From 1af615619bad4f103a9d0fc6ba926e03c9c94889 Mon Sep 17 00:00:00 2001 From: medusa Date: Mon, 4 Aug 2025 10:18:35 -0500 Subject: [PATCH] Update tech_docs/ddi_complete_debian.md --- tech_docs/ddi_complete_debian.md | 97 ++++++++++++++++++++++++++++++++ 1 file changed, 97 insertions(+) diff --git a/tech_docs/ddi_complete_debian.md b/tech_docs/ddi_complete_debian.md index 7574cf5..4e41aef 100644 --- a/tech_docs/ddi_complete_debian.md +++ b/tech_docs/ddi_complete_debian.md @@ -95,6 +95,103 @@ Everything is now perfectly symmetrical, predictable, and ready for future migra --- +Symmetry-first, engineer-grade DNS + DHCP design +(Everything lives on one Debian box running dnsmasq; the numbers look *clean*.) + +──────────────────────────────────────── +1. Naming & numbering symmetry + • Domain root  : `mycorp.net` + • LAN zone    : `lan.mycorp.net`  /24 → `10.0.0.0/24` + • DMZ zone    : `dmz.mycorp.net`  /24 → `10.0.1.0/24` + • Infrastructure subnet : `infra.mycorp.net` /28 → `10.0.255.0/28` + + Ranges within each /24 are split **exactly in half**: + • `.1` – `.126` → static (infra, printers, VIPs) + • `.129` – `.254` → DHCP pool (128 addresses each) + • `.127` reserved for broadcast (never handed out) + + Reverse zones are the *exact* mirror: + • `0.0.10.in-addr.arpa` + • `1.0.10.in-addr.arpa` + • `255.0.10.in-addr.arpa` + +──────────────────────────────────────── +2. Hostname scheme (fully symmetrical) + • Server itself  : `ns.infra.mycorp.net` → `10.0.255.1` + • Gateways    : `gw.lan.mycorp.net` → `10.0.0.1` + `gw.dmz.mycorp.net` → `10.0.1.1` + • Every host follows `role-seq.domain` + – Examples: `work-01.lan.mycorp.net`, `web-05.dmz.mycorp.net` + +──────────────────────────────────────── +3. Single `/etc/dnsmasq.d/00-symmetry.conf` + +``` +# ───── GLOBAL ───────────────────────── +domain-needed +bogus-priv +expand-hosts +local=/mycorp.net/ +server=1.1.1.1 +server=8.8.8.8 + +# ───── INFRA /28 ───────────────────── +# 10.0.255.0/28 (.1–.14 usable) +domain=infra.mycorp.net,10.0.255.0/28 +dhcp-range=set:infra,10.0.255.129,10.0.255.254,255.255.255.240,24h +dhcp-option=tag:infra,3,10.0.255.1 +dhcp-option=tag:infra,6,10.0.255.1 +ptr-record=255.0.10.in-addr.arpa,infra.mycorp.net + +# ───── LAN /24 ─────────────────────── +domain=lan.mycorp.net,10.0.0.0/24 +dhcp-range=set:lan,10.0.0.129,10.0.0.254,255.255.255.0,24h +dhcp-option=tag:lan,3,10.0.0.1 +dhcp-option=tag:lan,6,10.0.255.1 +ptr-record=0.0.10.in-addr.arpa,lan.mycorp.net + +# ───── DMZ /24 ─────────────────────── +domain=dmz.mycorp.net,10.0.1.0/24 +dhcp-range=set:dmz,10.0.1.129,10.0.1.254,255.255.255.0,24h +dhcp-option=tag:dmz,3,10.0.1.1 +dhcp-option=tag:dmz,6,10.0.255.1 +ptr-record=1.0.10.in-addr.arpa,dmz.mycorp.net + +# ───── STATIC HOSTS (symmetry enforced) +addn-hosts=/etc/dnsmasq-static-hosts +``` + +──────────────────────────────────────── +4. `/etc/dnsmasq-static-hosts` (mirrored layout) + +``` +# INFRA +10.0.255.1 ns.infra.mycorp.net +10.0.255.2 gw.infra.mycorp.net + +# LAN +10.0.0.1 gw.lan.mycorp.net +10.0.0.2 wifi-01.lan.mycorp.net +10.0.0.10 printer-01.lan.mycorp.net + +# DMZ +10.0.1.1 gw.dmz.mycorp.net +10.0.1.5 web-01.dmz.mycorp.net +10.0.1.6 db-01.dmz.mycorp.net +``` + +──────────────────────────────────────── +5. Apply & verify +```bash +systemctl restart dnsmasq +dig +short ns.infra.mycorp.net @127.0.0.1 # 10.0.255.1 +dig -x 10.0.0.150 @127.0.0.1 # hostname.lan.mycorp.net +``` + +Everything is now perfectly symmetrical, predictable, and ready for future migration to kea/BIND/NetBox without changing the addressing or naming scheme. + +--- + Here is a **scrubbed, zero-defect** integration guide. I’ve fixed every logic / syntax problem, tightened the symmetry, and kept the **“one-Debian-box”** promise.