01 Overview
DNS and DHCP are both handled by the UDR7's built-in DNS forwarder and DHCP server. Each VLAN gets its own DHCP scope and is handed the UDR7 as its DNS server, which gives a single control plane for all network segments:
- DNS rewrites — internal hostnames (e.g. argo.in.alybadawy.com) resolve to the k3s server IP without leaving the LAN.
- Per-VLAN DHCP scopes — each VLAN hands out addresses from its own 172.20.Y.0/24 range, with the UDR7 as gateway and DNS server.
- AREDN mesh forwarding — local.mesh queries are forwarded to the AREDN node at 10.6.229.9.
- Upstream forwarding — all other queries are forwarded to public upstream resolvers.
| Property | Value |
|---|---|
| Device | UniFi Dream Router 7 (UDR7) |
| DNS IP (per VLAN) | 172.20.Y.1 — each VLAN's gateway is its DNS server (e.g. VLAN 20 → 172.20.20.1, VLAN 10 → 172.20.10.1) |
| Management UI | UniFi Network application on UDR7 (172.20.1.1) |
| Upstream resolvers | Primary: CleanBrowsing-Security — blocks access to malicious websites and content. Secondary: CleanBrowsing-Family — blocks adult content and other inappropriate websites. |
02 DNS rewrites for cluster services
All *.in.alybadawy.com hostnames are rewritten in the UDR7 to the k3s server's IP address. Traffic never leaves the network for internal services — it hits the ingress-nginx controller directly on the LAN.
```
*.in.alybadawy.com →

# Examples of what resolves:
argo.in.alybadawy.com    → k3s server
vault.in.alybadawy.com   → k3s server
grafana.in.alybadawy.com → k3s server
auth.in.alybadawy.com    → k3s server
cloud.in.alybadawy.com   → k3s server
photos.in.alybadawy.com  → k3s server
```
The rewrite is a wildcard entry in the UniFi DNS settings. All subdomains under in.alybadawy.com resolve to the same IP — the k3s node's address on VLAN 20. ingress-nginx on the cluster then routes each hostname to the correct service based on the Ingress rules.
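A client-side check for this rewrite, added here as an example (it is not the page's or the homelab's own code). It sends raw A queries with the standard library only, so it runs from any VLAN client, and verifies two things: every *.in.alybadawy.com name returns exactly the k3s address from the VLAN resolver, and a public resolver never returns a private address for those names (the mapping must stay on the UDR7). The k3s address `K3S_IP` is an assumption, since the page does not state it; `sample_response` builds a constructed packet for offline testing, not a capture.

```python
"""Split-horizon check for the *.in.alybadawy.com rewrite.

Added example, not part of the original page. It sends raw DNS A queries
using only the standard library, so it runs from a client on any VLAN
without dnspython. K3S_IP is an assumption: the page does not state it.
"""
from __future__ import annotations

import ipaddress
import socket
import struct

K3S_IP = "172.20.20.10"        # ASSUMED k3s node address; substitute the real one
LAN_RESOLVER = "172.20.20.1"   # VLAN 20 gateway / DNS, as on the page
PUBLIC_RESOLVER = "1.1.1.1"    # any public resolver; used only for the leak check
ZONE = "in.alybadawy.com"
CLUSTER_HOSTS = ["argo", "vault", "grafana", "auth", "cloud", "photos"]


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode one A/IN question with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name, compressed or not."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg: bytes) -> list[str]:
    """Return the IPv4 addresses in the answer section; [] on any error RCODE."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:              # NXDOMAIN, SERVFAIL, REFUSED, ...
        return []
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record; CNAMEs are skipped
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def resolve_a(name: str, server: str, timeout: float = 2.0) -> list[str]:
    """Ask one resolver over UDP/53 and return the A records it answers with."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data)


def check_rewrite(lan_answers: dict[str, list[str]], expected_ip: str) -> list[str]:
    """Names whose LAN answer is not exactly [expected_ip] (rewrite missing or wrong)."""
    return [n for n, a in lan_answers.items() if a != [expected_ip]]


def check_no_leak(public_answers: dict[str, list[str]]) -> list[str]:
    """Names for which a public resolver returned a private address.

    The rewrite exists only on the UDR7; a private address from public DNS
    means the internal mapping was published in the Cloudflare zone.
    """
    return [n for n, a in public_answers.items()
            if any(ipaddress.ip_address(ip).is_private for ip in a)]


def sample_response(name: str, ip: str | None, rcode: int = 0) -> bytes:
    """Constructed test packet, not a capture: a reply to build_query(name).

    With ip set it carries one A record whose owner is a compression pointer
    to the question name at offset 12; with rcode != 0 it carries no answer.
    """
    q = build_query(name)
    ancount = 1 if ip and rcode == 0 else 0
    header = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, ancount, 0, 0)
    answer = b""
    if ancount:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + q[12:] + answer


if __name__ == "__main__":
    fqdns = [f"{h}.{ZONE}" for h in CLUSTER_HOSTS]
    lan = {n: resolve_a(n, LAN_RESOLVER) for n in fqdns}
    public = {n: resolve_a(n, PUBLIC_RESOLVER) for n in fqdns}
    print("rewrite mismatches:", check_rewrite(lan, K3S_IP) or "none")
    print("private addresses from public DNS:", check_no_leak(public) or "none")
```

Run it from a host on each VLAN in turn (the resolver address changes to that VLAN's 172.20.Y.1); an empty result for both checks means the wildcard rewrite is in place and nothing internal is exposed through public DNS. A non-empty leak list points at a record in the Cloudflare zone that should not be there.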
The in.alybadawy.com subdomain has CNAME records in Cloudflare pointing to alybadawy.com, left unproxied so that Cloudflare answers them as plain DNS. Certificates for these names come from cert-manager's DNS-01 ACME solver, which creates _acme-challenge.in.alybadawy.com TXT records through the Cloudflare API. Those names live inside the alybadawy.com zone, so Cloudflare's authoritative DNS serves them as soon as they are created; the CNAME is not what makes them resolvable, and the proxy toggle on the CNAME does not affect TXT records. The things that do matter are that the Cloudflare API token cert-manager holds is scoped to DNS edit on this one zone, and that no record in the zone answers for in.alybadawy.com with a LAN address. Public resolution of in.alybadawy.com intentionally yields nothing useful: the services are LAN-only.
03 AREDN mesh forwarding
All local.mesh DNS queries are forwarded to the AREDN mesh node at 10.6.229.9. This lets homelab devices resolve hostnames on the amateur radio mesh network without knowing any mesh-internal addresses.
| Domain | Forwarded to | Purpose |
|---|---|---|
| *.local.mesh | 10.6.229.9 | AREDN mesh node resolver — handles all mesh hostnames |
The local.mesh domain and its address ranges are managed entirely by the AREDN firmware; they are not under local control. See arednmesh.org for details on the mesh addressing model.
04 Per-VLAN DHCP
The UDR7 runs a DHCP scope for each VLAN. Clients on each segment get an address from their VLAN's 172.20.Y.0/24 range, with 172.20.Y.1 as both gateway and DNS server.
| VLAN | Subnet | Gateway / DNS |
|---|---|---|
| Management (1) | 172.20.1.0/24 | 172.20.1.1 |
| Personal (10) | 172.20.10.0/24 | 172.20.10.1 |
| VPN (15) | 172.20.15.0/24 | 172.20.15.1 |
| Servers (20) | 172.20.20.0/24 | 172.20.20.1 |
| Work (30) | 172.20.30.0/24 | 172.20.30.1 |
| IoT (100) | 172.20.100.0/24 | 172.20.100.1 |
| Guest (200) | 172.20.200.0/24 | 172.20.200.1 |