Iron-Legion/documentation
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
520da27cd338738e63026ada4ad9b795659ddd0a
documentation/dns-topology.md
jarvis 484b2e6272 DNS topology: AdGuard removed, Technitium authoritative + DoT + ad blocking 
- Remove AdGuard Home from all service catalogs, deployment phases,
  persistence tables, and network architecture docs
- Update Technitium notes: authoritative .ai.home zone, recursive resolver,
  DoT forwarder to Cloudflare (tls://1.1.1.1), built-in ad blocking
- Resolve open questions #2 (Technitium upstream) and #3 (AdGuard layout)
- Add dns-topology.md: complete DNS architecture diagram, zone details,
  client assignments, Tailscale integration, troubleshooting table,
  migration history (AdGuard deployed → paused → removed)
2026-05-29 21:01:24 -04:00

5.0 KiB
Raw Blame History

DNS Topology — Iron Legion Homelab

Last updated: 2026-05-30 Canonical source: Iron-Legion/documentation/dns-topology.md

Overview

All DNS resolution for the fleet is handled by Technitium DNS Server on MK7. AdGuard Home has been removed — Technitium's built-in ad blocking (blocklist-based) replaces it entirely.

Single source of truth: Technitium is both authoritative for the fleet's private zone and recursive for the public internet.

DNS Architecture

Client Devices ──→ Router (primary, Cloudflare upstream)
                      │
                      └── Windows 11: secondary → MK7:53 (Technitium)

MK7 (Technitium DNS, port 53):
  ├── Authoritative zone: *.ai.home
  │   └── artemis.ai.home, mk7.ai.home, mk44.ai.home, mk5.ai.home, mk33.ai.home, ...
  ├── Recursive resolver (root servers for public domains)
  │   └── OR Cloudflare DoT forwarder: tls://1.1.1.1 (configurable)
  └── Ad blocking: blocklist loaded (StevenBlack / OISD / hBlock — user-configured)

Service Details

Attribute Value
Service Technitium DNS Server
Image technitium/dns-server:latest
Host MK7 (192.168.7.7, 100.66.70.51 Tailscale)
Published ports 53/tcp, 53/udp (DNS), 5380/tcp (Web UI)
Traefik host dns.ai.home
Compose /opt/iron-legion/docker-swarm/technitium/compose.yml
Data volume technitium-config (Docker volume)

Upstream / Forwarder Config

Setting Value Notes
Forwarder protocol DNS over TLS (DoT) Encrypted queries to Cloudflare
Forwarder address tls://1.1.1.1 Primary
Fallback tls://1.0.0.1 Secondary (if configured)
Root-server fallback Implicit Technitium falls back to recursive resolution if forwarder fails

Web UI: http://dns.ai.home:5380 or http://192.168.7.7:5380

  • Settings → DNS Server → Forwarders → Add tls://1.1.1.1

Ad Blocking

Technitium uses a DNS blocklist to drop ad/tracker/malware domains at resolution time.

Setting Value
Blocklist source User-configured (e.g., StevenBlack, OISD, hBlock)
Update interval User-configured (recommend: daily)
Whitelist .ai.home internal zone never blocked
Previous solution AdGuard Home — removed

Blocklist config: Web UI → Settings → Blocking → Blocklists

Zone: ai.home

Technitium is authoritative for .ai.home. Records are maintained via the web UI or API.

Record Type Examples
A artemis.ai.home → 192.168.15.182
A mk7.ai.home → 192.168.7.7
A mk44.ai.home → 192.168.x.x
CNAME dns.ai.home → mk7.ai.home

Zone file location: /etc/dns/config/zones/ai.home (inside container)

Client DNS Assignment

Client Primary DNS Secondary DNS Notes
Router Cloudflare (1.1.1.1) Default for all LAN devices
Windows 11 Router MK7:53 (Technitium) Ad blocking only on secondary
Tailscale devices 100.100.100.100 (MagicDNS) Split-brain: .ai.home → 192.168.7.7

Fleet nodes (MK33, MK34, MK39, MK42) resolve .ai.home against MK7:53 via their LAN gateway or static DNS assignment.

Tailscale Integration

Tailscale's MagicDNS and split-brain DNS handle *.ai.home for devices connected to the tailnet.

Setting Value
Split DNS domain ai.home
Nameserver 192.168.7.7 (MK7 LAN IP)
Override local DNS Yes

This means: a laptop on Tailscale resolving artemis.ai.home hits Tailscale's DNS, which forwards ai.home queries to 192.168.7.7 (Technitium). The laptop does NOT need to point its system DNS at MK7.

Off-Tailscale: Devices must point DNS at MK7:53 directly to resolve .ai.home.

Migration History

Date Change
2026-05-25 AdGuard Home deployed on port 3000/5373
2026-05-28 AdGuard paused (port conflict / redundancy concerns)
2026-05-30 AdGuard removed. Technitium blocklist configured. DoT to Cloudflare enabled.

Troubleshooting

Symptom Cause Fix
Can't resolve .ai.home Device not using Technitium Point DNS at MK7:53 or join Tailscale
Ads not blocked Blocklist not loaded / outdated Refresh blocklist in Technitium UI
Slow resolution DoT forwarder failing Check tls://1.1.1.1 reachability; fall back to root recursion
Tailscale IPs unreachable Device not on Tailscale Connect to tailnet; 100.x IPs are VPN-only

Operational Commands

# Test resolution from any node
dig @192.168.7.7 artemis.ai.home +short
dig @192.168.7.7 google.com +short

# Check Technitium container logs
ssh jarvis@mk7.ai.home "docker logs $(docker ps -q -f name=technitium)"

# Access web UI
open http://dns.ai.home:5380
Reference in New Issue View Git Blame Copy Permalink