24 March 2026 · 1460 words · 7 mins
The Problem: Six Interfaces for One Question
“Is anything broken in my homelab?”
Answering that question used to mean: SSH into Proxmox to check guest status. Curl the Pi-hole API for DNS health. Open Grafana to scan Prometheus alerts. Check Graylog for error spikes. Look at Semaphore for failed automation runs. Glance at Caddy logs for 502s.
5 February 2026 · 4428 words · 21 mins
Overview
DNS is the backbone of your network. When your Pi-hole goes down, every device in your home loses internet access. Websites won’t load. Apps stop working. Smart home devices go offline. It’s a single point of failure that brings everything to a halt.
This tutorial shows you how to build a resilient DNS infrastructure using two Pi-hole servers with automatic failover. If one server dies, the other seamlessly takes over in under 15 seconds — without any manual intervention.
My homelab network is segmented into 5 VLANs with a multi-tier DNS architecture and high-availability reverse proxy. This wiki covers the design decisions and implementation details.
Complete Network Topology

[Diagram: Homelab Network Topology. 5 VLANs · PA-440 NGFW · HA DNS · HA Reverse Proxy. The information recoverable from the diagram is summarised below.]

Internet: ISP gateway; Cloudflare CDN + WAF + Access.

Security edge: PA-440 next-gen firewall (App-ID, DNS proxy, DHCP, NAT, zone security); Cloudflare Tunnel agent (zero-trust tunnel).

Network fabric: UniFi gateway (inter-VLAN routing); USW-24 managed 24-port PoE switch; U6-LR and U6-Pro WiFi 6 access points; TP-Link switch on an authenticated trunk; trunks between the switch, the gateway and the APs.

VLAN 10 · Management (192.168.10.0/24):
- NAS-Primary (DS920+, 4-bay, NFS and iSCSI); NAS-Secondary (DS719, 2-bay, backup target)
- DNS high availability: DNS-Primary (Pi-hole, priority 200) and DNS-Secondary (Pi-hole, priority 100) sharing VIP .110 via keepalived VRRP
- TinyPilot KVM (remote console); GL KVM (IP-KVM device); firewall management (out-of-band); TP-Link managed uplink switch

VLAN 30 · Servers & Services (192.168.30.0/24):
- Proxmox VE cluster: Node-2 (LVM-thin, mini PC), Node-3 (ZFS, primary API), Node-5 (LVM-thin, mini PC), Node-6 (ZFS, mini PC); PBS backup server (NFS to NAS)
- Reverse proxy HA: Caddy Primary (VIP .161) with Caddy Backup as hot standby
- Monitoring & logging: Graylog (SIEM, log server); Wazuh XDR (FIM, vulnerability scanning, CIS); Uptime Kuma (status, × 2); Prometheus + Grafana (metrics); Pi.Alert (network scanner); MySpeed (speed tracker)
- Automation & workflows: n8n (workflow engine); Semaphore (Ansible CI/CD); Portainer (container management); UniFi Controller (network management)
- Application services: Vaultwarden (passwords); Home Assist. (smart home); Homarr (dashboard); Infisical (secrets management); NetBox (IPAM)
- Security & VPN: WireGuard VPN server; Panorama (firewall management); PAN-OS lab VM firewalls (× 5); AI assistants (Claude, Gilfoyle)
- 40+ LXCs in total

VLAN 20 · AI / Dev (192.168.20.0/24): OpenClaw AI agent on a MacBook Pro M4 Max (48 GB) running Ollama LLM inference.

VLAN 40 · Isolated (172.30.40.0/24): DNS-40 (standalone Pi-hole); isolated services with restricted access; no cross-VLAN access.

VLAN 50 · IoT (172.30.50.0/24): DNS-50 (standalone Pi-hole); smart devices (IoT, home automation); fully isolated network.

VLAN 254 · FW Management (10.254.254.0/24): PAN-OS out-of-band management interfaces.

Legend: physical connection; virtual / tunnel; VIP = HA virtual IP (VRRP); zones: Management, Servers, Isolated, IoT, AI / Dev, FW Mgmt.

External access paths:
- Cloudflare Tunnel (zero-trust): Vaultwarden, WireGuard, TinyPilot, Emby, OpenSpeed Test, KASM
- Caddy HA (internal TLS): *.loc.domain.com wildcard certificate via DNS-01; all internal services
- Direct (management only): Proxmox UI, NAS DSM, Pi-hole

VLAN Design

| VLAN | Subnet | Purpose | Key Services | Security Level |
|---|---|---|---|---|
| 10 | 192.168.10.0/24 | Management & Core | NAS, DNS HA, KVM devices | 🔒 High |
| 30 | 192.168.30.0/24 | Server Network | Proxmox, Docker, Apps | ⚙️ Medium |
| 40 | 172.30.40.0/24 | Isolated Services | Restricted access | 🔸 Low |
| 50 | 172.30.50.0/24 | IoT Devices | Smart home | 📱 Minimal |
| 254 | 10.254.254.0/24 | Firewall Management | Out-of-band mgmt | 🔐 Critical |

Design principle: Servers (VLAN 30) can reach management (VLAN 10), but management devices are protected from server-initiated connections. IoT devices are fully isolated: they cannot initiate connections to any other VLAN.
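The DNS high-availability pair described in the tutorial excerpt above (two Pi-holes, automatic failover in under 15 seconds) and shown in the topology (DNS-Primary priority 200, DNS-Secondary priority 100, shared VIP .110 on keepalived VRRP) can be expressed as a keepalived configuration for the primary node. This is an added example, not the page's or the author's own configuration. Assumptions: the VIP is 192.168.10.110 (VIP .110 placed in the 192.168.10.0/24 management subnet where the diagram draws the DNS pair), the interface is `eth0`, the `virtual_router_id` and the placeholder VRRP password are arbitrary, and Pi-hole health is checked by asking the local resolver for the `pi.hole` name with `dig`.

```conf
# /etc/keepalived/keepalived.conf on DNS-Primary (added example; values assumed, see lead-in)

global_defs {
    # Run the tracked script as root and refuse scripts writable by other users.
    script_user root
    enable_script_security
}

vrrp_script chk_pihole {
    # Ask the local Pi-hole resolver for an A record. dig exits non-zero when the
    # resolver does not answer, so a stopped pihole-FTL fails the check.
    script "/usr/bin/dig +short +time=2 +tries=1 @127.0.0.1 pi.hole A"
    interval 5       # check every 5 s
    timeout 3        # treat a hung check as a failure after 3 s
    fall 2           # two consecutive failures mark the node unhealthy (~10 s)
    rise 2           # two consecutive successes mark it healthy again
    weight -150      # 200 - 150 = 50, which is below the secondary's 100, so it takes over
}

vrrp_instance DNS_VIP {
    state MASTER
    interface eth0              # assumed interface carrying VLAN 10
    virtual_router_id 51        # assumed; must match on both nodes and be unique on the segment
    priority 200                # DNS-Secondary uses priority 100 and state BACKUP
    advert_int 1                # a lost master is detected after ~3 advertisements (~3 s)

    authentication {
        auth_type PASS
        auth_pass CHANGE_ME     # placeholder; use the same value on both nodes
    }

    virtual_ipaddress {
        192.168.10.110/24       # assumed VIP .110 in the management subnet
    }

    track_script {
        chk_pihole
    }
}
```

The secondary node uses the same file with `state BACKUP` and `priority 100`. With these timers a dead Pi-hole is noticed within about 10 seconds (two 5-second check intervals) and the VRRP takeover adds roughly 3 seconds, which lands inside the 15-second failover budget the tutorial quotes. Clients are pointed only at the VIP, so neither Pi-hole's real address appears in DHCP. Note that `weight -150` lowers the priority rather than forcing the instance into FAULT, so the primary automatically reclaims the VIP once its resolver passes the check twice in a row.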