Using PROXY Protocol on Technitium fronted with a layer-4 router

[skedastically]

Just wanna share my configs for routing packets with PROXY Protocol enabled to Technitium. This helps with retrieving source IPs of DNS queries when Technitium can't do so natively (e.g. behind NAT). Also available as blog.

graph LR
    user -->|"53/udp"| nginx -->|"538/udp"|technitium
    user -->|"53/tcp"| nginx -->|"538/tcp"| technitium

Loading

1. Enable the protocols

Technitium Homepage -> Settings -> Optional Protocols -> check on Enable DNS-over-TCP-PROXY and Enable DNS-over-UDP-PROXY. By default these ports are 538/tcp and 538/udp, but you can change it if you want.

If you're using Technitium in a container, make sure to expose these ports as well.

2. Configure a nginx service

Install nginx via container or on host. Add this/mount this to your /etc/nginx/nginx.conf.

worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /tmp/nginx.pid;


events {
    # increased from 1024 to avoid congestions
    worker_connections  4096;
}

# use the stream directive
stream {
    # for DNS-over-UDP-PROXY
    server {
        listen              53 udp;
        proxy_pass          127.0.0.1:538;
        proxy_protocol      on;
    }
    server {
    # for DNS-over-TCP-PROXY
        listen              53;
        proxy_pass          127.0.0.1:538;
        proxy_protocol      on;
    }
}

If nginx is on a different machine from Technitium, replace 127.0.0.1 with appropriate Technitium's IP address.

Enable/Restart nginx.

3. Test the services

Using dog these should work:

dog -U example.com @<your-nginx-machine-ip>:53 # UDP
dog -T example.com @<your-nginx-machine-ip>:53 # TCP

And the correct client IP should be logged in Technitium.

---

PROXY Protocol helps with workarounds to some site-to-site DNS scenarios, which would make Split Horizon feasible. As per the docs, the same method can also be used for DoT as well.

graph LR
    user -->|"853/tcp"| nginx["TCP router with TLS termination"] -->|"538/tcp"|technitium

Loading

Please correct and suggest improvements. Also please share configs for other routers/reverse proxies e.g. Caddy-L4 or HAProxy (Nginx is the only one I found working so far).

[ShreyasZare]

Thanks for posting this here.