documentation/dns-topology.md

# DNS Topology — Iron Legion Homelab

**Last updated:** 2026-05-30
**Canonical source:** `Iron-Legion/documentation/dns-topology.md`

---

## Overview

All DNS resolution for the fleet is handled by **Technitium DNS Server** on MK7. AdGuard Home has been removed — Technitium's built-in ad blocking (blocklist-based) replaces it entirely.

**Single source of truth:** Technitium is both authoritative for the fleet's private zone and recursive for the public internet.

---

## DNS Architecture

```
Client Devices ──→ Router (primary, Cloudflare upstream)
                      │
                      └── Windows 11: secondary → MK7:53 (Technitium)

MK7 (Technitium DNS, port 53):
  ├── Authoritative zone: *.ai.home
  │   └── artemis.ai.home, mk7.ai.home, mk44.ai.home, mk5.ai.home, mk33.ai.home, ...
  ├── Recursive resolver (root servers for public domains)
  │   └── OR Cloudflare DoT forwarder: tls://1.1.1.1 (configurable)
  └── Ad blocking: blocklist loaded (StevenBlack / OISD / hBlock — user-configured)
```

---

## Service Details

| Attribute | Value |
|-----------|-------|
| **Service** | Technitium DNS Server |
| **Image** | `technitium/dns-server:latest` |
| **Host** | MK7 (`192.168.7.7`, `100.66.70.51` Tailscale) |
| **Published ports** | `53/tcp`, `53/udp` (DNS), `5380/tcp` (Web UI) |
| **Traefik host** | `dns.ai.home` |
| **Compose** | `/opt/iron-legion/docker-swarm/technitium/compose.yml` |
| **Data volume** | `technitium-config` (Docker volume) |

---

## Upstream / Forwarder Config

| Setting | Value | Notes |
|---------|-------|-------|
| **Forwarder protocol** | DNS over TLS (DoT) | Encrypted queries to Cloudflare |
| **Forwarder address** | `tls://1.1.1.1` | Primary |
| **Fallback** | `tls://1.0.0.1` | Secondary (if configured) |
| **Root-server fallback** | Implicit | Technitium falls back to recursive resolution if forwarder fails |

**Web UI:** `http://dns.ai.home:5380` or `http://192.168.7.7:5380`
- Settings → DNS Server → Forwarders → Add `tls://1.1.1.1`

---

## Ad Blocking

Technitium uses a **DNS blocklist** to drop ad/tracker/malware domains at resolution time.

| Setting | Value |
|---------|-------|
| **Blocklist source** | User-configured (e.g., StevenBlack, OISD, hBlock) |
| **Update interval** | User-configured (recommend: daily) |
| **Whitelist** | `.ai.home` internal zone never blocked |
| **Previous solution** | ~~AdGuard Home~~ — removed |

**Blocklist config:** Web UI → Settings → Blocking → Blocklists

---

## Zone: `ai.home`

Technitium is **authoritative** for `.ai.home`. Records are maintained via the web UI or API.

| Record Type | Examples |
|-------------|----------|
| **A** | `artemis.ai.home → 192.168.15.182` |
| **A** | `mk7.ai.home → 192.168.7.7` |
| **A** | `mk44.ai.home → 192.168.x.x` |
| **CNAME** | `dns.ai.home → mk7.ai.home` |

**Zone file location:** `/etc/dns/config/zones/ai.home` (inside container)

---

## Client DNS Assignment

| Client | Primary DNS | Secondary DNS | Notes |
|--------|-------------|---------------|-------|
| **Router** | Cloudflare (1.1.1.1) | — | Default for all LAN devices |
| **Windows 11** | Router | MK7:53 (Technitium) | Ad blocking only on secondary |
| **Tailscale devices** | 100.100.100.100 (MagicDNS) | — | Split-brain: `.ai.home` → 192.168.7.7 |

**Fleet nodes** (MK33, MK34, MK39, MK42) resolve `.ai.home` against MK7:53 via their LAN gateway or static DNS assignment.

---

## Tailscale Integration

Tailscale's **MagicDNS** and **split-brain DNS** handle `*.ai.home` for devices connected to the tailnet.

| Setting | Value |
|---------|-------|
| **Split DNS domain** | `ai.home` |
| **Nameserver** | `192.168.7.7` (MK7 LAN IP) |
| **Override local DNS** | Yes |

This means: a laptop on Tailscale resolving `artemis.ai.home` hits Tailscale's DNS, which forwards `ai.home` queries to `192.168.7.7` (Technitium). The laptop does NOT need to point its system DNS at MK7.

**Off-Tailscale:** Devices must point DNS at MK7:53 directly to resolve `.ai.home`.

---

## Migration History

| Date | Change |
|------|--------|
| 2026-05-25 | AdGuard Home deployed on port 3000/5373 |
| 2026-05-28 | AdGuard paused (port conflict / redundancy concerns) |
| 2026-05-30 | **AdGuard removed.** Technitium blocklist configured. DoT to Cloudflare enabled. |

---

## Troubleshooting

| Symptom | Cause | Fix |
|---------|-------|-----|
| Can't resolve `.ai.home` | Device not using Technitium | Point DNS at MK7:53 or join Tailscale |
| Ads not blocked | Blocklist not loaded / outdated | Refresh blocklist in Technitium UI |
| Slow resolution | DoT forwarder failing | Check `tls://1.1.1.1` reachability; fall back to root recursion |
| Tailscale IPs unreachable | Device not on Tailscale | Connect to tailnet; 100.x IPs are VPN-only |

---

## Operational Commands

```bash
# Test resolution from any node
dig @192.168.7.7 artemis.ai.home +short
dig @192.168.7.7 google.com +short

# Check Technitium container logs
ssh jarvis@mk7.ai.home "docker logs $(docker ps -q -f name=technitium)"

# Access web UI
open http://dns.ai.home:5380
```