Service Contract: OpenWRT Bootstrap Resolver
Purpose
Authoritative DHCP/DNS front door for LAN/VPN clients; performs public recursion and conditionally forwards internal zones to Technitium while holding static overrides for recovery.
Exposure
- Category: Internal | VPN-only
- Ingress: Management
- DNS names: distributed via DHCP; management UI reachable via static IP
Identity
- AuthN: Local admin accounts
- AuthZ: Admin account required for configuration changes
- Break-glass account: Yes (documented in password vault)
Data
- Persistence: Persistent (config backups required)
- Data class: Standard
- Estimated storage growth: Negligible
Network
- Allowed source networks: LAN, VPN
- Egress requirements: Public DNS upstreams; Internet for firmware updates
Availability
- HA required: No (Phase 1 single resolver)
- Acceptable downtime: Short maintenance windows; restores must be priority
Backup
- Tier: Standard (export config before/after major changes)
- Restore test cadence: After firmware updates or quarterly
Dependencies
- Needs database: No
- Needs object storage: No
- Needs SMTP: No
- Other: Stable upstream DNS IPs
Observability
- Metrics: DNS query/error counters (if available)
- Logs: DNS and DHCP logs
- Alerts: Loss of upstream resolution; DHCP pool exhaustion
Change Control
- Deployment method: OpenWRT config/UI + git-backed config export
- Rollback plan: Restore last known-good config backup
Notes / Risks
Phase 1 single point of failure for DNS; keep static overrides for Technitium and ingress VIP to enable recovery.