# Ticket: Standalone Unbound internal DNS service

## Metadata
- Type: Ticket
- Status: Done - MVP deployed with all ACs satisfied
- Project: Homelab Operations
- Created: 2026-06-07
- Updated: 2026-06-07
- Priority: High

## Goal

Deploy and manage Unbound as a standalone internal DNS service for homelab names, rather than using the OPNsense plugin as the primary DNS implementation.

## Why

Internal DNS should be a managed service Nimrod can operate consistently across Proxmox hosts and integrate with reverse proxy, Tailscale, service registration, and future automation.

## Scope

Included:
- Design standalone Unbound placement and resources.
- Verify Proxmox target resources before creation.
- Deploy Unbound as a managed VM/LXC service.
- Define service records for `dropcutstud.io` internal names.
- Integrate with router/DHCP/Tailscale DNS path as approved.
- Document backup/update/rollback.

Not included:
- Public DNS provider automation.
- Destructive router changes without explicit confirmation.

## Acceptance Criteria

This ticket is done when:
- [x] Unbound architecture and placement are documented.
- [x] Standalone Unbound service is deployed or an implementation spec is approved — CTID 106 `unbound` at `192.168.0.124`.
- [x] At least one internal service name resolves through Unbound — `search.dropcutstud.io` resolves to reverse proxy `192.168.0.137` via `dig @192.168.0.124`.
- [x] Reverse-proxy service names can be represented in Unbound records.
- [x] Runbook exists for adding/updating records — `runbooks/unbound-internal-dns.md`.
- [x] Backup/update/monitoring expectations are documented — backup configured, verified, and isolated restore-tested; update handling documented in Ansible managed-updates runbook; monitoring remains basic health checks/dashboard follow-up.

## Notes

- User requested standalone Unbound rather than OPNsense plugin.
- Coordinate with `tickets/active/2026-06-06-internal-dns-and-tailscale-naming.md` and reverse proxy ticket.
- 2026-06-07: Live preflight found sufficient resources. CTID 106 `unbound` deployed as standalone Unbound MVP with DHCP IP `192.168.0.124`; records currently include `search.dropcutstud.io -> 192.168.0.137`. Router/DHCP/Tailscale integration and stable reservation remain follow-up work.
- 2026-06-07: Config-level backup was configured, verified, copied off-guest to Nimrod, and isolated restore-tested using a temporary Unbound process on `127.0.0.1:1053` without production config overwrite.
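
An offline check to run against a restored config before or alongside the isolated restore test noted above, as an added example that is not part of this homelab's own tooling: it parses `local-data` A records and reports missing expected records, names outside `dropcutstud.io`, and targets outside RFC 1918 space. The sample config text, the RFC 1918 policy and the function names are assumptions made for the example; only `search.dropcutstud.io -> 192.168.0.137` comes from this ticket.

```python
import ipaddress
import re

ZONE = "dropcutstud.io"
# Expected records; only this one is stated in the ticket.
EXPECTED = {"search.dropcutstud.io": "192.168.0.137"}
# Assumption: internal targets must sit in RFC 1918 space.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of a restored config (assumed layout, not the real file).
SAMPLE_CONF = '''
server:
    local-zone: "dropcutstud.io." static
    local-data: "search.dropcutstud.io. IN A 192.168.0.137"
    # local-data: "old.dropcutstud.io. IN A 192.168.0.50"
    local-data: "git.dropcutstud.io. 300 IN A 203.0.113.9"
    local-data: "nas.example.net. A 192.168.0.20"
'''

# Matches: local-data: "<name> [ttl] [IN] A <ipv4>"
LOCAL_DATA = re.compile(
    r'^\s*local-data:\s*"(\S+?)\.?\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)"', re.I)

def parse_a_records(conf_text):
    """Return {name: ip} for uncommented local-data A records."""
    records = {}
    for line in conf_text.splitlines():
        m = LOCAL_DATA.match(line)
        if m:
            records[m.group(1).lower()] = m.group(2)
    return records

def audit(conf_text, expected=EXPECTED, zone=ZONE):
    """Return sorted findings; an empty list means the config passes."""
    records = parse_a_records(conf_text)
    findings = [f"missing-or-changed {n} (want {ip}, got {records.get(n)})"
                for n, ip in expected.items() if records.get(n) != ip]
    for name, ip in records.items():
        if name != zone and not name.endswith("." + zone):
            findings.append(f"outside-zone {name}")
        try:
            internal = any(ipaddress.ip_address(ip) in net for net in RFC1918)
        except ValueError:  # not a parseable address at all
            internal = False
        if not internal:
            findings.append(f"non-rfc1918-target {name} -> {ip}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)) or "OK")
```

An empty result from `audit()` means every expected record is present and nothing in the file points outside the zone or outside private address space.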
