Service Contract: Technitium DNS

Purpose

Authoritative DNS for internal service names, serving LAN/VPN clients and Kubernetes-ingress endpoints; optional recursion or forwarding to OpenWRT.

Exposure

Category: Internal | VPN-only
Ingress: Internal
DNS names: dns.risu.tech (internal-only)

Identity

AuthN: Local admin accounts
AuthZ: Admin role required for zone changes
Break-glass account: Yes (stored in password vault)

Data

Persistence: Persistent (zones/config)
Data class: Standard
Estimated storage growth: Minimal

Network

Allowed source networks: LAN, VPN, cluster nodes
Egress requirements: Upstream DNS IPs (public or OpenWRT)

Availability

HA required: High (for internal service resolution) but not required for platform bootstrap
Acceptable downtime: Minutes; recovery path via OpenWRT static overrides

Backup

Tier: Standard (regular export of zones/config)
Restore test cadence: After major upgrades or quarterly

Dependencies

Needs database: No (embedded)
Needs object storage: No
Needs SMTP: No
Other: Stable Service IP/VIP; upstream DNS reachable by IP

Observability

Metrics: Query rate, NXDOMAIN/servfail counts
Logs: Query/zone change logs
Alerts: Service availability; zone integrity errors

Change Control

Deployment method: Kubernetes (Talos) workload
Rollback plan: Redeploy previous version and restore last config backup

Notes / Risks

Must avoid DNS self-dependency: configure all upstreams and ExternalDNS endpoints by IP; keep WAN exposure disabled.