# Ticket: Fix homelab DNS plan

## Metadata
- Type: Ticket
- Status: Planned
- Project: Network / Infrastructure
- Created: 2026-05-14
- Updated: 2026-05-17
- Priority: Medium

## Goal

Clarify and improve the home network DNS setup so local services can be reached predictably without confusion between public DNS, LAN DNS, reverse proxies, and Tailscale.

## Why

The current network has OPNsense running Unbound, a separate Caddy LXC, public DNS for `dropcutstud.io`, and Tailscale. The user is not happy with the current DNS configuration and wants to understand and fix it deliberately rather than keep layering workarounds on top of each other.

## Current Known Facts

- OPNsense runs Unbound for local DNS.
- A separate LXC runs Caddy, but Caddy configuration is causing errors and is now on the back burner.
- `nc.dropcutstud.io` currently resolves publicly to the WAN/public IP.
- Nextcloud VM LAN IP: `192.168.0.110`.
- Nextcloud Tailscale IP: `100.76.27.77`.
- Nextcloud is currently reachable directly on port `8080` (not via Caddy).

## Scope

Included:
- Document current DNS flow
- Identify all DNS sources of truth
- Decide desired naming pattern for LAN services
- Decide how Tailscale should interact with DNS
- Produce a simple DNS plan and migration steps

Not included:
- Fixing Caddy immediately
- Public exposure of services
- Major firewall/routing changes without separate spec

## Questions

- What is the OPNsense LAN IP?
- Are LAN clients using OPNsense as their DNS server via DHCP?
- Is Tailscale MagicDNS enabled?
- Should internal services use `*.dropcutstud.io`, a separate internal domain such as `home.arpa` (the RFC 8375 special-use domain for home networks, which public resolvers do not answer for), or both?
- Should Tailscale clients resolve the same names as LAN clients?

## Next Actions

- [ ] Inventory current DNS: OPNsense Unbound, DHCP DNS settings, public DNS records, Tailscale DNS settings
- [ ] Draw simple current-state diagram
- [ ] Choose target-state DNS design
- [ ] Implement one low-risk host override as a test

## 2026-05-17 Spec Advancement

Confidence level: medium for current facts; low for target DNS design until OPNsense/Tailscale settings are inventoried.

Decisions now stable:
- DNS/Caddy should not block current Nextcloud and Pi assistant work.
- The first DNS fix should be a low-risk internal host override, not public exposure.
- Public `nc.dropcutstud.io` behavior must be separated from LAN/Tailscale service naming.

Refined next milestone:
- Produce a current-state DNS map and test one reversible LAN-only name for Nextcloud.

Updated next actions:
- [ ] Inventory OPNsense LAN IP, DHCP DNS server, Unbound overrides, Tailscale MagicDNS, and public DNS records.
- [ ] Choose test hostname: likely `nextcloud.home.arpa` or a LAN-only override for `nc.dropcutstud.io`. Note that a LAN-only override for `nc.dropcutstud.io` makes that name split-horizon: clients using Unbound get the LAN IP, while public clients and any Tailscale client not using Unbound get the WAN IP. A separate `home.arpa` name avoids that overlap.
- [ ] Implement one reversible Unbound host override and verify from one LAN client, confirming that the client actually uses OPNsense as its resolver (compare the answer from the LAN resolver with the answer from a public resolver).
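To make the "verify from one LAN client" step concrete, the following shell script is an added example and not part of the ticket. It classifies whichever address a name resolves to as LAN (RFC 1918), Tailscale (100.64.0.0/10 CGNAT range), or public, and then compares the LAN resolver's view of the test name with the public view. The OPNsense LAN IP is still an open question in the ticket, so `LAN_DNS` is a placeholder to be overridden; `1.1.1.1` as the public resolver and `203.0.113.5` in the comments are assumptions, and `dig` must be installed. The addresses `192.168.0.110` and `100.76.27.77` are the ones recorded above.

```shell
#!/bin/sh
# Added example (not from the ticket): check where a DNS answer points and
# compare the LAN resolver's view of a name with the public view.
# Assumes dig is installed. LAN_DNS is a placeholder until the OPNsense LAN IP
# is inventoried; PUBLIC_DNS is any public resolver (1.1.1.1 is an assumption).

# classify_ip A.B.C.D -> prints one of: lan | tailscale | loopback | public | none | invalid
classify_ip() {
    ip=$1
    case "$ip" in
        "") echo none; return 0 ;;
        *[!0-9.]*|*..*|.*|*.) echo invalid; return 0 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    if [ $# -ne 4 ]; then echo invalid; return 0; fi
    for o in "$@"; do
        if [ -z "$o" ] || [ "$o" -gt 255 ]; then echo invalid; return 0; fi
    done
    a=$1; b=$2
    if [ "$a" -eq 10 ]; then echo lan                                   # 10.0.0.0/8
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then echo lan   # 172.16.0.0/12
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then echo lan            # 192.168.0.0/16
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then echo tailscale  # 100.64.0.0/10
    elif [ "$a" -eq 127 ]; then echo loopback
    else echo public
    fi
}

# resolve_a NAME RESOLVER -> first A record returned by RESOLVER, empty if none
resolve_a() {
    dig +short +time=2 +tries=1 "@$2" "$1" A 2>/dev/null \
        | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# check_view NAME RESOLVER EXPECTED_CLASS -> 0 if the answer's class matches
check_view() {
    name=$1; resolver=$2; expected=$3
    addr=$(resolve_a "$name" "$resolver")
    got=$(classify_ip "$addr")
    printf '%-24s via %-15s -> %-15s [%s]\n' "$name" "$resolver" "${addr:-<no A record>}" "$got"
    [ "$got" = "$expected" ]
}

# The override under test, in plain Unbound syntax. The OPNsense "Host override"
# GUI generates the equivalent; it is shown here only to make the intent explicit:
#   local-data: "nextcloud.home.arpa. IN A 192.168.0.110"
run_checks() {
    LAN_DNS=${LAN_DNS:-192.168.0.1}     # placeholder: OPNsense LAN IP not yet inventoried
    PUBLIC_DNS=${PUBLIC_DNS:-1.1.1.1}   # assumption: any public resolver will do
    rc=0
    # LAN view: the test name must answer with the Nextcloud LAN address.
    check_view nextcloud.home.arpa "$LAN_DNS" lan || rc=1
    # Public view: home.arpa must not resolve at all outside the LAN.
    check_view nextcloud.home.arpa "$PUBLIC_DNS" none || rc=1
    # Public view: the public record must keep pointing at a public (WAN) address.
    check_view nc.dropcutstud.io "$PUBLIC_DNS" public || rc=1
    # A LAN or Tailscale address in a public answer would leak internal addressing
    # into public DNS, which the ticket explicitly wants kept separate.
    pub=$(resolve_a nc.dropcutstud.io "$PUBLIC_DNS")
    case "$(classify_ip "$pub")" in
        lan|tailscale) echo "LEAK: public DNS returns internal address $pub for nc.dropcutstud.io"; rc=1 ;;
    esac
    return $rc
}

# Run as: LAN_DNS=<opnsense-lan-ip> sh dnscheck.sh run
if [ "${1:-}" = run ]; then run_checks; fi
```

Run it from the LAN client under test with `LAN_DNS` set to the OPNsense address; a non-zero exit means one of the three views is wrong. If the LAN view fails while `dig @<opnsense-ip>` succeeds, the client is not using OPNsense as its resolver (check the DHCP DNS setting or a Tailscale MagicDNS override), which is exactly the inventory question the ticket still has open.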

## Notes

- This is intentionally separated from the Nextcloud deployment to reduce overwhelm.
