# DNS Configuration

## Internal DNS Server (Unbound Resolver)

- Server: pfSense (pfsense.cascades.local)
- Server IP: 192.168.0.1
- DNSSEC: Enabled
- Prefetch: Enabled
- Active Interface: All
- Outgoing Interface: WAN

## DNS Forwarders (System DNS)

- Forwarder 1: 8.8.8.8 (Google)
- Forwarder 2: 1.1.1.1 (Cloudflare)

## Cache Settings

- Message Cache Size: 512
- Max TTL: 86400 (24 hours)
- Min TTL: 0
- Infra Host TTL: 900
- Infra Cache Hosts: 10000

## DHCP Integration

- Register DHCP leases in DNS: Yes
- Register DHCP static mappings: Yes

## Host Overrides

| Hostname | Domain | IP Address | Aliases |
|---|---|---|---|
| cascadesds | cascades.local | 192.168.0.120 | synology.cascades.local |

## Windows DNS Server (AD-Integrated)

- Server: CS-SERVER (192.168.2.254)
- Required for: Active Directory domain resolution, SRV records, Kerberos, LDAP

### DNS Zones

| Zone | Type | AD-Integrated | Auto-Created | Notes |
|---|---|---|---|---|
| cascades.local | Primary | Yes | No | Main AD zone |
| _msdcs.cascades.local | Primary | Yes | No | AD metadata zone |
| 0.in-addr.arpa | Primary | No | Yes | Auto-created reverse |
| 127.in-addr.arpa | Primary | No | Yes | Auto-created reverse |
| 255.in-addr.arpa | Primary | No | Yes | Auto-created reverse |
| TrustAnchors | Primary | Yes | No | DNSSEC trust anchors |

**NOTE: No real reverse lookup zones exist** for any production subnet (192.168.0.0/22, 10.0.20.0/24, room VLANs). Only auto-created placeholder zones.
### Key DNS Records (cascades.local zone)

| Hostname | Type | IP / Data | Timestamp | Notes |
|---|---|---|---|---|
| @ (cascades.local) | A | 192.168.0.5 | 3/25/2025 | **STALE — not current DC IP** |
| @ (cascades.local) | A | 192.168.2.59 | 9/22/2024 | **STALE — not current DC IP** |
| cs-server | A | 192.168.2.254 | Static | Correct DC record |
| ACCT2-PC | A | 10.0.20.209 | 3/2/2026 | Current |
| CRYSTAL-PC | A | 192.168.5.115 | 3/27/2025 | **STALE — should be 10.0.20.205** |
| CS-QB | A | 192.168.5.29 | 3/27/2025 | **STALE — should be 192.168.2.228** |
| DESKTOP-1ISF081 | A | 192.168.5.30 | 3/27/2025 | **192.168.5.x not a documented subnet** |
| DESKTOP-H6QHRR7 | A | 10.0.20.235 | 3/2/2026 | Current |
| Cascades-Probe | A | 192.168.3.155 | 4/23/2025 | Monitoring probe? |
| Probe | A | 192.168.5.160 | 3/14/2025 | Monitoring probe? |
| DomainDnsZones | A | 192.168.0.5 | 3/25/2025 | **STALE** |
| DomainDnsZones | A | 192.168.2.59 | 9/22/2024 | **STALE** |
| ForestDnsZones | A | 192.168.0.5 | 3/25/2025 | **STALE** |
| ForestDnsZones | A | 192.168.2.59 | 9/22/2024 | **STALE** |

### AD SRV Records (all point to cs-server.cascades.local)

- _gc._tcp (Global Catalog, port 3268)
- _kerberos._tcp (Kerberos, port 88)
- _kpasswd._tcp (Kerberos password, port 464)
- _ldap._tcp (LDAP, port 389)
- All registered 8/28/2024 — normal for single-DC environment

### DNS Issues — Status

1. ~~**Stale @ records**~~ — **FIXED 2026-03-06.** Removed old 192.168.0.5 and 192.168.2.59. Added correct 192.168.2.254.
2. ~~**Stale computer records**~~ — **FIXED 2026-03-06.** Removed CRYSTAL-PC (192.168.5.115), CS-QB (192.168.5.29), DESKTOP-1ISF081 (192.168.5.30).
3. ~~**No reverse lookup zones**~~ — **FIXED 2026-03-06.** Created 5 reverse zones covering LAN /22 and INTERNAL.
4. ~~**DomainDnsZones/ForestDnsZones stale**~~ — **FIXED 2026-03-06.** Removed old IPs, added 192.168.2.254.
## DNS Architecture (pfSense + Windows DNS)

- **pfSense Unbound** (192.168.0.1): Primary DNS resolver for all clients. Forwards external queries to 8.8.8.8 / 1.1.1.1. Registers DHCP leases.
- **Windows DNS** (192.168.2.254): Authoritative for cascades.local zone. Required for AD SRV records, Kerberos, LDAP lookups.
- **Forwarding relationship:** Needs verification — pfSense should forward cascades.local queries to 192.168.2.254, and Windows DNS should forward external queries to pfSense or directly to internet resolvers.
- Domain-joined PCs likely use 192.168.2.254 as DNS (per server's own config) or 192.168.0.1 (per DHCP).

## Migration Plan — DNS Changes (Phase 1.4 + 2.1)

See `migration/phase2-server-prep.md` and `migration/scripts/phase2-dns-cleanup.ps1`.

### pfSense Domain Overrides (Phase 1.4) — DONE 2026-03-06

| Domain | Forward to | Purpose | Status |
|---|---|---|---|
| `cascades.local` | 192.168.2.254 | AD domain resolution | ✅ Added |
| `_msdcs.cascades.local` | 192.168.2.254 | AD metadata zone | ✅ Added |

### CS-SERVER DNS Client Fix (Phase 1.4) — DONE 2026-03-06

~~CS-SERVER used pfSense (192.168.0.1) + 8.8.8.8 as DNS.~~ Fixed: now uses `127.0.0.1, 192.168.0.1`. Verified — both `cs-server.cascades.local` and `google.com` resolve correctly through localhost.

### CS-SERVER Forwarder Fix (Phase 1.4)

Set Windows DNS forwarder to `192.168.0.1` (pfSense) for external resolution. **TODO: Verify this is set.**

### Stale Record Cleanup (Phase 2.1) — DONE 2026-03-06

All stale records removed and correct records added:

- ~~cascades.local @ → 192.168.0.5, 192.168.2.59~~ Removed. Added correct: @ → 192.168.2.254
- ~~CRYSTAL-PC → 192.168.5.115~~ Removed (will re-register correct IP via DHCP)
- ~~CS-QB → 192.168.5.29~~ Removed (will re-register correct IP via DHCP)
- ~~DESKTOP-1ISF081 → 192.168.5.30~~ Removed
- ~~DomainDnsZones → 192.168.0.5, 192.168.2.59~~ Removed. Added correct: → 192.168.2.254
- ~~ForestDnsZones → 192.168.0.5, 192.168.2.59~~ Removed. Added correct: → 192.168.2.254

### Enable Scavenging (Phase 2.1) — DONE 2026-03-06

- Server-level scavenging: enabled, 7-day interval ✅
- Zone aging on cascades.local: enabled ✅
- First scavenge available: 3/13/2026 (14-day aging window from enable date)

### Create Reverse Lookup Zones (Phase 2.1) — DONE 2026-03-06

All 5 reverse zones created (AD-integrated, Domain replication scope):

- 0.168.192.in-addr.arpa ✅
- 1.168.192.in-addr.arpa ✅
- 2.168.192.in-addr.arpa ✅
- 3.168.192.in-addr.arpa ✅
- 20.0.10.in-addr.arpa ✅

## External DNS

- Not documented yet (registrar, hosted DNS, etc.)

## Notes

- pfSense Unbound serves as the DNS resolver for all VLANs
- Room VLANs use their gateway (pfSense interface IP) as DNS server
- INTERNAL VLAN uses 192.168.0.1 explicitly as DNS
- 999GuruTestNet uses 10.0.99.1 as DNS
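The forwarding relationship is marked "Needs verification" and the CS-SERVER forwarder "TODO: Verify this is set" above. The PowerShell check below is an added example, not part of this runbook or of `phase2-dns-cleanup.ps1`; it assumes it runs on CS-SERVER with the DnsServer module available and uses only the addresses, zones and names documented on this page.

```powershell
# Added verification script (not the runbook's own code). Run on CS-SERVER as a DNS admin.
# All values come from this document; nothing is changed, every step is read-only.
$Pfsense = '192.168.0.1'
$Dc      = '192.168.2.254'
$Domain  = 'cascades.local'
$ReverseZones = '0.168.192.in-addr.arpa', '1.168.192.in-addr.arpa', '2.168.192.in-addr.arpa',
                '3.168.192.in-addr.arpa', '20.0.10.in-addr.arpa'
$results = [System.Collections.Generic.List[object]]::new()

function Check([string]$Name, [scriptblock]$Test) {
    # A failed lookup (NXDOMAIN, timeout, missing zone) throws; record it as a failure, not a crash.
    try   { $ok = [bool](& $Test); $detail = '' }
    catch { $ok = $false; $detail = $_.Exception.Message }
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $ok; Detail = $detail })
}

# 1. pfSense domain override: a cascades.local query sent to pfSense must be answered from the DC.
Check "pfSense forwards $Domain to DC" {
    (Resolve-DnsName -Name "cs-server.$Domain" -Type A -Server $Pfsense -DnsOnly).IPAddress -contains $Dc
}
# 2. Apex record: only the DC IP remains, no stale 192.168.0.5 / 192.168.2.59 answers.
Check 'Apex @ record points only to DC' {
    $ips = @((Resolve-DnsName -Name $Domain -Type A -Server $Dc -DnsOnly).IPAddress)
    ($ips -contains $Dc) -and ($ips.Count -eq 1)
}
# 3. AD SRV records reachable the way a DHCP client (DNS = pfSense) would look them up.
foreach ($svc in '_ldap', '_kerberos', '_kpasswd', '_gc') {
    Check "SRV $svc._tcp via pfSense" {
        (Resolve-DnsName -Name "$svc._tcp.$Domain" -Type SRV -Server $Pfsense -DnsOnly).NameTarget -contains "cs-server.$Domain"
    }
}
# 4. The Phase 1.4 TODO: Windows DNS forwards external queries to pfSense.
Check 'Windows DNS forwarder includes pfSense' {
    @((Get-DnsServerForwarder).IPAddress.IPAddressToString) -contains $Pfsense
}
# 5. End-to-end: an external name resolves through the DC (forwarder chain actually works).
Check 'External resolution via DC' {
    @((Resolve-DnsName -Name 'google.com' -Type A -Server $Dc -DnsOnly)).Count -gt 0
}
# 6. Phase 2.1 reverse zones exist and are AD-integrated.
foreach ($zone in $ReverseZones) {
    Check "Reverse zone $zone is AD-integrated" { (Get-DnsServerZone -Name $zone).IsDsIntegrated }
}
# 7. Scavenging on at server level, aging on for the forward zone.
Check 'Server scavenging enabled' { (Get-DnsServerScavenging).ScavengingState }
Check "Aging enabled on $Domain"  { (Get-DnsServerZoneAging -Name $Domain).AgingEnabled }

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }   # non-zero exit lets a scheduled run flag drift
```

A non-zero exit on any row means the documented state and the live state have diverged; the Detail column carries the underlying error for the failing check.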