DNS client with private CA certificates

[dittert]

I am using the Technitium docker image as DNS server for my internal network. All internal SSL is based on an internal CA that is installed on all systems.

However, that causes problems with the fantastic internal DNS client when you're trying to query the corresponding Technitium instance. Here is an example when I try to query the DNS name of Technitium with DNS over TLS.

[2026-01-03 11:35:58 UTC] [10.102.2.151:64344] System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
 ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: PartialChain
   at System.Net.Security.SslStream.SendAuthResetSignal(ReadOnlySpan`1 alert, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
   at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.InjectNewHttp2ConnectionAsync(QueueItem queueItem)
   at System.Threading.Tasks.TaskCompletionSourceWithCancellation`1.WaitWithCancellationAsync(CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.SendWithVersionDetectionAndRetryAsync(HttpRequestMessage request, Boolean async, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, Boolean async, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.<SendAsync>g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)
   at TechnitiumLibrary.Net.Dns.ClientConnection.HttpsClientConnection.QueryAsync(DnsDatagram request, Int32 timeout, Int32 retries, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\ClientConnection\HttpsClientConnection.cs:line 319
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass90_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4546
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass90_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4772
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass90_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4462
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalResolveAsync(DnsDatagram request, Func`3 getValidatedResponseAsync, Boolean doNotReorderNameServers, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4934
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalNoDnssecResolveAsync(DnsDatagram request, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4953
   at DnsServerCore.DnsWebService.WebServiceApi.ResolveQueryAsync(HttpContext context) in Z:\Technitium\Projects\DnsServer\DnsServerCore\WebServiceApi.cs:line 345
   at DnsServerCore.DnsWebService.WebServiceApiMiddleware(HttpContext context, RequestDelegate next) in Z:\Technitium\Projects\DnsServer\DnsServerCore\DnsWebService.cs:line 2015
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)
[2026-01-03 11:36:09 UTC] [10.102.2.151:64344] System.Security.Authentication.AuthenticationException: The remote certificate is invalid because of errors in the certificate chain: RemoteCertificateChainErrors
   at System.Net.Quic.QuicConnection.SslConnectionOptions.ValidateCertificate(X509Certificate2 certificate, Span`1 certData, Span`1 chainData)
   at System.Net.Quic.QuicConnection.SslConnectionOptions.StartAsyncCertificateValidation(IntPtr certificatePtr, IntPtr chainPtr)
   at System.Net.Quic.ValueTaskSource.System.Threading.Tasks.Sources.IValueTaskSource.GetResult(Int16 token)
   at System.Net.Quic.QuicConnection.FinishConnectAsync(QuicClientConnectionOptions options, CancellationToken cancellationToken)
   at System.Net.Quic.QuicConnection.<ConnectAsync>g__StartConnectAsync|2_0(QuicClientConnectionOptions options, CancellationToken cancellationToken)
   at System.Net.Quic.QuicConnection.<ConnectAsync>g__StartConnectAsync|2_0(QuicClientConnectionOptions options, CancellationToken cancellationToken)
   at TechnitiumLibrary.Net.Dns.ClientConnection.QuicClientConnection.GetConnectionAsync(Int32 timeout, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\ClientConnection\QuicClientConnection.cs:line 206
   at TechnitiumLibrary.Net.Dns.ClientConnection.QuicClientConnection.QueryAsync(DnsDatagram request, Int32 timeout, Int32 retries, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\ClientConnection\QuicClientConnection.cs:line 308
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass90_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4546
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass90_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4772
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.<>c__DisplayClass90_0.<<InternalResolveAsync>g__DoResolveAsync|1>d.MoveNext() in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4462
--- End of stack trace from previous location ---
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalResolveAsync(DnsDatagram request, Func`3 getValidatedResponseAsync, Boolean doNotReorderNameServers, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4934
   at TechnitiumLibrary.Net.Dns.DnsClient.InternalNoDnssecResolveAsync(DnsDatagram request, CancellationToken cancellationToken) in Z:\Technitium\Projects\TechnitiumLibrary\TechnitiumLibrary.Net\Dns\DnsClient.cs:line 4953
   at DnsServerCore.DnsWebService.WebServiceApi.ResolveQueryAsync(HttpContext context) in Z:\Technitium\Projects\DnsServer\DnsServerCore\WebServiceApi.cs:line 345
   at DnsServerCore.DnsWebService.WebServiceApiMiddleware(HttpContext context, RequestDelegate next) in Z:\Technitium\Projects\DnsServer\DnsServerCore\DnsWebService.cs:line 2015
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)
~

I assume this error is caused by the fact that the docker image does not contain my certificate authority and therefore the Technitium DNS client (correctly) cannot verify the certificate chain.

There are a couple of possible solutions, and I was wondering which one would be best:

• You could build their own Docker container based on Technitium that includes the privat root certificate. This is inconvenient because of the extra steps that are needed for building and maintaining the container
• You could maintain a custom certificate store with your own CA and mount that as /etc/ssl/certs/ca-certificates.crt into the container. It is my understanding that you can't just mount your own CA as a single file because that would require updating the central certificate store. This solution is also inconvenient, even though a little better than the first solution
• Technitium could automatically add CA certificates/all certificates (?) from Settings | Optional Protocols | TLS Certificate File Path as trusted for the DNS client
• Technitium could add an additional PFX file with trusted root certificates and include that for all TLS functionality.

I am wondering if there is any other functionality that could run into the same problems (e.g. cluster updates?)?

What do you think?

[maxfield-allison]

Entrypoint Wrapper Script Solution for Private CA Certificates

You can create an entrypoint wrapper script that installs your private CA certificate before starting the DNS server. You just mount the script and your certificates.

1. Create the wrapper script

Save this as entrypoint-wrapper.sh:

#!/bin/bash

# Copy custom CA certificates if they exist
if [ -d /custom-certs ] && [ "$(ls -A /custom-certs 2>/dev/null)" ]; then
    echo "Installing custom CA certificates..."
    cp /custom-certs/*.crt /usr/local/share/ca-certificates/ 2>/dev/null || true
    update-ca-certificates
    echo "Custom CA certificates installed."
fi

# Execute the original entrypoint/command
exec "$@"

Make it executable:

chmod +x entrypoint-wrapper.sh

2. Docker Compose configuration

services:
  dns-server:
    image: technitium/dns-server:latest
    entrypoint: ["/entrypoint-wrapper.sh"]
    command: ["/opt/technitium/dns/start.sh"]
    volumes:
      - ./entrypoint-wrapper.sh:/entrypoint-wrapper.sh:ro
      - ./certs:/custom-certs:ro  # Put your CA .crt files here
      - dns-config:/etc/dns
    ports:
      - "53:53/udp"
      - "53:53/tcp"
      - "5380:5380/tcp"
    restart: unless-stopped

volumes:
  dns-config:

3. Add your CA certificate

Place your private CA certificate in the ./certs/ directory:

./certs/my-internal-ca.crt

Important notes

• Certificate format: The certificate must be in PEM format (base64 encoded, starts with -----BEGIN CERTIFICATE-----)
• File extension: Use .crt extension for the certificate files
• How it works: The update-ca-certificates command updates the system trust store that .NET Core uses, so Technitium's DNS client will trust your internal CA
• No rebuild needed: Since this runs at container startup, you get the benefit of using the official image while still having your CA trusted

Directory structure

.
├── docker-compose.yml
├── entrypoint-wrapper.sh
└── certs/
    └── my-internal-ca.crt

This solution should address the errors you're seeing without too much fuss.

[dittert]

Thank you for explaining another solution so clearly!

I have looked into possible solutions in more detail. It seems to me that the solution with the least amount of maintenance burden is in fact to mount /etc/ssl/certs/ca-certificates.crt from the host machine into the container. That way, the container automatically receives all the updates whenever the host system receives it and I don't have to maintain that file manually or need to invoke the certificate update process.

Obviously, that only works if the container is hosted on a machine that uses the same mechanism to maintain its list of certificate authorities. At least for Linux that should be the case.

For the sake of completeness: installing my root CA indeed resolves the error in the DNS client. So, this really is the root cause.

[ShreyasZare]

Thanks for the post. Good to know that you found an easy solution. Installing private CA is a generic requirement which has to be done using the solutions like the one you found.