strip tokens, passwords, stack traces, and sensitive paths

  • Error sanitization to prevent credential/path leakage in error messages

  • Token file support for secure credential storage

  • Auth mutex to prevent concurrent authentication races

  • POST-only API calls for all mutating operations; zone export uses GET (required by Technitium API) with short-lived session tokens

Quick Start

# Clone and build
git clone https://github.com/rosschurchill/technitium-mcp-secure.git
cd technitium-mcp-secure
npm install
npm run build

# Register with Claude Code (see "Generating an API Token" below first)
claude mcp add technitium-dns \
  --env TECHNITIUM_URL=https://your-server-ip:5380 \
  --env TECHNITIUM_TOKEN=your-api-token \
  -- node /path/to/technitium-mcp-secure/dist/index.js

Configuration

All configuration is via environment variables:

Variable

Required

Description

TECHNITIUM_URL

Yes

Server URL (e.g. https://192.168.1.100:5380)

TECHNITIUM_TOKEN

One of token/password

API token (preferred)

TECHNITIUM_TOKEN_FILE

One of token/password

Path to file containing token (must be mode 0600)

TECHNITIUM_PASSWORD

One of token/password

Admin password (token is preferred)

TECHNITIUM_USER

No

Username (default: admin)

TECHNITIUM_READONLY

No

Set true to hide all write tools

TECHNITIUM_ALLOW_HTTP

No

Set true to allow insecure HTTP connections

Authentication priority: TECHNITIUM_TOKEN > TECHNITIUM_TOKEN_FILE > TECHNITIUM_PASSWORD

Sensitive environment variables are cleared from process.env after being read.

Tools

Read-only (18 tools)

Tool

Description

dns_health_check

Server version, uptime, forwarder config, failure rate

dns_get_stats

Query statistics with top clients/domains/blocked

dns_check_update

Check if a newer server version is available

dns_resolve

Test DNS resolution via the server

dns_list_zones

List all configured zones

dns_zone_options

Zone DNSSEC, transfer, and notify settings

dns_export_zone

Export a zone file in BIND format

dns_list_records

List records in a zone

dns_list_blocked

List blocked domains (hierarchical, supports drill-down)

dns_list_allowed

List allowed domains (hierarchical, supports drill-down)

dns_list_cache

List cached zones (hierarchical, supports drill-down)

dns_get_settings

Full server settings

dns_query_logs

Query DNS logs with filters

dns_list_apps

List installed DNS apps

dns_list_app_store

List available apps from the Technitium app store

dns_get_app_config

Get configuration for an installed app

dns_dnssec_info

DNSSEC properties for a zone

dns_get_ds

DS records for a DNSSEC-signed zone

Write (21 tools)

Tool

Description

dns_create_zone

Create a new DNS zone

dns_delete_zone

Delete a zone (requires confirm: true)

dns_enable_zone

Enable a disabled zone

dns_disable_zone

Disable a zone (preserves records)

dns_set_zone_options

Update zone configuration (notify, transfer ACLs)

dns_add_record

Add a DNS record

dns_update_record

Update an existing record

dns_delete_record

Delete a record (requires confirm: true)

dns_block_domain

Block a domain

dns_remove_blocked

Remove a domain from the block list

dns_flush_blocked

Flush entire custom block list (requires confirm: true)

dns_allow_domain

Allow a domain (bypass block lists)

dns_remove_allowed

Remove a domain from the allow list

dns_flush_allowed

Flush entire allow list (requires confirm: true)

dns_flush_cache

Flush DNS cache (requires confirm: true)

dns_delete_cached

Delete a specific domain from cache

dns_set_settings

Update server settings (forwarders, blocking, etc.)

dns_update_blocklists

Force immediate block list update

dns_temp_disable_blocking

Temporarily disable blocking (auto re-enables)

dns_install_app

Install a DNS app from the app store

dns_uninstall_app

Uninstall an app (requires confirm: true)

Security

Generating an API Token

An API token is the recommended way to authenticate. Tokens avoid sending your admin password on every request and can be revoked independently.

Option A: Web Admin UI

  1. Open the Technitium web admin (e.g. http://your-server-ip:5380)

  2. Log in with your admin credentials

  3. Go to Administration (gear icon, top right)

  4. Scroll down to Sessions

  5. Under Create API Token, enter a name (e.g. mcp-server)

  6. Click Create

  7. Copy the token value shown - this is the only time it will be displayed

Option B: API (curl)

# Login first to get a session token
curl -s -X POST 'http://your-server-ip:5380/api/user/login' \
  -d 'user=admin&pass=yourpassword' | jq -r '.response.token'

# Then create a non-expiring API token using the session token
curl -s -X POST 'http://your-server-ip:5380/api/user/createToken' \
  -d 'user=admin&pass=yourpassword&tokenName=mcp-server' | jq -r '.response.token'

Storing the token securely:

# Option 1: Pass directly as env var (simplest)
claude mcp add technitium-dns \
  --env TECHNITIUM_TOKEN=your-token-here ...

# Option 2: Use a token file (more secure - keeps token out of shell history)
echo "your-token-here" > ~/.technitium-token
chmod 600 ~/.technitium-token

claude mcp add technitium-dns \
  --env TECHNITIUM_TOKEN_FILE=~/.technitium-token ...

Local Network (HTTP)

If your Technitium server doesn't have TLS configured (common for LAN-only setups), you need to explicitly allow HTTP:

claude mcp add technitium-dns \
  --env TECHNITIUM_URL=http://your-server-ip:5380 \
  --env TECHNITIUM_TOKEN=your-token \
  --env TECHNITIUM_ALLOW_HTTP=true \
  -- node /path/to/technitium-mcp-secure/dist/index.js

A warning will be logged to stderr reminding you that credentials are sent in plaintext.

Read-only Mode

For monitoring-only use cases, hide all write tools:

claude mcp add technitium-dns-readonly \
  --env TECHNITIUM_URL=http://your-server-ip:5380 \
  --env TECHNITIUM_TOKEN=your-token \
  --env TECHNITIUM_READONLY=true \
  --env TECHNITIUM_ALLOW_HTTP=true \
  -- node /path/to/dist/index.js

Rate Limits

  • Global: 100 requests/minute

  • Create/mutate operations: 10/minute

  • Delete/flush operations: 5/minute

Audit Log

All tool calls are logged as JSONL to stderr with timestamps, tool name, sanitized arguments, result status, and duration. Sensitive values (tokens, passwords) are redacted before logging.

Not Yet Implemented

The Technitium API has ~173 endpoints. This MCP server covers the most useful 36. The following categories are available in the API but not yet exposed:

  • DHCP management — scopes, leases, reservations (~12 endpoints)

  • User & group administration — create/delete users, manage groups, permissions (~15 endpoints)

  • Cluster management — multi-server clustering, health, failover (~15 endpoints)

  • Zone import/clone/convert — import from file, clone from another server, convert zone types

  • DNSSEC signing & key management — sign/unsign zones, rotate keys, algorithm config

  • Allowed/blocked zone import/export — bulk import/export from files

  • Settings backup/restore — full server config backup and restore

  • Log management — log file deletion, log settings changes

If you need any of these, contributions are welcome or open an issue.

Compatibility

Tested against Technitium DNS Server v14.3 on Alpine Linux. All 36 API endpoints verified against the live v14 API.

Note: Technitium's API paths changed between versions. If you see 404 errors, check that your server version is v14+. Earlier versions used different paths (e.g. /api/allowedZones/list instead of /api/allowed/list).

Requirements

  • Node.js >= 18

  • Technitium DNS Server v14+

Changelog

v1.2.0

  • Add 19 new tools (39 total): remove/flush allowed & blocked, delete cached, enable/disable/configure/export zones, server settings management, temporary blocking disable, block list updates, app store/install/uninstall/config, DNSSEC info, update check

  • All 36 API endpoints verified returning 200 against live Technitium v14.3

  • Add "Not Yet Implemented" section documenting available API categories

v1.1.1

  • Fix dns_resolve missing required server parameter (now defaults to this-server)

  • Fix dns_query_logs missing name and classPath params for Query Logs (Sqlite) app

  • Fix dns_list_allowed, dns_allow_domain using wrong API path (/api/allowedZones/* -> /api/allowed/*)

  • Fix dns_list_blocked, dns_block_domain using wrong API path (/api/blockedZones/* -> /api/blocked/*)

  • Fix dns_list_cache using wrong API path (/api/cache/zones/list -> /api/cache/list)

  • Fix dns_allow_domain, dns_block_domain using wrong param name (zone -> domain)

  • All 17 API endpoints verified returning 200 against live Technitium v14.3

v1.1.0

  • Security hardening: input validation, audit logging, rate limiting, response sanitization

  • HTTPS enforcement with HTTP opt-in, read-only mode, confirmation for destructive ops

  • Token file support, auth mutex, POST-only API calls, env var clearing

v1.0.0

  • Initial release with 20 tools for DNS management

License

MIT

Install Server
A
security – no known vulnerabilities
A
license - permissive license
A
quality - confirmed to work

How are these scores calculated?

Resources

Tools

View all tools

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/rosschurchill/technitium-mcp-secure'

If you have feedback or need assistance with the MCP directory API, please join our Discord server