medusa/the_information_nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update tech_docs/its_the_new_style_design.md

Browse Source
This commit is contained in:
medusa
2025-08-04 16:17:59 -05:00
parent f4bc552baf
commit af3f476ca7
1 changed files with 111 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

111
tech_docs/its_the_new_style_design.md
View File

@@ -1,3 +1,114 @@
Below is a concise “decision + implementation” guide that folds the best-practice recommendations from the search results into a set of concrete steps you can take right now.
--------------------------------------------------------------------
1. When dnsmasq is the right tool
--------------------------------------------------------------------
• Small / medium networks (≤ a few hundred hosts per subnet).
• You need both DHCP and DNS and want the two to stay in sync automatically (lease → A/AAAA record).
• You do NOT need sub-second DHCP failover or thousands of leases; if you do, look at KEA-DHCP instead .
If those bullets fit, dnsmasq is an excellent lightweight choice.
--------------------------------------------------------------------
2. One file per scope / zone (best-practice layout)
--------------------------------------------------------------------
```
/etc/dnsmasq.d/
├── 00-global.conf # upstream DNS, log settings
├── 10-mgmt.conf # management VLAN 10
├── 20-guest.conf # guest VLAN 20
├── 30-iot.conf # IoT VLAN 30
└── 99-static-maps.conf # MAC→IP overrides for all subnets
```
This keeps each scope small, readable, and under version control.
--------------------------------------------------------------------
3. Minimal global file (00-global.conf)
--------------------------------------------------------------------
```
# Only answer on the internal NICs
interface=eno1
interface=eno2
bind-interfaces
# Upstream resolvers
no-resolv
server=1.1.1.1
server=8.8.8.8
# DNS search suffix handed out to every client
domain=my.lab
expand-hosts
# Lease file & logging
dhcp-leasefile=/var/lib/misc/dnsmasq.leases
log-dhcp # turn off in production if log volume is high
```
--------------------------------------------------------------------
4. Example per-scope file (10-mgmt.conf)
--------------------------------------------------------------------
```
# Tag every request that matches this range
dhcp-range=set:mgmt,192.168.10.50,192.168.10.199,255.255.255.0,24h
# Gateway and DNS for this subnet only
dhcp-option=tag:mgmt,3,192.168.10.1
dhcp-option=tag:mgmt,6,192.168.10.2 # this dnsmasq box
# Extra routes (optional)
dhcp-option=tag:mgmt,121,10.100.0.0/24,192.168.10.1
```
The same pattern is repeated for 20-guest.conf, 30-iot.conf, etc.
Each file is independent; you can reload or even move them to a second server without touching the others .
--------------------------------------------------------------------
5. Static reservations (99-static-maps.conf)
--------------------------------------------------------------------
```
# Printers, servers, APs, etc.
dhcp-host=aa:bb:cc:11:22:33,set:mgmt,192.168.10.10,infinite
dhcp-host=aa:bb:cc:44:55:66,set:iot,192.168.30.77,infinite
```
Using the `set:<tag>` syntax keeps the host in the correct subnet and inherits the subnet-specific options automatically.
--------------------------------------------------------------------
6. Authoritative vs. split-scope HA
--------------------------------------------------------------------
• Single server: add `dhcp-authoritative` to 00-global.conf.
• Two-server HA: run a second dnsmasq with a **non-overlapping pool** and add `dhcp-reply-delay=30` on the secondary so it only answers if the primary is dead .
--------------------------------------------------------------------
7. DNS integration tricks
--------------------------------------------------------------------
• Because every lease automatically creates a DNS record, you can reach every host by short name (`ping printer1`) or FQDN (`ping printer1.my.lab`).
• If you later need “real” DNS recursion (DNSSEC, DNS64, etc.) you can keep Unbound on port 53 and move dnsmasq to e.g. 5353, then forward Unbound → dnsmasq for the local zones .
--------------------------------------------------------------------
8. Quick validation checklist
--------------------------------------------------------------------
```
# syntax check
sudo dnsmasq --test
# restart
sudo systemctl restart dnsmasq
# watch the tags
sudo journalctl -fu dnsmasq | grep DHCPACK
```
From any client on VLAN 10 you should see:
```
DHCPACK(enp0s1) 192.168.10.50 aa:bb:cc:11:22:33 printer1
```
and `nslookup printer1` should resolve immediately.
--------------------------------------------------------------------
Bottom line
Start with dnsmasq, keep each subnet in its own file, tag everything, and youll have a clean, maintainable DHCP+DNS platform that follows the same patterns used in production labs today .
---
Here is a concise, step-by-step crash course that will get you productive with **dnsmasq** on a minimal Debian 12 server that you only reach via SSH. Here is a concise, step-by-step crash course that will get you productive with **dnsmasq** on a minimal Debian 12 server that you only reach via SSH.
Everything is copy-paste friendly; run the commands in the order shown. Everything is copy-paste friendly; run the commands in the order shown.