DnsServer icon indicating copy to clipboard operation
DnsServer copied to clipboard
verified publisher icon TechnitiumSoftware

Security Concerns, and Multi User enviroments.

Open DDoty99 opened this issue 7 years ago • 3 comments

We have a student computer lab that we're attempting to deploy website blocking for, and we were considering this tool to do DNS level blocking. But I'm concerned over the service process privilege and user management elements. Running the installer on my windows 10 laptop, it appears that the dnsserver.exe process runs with system level permissions. Is this necessary? i realize that it needs to write to the C:\Program File(x86)\ Folder, but maybe relocating to C:\Technitium\Config and creating a user with just permissions for that folder would be better? I'd prefer to run web services with the least privilege principal. And from quick glancing over the web interface, the only user that can login is admin? I realize that it may be beyond the scope of this project, and maybe something a enterprise product would do. So maybe simplicity would be best, even if its compromising.

But the DNS over HTTPS/TLS features are really cool and modern, and i think this program has a very small footprint over all, so it's pretty fitting for our environment aside the issues above. Thank you for your time.

DDoty99 avatar Dec 11 '18 21:12 DDoty99

Thanks for the valuable feedback. Your concerns are legitimate but there are options you can use to make it work like that. Once you install the DNS Server, you can use the service properties to make it run as a different user from the options shown here:

image

With this option set, you will need to give the same user create+read+write access to the config folder (C:\Program Files (x86)\Technitium\DNS Server\config) or you could decide to install the software at a different location where the user already has file system access.

The web console has a fixed default user "admin" for now. In later releases there is plan to allow simple role based access where you could create different users especially if you need to use the web API for automation.

Right now, the focus is on the core functionality, stability, correctness and, enhancing the new protocol support. Once the core features are stable, which might take around a month, then the features related to security will be added.

ShreyasZare avatar Dec 12 '18 04:12 ShreyasZare

Sorry to poke a such an old topic. Any update on the plan to add user management?

DomiiBunn avatar May 16 '20 13:05 DomiiBunn

Sorry to poke a such an old topic. Any update on the plan to add user management?

Yes, there is a plan but I am currently working on core DNS features which are a priority.

ShreyasZare avatar May 17 '20 07:05 ShreyasZare

New version 9.0 now support multi-user role based access.

ShreyasZare avatar Sep 24 '22 13:09 ShreyasZare