# ADR 004 - DNS

## Date

- Feb/23/2026 - First documentation

## Status

- Accepted

## Context

- A private authoritative DNS server is required to use the reserved private root domain (.internal).
- Split-horizon DNS needs a separate resolver, because an authoritative server must not forward queries to other DNS servers.
- Automatic certificate issuance needs a private authoritative DNS server that supports nsupdate (RFC 2136).

## Considerations

### Resolver DNS

- AdGuard Home
  - More powerful query routing than Blocky
  - Depends on a web UI
  - Extra functions that are not needed here (DHCP, etc.)
- Unbound DNS
  - Powerful cache and forward-zone management
  - More complex than Blocky
  - Caching is not really needed in this environment
    - The internal authoritative DNS only handles internal communication
    - All security functions (DNSSEC, etc.) are delegated to a public DNS such as Cloudflare

## Decisions

- Operate BIND9 as the authoritative DNS
  - BIND9 is developed by ISC and is the de facto standard for authoritative DNS
  - It fully supports nsupdate
  - Use two forward zones
    - ilnmors.com for split-horizon DNS
    - ilnmors.internal for internal DNS
  - Use four PTR zones
    - Client VLAN IPv4 and IPv6 PTR zones
    - Server VLAN IPv4 and IPv6 PTR zones
- Operate Blocky as the resolver and caching DNS
  - Blocky is configured with a single configuration file
  - It supports query routing based on the queried domain
    - Split-horizon DNS

## Consequences

- Split-horizon DNS is implemented
- ACME is available via nsupdate
- Malicious DNS queries are blocked at the DNS level
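The following named.conf fragment is an added example, not configuration from this ADR or the ilnmors deployment, showing how the BIND9 forward zone from the Decisions section can accept RFC 2136 updates from an ACME client without handing the key write access to the whole zone. The key name, secret, file path and ACL ranges are placeholders.

```conf
// Added example (not from the ADR): BIND9 named.conf fragment for the
// ilnmors.com forward zone with nsupdate (RFC 2136) limited to what ACME needs.
// The key name "acme-dns01", its secret, the zone file path and the ACL
// ranges are placeholders and must be replaced in a real deployment.

key "acme-dns01" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // e.g. output of: tsig-keygen acme-dns01
};

// Only the internal resolver (Blocky) and the ACME client should reach this
// authoritative server; the ranges here are placeholders.
acl "internal-clients" { 10.0.0.0/8; fd00::/8; };

zone "ilnmors.com" IN {
    type primary;
    file "/var/lib/bind/db.ilnmors.com";
    allow-query { internal-clients; };

    // Weak setting: allow-update lets the key add, change or delete ANY record
    // in the zone, so a leaked ACME key could repoint A/AAAA/MX/CNAME records.
    // allow-update { key "acme-dns01"; };

    // Preferred setting: the key may only create or delete TXT records inside
    // the zone, which is all an ACME dns-01 challenge (_acme-challenge.<name>)
    // requires. Every other record type stays read-only for this key.
    update-policy {
        grant "acme-dns01" zonesub TXT;
    };
};
```

The same update-policy block is repeated for ilnmors.internal if certificates are issued for that zone; the four PTR zones get no update-policy at all, since nothing in the ADR writes to them dynamically.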