claudetools/clients/cascades-tucson/docs/network/dns.md
Howard Enos 8d975c1b44 import: ingested 160 files from C:\Users\howar\Clients
Howard's personal MSP client documentation folder imported into shared
ClaudeTools repo via /import command. Scope:

Clients (structured MSP docs under clients/<name>/docs/):
- anaise       (NEW)  - 13 files
- cascades-tucson     - 47 files merged (existing had only reports/)
- dataforth           - 18 files merged (alongside incident reports)
- instrumental-music-center - 14 files merged
- khalsa       (NEW)  - 22 files, multi-site (camden, river)
- kittle       (NEW)  - 16 files incl. fix-pdf-preview, gpo-intranet-zone
- lens-auto-brokerage (NEW) - 3 files (name matches SOPS vault)
- _client_template    - 13-file scaffold for new clients

MSP tooling (projects/msp-tools/):
- msp-audit-scripts/ - server_audit.ps1, workstation_audit.ps1, README
- utilities/         - clean_printer_ports, win11_upgrade,
                       screenconnect-toolbox-commands

Credential handling:
- Extracted 1 inline password (Anaise DESKTOP-O8GF4SD / david)
  to SOPS vault: clients/anaise/desktop-o8gf4sd.sops.yaml
- Redacted overview.md with vault reference pattern
- Scanned all 160 files for keys/tokens/connection strings -
  no other credentials found

Skipped:
- Cascades/.claude/settings.local.json (per-machine config)
- Source-root CLAUDE.md (personal, claudetools has its own)
- scripts/server_audit.ps1 and workstation_audit.ps1 at source root
  (identical duplicates of msp-audit-scripts versions)

Memory updates:
- reference_client_docs_structure.md (layout, conventions, active list)
- reference_msp_audit_scripts.md (locations, ScreenConnect 80-char rule)

Session log: session-logs/2026-04-16-howard-client-docs-import.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-16 19:43:58 -07:00


# DNS Configuration
## Internal DNS Server (Unbound Resolver)
- Server: pfSense (pfsense.cascades.local)
- Server IP: 192.168.0.1
- DNSSEC: Enabled
- Prefetch: Enabled
- Active Interface: All
- Outgoing Interface: WAN
## DNS Forwarders (System DNS)
- Forwarder 1: 8.8.8.8 (Google)
- Forwarder 2: 1.1.1.1 (Cloudflare)
## Cache Settings
- Message Cache Size: 512
- Max TTL: 86400 (24 hours)
- Min TTL: 0
- Infra Host TTL: 900
- Infra Cache Hosts: 10000
## DHCP Integration
- Register DHCP leases in DNS: Yes
- Register DHCP static mappings: Yes
## Host Overrides
| Hostname | Domain | IP Address | Aliases |
|-------------|-----------------|----------------|---------------------------|
| cascadesds | cascades.local | 192.168.0.120 | synology.cascades.local |
## Windows DNS Server (AD-Integrated)
- Server: CS-SERVER (192.168.2.254)
- Required for: Active Directory domain resolution, SRV records, Kerberos, LDAP
### DNS Zones
| Zone | Type | AD-Integrated | Auto-Created | Notes |
|------|------|---------------|-------------|-------|
| cascades.local | Primary | Yes | No | Main AD zone |
| _msdcs.cascades.local | Primary | Yes | No | AD metadata zone |
| 0.in-addr.arpa | Primary | No | Yes | Auto-created reverse |
| 127.in-addr.arpa | Primary | No | Yes | Auto-created reverse |
| 255.in-addr.arpa | Primary | No | Yes | Auto-created reverse |
| TrustAnchors | Primary | Yes | No | DNSSEC trust anchors |
**NOTE (as found at audit time): no real reverse lookup zones existed** for any production subnet (192.168.0.0/22, 10.0.20.0/24, room VLANs); only the auto-created placeholder zones above. Reverse zones for the LAN /22 and INTERNAL were created 2026-03-06 (see DNS Issues status and Phase 2.1 below).
### Key DNS Records (cascades.local zone, as found before the 2026-03-06 cleanup)
| Hostname | Type | IP / Data | Timestamp | Notes |
|----------|------|-----------|-----------|-------|
| @ (cascades.local) | A | 192.168.0.5 | 3/25/2025 | **STALE — not current DC IP** |
| @ (cascades.local) | A | 192.168.2.59 | 9/22/2024 | **STALE — not current DC IP** |
| cs-server | A | 192.168.2.254 | Static | Correct DC record |
| ACCT2-PC | A | 10.0.20.209 | 3/2/2026 | Current |
| CRYSTAL-PC | A | 192.168.5.115 | 3/27/2025 | **STALE — should be 10.0.20.205** |
| CS-QB | A | 192.168.5.29 | 3/27/2025 | **STALE — should be 192.168.2.228** |
| DESKTOP-1ISF081 | A | 192.168.5.30 | 3/27/2025 | **192.168.5.x not a documented subnet** |
| DESKTOP-H6QHRR7 | A | 10.0.20.235 | 3/2/2026 | Current |
| Cascades-Probe | A | 192.168.3.155 | 4/23/2025 | Monitoring probe? |
| Probe | A | 192.168.5.160 | 3/14/2025 | Monitoring probe? |
| DomainDnsZones | A | 192.168.0.5 | 3/25/2025 | **STALE** |
| DomainDnsZones | A | 192.168.2.59 | 9/22/2024 | **STALE** |
| ForestDnsZones | A | 192.168.0.5 | 3/25/2025 | **STALE** |
| ForestDnsZones | A | 192.168.2.59 | 9/22/2024 | **STALE** |
### AD SRV Records (all point to cs-server.cascades.local)
- _gc._tcp (Global Catalog, port 3268)
- _kerberos._tcp (Kerberos, port 88)
- _kpasswd._tcp (Kerberos password, port 464)
- _ldap._tcp (LDAP, port 389)
- All registered 8/28/2024 — normal for single-DC environment
### DNS Issues — Status
1. ~~**Stale @ records**~~ **FIXED 2026-03-06.** Removed old 192.168.0.5 and 192.168.2.59. Added correct 192.168.2.254.
2. ~~**Stale computer records**~~ **FIXED 2026-03-06.** Removed CRYSTAL-PC (192.168.5.115), CS-QB (192.168.5.29), DESKTOP-1ISF081 (192.168.5.30).
3. ~~**No reverse lookup zones**~~ **FIXED 2026-03-06.** Created 5 reverse zones covering LAN /22 and INTERNAL.
4. ~~**DomainDnsZones/ForestDnsZones stale**~~ **FIXED 2026-03-06.** Removed old IPs, added 192.168.2.254.
## DNS Architecture (pfSense + Windows DNS)
- **pfSense Unbound** (192.168.0.1): Primary DNS resolver for all clients. Forwards external queries to 8.8.8.8 / 1.1.1.1. Registers DHCP leases.
- **Windows DNS** (192.168.2.254): Authoritative for cascades.local zone. Required for AD SRV records, Kerberos, LDAP lookups.
- **Forwarding relationship:** pfSense forwards `cascades.local` and `_msdcs.cascades.local` to 192.168.2.254 via Domain Overrides (added 2026-03-06, Phase 1.4 below), so AD names resolve through either resolver. Windows DNS should forward everything else to pfSense (192.168.0.1); whether that forwarder is actually set is still unverified (see CS-SERVER Forwarder Fix below).
- Domain-joined PCs may be using either 192.168.2.254 (as in the server's own configuration) or 192.168.0.1 (handed out by DHCP); which one each client actually gets has not been confirmed.
## Migration Plan — DNS Changes (Phase 1.4 + 2.1)
See `migration/phase2-server-prep.md` and `migration/scripts/phase2-dns-cleanup.ps1`.
### pfSense Domain Overrides (Phase 1.4) — DONE 2026-03-06
| Domain | Forward to | Purpose | Status |
|--------|-----------|---------|--------|
| `cascades.local` | 192.168.2.254 | AD domain resolution | ✅ Added |
| `_msdcs.cascades.local` | 192.168.2.254 | AD metadata zone | ✅ Added |
### CS-SERVER DNS Client Fix (Phase 1.4) — DONE 2026-03-06
~~CS-SERVER used pfSense (192.168.0.1) + 8.8.8.8 as DNS.~~ Fixed: now uses `127.0.0.1, 192.168.0.1`. Verified: both `cs-server.cascades.local` and `google.com` resolve correctly through localhost. Caveat: if the Windows DNS client ever fails over to the secondary, AD names keep resolving only because of the pfSense domain overrides above; keep those overrides in place for as long as 192.168.0.1 is listed on the DC, and never list a non-AD resolver ahead of the DC itself.
### CS-SERVER Forwarder Fix (Phase 1.4)
Set Windows DNS forwarder to `192.168.0.1` (pfSense) for external resolution. **TODO: Verify this is set.**
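The forwarder TODO above and the "needs verification" note in the DNS Architecture section can be closed with one check run on CS-SERVER. The script below is an added example, not part of the Cascades docs or the migration scripts: it asserts the Windows forwarder is exactly pfSense with root-hint fallback off, prints the DC's own DNS client order (expected `127.0.0.1, 192.168.0.1` per Phase 1.4), then resolves AD names and an external name through both 192.168.0.1 and 192.168.2.254. The AD lookups via pfSense prove the domain overrides; the external lookup via the DC proves the forwarder. It assumes an elevated session with the DnsServer module (RSAT-DNS-Server) installed; all addresses and names come from this page.

```powershell
# Added example, not part of the Cascades docs or migration scripts.
# Assumes: elevated PowerShell on CS-SERVER with the DnsServer module installed.
$Pfsense  = '192.168.0.1'
$Dc       = '192.168.2.254'
$Zone     = 'cascades.local'
$External = 'google.com'   # the same external name the 2026-03-06 check used

# 1. Windows DNS forwarder: must be exactly pfSense, with UseRootHint off so a
#    forwarder outage cannot silently fall back to direct internet recursion.
$fwd  = Get-DnsServerForwarder
$have = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
if ((Compare-Object @($Pfsense) $have) -or $fwd.UseRootHint) {
    Write-Warning ("Forwarders were [{0}] UseRootHint={1}; setting to {2}" -f ($have -join ', '), $fwd.UseRootHint, $Pfsense)
    Set-DnsServerForwarder -IPAddress $Pfsense -UseRootHint $false
}

# 2. The DC's own DNS client order (Phase 1.4: 127.0.0.1 first, then pfSense).
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { '{0}: {1}' -f $_.InterfaceAlias, ($_.ServerAddresses -join ', ') }

# 3. Resolution matrix: AD names through pfSense exercise the domain overrides,
#    the external name through the DC exercises the forwarder.
$queries = @(
    @{ Name = "cs-server.$Zone";      Type = 'A'   },
    @{ Name = "_ldap._tcp.$Zone";     Type = 'SRV' },
    @{ Name = "_kerberos._tcp.$Zone"; Type = 'SRV' },
    @{ Name = $External;              Type = 'A'   }
)
function Test-Resolution([string]$Server, [hashtable]$Query) {
    try {
        $r = Resolve-DnsName -Name $Query.Name -Type $Query.Type -Server $Server -DnsOnly -ErrorAction Stop
        $answer = if ($Query.Type -eq 'SRV') {
            ($r | Where-Object Type -eq 'SRV' | ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port }) -join ' '
        } else {
            ($r | Where-Object Type -eq 'A' | ForEach-Object { $_.IPAddress }) -join ' '
        }
        [pscustomobject]@{ Server = $Server; Query = $Query.Name; Type = $Query.Type; OK = [bool]$answer; Answer = $answer }
    } catch {
        [pscustomobject]@{ Server = $Server; Query = $Query.Name; Type = $Query.Type; OK = $false; Answer = $_.Exception.Message }
    }
}
$results = foreach ($s in @($Pfsense, $Dc)) { foreach ($q in $queries) { Test-Resolution $s $q } }
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.OK }) { Write-Warning 'At least one resolution path is broken; see table.' }
```

Every row should come back OK with the SRV answers pointing at `cs-server.cascades.local:389` and `:88`. If the pfSense column fails for A records of `cascades.local` hosts while the SRV lookups succeed, Unbound's DNS rebinding protection for private answers from a forwarded domain is the first thing to check on pfSense.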
### Stale Record Cleanup (Phase 2.1) — DONE 2026-03-06
All stale records removed and correct records added:
- ~~cascades.local @ → 192.168.0.5, 192.168.2.59~~ Removed. Added correct: @ → 192.168.2.254
- ~~CRYSTAL-PC → 192.168.5.115~~ Removed (will re-register correct IP via DHCP)
- ~~CS-QB → 192.168.5.29~~ Removed (will re-register correct IP via DHCP)
- ~~DESKTOP-1ISF081 → 192.168.5.30~~ Removed
- ~~DomainDnsZones → 192.168.0.5, 192.168.2.59~~ Removed. Added correct: → 192.168.2.254
- ~~ForestDnsZones → 192.168.0.5, 192.168.2.59~~ Removed. Added correct: → 192.168.2.254
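The cleanup list above was assembled by eye from the Key DNS Records table. The following script is an added example, not the client's `migration/scripts/phase2-dns-cleanup.ps1`: it audits every A record in `cascades.local` against the subnets documented on this page (192.168.0.0/22, 10.0.20.0/24) and against the rule that `@`, `DomainDnsZones` and `ForestDnsZones` may only carry the DC address, prints what it would remove, and removes only when run with `-Commit` (a switch that belongs to this script, not to any Microsoft cmdlet). It assumes an elevated session on CS-SERVER with the DnsServer module.

```powershell
# Added example, not the client's phase2-dns-cleanup.ps1. Dry run unless -Commit.
# Assumes: elevated PowerShell on CS-SERVER with the DnsServer module installed.
param([switch]$Commit)

$Zone    = 'cascades.local'
$DcIp    = '192.168.2.254'
$Subnets = @('192.168.0.0/22', '10.0.20.0/24')        # documented production ranges
$DcOwned = @('@', 'DomainDnsZones', 'ForestDnsZones')  # Netlogon registers these from the DC

function ConvertTo-Int64Ip([string]$Ip) {
    $o = $Ip.Split('.') | ForEach-Object { [int64]$_ }
    ($o[0] -shl 24) -bor ($o[1] -shl 16) -bor ($o[2] -shl 8) -bor $o[3]
}
function Test-InSubnet([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr.Split('/')
    $mask = ([int64][uint32]::MaxValue -shl (32 - [int]$bits)) -band [int64][uint32]::MaxValue
    ((ConvertTo-Int64Ip $Ip) -band $mask) -eq ((ConvertTo-Int64Ip $net) -band $mask)
}

$records = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A
$flagged = foreach ($r in $records) {
    $ip     = $r.RecordData.IPv4Address.IPAddressToString
    $reason = $null
    if ($DcOwned -contains $r.HostName) {
        if ($ip -ne $DcIp) { $reason = "DC-owned name must point only to $DcIp" }
    } elseif (-not ($Subnets | Where-Object { Test-InSubnet $ip $_ })) {
        $reason = "$ip is outside the documented subnets"
    }
    if ($reason) {
        [pscustomobject]@{
            HostName  = $r.HostName
            IP        = $ip
            Timestamp = $(if ($r.Timestamp) { $r.Timestamp.ToShortDateString() } else { 'Static' })
            Reason    = $reason
            Record    = $r
        }
    }
}

$flagged | Format-Table HostName, IP, Timestamp, Reason -AutoSize
foreach ($f in $flagged) {
    if ($Commit) {
        $f.Record | Remove-DnsServerResourceRecord -ZoneName $Zone -Force
        "removed: $($f.HostName) A $($f.IP)"
    } else {
        "dry run: would remove $($f.HostName) A $($f.IP)"
    }
}
# Re-creating the DC-owned names is Netlogon's job, not a hand-typed A record.
if ($Commit) { nltest /dsregdns }
```

Against the table as found, the dry run flags the two stale `@` records, the four stale `DomainDnsZones`/`ForestDnsZones` records, CRYSTAL-PC, CS-QB and DESKTOP-1ISF081, and also `Probe` (192.168.5.160), which the manual cleanup did not touch; anything in 192.168.5.x shows up because that range is not a documented subnet. Static records (no timestamp) such as `cs-server` are kept as long as they sit inside a documented range.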
### Enable Scavenging (Phase 2.1) — DONE 2026-03-06
- Server-level scavenging: enabled, 7-day interval ✅
- Zone aging on cascades.local: enabled ✅ (no-refresh and refresh intervals not recorded here; Windows defaults are 7 days each)
- First scavenge available: 3/13/2026. A zone becomes scavengeable one refresh interval (7 days) after aging is enabled, so 2026-03-06 + 7 days; that is the zone's availability date, not a 14-day window. Each record is eligible once its timestamp is older than no-refresh + refresh (14 days at defaults): the 2024/2025-dated records qualify at the first run on or after 3/13, while anything re-stamped on 2026-03-06 is not deletable before 3/20/2026.
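The two dates above (zone availability versus per-record eligibility) are easy to confuse, so the following added example, not part of the Cascades docs, derives them from the actual server and zone settings instead of assuming them. `Get-ScavengeWindow` is this example's own helper; the 7-day intervals used for the worked numbers are the Windows defaults. It assumes an elevated session on CS-SERVER with the DnsServer module.

```powershell
# Added example, not part of the Cascades docs.
# Assumes: elevated PowerShell on CS-SERVER with the DnsServer module installed.
$Zone = 'cascades.local'

function Get-ScavengeWindow {
    param([datetime]$AgingEnabled, [datetime]$RecordTimestamp,
          [timespan]$NoRefresh = '7.00:00:00', [timespan]$Refresh = '7.00:00:00')
    $zoneOpen = $AgingEnabled + $Refresh                   # zone's AvailForScavengeTime
    $recOpen  = $RecordTimestamp + $NoRefresh + $Refresh    # record older than the full window
    [pscustomobject]@{
        ZoneScavengeable = $zoneOpen
        RecordEligible   = $recOpen
        DeletableFrom    = $(if ($recOpen -gt $zoneOpen) { $recOpen } else { $zoneOpen })
    }
}

# Worked numbers from this page: aging enabled 2026-03-06.
# A record last stamped 3/25/2025 is deletable at the first run on/after 2026-03-13;
# a record re-registered on 2026-03-06 is not deletable before 2026-03-20.
Get-ScavengeWindow -AgingEnabled '2026-03-06' -RecordTimestamp '2025-03-25'
Get-ScavengeWindow -AgingEnabled '2026-03-06' -RecordTimestamp '2026-03-06'

# Live view on CS-SERVER: the real intervals, and when each dynamic record goes.
$srv  = Get-DnsServerScavenging
$zone = Get-DnsServerZoneAging -Name $Zone
'Server: scavenging={0} interval={1} lastRun={2}' -f $srv.ScavengingState, $srv.ScavengingInterval, $srv.LastScavengeTime
'Zone  : aging={0} noRefresh={1} refresh={2} availForScavenge={3}' -f $zone.AgingEnabled, $zone.NoRefreshInterval, $zone.RefreshInterval, $zone.AvailForScavengeTime
if (-not $zone.AgingEnabled) { Write-Warning "Aging is off on $Zone; nothing will ever be scavenged."; return }

Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { $_.Timestamp } |      # static records (no timestamp) are never scavenged
    ForEach-Object {
        $w = Get-ScavengeWindow -AgingEnabled ($zone.AvailForScavengeTime - $zone.RefreshInterval) `
                                -RecordTimestamp $_.Timestamp `
                                -NoRefresh $zone.NoRefreshInterval -Refresh $zone.RefreshInterval
        [pscustomobject]@{
            HostName      = $_.HostName
            IP            = $_.RecordData.IPv4Address.IPAddressToString
            Timestamp     = $_.Timestamp
            DeletableFrom = $w.DeletableFrom
        }
    } | Sort-Object DeletableFrom | Format-Table -AutoSize
```

`AvailForScavengeTime` on the zone object is the authoritative "first scavenge available" value; if it does not read 3/13/2026, the date in this document is the one to correct. Scavenging never touches static records, which is why `cs-server` must stay static and why the stale computer records had to be removed by hand rather than waited out.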
### Create Reverse Lookup Zones (Phase 2.1) — DONE 2026-03-06
All 5 reverse zones created (AD-integrated, Domain replication scope):
- 0.168.192.in-addr.arpa ✅
- 1.168.192.in-addr.arpa ✅
- 2.168.192.in-addr.arpa ✅
- 3.168.192.in-addr.arpa ✅
- 20.0.10.in-addr.arpa ✅
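Creating the five zones by hand is done; keeping them created (and populated) is the part that is easy to lose on a rebuild. The script below is an added example, not part of the Cascades docs or migration scripts: it creates any missing reverse zone for the documented /24s, AD-integrated with Domain replication scope as in Phase 2.1, then checks the DC's own PTR. `Get-ReverseZoneName` is this example's helper and only handles /24 boundaries, which is all this page documents. It assumes an elevated session on CS-SERVER with the DnsServer module.

```powershell
# Added example, not part of the Cascades docs or migration scripts. Idempotent.
# Assumes: elevated PowerShell on CS-SERVER with the DnsServer module installed.
$Subnets = @('192.168.0.0/24', '192.168.1.0/24', '192.168.2.0/24', '192.168.3.0/24', '10.0.20.0/24')
$DcIp    = '192.168.2.254'
$DcFqdn  = 'cs-server.cascades.local'

function Get-ReverseZoneName([string]$Cidr) {
    # 192.168.2.0/24 -> 2.168.192.in-addr.arpa (this page only documents /24 zones)
    $octets = ($Cidr.Split('/')[0]).Split('.')
    '{0}.{1}.{2}.in-addr.arpa' -f $octets[2], $octets[1], $octets[0]
}

foreach ($cidr in $Subnets) {
    $name = Get-ReverseZoneName $cidr
    if (Get-DnsServerZone -Name $name -ErrorAction SilentlyContinue) {
        "exists : $name"
    } else {
        # Secure-only dynamic updates: only authenticated domain members may add PTRs.
        Add-DnsServerPrimaryZone -NetworkId $cidr -ReplicationScope Domain -DynamicUpdate Secure
        "created: $name"
    }
}

# A reverse zone is only useful once it has PTRs. The DC's own PTR comes from
# Netlogon/ipconfig registration; DHCP clients must register theirs themselves, because
# pfSense's "Register DHCP leases in DNS" writes into Unbound's local data, not into
# these AD zones (the pfSense DHCP server's separate Dynamic DNS update option is not
# documented on this page).
$ptr = Resolve-DnsName -Name $DcIp -Type PTR -Server $DcIp -DnsOnly -ErrorAction SilentlyContinue
if ($ptr -and ($ptr.NameHost -eq $DcFqdn)) {
    "PTR ok: $DcIp -> $($ptr.NameHost)"
} else {
    "PTR missing for $DcIp; adding it"
    Add-DnsServerResourceRecordPtr -ZoneName (Get-ReverseZoneName '192.168.2.0/24') -Name '254' -PtrDomainName $DcFqdn
}
```

Run it again after the zones exist and every line should read `exists`; a `created` line on a second run means replication or zone creation failed the first time. For the workstations, `ipconfig /registerdns` on a domain-joined PC is what fills the new zones with PTRs.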
## External DNS
- Not documented yet (registrar, hosted DNS, etc.)
## Notes
- pfSense Unbound serves as the DNS resolver for all VLANs
- Room VLANs use their gateway (pfSense interface IP) as DNS server
- INTERNAL VLAN uses 192.168.0.1 explicitly as DNS
- 999GuruTestNet uses 10.0.99.1 as DNS