diff --git a/tech_docs/its_the_new_style_design.md b/tech_docs/its_the_new_style_design.md index 5aaf72f..4e558fe 100644 --- a/tech_docs/its_the_new_style_design.md +++ b/tech_docs/its_the_new_style_design.md 
@@ -1,3 +1,114 @@ +Below is a concise “decision + implementation” guide that folds the best-practice recommendations from the search results into a set of concrete steps you can take right now. + +-------------------------------------------------------------------- +1. When dnsmasq is the right tool +-------------------------------------------------------------------- +• Small / medium networks (≤ a few hundred hosts per subnet). +• You need both DHCP and DNS and want the two to stay in sync automatically (lease → A/AAAA record). +• You do NOT need sub-second DHCP failover or thousands of leases; if you do, look at KEA-DHCP instead . + +If those bullets fit, dnsmasq is an excellent lightweight choice. + +-------------------------------------------------------------------- +2. One file per scope / zone (best-practice layout) +-------------------------------------------------------------------- +``` +/etc/dnsmasq.d/ +├── 00-global.conf # upstream DNS, log settings +├── 10-mgmt.conf # management VLAN 10 +├── 20-guest.conf # guest VLAN 20 +├── 30-iot.conf # IoT VLAN 30 +└── 99-static-maps.conf # MAC→IP overrides for all subnets +``` +This keeps each scope small, readable, and under version control. + +-------------------------------------------------------------------- +3. Minimal global file (00-global.conf) +-------------------------------------------------------------------- +``` +# Only answer on the internal NICs +interface=eno1 +interface=eno2 +bind-interfaces + +# Upstream resolvers +no-resolv +server=1.1.1.1 +server=8.8.8.8 + +# DNS search suffix handed out to every client +domain=my.lab +expand-hosts + +# Lease file & logging +dhcp-leasefile=/var/lib/misc/dnsmasq.leases +log-dhcp # turn off in production if log volume is high +``` + +-------------------------------------------------------------------- +4. 
Example per-scope file (10-mgmt.conf) +-------------------------------------------------------------------- +``` +# Tag every request that matches this range +dhcp-range=set:mgmt,192.168.10.50,192.168.10.199,255.255.255.0,24h + +# Gateway and DNS for this subnet only +dhcp-option=tag:mgmt,3,192.168.10.1 +dhcp-option=tag:mgmt,6,192.168.10.2 # this dnsmasq box + +# Extra routes (optional) +dhcp-option=tag:mgmt,121,10.100.0.0/24,192.168.10.1 +``` +The same pattern is repeated for 20-guest.conf, 30-iot.conf, etc. +Each file is independent; you can reload or even move them to a second server without touching the others . + +-------------------------------------------------------------------- +5. Static reservations (99-static-maps.conf) +-------------------------------------------------------------------- +``` +# Printers, servers, APs, etc. +dhcp-host=aa:bb:cc:11:22:33,set:mgmt,192.168.10.10,infinite +dhcp-host=aa:bb:cc:44:55:66,set:iot,192.168.30.77,infinite +``` +Using the `set:` syntax keeps the host in the correct subnet and inherits the subnet-specific options automatically. + +-------------------------------------------------------------------- +6. Authoritative vs. split-scope HA +-------------------------------------------------------------------- +• Single server: add `dhcp-authoritative` to 00-global.conf. +• Two-server HA: run a second dnsmasq with a **non-overlapping pool** and add `dhcp-reply-delay=30` on the secondary so it only answers if the primary is dead . + +-------------------------------------------------------------------- +7. DNS integration tricks +-------------------------------------------------------------------- +• Because every lease automatically creates a DNS record, you can reach every host by short name (`ping printer1`) or FQDN (`ping printer1.my.lab`). +• If you later need “real” DNS recursion (DNSSEC, DNS64, etc.) you can keep Unbound on port 53 and move dnsmasq to e.g. 5353, then forward Unbound → dnsmasq for the local zones . 
+ +-------------------------------------------------------------------- +8. Quick validation checklist +-------------------------------------------------------------------- +``` +# syntax check +sudo dnsmasq --test + +# restart +sudo systemctl restart dnsmasq + +# watch the tags +sudo journalctl -fu dnsmasq | grep DHCPACK +``` +From any client on VLAN 10 you should see: +``` +DHCPACK(enp0s1) 192.168.10.50 aa:bb:cc:11:22:33 printer1 +``` +and `nslookup printer1` should resolve immediately. + +-------------------------------------------------------------------- +Bottom line +Start with dnsmasq, keep each subnet in its own file, tag everything, and you’ll have a clean, maintainable DHCP+DNS platform that follows the same patterns used in production labs today . + +--- + Here is a concise, step-by-step crash course that will get you productive with **dnsmasq** on a minimal Debian 12 server that you only reach via SSH. Everything is copy-paste friendly; run the commands in the order shown.
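Review bot: the validation example in section 8 contradicts the configuration shown earlier in this hunk. `99-static-maps.conf` reserves `192.168.10.10` for `aa:bb:cc:11:22:33`, yet the expected log line `DHCPACK(enp0s1) 192.168.10.50 aa:bb:cc:11:22:33 printer1` shows that same MAC receiving the first address of the dynamic pool, on an interface (`enp0s1`) that `00-global.conf` never lists (`interface=eno1` / `interface=eno2`); with `bind-interfaces` set, dnsmasq would not serve DHCP on `enp0s1` at all. Either change the sample output to `192.168.10.10` on `eno1` or change the reservation, so a reader can actually use that line to confirm the static map took effect. Two further points: the global file forwards everything unresolved to `1.1.1.1`/`8.8.8.8`, so queries for `my.lab` names that are not in the lease table (typos, hosts that have not leased yet) and reverse lookups for RFC 1918 addresses leak to public resolvers; adding `local=/my.lab/`, `domain-needed` and `bogus-priv` beside `no-resolv` keeps internal names on the box. And in section 6, `dhcp-reply-delay=30` does not make the secondary answer "only if the primary is dead": the secondary still replies to every DISCOVER, just 30 seconds later, and a client that ever accepts its offer keeps renewing from the secondary pool, so the text should present it as a preference mechanism rather than failover; 30 s is also long relative to typical client retransmit intervals, and a value of a few seconds is more realistic. Finally, the stray " ." before several full stops (e.g. "look at KEA-DHCP instead .") look like dropped citation markers and should be cleaned up before merge.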