DNS Design
DNS architecture for the two-site homelab: public domain, internal zone, resolution flow, and certificate strategy.
DNS at AORXI uses a two-layer model: aorxi.io is the public domain registered on Cloudflare, and core.aorxi.io is the internal authoritative zone served by four Technitium DNS VMs. OPNsense Unbound acts as an interim resolver until those VMs are deployed in Phase 5.
Domains
| Domain | Role | Authority |
|---|---|---|
aorxi.io | Public domain | Cloudflare |
core.aorxi.io | Internal zone — all infrastructure hostnames | Technitium (4× VMs) |
core.aorxi.io is a subdomain of the public domain. This arrangement allows Let's Encrypt DNS-01 challenges to be satisfied through Cloudflare without exposing any internal records publicly. All infrastructure hostnames resolve only inside the homelab.
Resolution Flow
Interim: OPNsense Unbound
During Phase 4 and early Phase 5, OPNsense Unbound handles recursive resolution for all sites. Unbound remains active as a fallback resolver through the Technitium cutover and is disabled once the Technitium cluster is verified.
Target: Technitium DNS VMs
Four Technitium DNS VMs form a cluster managed from sa-dns-01. The cluster uses full recursive resolution from root servers — no forwarders.
sa-dns-01 is the single write endpoint; secondaries are read-only and receive zone updates via AXFR (DNS NOTIFY). sb-dns-01 and sb-dns-02 pull zone updates from sa-dns-01 over the WireGuard tunnel. If the tunnel is down, Site B nodes serve their last-replicated copy.
OPNsense DHCP at both sites hands out the two local Technitium VMs as DNS servers. Select VLANs additionally receive OPNsense RFC 2136 dynamic updates so new VMs auto-register A and PTR records in core.aorxi.io.
DNS Server Roles
| Hostname | Site | IP | Role |
|---|---|---|---|
sa-dns-01 | Site A | 10.10.30.10 | Primary — authoritative, write endpoint, cluster primary |
sa-dns-02 | Site A | 10.10.30.11 | Secondary — AXFR from sa-dns-01 (local) |
sb-dns-01 | Site B | 10.20.30.10 | Secondary — AXFR from sa-dns-01 via WireGuard |
sb-dns-02 | Site B | 10.20.30.11 | Secondary — AXFR from sa-dns-01 via WireGuard |
All four VMs run on VLAN 30 (VM Services). VM specifications, Technitium installation, zone replication configuration, and the OPNsense cutover procedure are on the DNS VMs page.
Site B replication requires WireGuard
sb-dns-01 and sb-dns-02 pull zone changes from sa-dns-01 over the WireGuard tunnel. If the tunnel is down, Site B VMs serve their last-replicated records. New or changed records will not appear on Site B until the tunnel recovers — acceptable for an infra-change workflow.
Certificate Strategy
All TLS certificates use publicly-trusted Let's Encrypt certs obtained via DNS-01 challenge through Cloudflare, covering both *.aorxi.io and *.core.aorxi.io. No private CA is needed.
How it works: cert-manager presents a DNS-01 challenge to Let's Encrypt, which requires placing a _acme-challenge TXT record in the public aorxi.io Cloudflare zone. Cloudflare resolves the challenge; Let's Encrypt issues the cert. Technitium does not serve any challenge record — the validation runs entirely through Cloudflare public DNS.
No root CA distribution required
Let's Encrypt certs are trusted by every browser and operating system out of the box. No manual CA trust setup on clients, Proxmox nodes, or Kubernetes pods.
The cert-manager ClusterIssuer, wildcard Certificate resources, and external-dns integration are covered on the CA & Certificates page.
Related Pages
- DNS VMs — VM specs, Technitium cluster setup, zone replication, TSIG keys, OPNsense cutover
- CA & Certificates — cert-manager ClusterIssuer, wildcard certs, external-dns integration
- WireGuard — site-to-site tunnel required for cross-site zone replication
- VLAN Reference — VLAN 30 (VM Services) where DNS VMs reside
WireGuard Site-to-Site VPN
Site-to-site WireGuard tunnel between Site A and Site B: transit network, routed subnets, traffic policy, and build-sequence position.
CGNAT, Gaming & Remote Access
How Carrier-Grade NAT blocks inbound connections and the recommended fix: a WireGuard tunnel to a VPS with a public IPv4 address for gaming NAT type and remote access via OPNsense.