DNS Architecture
Overview
Two-tier split-DNS. AdGuard Home handles all queries from all VLANs — it does ad blocking, upstream resolution over DoT, and conditionally forwards internal zone queries to BIND (ns1).
pob.network is a registered public domain. Internal zones are subdomains of it, resolved only internally via BIND. External DNS for pob.network itself is separate and not managed by the homelab.
```
Client (any VLAN)
        │
        ▼
AdGuard Home (10.37.64.53)
        │
        ├── internal zones? ──► BIND / ns1 (10.37.64.54)
        │
        └── everything else ──► DoT upstreams
                                    ├── Cloudflare (1.1.1.1)
                                    ├── Google (8.8.8.8)
                                    └── Quad9 (9.9.9.9)
```
Resolvers
AdGuard Home
| Field | Value |
|---|---|
| Host | adguard — CT101 on pve0-core |
| IPv4 | 10.37.64.53 |
| IPv6 | fda8:288c:4f37:4000::53 |
| VLAN | 64 |
All VLANs use AdGuard as their DNS server. The .53 address suffix is intentional (DNS port).
Upstream resolvers (DNS-over-TLS):
| Provider | Hostname |
|---|---|
| Cloudflare | tls://1dot1dot1dot1.cloudflare-dns.com |
| Google | tls://dns.google |
| Quad9 | tls://dns.quad9.net |
BIND (ns1)
| Field | Value |
|---|---|
| Host | ns1 — CT113 on pve0-core |
| IPv4 | 10.37.64.54 |
| IPv6 | fda8:288c:4f37:4000::54 |
| VLAN | 64 |
| Hostname | ns1.pve.pob.network |
Authoritative for all internal zones. Not queried directly by clients — only by AdGuard via conditional forwarding.
Internal Zones
AdGuard forwards queries for these domains to ns1.pve.pob.network (10.37.64.54). All other queries go to the DoT upstreams.
| Zone | Purpose |
|---|---|
| pve.pob.network | Proxmox hosts and containers |
| home.pob.network | Home network devices (VLAN 192) |
| voice.pob.network | VoIP devices (VLAN 224) |
| management.pob.network | Management interfaces (switches, OPNsense, etc.) |
| wireless.pob.network | Wireless infrastructure (VLAN 8) |
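
The forwarding rule above can be checked against resolver logs. The following is an added example, not part of the original page and not AdGuard Home's or BIND's own code: it models the split with whole-label suffix matching and flags records where an internal name was sent to a public upstream, or a non-internal name was sent to ns1. The function names, the `(qname, upstream)` record shape and the sample records are assumptions constructed for illustration.

```python
# Values taken from the page.
BIND_NS1 = "10.37.64.54"
INTERNAL_ZONES = tuple(
    f"{z}.pob.network" for z in ("pve", "home", "voice", "management", "wireless")
)
DOT_UPSTREAMS = (
    "tls://1dot1dot1dot1.cloudflare-dns.com",
    "tls://dns.google",
    "tls://dns.quad9.net",
)


def is_internal(qname):
    """True for an internal zone apex or any name below it.

    Matching is on whole labels, so 'notpve.pob.network' and the public
    parent 'pob.network' are not internal.
    """
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)


def expected_upstreams(qname):
    """Upstreams the design on this page allows for qname."""
    return (BIND_NS1,) if is_internal(qname) else DOT_UPSTREAMS


def audit(records):
    """Return the (qname, upstream) pairs that violate the split.

    The pair shape is an assumption: a simplified stand-in for whatever
    fields the resolver's query log exports.
    """
    return [(q, u) for q, u in records if u not in expected_upstreams(q)]


# Constructed sample records, not real log data.
SAMPLE = [
    ("smtp.pve.pob.network.", "10.37.64.54"),          # ok: internal -> BIND
    ("example.com", "tls://dns.quad9.net"),            # ok: external -> DoT
    ("pob.network", "tls://dns.google"),               # ok: public parent zone
    ("Printer.HOME.pob.network", "tls://dns.google"),  # leak: internal name sent out
    ("notpve.pob.network", "10.37.64.54"),             # misroute: not an internal zone
]

if __name__ == "__main__":
    for qname, upstream in audit(SAMPLE):
        print(f"VIOLATION {qname} -> {upstream}")
```
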
Notable CNAMEs
| Record | Target | Notes |
|---|---|---|
| smtp.pve.pob.network | docker-prod-01.pve.pob.network | Internal SMTP relay (Google Workspace for delivery). CNAME is intentional — any future migration to a dedicated SMTP service only requires updating this record, not every service that depends on it. |