2.8 KiB
2.8 KiB
UniFi Restricted-Lane DNS/NTP Recommendation — 2026-05-23
Purpose: turn the DHCP/DNS verification result into a concrete next-step design decision for IoT, Camera, and Old IoT.
Inputs
- John wants restricted lanes to use
10.5.30.53so those devices inherit the DNS blacklist policy. - Fresh live verification showed
IoT,Camera, andOld IoTstill rely on default gateway-delivered DNS behavior. - Current live firewall hardening stops at
Block Untrusted to Gateway Admin Surfaces.
Recommended decision
DNS
Use explicit DHCP-advertised DNS for all restricted lanes:
IoT->10.5.30.53Camera->10.5.30.53Old IoT->10.5.30.53
Why:
- puts those devices behind John's DNS blacklist policy
- removes default dependency on each lane's gateway IP for DNS
- makes later
Untrusted -> Gatewaytightening much safer - centralizes DNS behavior instead of hiding it in per-subnet gateway defaults
NTP
Do not force restricted lanes onto a new local NTP dependency yet.
Recommended day-one posture:
- keep NTP non-gateway-dependent if UniFi's policy model can express it cleanly as outbound/public time sync
- if that cannot be expressed cleanly in the first pass, explicitly preserve only the exact gateway NTP behavior still needed until a later cleanup window
Why:
- DNS filtering value is clear and immediate
- local NTP adds another service dependency without the same immediate user-visible benefit
- many embedded devices are tolerant as long as they can reach some valid time source
- this avoids pretending PD or another host is the canonical house NTP service before that has been deliberately verified
Practical rollout shape
- Update the UniFi network definitions for
IoT,Camera, andOld IoTso DHCP hands out10.5.30.53explicitly. - Re-read
networkconfto confirm the custom DNS setting stuck. - Only after that, stage the broader
Untrusted -> Gatewayshield. - In that broader shield, preserve only:
- DHCP
- mDNS if still intentionally needed
- NTP path as explicitly chosen
- Do not guess Google/cast discovery carve-outs into the same wave.
What this means for the firewall plan
After the DNS cutover, the broader management shield can stop assuming the gateway must remain reachable for restricted-lane DNS.
That makes the next firewall phase much cleaner:
- block general
Untrusted -> Gateway - preserve only narrow exceptions actually proven necessary
- keep admin surfaces blocked regardless
Bottom line
Recommended design:
- DNS for
IoT/Camera/Old IoT:10.5.30.53 - NTP for those lanes: leave as minimal non-gateway/public behavior for now rather than inventing a new local dependency
This is the safest next step that gives immediate value and reduces hidden gateway dependency before broader firewall tightening.