Files
truenas-stacks/home/doris-dashboard/docs/unifi-restricted-dns-cutover-result-2026-05-23.md
Fizzlepoof 080ba83989
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled
Harden UniFi restricted-lane gateway access
2026-05-23 02:48:49 +00:00

1.6 KiB

UniFi Restricted-Lane DNS Cutover Result — 2026-05-23

Purpose: record the live DHCP DNS change for the restricted lanes and the immediate post-write verification.

Live change applied

Updated the UniFi network definitions for:

  • IoT
  • Camera
  • Old IoT

New DHCP DNS target on all three lanes:

  • 10.5.30.53

NTP was intentionally left unchanged:

  • dhcpd_ntp_enabled=false

Verified live after apply

IoT

  • subnet: 10.5.10.1/24
  • dhcpd_dns_enabled=true
  • dhcpd_dns_1=10.5.30.53

Camera

  • subnet: 10.5.20.1/24
  • dhcpd_dns_enabled=true
  • dhcpd_dns_1=10.5.30.53

Old IoT

  • subnet: 192.168.1.1/24
  • dhcpd_dns_enabled=true
  • dhcpd_dns_1=10.5.30.53

Why this matters

This removes the prior default-DNS dependency on each restricted lane's gateway address and puts those devices behind John's DNS blacklist policy.

That makes the next firewall phase materially safer because a broader Untrusted -> Gateway shield no longer has to preserve gateway DNS behavior for these three lanes.

Still not done yet

This change alone does not prove the broader gateway shield is safe to apply immediately.

Before the next firewall wave, still verify:

  • whether any restricted devices need gateway NTP behavior
  • whether any restricted devices still need other specific gateway services besides DHCP/mDNS
  • Google/cast behavior separately from a laptop session

Stage the broader Untrusted -> Gateway shield carefully with only exact remaining exceptions preserved, instead of leaving the current broad gateway dependency in place.