From c740ed130199ad032011f599cf80c0954ca38e1f Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sun, 12 Apr 2026 18:29:25 +0100 Subject: [PATCH] docs: update Technitium DNS docs after cache optimization MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Fix Technitium IP typo: 10.0.20.101 → 10.0.20.201 (service-catalog, vpn.md) - Fix PDB minAvailable: 1 → 2 (networking.md) - Add emrsn.org stub zone, cache TTL tuning, PG query logging, CronJobs - Update forwarders: was "Cloudflare + Google", actually Cloudflare DoH only - Update config storage: was generic PVC, now NFS path --- .claude/reference/service-catalog.md | 2 +- docs/architecture/networking.md | 13 +++++++++---- docs/architecture/vpn.md | 2 +- 3 files changed, 11 insertions(+), 6 deletions(-) diff --git a/.claude/reference/service-catalog.md b/.claude/reference/service-catalog.md index c5d8e9d6..eba601ba 100644 --- a/.claude/reference/service-catalog.md +++ b/.claude/reference/service-catalog.md @@ -6,7 +6,7 @@ | Service | Description | Stack | |---------|-------------|-------| | wireguard | VPN server | wireguard | -| technitium | DNS server (10.0.20.101) | technitium | +| technitium | DNS server (10.0.20.201) | technitium | | headscale | Tailscale control server | headscale | | traefik | Ingress controller (Helm) | traefik | | xray | Proxy/tunnel | platform | diff --git a/docs/architecture/networking.md b/docs/architecture/networking.md index 9154ad2e..195ea51f 100644 --- a/docs/architecture/networking.md +++ b/docs/architecture/networking.md @@ -1,6 +1,6 @@ # Networking Architecture -Last updated: 2026-04-10 +Last updated: 2026-04-12 ## Overview @@ -172,7 +172,7 @@ VMs tag traffic on vmbr1 to isolate workloads. pfSense bridges VLAN 20 to the up - Serves `.viktorbarzin.lan` zone with 30+ internal A/CNAME records - Also acts as full recursive resolver for public domains - `externalTrafficPolicy: Local` preserves client source IPs for query logging -- HA: primary + secondary + tertiary pods with anti-affinity, PDB minAvailable=1 +- HA: primary + secondary + tertiary pods with anti-affinity, PDB minAvailable=2 **LAN client DNS path (192.168.1.0/24)**: - TP-Link DHCP gives DNS=192.168.1.2 (pfSense WAN) @@ -320,11 +320,16 @@ Containerd on all K8s nodes uses `hosts.toml` to redirect pulls to the local cac - Firewall rules: Allow K8s egress, block inter-VLAN by default **Technitium**: -- Config: Stored in PVC `technitium-data` +- Config: Stored on NFS PVC (`/srv/nfs/technitium` on 192.168.1.127) - Zone file: `viktorbarzin.lan` (A records for all internal hosts) - Reverse zones: `10.0.10.in-addr.arpa`, `20.0.10.in-addr.arpa`, `1.168.192.in-addr.arpa`, `2.3.10.in-addr.arpa`, `0.168.192.in-addr.arpa` +- Stub zone: `emrsn.org` (returns NXDOMAIN locally for corporate domain queries, avoids upstream forwarding) - Dynamic updates: Enabled (UseSpecifiedNetworkACL) from pfSense IPs (10.0.20.1, 10.0.10.1, 192.168.1.2) -- Forwarders: Cloudflare 1.1.1.1, Google 8.8.8.8 +- Forwarders: Cloudflare DNS-over-HTTPS (1.1.1.1, 1.0.0.1) +- Cache: 100K max entries, min TTL 60s, max TTL 7 days, serve stale enabled (3 days) +- Query logging: PostgreSQL (`technitium` database on `pg-cluster-rw.dbaas.svc.cluster.local`) +- Blocking: OISD Big List + StevenBlack hosts (~486K domains) +- CronJobs: `technitium-password-sync` (6h, Vault password rotation), `technitium-split-horizon-sync` (6h, hairpin NAT fix), `technitium-dns-optimization` (6h, cache TTL + stub zones) **phpIPAM (IP Address Management)**: - Stack: `stacks/phpipam/` diff --git a/docs/architecture/vpn.md b/docs/architecture/vpn.md index be4d095e..fa74c06f 100644 --- a/docs/architecture/vpn.md +++ b/docs/architecture/vpn.md @@ -147,7 +147,7 @@ Headscale is a self-hosted alternative to Tailscale's commercial control plane. **Resolution flow**: 1. Client queries AdGuard for any domain. -2. If domain ends in `.lan`, AdGuard forwards to Technitium (10.0.20.101). +2. If domain ends in `.lan`, AdGuard forwards to Technitium (10.0.20.201). 3. For all other domains, AdGuard resolves directly via upstream (Cloudflare 1.1.1.1). 4. AdGuard caches responses, reducing load on Technitium and upstream.