AORXI Homelab
Networking

DNS Design

DNS architecture for the two-site homelab: public domain, internal zone, resolution flow, and certificate strategy.

DNS at AORXI uses a two-layer model: aorxi.io is the public domain registered on Cloudflare, and core.aorxi.io is the internal authoritative zone served by four Technitium DNS VMs. OPNsense Unbound acts as an interim resolver until those VMs are deployed in Phase 5.

Domains

DomainRoleAuthority
aorxi.ioPublic domainCloudflare
core.aorxi.ioInternal zone — all infrastructure hostnamesTechnitium (4× VMs)

core.aorxi.io is a subdomain of the public domain. This arrangement allows Let's Encrypt DNS-01 challenges to be satisfied through Cloudflare without exposing any internal records publicly. All infrastructure hostnames resolve only inside the homelab.

Resolution Flow

Interim: OPNsense Unbound

During Phase 4 and early Phase 5, OPNsense Unbound handles recursive resolution for all sites. Unbound remains active as a fallback resolver through the Technitium cutover and is disabled once the Technitium cluster is verified.

Target: Technitium DNS VMs

Four Technitium DNS VMs form a cluster managed from sa-dns-01. The cluster uses full recursive resolution from root servers — no forwarders.

sa-dns-01 is the single write endpoint; secondaries are read-only and receive zone updates via AXFR (DNS NOTIFY). sb-dns-01 and sb-dns-02 pull zone updates from sa-dns-01 over the WireGuard tunnel. If the tunnel is down, Site B nodes serve their last-replicated copy.

OPNsense DHCP at both sites hands out the two local Technitium VMs as DNS servers. Select VLANs additionally receive OPNsense RFC 2136 dynamic updates so new VMs auto-register A and PTR records in core.aorxi.io.

DNS Server Roles

HostnameSiteIPRole
sa-dns-01Site A10.10.30.10Primary — authoritative, write endpoint, cluster primary
sa-dns-02Site A10.10.30.11Secondary — AXFR from sa-dns-01 (local)
sb-dns-01Site B10.20.30.10Secondary — AXFR from sa-dns-01 via WireGuard
sb-dns-02Site B10.20.30.11Secondary — AXFR from sa-dns-01 via WireGuard

All four VMs run on VLAN 30 (VM Services). VM specifications, Technitium installation, zone replication configuration, and the OPNsense cutover procedure are on the DNS VMs page.

Site B replication requires WireGuard

sb-dns-01 and sb-dns-02 pull zone changes from sa-dns-01 over the WireGuard tunnel. If the tunnel is down, Site B VMs serve their last-replicated records. New or changed records will not appear on Site B until the tunnel recovers — acceptable for an infra-change workflow.

Certificate Strategy

All TLS certificates use publicly-trusted Let's Encrypt certs obtained via DNS-01 challenge through Cloudflare, covering both *.aorxi.io and *.core.aorxi.io. No private CA is needed.

How it works: cert-manager presents a DNS-01 challenge to Let's Encrypt, which requires placing a _acme-challenge TXT record in the public aorxi.io Cloudflare zone. Cloudflare resolves the challenge; Let's Encrypt issues the cert. Technitium does not serve any challenge record — the validation runs entirely through Cloudflare public DNS.

No root CA distribution required

Let's Encrypt certs are trusted by every browser and operating system out of the box. No manual CA trust setup on clients, Proxmox nodes, or Kubernetes pods.

The cert-manager ClusterIssuer, wildcard Certificate resources, and external-dns integration are covered on the CA & Certificates page.

  • DNS VMs — VM specs, Technitium cluster setup, zone replication, TSIG keys, OPNsense cutover
  • CA & Certificates — cert-manager ClusterIssuer, wildcard certs, external-dns integration
  • WireGuard — site-to-site tunnel required for cross-site zone replication
  • VLAN Reference — VLAN 30 (VM Services) where DNS VMs reside

On this page