48 lines
1.6 KiB
Markdown
48 lines
1.6 KiB
Markdown
# UniFi Restricted-Lane DNS Cutover Result — 2026-05-23
|
|
|
|
Purpose: record the live DHCP DNS change for the restricted lanes and the immediate post-write verification.
|
|
|
|
## Live change applied
|
|
Updated the UniFi network definitions for:
|
|
- `IoT`
|
|
- `Camera`
|
|
- `Old IoT`
|
|
|
|
New DHCP DNS target on all three lanes:
|
|
- `10.5.30.53`
|
|
|
|
NTP was intentionally left unchanged:
|
|
- `dhcpd_ntp_enabled=false`
|
|
|
|
## Verified live after apply
|
|
### IoT
|
|
- subnet: `10.5.10.1/24`
|
|
- `dhcpd_dns_enabled=true`
|
|
- `dhcpd_dns_1=10.5.30.53`
|
|
|
|
### Camera
|
|
- subnet: `10.5.20.1/24`
|
|
- `dhcpd_dns_enabled=true`
|
|
- `dhcpd_dns_1=10.5.30.53`
|
|
|
|
### Old IoT
|
|
- subnet: `192.168.1.1/24`
|
|
- `dhcpd_dns_enabled=true`
|
|
- `dhcpd_dns_1=10.5.30.53`
|
|
|
|
## Why this matters
|
|
This removes the prior default-DNS dependency on each restricted lane's gateway address and puts those devices behind John's DNS blacklist policy.
|
|
|
|
That makes the next firewall phase materially safer because a broader `Untrusted -> Gateway` shield no longer has to preserve gateway DNS behavior for these three lanes.
|
|
|
|
## Still not done yet
|
|
This change alone does not prove the broader gateway shield is safe to apply immediately.
|
|
|
|
Before the next firewall wave, still verify:
|
|
- whether any restricted devices need gateway NTP behavior
|
|
- whether any restricted devices still need other specific gateway services besides DHCP/mDNS
|
|
- Google/cast behavior separately from a laptop session
|
|
|
|
## Recommended next live step
|
|
Stage the broader `Untrusted -> Gateway` shield carefully with only exact remaining exceptions preserved, instead of leaving the current broad gateway dependency in place.
|