Dns on heezy.blog

Getting Cloudflare on IaC

Thu, 14 May 2026 00:00:00 +0000

Everything in the lab is managed as code. FortiGate firewall rules, Proxmox VMs, Kubernetes manifests. Cloudflare was the last holdout. DNS records, tunnel config, and zone settings all lived in the dashboard, clicked into existence and never tracked anywhere. Time to fix that.

Pi-hole on Kubernetes with MetalLB and a Ruckus SSID

Wed, 15 Apr 2026 00:00:00 +0000

🚧 UNDER CONSTRUCTION 🚧 Switch and Ruckus configuration pending. Screenshots to be added.

Pi-hole was already running on the cluster. It worked fine from inside the cluster and via NodePort on weird high ports. The problem was that no actual client device could use it as a DNS server, because DNS clients expect port 53 and NodePort gives you 30054.

What started as “just give Pi-hole a real IP” turned into a new VLAN, a new DHCP server, firewall policy changes, switch configuration, and a Ruckus SSID. The usual homelab scope creep.

Split DNS, MetalLB, and the dnsmasq Debugging Saga

Sun, 12 Apr 2026 00:00:00 +0000

This is the story of building split-horizon DNS for a homelab with four VLANs, a FortiGate firewall, a 5-node MicroK8s cluster, and a Cloudflare tunnel. Then spending hours debugging why dnsmasq wouldn’t answer queries despite the port being open, the firewall allowing traffic, and the container running fine. The entire implementation and debugging session was driven through MCP tooling.

Networking the Heezy: VLANs, Firewall Zones, and How Traffic Moves

Thu, 12 Mar 2026 00:00:00 +0000

The network is the foundation of everything in the lab. Four VLANs, a FortiGate doing all the routing, a Cisco 3560 doing the switching, and a set of rules about what can talk to what. This post covers how it’s all wired together, how DNS works across zones, and how remote access gets in without exposing anything to the internet.