DNS Architecture
Decision authority: ADR-0041 — Internal Resolution Strategy (Accepted 2026-04-27)
Overview
Internal DNS on the Archon platform is split across two services (AdGuard Home and
Pi-hole) with a known fragmentation problem: most LAN nodes receive Bell ISP DNS
from DHCP and therefore cannot resolve internal peries.ca names through the OS
resolver. The target state (WI-248) consolidates authority for peries.ca into
Technitium behind AdGuard and hands AdGuard to every node via DHCP, so that no
node depends on a static resolv.conf or on the CoreDNS bridge to reach internal names.
Current state
LAN clients (DHCP from Bell Giga Hub)
└── DNS: REDACTED (Bell) + 207.164.234.193 (Bell ISP)
↑ peries.ca resolves: NO
caneast-site1-node2 (static resolv.conf — WI-305)
Primary: REDACTED AdGuard Home
Secondary: REDACTED Pi-hole (wlan0) ← 42K queries/day
Fallback: 1.1.1.1
↑ bypasses AdGuard filtering and has no peries.ca records; any query that lands here fails for internal names
AdGuard Home — caneast-site1-node2:[REDACTED] (Docker, host-network)
├── 11 DNS rewrites (peries.ca zone — see table below)
├── Upstream: Quad9 DoH + Cloudflare DoH
└── Filtering: AdGuard DNS filter
Pi-hole v6 — caneast-site1-node1:[REDACTED] (native service)
├── No peries.ca records
├── Upstream: Quad9 plain UDP
└── Clients: caneast-site1-node2 (secondary), CanEast AI Node Windows, unknown REDACTED
k3s pods (all nodes)
└── CoreDNS → CoreDNS-custom (peries.ca) → AdGuard REDACTED:[REDACTED]
↑ temporary bridge — WI-345; removed in Phase 6
Node resolver summary
| Node | DNS source | Primary resolver | peries.ca works? |
| --- | --- | --- | --- |
| caneast-site1-node1 | Tailscale-managed resolv.conf | 100.100.100.100 | Via Tailscale only |
| caneast-site1-node2 | Static (WI-305) | AdGuard REDACTED | Yes |
| caneast-site1-node3 | systemd-resolved, DHCP | ISP gateway REDACTED | No — NXDOMAIN |
| caneast-site1-node4 | systemd-resolved, DHCP | ISP gateway REDACTED | No — NXDOMAIN |
| CanEast AI Node WSL | WSL-generated | REDACTED (WSL) | Via Windows host DNS |
AdGuard rewrites (current)
| Domain | Answer | Notes |
| --- | --- | --- |
| *.peries.ca | REDACTED | Wildcard catch-all |
| *.caneast-site1-node3.peries.ca | REDACTED | Overrides wildcard |
| grafana-platform.peries.ca | REDACTED | Explicit override |
| chat.peries.ca | REDACTED | OpenClaw frontend |
| openclaw.peries.ca | REDACTED | OpenClaw backend |
| openclaw-node3.peries.ca | REDACTED | Explicit override |
| cmms.peries.ca | REDACTED | Explicit override |
| caneast-site1-node4.peries.ca | REDACTED | Node record |
| caneast-site1-node2.home | REDACTED | .home shortname |
| caneast-site1-node1.home | REDACTED | .home shortname (bug — wlan0, not eth0 REDACTED) |
| caneast-site1-node3.home | REDACTED | .home shortname |
| caneast-site1-node4.home | REDACTED | .home shortname |
This table lists 12 rewrites, while the current-state tree and the target state both count 11. Reconcile the list against the live AdGuard configuration before Phase 2 so that no record is dropped or duplicated in the migration. Note also that the four .home shortnames are not in the peries.ca zone: the target state's per-domain upstream sends .home to Technitium as well, so Technitium needs a home zone (or equivalent records) in addition to peries.ca.
Target state (WI-248)
Bell Giga Hub DHCP (updated)
└── DNS1: REDACTED AdGuard (filtering layer)
└── DNS2: REDACTED Technitium replica (HA secondary)
AdGuard Home (caneast-site1-node2) — unchanged for clients
├── Filtering retained
├── Per-domain upstream: [/peries.ca/][/.home/] → Technitium local
└── External upstream: Quad9 DoH + Cloudflare DoH (unchanged)
Technitium primary (caneast-site1-node2 — port 5380)
↑ 5380 is Technitium's web console port; AdGuard already binds :53 on this host (host-network), so the Technitium DNS listener must use a different port or address and AdGuard's per-domain upstream must point at that listener
├── peries.ca zone (authoritative)
├── All 11 AdGuard rewrites migrated as A records
├── Prometheus metrics
└── Zone sync → replica
Technitium replica (caneast-site1-node1 — replaces Pi-hole)
└── Read-only zone sync from primary
caneast-site1-node3, caneast-site1-node4 (after DHCP update)
└── AdGuard REDACTED → Technitium → peries.ca resolved
CoreDNS bridge (WI-345)
└── Removed in Phase 6 once all nodes receive AdGuard via DHCP
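The following is an added example written for this page, not code from AdGuard Home, Technitium or the Archon repository. It models the resolution path a LAN client's query takes in the target state (the rewrite precedence behind the "overrides wildcard" note in the table above, then the per-domain upstream selection) and generates the zone records that Phase 2 migrates into Technitium, including the separate home zone the .home shortnames need. Everything concrete is an assumption: the addresses are constructed RFC 5737 documentation values standing in for the redacted ones, the Technitium listener port 5353 is chosen to avoid AdGuard's :53 on the same host, and the matching rules (exact rewrite beats wildcard, longest wildcard suffix wins, wildcard does not cover the apex) are the model's reading of the page, to be checked against the running AdGuard version.

```python
"""Model of AdGuard rewrite precedence and per-domain upstream routing, plus the
zone records Phase 2 migrates into Technitium.

Added example for this page, not the platform's code. Addresses are constructed
(RFC 5737 TEST-NET-1); real ones are redacted on the page.
"""

# Constructed sample addresses, one per node (assumption).
NODE = {
    "node1_eth0": "192.0.2.11",
    "node1_wlan0": "192.0.2.19",   # the wrong answer behind stop condition 3
    "node2": "192.0.2.12",
    "node3": "192.0.2.13",
    "node4": "192.0.2.14",
}

# The page's rewrite table with constructed answers (same domains, same order).
REWRITES = [
    ("*.peries.ca", NODE["node2"]),
    ("*.caneast-site1-node3.peries.ca", NODE["node3"]),
    ("grafana-platform.peries.ca", NODE["node2"]),
    ("chat.peries.ca", NODE["node2"]),
    ("openclaw.peries.ca", NODE["node2"]),
    ("openclaw-node3.peries.ca", NODE["node3"]),
    ("cmms.peries.ca", NODE["node2"]),
    ("caneast-site1-node4.peries.ca", NODE["node4"]),
    ("caneast-site1-node2.home", NODE["node2"]),
    ("caneast-site1-node1.home", NODE["node1_wlan0"]),  # known bug: should be eth0
    ("caneast-site1-node3.home", NODE["node3"]),
    ("caneast-site1-node4.home", NODE["node4"]),
]

# Target-state routing: zone suffix -> upstream. Port 5353 is an assumed
# Technitium DNS listener; AdGuard already holds :53 on node2 and 5380 is the
# Technitium web console, not its DNS port.
TECHNITIUM = "192.0.2.12:5353"
ROUTES = {"peries.ca": TECHNITIUM, "home": TECHNITIUM}
EXTERNAL = "quad9-doh"  # stands in for the external DoH upstreams


def rewrite_lookup(name, rewrites=REWRITES):
    """Return the rewrite answer for name, or None when no rewrite applies.

    Assumed rules: an exact entry always wins; among wildcards the one with the
    longest suffix wins (so *.caneast-site1-node3.peries.ca beats *.peries.ca);
    a wildcard covers subdomains only, not the apex itself.
    """
    name = name.rstrip(".").lower()
    best, best_len = None, -1
    for pattern, answer in rewrites:
        pattern = pattern.lower()
        if pattern == name:
            return answer
        if pattern.startswith("*."):
            suffix = pattern[1:]                      # "*.peries.ca" -> ".peries.ca"
            if name.endswith(suffix) and len(suffix) > best_len:
                best, best_len = answer, len(suffix)
    return best


def choose_upstream(name, routes=ROUTES, default=EXTERNAL):
    """Pick the upstream a query is forwarded to when no rewrite matched."""
    name = name.rstrip(".").lower()
    best, best_len = default, -1
    for zone, upstream in routes.items():
        if (name == zone or name.endswith("." + zone)) and len(zone) > best_len:
            best, best_len = upstream, len(zone)
    return best


def resolve(name):
    """Path of one query through AdGuard: local rewrite, else forward."""
    answer = rewrite_lookup(name)
    if answer is not None:
        return ("rewrite", answer)
    return ("forward", choose_upstream(name))


def zone_records(rewrites=REWRITES):
    """Group rewrites into per-zone BIND-style A records for the Technitium import.

    The .home shortnames are not in peries.ca, so a second 'home' zone is emitted;
    the phase table does not call this out. Zone-file import is assumed to be the
    mechanism used; check it against the Technitium version deployed.
    """
    zones = {}
    for pattern, answer in rewrites:
        zone = "peries.ca" if pattern.endswith(".peries.ca") else pattern.split(".", 1)[1]
        owner = pattern[: -len(zone) - 1]            # "*", "chat", "caneast-site1-node1", ...
        zones.setdefault(zone, []).append(f"{owner:<36} IN A {answer}")
    return zones


def lint_home_records(rewrites=REWRITES, expected=None):
    """Return (domain, actual, expected) for .home records with the wrong answer.

    Default expectation encodes stop condition 3: node1.home must be its eth0 address.
    """
    expected = expected or {"caneast-site1-node1.home": NODE["node1_eth0"]}
    return [(d, a, expected[d]) for d, a in rewrites if d in expected and a != expected[d]]


if __name__ == "__main__":
    for q in ("chat.peries.ca", "api.caneast-site1-node3.peries.ca", "peries.ca", "example.com"):
        print(q, "->", resolve(q))
    for zone, records in zone_records().items():
        print(f"$ORIGIN {zone}.")
        print("\n".join(records))
    print("lint:", lint_home_records())
```

Run it before Phase 2 with the real addresses substituted: `zone_records()` gives the two zone fragments to import, `lint_home_records()` must return an empty list once the Phase 1 fix is applied, and `resolve("peries.ca")` shows that the apex itself is not covered by the wildcard rewrite and so only resolves once Technitium holds the zone.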
Migration phases (WI-248)
| Phase | Name | Key actions |
| --- | --- | --- |
| 1 | Pre-migration hygiene | Identify REDACTED; fix caneast-site1-node1.home rewrite bug; confirm CanEast AI Node Windows DNS |
| 2 | Deploy Technitium primary | caneast-site1-node2; create peries.ca zone; AdGuard per-domain upstream |
| 3 | Deploy Technitium replica | caneast-site1-node1; primary→replica sync |
| 4 | Update resolv.conf + DHCP | caneast-site1-node2 secondary → Technitium replica; Bell Hub DHCP DNS update |
| 5 | Retire Pi-hole | Zero traffic confirmed; stop Pi-hole on caneast-site1-node1 |
| 6 | Remove CoreDNS bridge | All nodes resolve via DHCP DNS; remove kube-system custom stanza |
See ADR-0041 for full decision rationale and stop conditions.
Open stop conditions (before Phase 4/5)
| # | Condition | Status |
| --- | --- | --- |
| 1 | Identify REDACTED (MAC 5c:c1:d7:8b:3a:ec, Huawei OUI) | Open |
| 2 | Confirm CanEast AI Node Windows DNS → AdGuard | Open |
| 3 | Fix caneast-site1-node1.home rewrite (→ REDACTED eth0) | Open — Phase 1 |
Related work items
| WI | Title | State |
| --- | --- | --- |
| WI-248 | Technitium DNS migration | Active |
| WI-345 | CoreDNS peries.ca bridge | Done (bridge in place — Phase 6 removes it) |
| WI-305 | Tailscale DNS on Docker hosts | Done (caneast-site1-node2 static resolv.conf) |
| WI-363 | DNS Architecture & Migration Planning (Feature) | Active |
| WI-364 | ADR-0041 DNS architecture discovery | Done |