Files
truenas-stacks/home/doris-dashboard/docs/unifi-dhcp-dns-verification-2026-05-23.md
Fizzlepoof 080ba83989
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled
Harden UniFi restricted-lane gateway access
2026-05-23 02:48:49 +00:00

3.4 KiB

UniFi DHCP/DNS Verification — 2026-05-23

Purpose: determine whether the restricted lanes (IoT, Camera, Old IoT) are safe for a broader Untrusted -> Gateway management shield, specifically by checking what DHCP/DNS behavior they actually appear to rely on.

Live verification performed

Fresh read-only UniFi poll executed from PD against the live controller.

Verified live from UniFi:

  • site: default
  • controller path: rest/networkconf
  • supporting reads: stat/sta, v2/api/site/default/firewall-policies
  • current custom policy still present: Block Untrusted to Gateway Admin Surfaces

Observed restricted-lane client counts during the same read:

  • IoT: 6
  • Camera: 3
  • Old IoT: 11

Restricted-lane DHCP/DNS findings from the live controller

IoT

  • subnet: 10.5.10.1/24
  • VLAN: 510
  • DHCP range: 10.5.10.6 - 10.5.10.254
  • dhcpd_enabled=true
  • dhcpd_dns_enabled=false
  • dhcpd_ntp_enabled=false
  • dhcpd_gateway_enabled=false
  • mdns_enabled=true
  • network_isolation_enabled=true

Camera

  • subnet: 10.5.20.1/24
  • VLAN: 520
  • DHCP range: 10.5.20.6 - 10.5.20.254
  • dhcpd_enabled=true
  • dhcpd_dns_enabled=false
  • dhcpd_ntp_enabled=false
  • dhcpd_gateway_enabled=false
  • mdns_enabled=true
  • network_isolation_enabled=false

Old IoT

  • subnet: 192.168.1.1/24
  • VLAN: 2
  • DHCP range: 192.168.1.100 - 192.168.1.199
  • dhcpd_enabled=true
  • dhcpd_dns_enabled=false
  • dhcpd_ntp_enabled=false
  • dhcpd_gateway_enabled=false
  • mdns_enabled=true
  • network_isolation_enabled=false

Interpretation

The common pattern across all three restricted lanes is unchanged:

  • DHCP is on
  • custom DHCP DNS is off
  • custom DHCP NTP is off
  • no explicit per-network DNS servers are configured for those three lanes

Operationally, that means these lanes still look gateway-dependent for their default DHCP-delivered DNS behavior.

Safe working assumption from the live config:

  • IoT clients likely still use 10.5.10.1 for default DNS delivery
  • Camera clients likely still use 10.5.20.1 for default DNS delivery
  • Old IoT clients likely still use 192.168.1.1 for default DNS delivery
  • NTP is likewise not explicitly overridden per network

Decision

Do not apply a broad Untrusted -> Gateway deny yet.

The currently deployed surgical rule remains the right safe stopping point:

  • Block Untrusted to Gateway Admin Surfaces

A broader management shield is still unsafe until one of these becomes true and is verified:

  1. restricted-lane clients are intentionally moved to explicit non-gateway DNS/NTP targets, or
  2. the broader gateway policy explicitly preserves the exact gateway services those lanes still need, or
  3. a later live validation proves those clients no longer depend on gateway DNS/NTP despite the current network definitions

Practical next step before any broader gateway block

Preferred next live order:

  1. decide whether 10.5.30.53 should be the DHCP-advertised DNS target for IoT, Camera, and Old IoT
  2. decide whether NTP should stay public, stay gateway-provided, or move to a local service
  3. if DNS/NTP stay gateway-dependent, model the exact gateway exceptions first
  4. only then convert the current surgical admin-surface block into a broader Untrusted -> Gateway shield

Bottom line

Fresh live UniFi reads confirm the restricted lanes still look gateway-dependent for default DHCP-delivered DNS behavior.

So the answer to "can we safely broaden the gateway shield right now?" is: not yet.