Runbook: DNS Bootstrap & Recovery (OpenWRT + Technitium + ExternalDNS)

Purpose

Bring up or restore internal DNS while avoiding dependency loops. Applies to the split-horizon risu.tech domain, with OpenWRT as the bootstrap resolver, Technitium as the internal authority, and ExternalDNS for record automation.

Preconditions

  • OpenWRT reachable with admin access.
  • Reserved stable IPs/VIPs for Technitium and internal ingress.
  • Access to Kubernetes cluster (Talos) for Technitium/ExternalDNS deployments.

Bootstrap Steps (greenfield or re-seed)

  1. OpenWRT
    • Ensure DHCP is enabled and advertises OpenWRT itself as the DNS server to clients.
    • Verify public recursion works using upstream DNS IPs.
  2. Static overrides on OpenWRT
    • Add host overrides:
      • dns.risu.tech → Technitium IP/VIP
      • ingress-internal.risu.tech → internal ingress VIP (optional but recommended)
  3. Deploy Technitium
    • Deploy to the cluster with a stable Service IP/VIP.
    • Configure upstream resolvers by IP (public) or forward recursion to OpenWRT by IP.
    • Keep WAN exposure disabled.
  4. Conditional forward on OpenWRT
    • Add forward rule: risu.tech → Technitium IP/VIP.
  5. Deploy ExternalDNS
    • Scope with domain filters/ownership registry to internal hostnames only.
    • Set provider endpoint to the Technitium IP/VIP (not hostname).

Recovery: Technitium Down

  1. From a LAN/VPN client, confirm public DNS still works via OpenWRT.
  2. Use OpenWRT static overrides to reach the cluster ingress/UI.
  3. Restart Technitium workload; restore config/zones if needed.
  4. Validate conditional forwarding resumes and internal names resolve.

Recovery: ExternalDNS Down

  1. Confirm Technitium answers existing records.
  2. Restart ExternalDNS deployment; check logs for reconciliation success.

Recovery: OpenWRT DNS Down

  1. Clients lose DNS; bring OpenWRT back first (single resolver in Phase 1).
  2. Verify DHCP/DNS service restores; re-check conditional forward to Technitium.

Verification & Tests

  • Power-cycle the cluster with OpenWRT up: public DNS must still resolve.
  • Start cluster with Technitium intentionally delayed: control plane reachable via overrides.
  • Kill Technitium: public DNS works; internal names fail (expected).
  • Kill ExternalDNS: existing internal names resolve; no new records created.
  • WAN test: internal-only names do not resolve from cellular; LAN/VPN resolve to internal VIPs.

Notes

  • Keep all DNS dependencies by IP to avoid “DNS needs DNS.”
  • Once resolver redundancy exists, you may move clients to Technitium directly; update this runbook accordingly.
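Added example (not part of the original runbook): a small static checker for the "DNS needs DNS" rule above. It models the Phase 1 resolution path (OpenWRT is the only client-facing resolver, Technitium is authority for risu.tech, static overrides are answered by OpenWRT) and flags any dependency configured as a hostname instead of an IP/VIP, escalating to an error when the component could never resolve its own target. Component names, setting names and the 10.0.0.x addresses are constructed for illustration.

```python
import ipaddress

INTERNAL_ZONE = "risu.tech"


def is_ip_literal(target):
    """True if the dependency is given as an IP address, as the runbook requires."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def resolvers_needed(name, overrides):
    """Components that must be up before NAME resolves (Phase 1 model)."""
    if name in overrides:
        return {"openwrt"}                 # answered from an OpenWRT static host override
    if name == INTERNAL_ZONE or name.endswith("." + INTERNAL_ZONE):
        return {"openwrt", "technitium"}   # conditional forward on OpenWRT, then Technitium
    return {"openwrt"}                     # public recursion via OpenWRT


def check_dependencies(deps, overrides):
    """deps: {component: {setting: target}}. Returns (errors, warnings) as message lists."""
    errors, warnings = [], []
    for component, settings in deps.items():
        for setting, target in settings.items():
            if is_ip_literal(target):
                continue                   # by IP: no DNS needed to reach it
            needed = resolvers_needed(target, overrides)
            if component in needed:
                errors.append(f"{component}.{setting}={target}: loop, resolving it needs {component} itself")
            else:
                warnings.append(f"{component}.{setting}={target}: hostname dependency, use the IP/VIP")
    return errors, warnings


# Constructed sample configs (hypothetical addresses, not the real risu.tech values).
OVERRIDES = {"dns.risu.tech": "10.0.0.53"}
SAMPLE_DEPS = {
    "openwrt": {"forward_risu_tech": "10.0.0.53"},
    "technitium": {"upstream": "10.0.0.1"},
    "externaldns": {"provider_endpoint": "dns.risu.tech"},   # works, but violates "by IP"
}
BAD_DEPS = {
    "openwrt": {"forward_risu_tech": "dns.risu.tech"},       # OpenWRT would need itself
    "technitium": {"upstream": "dns.risu.tech"},             # Technitium would need itself
}

if __name__ == "__main__":
    for label, deps, ov in (("sample", SAMPLE_DEPS, OVERRIDES), ("bad", BAD_DEPS, {})):
        print(label, check_dependencies(deps, ov))
```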