91 lines
3.4 KiB
Markdown
91 lines
3.4 KiB
Markdown
# UniFi DHCP/DNS Verification — 2026-05-23
|
|
|
|
Purpose: determine whether the restricted lanes (`IoT`, `Camera`, `Old IoT`) are safe for a broader `Untrusted -> Gateway` management shield, specifically by checking what DHCP/DNS behavior they actually appear to rely on.
|
|
|
|
## Live verification performed
|
|
Fresh read-only UniFi poll executed from PD against the live controller.
|
|
|
|
Verified live from UniFi:
|
|
- site: `default`
|
|
- controller path: `rest/networkconf`
|
|
- supporting reads: `stat/sta`, `v2/api/site/default/firewall-policies`
|
|
- current custom policy still present: `Block Untrusted to Gateway Admin Surfaces`
|
|
|
|
Observed restricted-lane client counts during the same read:
|
|
- `IoT`: 6
|
|
- `Camera`: 3
|
|
- `Old IoT`: 11
|
|
|
|
## Restricted-lane DHCP/DNS findings from the live controller
|
|
|
|
### IoT
|
|
- subnet: `10.5.10.1/24`
|
|
- VLAN: `510`
|
|
- DHCP range: `10.5.10.6` - `10.5.10.254`
|
|
- `dhcpd_enabled=true`
|
|
- `dhcpd_dns_enabled=false`
|
|
- `dhcpd_ntp_enabled=false`
|
|
- `dhcpd_gateway_enabled=false`
|
|
- `mdns_enabled=true`
|
|
- `network_isolation_enabled=true`
|
|
|
|
### Camera
|
|
- subnet: `10.5.20.1/24`
|
|
- VLAN: `520`
|
|
- DHCP range: `10.5.20.6` - `10.5.20.254`
|
|
- `dhcpd_enabled=true`
|
|
- `dhcpd_dns_enabled=false`
|
|
- `dhcpd_ntp_enabled=false`
|
|
- `dhcpd_gateway_enabled=false`
|
|
- `mdns_enabled=true`
|
|
- `network_isolation_enabled=false`
|
|
|
|
### Old IoT
|
|
- subnet: `192.168.1.1/24`
|
|
- VLAN: `2`
|
|
- DHCP range: `192.168.1.100` - `192.168.1.199`
|
|
- `dhcpd_enabled=true`
|
|
- `dhcpd_dns_enabled=false`
|
|
- `dhcpd_ntp_enabled=false`
|
|
- `dhcpd_gateway_enabled=false`
|
|
- `mdns_enabled=true`
|
|
- `network_isolation_enabled=false`
|
|
|
|
## Interpretation
|
|
The common pattern across all three restricted lanes is unchanged:
|
|
- DHCP is on
|
|
- custom DHCP DNS is off
|
|
- custom DHCP NTP is off
|
|
- no explicit per-network DNS servers are configured for those three lanes
|
|
|
|
Operationally, that means these lanes still look gateway-dependent for their default DHCP-delivered DNS behavior.
|
|
|
|
Safe working assumption from the live config:
|
|
- `IoT` clients likely still use `10.5.10.1` for default DNS delivery
|
|
- `Camera` clients likely still use `10.5.20.1` for default DNS delivery
|
|
- `Old IoT` clients likely still use `192.168.1.1` for default DNS delivery
|
|
- NTP is likewise not explicitly overridden per network
|
|
|
|
## Decision
|
|
Do not apply a broad `Untrusted -> Gateway` deny yet.
|
|
|
|
The currently deployed surgical rule remains the right safe stopping point:
|
|
- `Block Untrusted to Gateway Admin Surfaces`
|
|
|
|
A broader management shield is still unsafe until one of these becomes true and is verified:
|
|
1. restricted-lane clients are intentionally moved to explicit non-gateway DNS/NTP targets, or
|
|
2. the broader gateway policy explicitly preserves the exact gateway services those lanes still need, or
|
|
3. a later live validation proves those clients no longer depend on gateway DNS/NTP despite the current network definitions
|
|
|
|
## Practical next step before any broader gateway block
|
|
Preferred next live order:
|
|
1. decide whether `10.5.30.53` should be the DHCP-advertised DNS target for `IoT`, `Camera`, and `Old IoT`
|
|
2. decide whether NTP should stay public, stay gateway-provided, or move to a local service
|
|
3. if DNS/NTP stay gateway-dependent, model the exact gateway exceptions first
|
|
4. only then convert the current surgical admin-surface block into a broader `Untrusted -> Gateway` shield
|
|
|
|
## Bottom line
|
|
Fresh live UniFi reads confirm the restricted lanes still look gateway-dependent for default DHCP-delivered DNS behavior.
|
|
|
|
So the answer to "can we safely broaden the gateway shield right now?" is: not yet.
|