# UniFi Restricted-Lane DNS Cutover Result — 2026-05-23 Purpose: record the live DHCP DNS change for the restricted lanes and the immediate post-write verification. ## Live change applied Updated the UniFi network definitions for: - `IoT` - `Camera` - `Old IoT` New DHCP DNS target on all three lanes: - `10.5.30.53` NTP was intentionally left unchanged: - `dhcpd_ntp_enabled=false` ## Verified live after apply ### IoT - subnet: `10.5.10.1/24` - `dhcpd_dns_enabled=true` - `dhcpd_dns_1=10.5.30.53` ### Camera - subnet: `10.5.20.1/24` - `dhcpd_dns_enabled=true` - `dhcpd_dns_1=10.5.30.53` ### Old IoT - subnet: `192.168.1.1/24` - `dhcpd_dns_enabled=true` - `dhcpd_dns_1=10.5.30.53` ## Why this matters This removes the prior default-DNS dependency on each restricted lane's gateway address and puts those devices behind John's DNS blacklist policy. That makes the next firewall phase materially safer because a broader `Untrusted -> Gateway` shield no longer has to preserve gateway DNS behavior for these three lanes. ## Still not done yet This change alone does not prove the broader gateway shield is safe to apply immediately. Before the next firewall wave, still verify: - whether any restricted devices need gateway NTP behavior - whether any restricted devices still need other specific gateway services besides DHCP/mDNS - Google/cast behavior separately from a laptop session ## Recommended next live step Stage the broader `Untrusted -> Gateway` shield carefully with only exact remaining exceptions preserved, instead of leaving the current broad gateway dependency in place.