DNS Zone Analysis - Issues & Conflicts
Critical Issues Identified
1. Multiple Hostnames Sharing the Same Tunnel ID ⚠️
Tunnel ID: 10ab22da-8ea3-4e2e-a896-27ece2211a05
The following nine hostnames all point to this tunnel:
- dbis-admin.d-bis.org
- dbis-api-2.d-bis.org
- dbis-api.d-bis.org
- mim4u.org.d-bis.org
- rpc-http-prv.d-bis.org
- rpc-http-pub.d-bis.org
- rpc-ws-prv.d-bis.org
- rpc-ws-pub.d-bis.org
- www.mim4u.org.d-bis.org
Problem: Serving several hostnames from one tunnel is a supported configuration, but cloudflared routes each request to the first ingress rule whose hostname matches, so every one of these nine names needs its own rule (or a wildcard that covers it) ahead of the catch-all. A hostname without a matching rule is not rejected at the DNS layer; it silently falls through to the catch-all (normally http_status:404), and a wildcard placed too early sends it to the wrong origin. The admin interface and the public RPC endpoints also share one connector, so the container running cloudflared is both a single point of failure and a single point of compromise for all nine services.
Impact:
- Services may not be accessible
- Routing conflicts (a hostname served by the wrong origin)
- Difficult to troubleshoot
- Single point of failure, and one host whose compromise exposes every service on the tunnel
2. TTL Shown as 1 Second ⚠️
Most CNAME records show a TTL of 1 in the zone export:
```
dbis-admin.d-bis.org. 1 IN CNAME ...
```
What this actually means: In a Cloudflare zone export, a TTL of 1 is how the "Auto" setting is written; it is not a literal one-second TTL. Proxied (orange-cloud) records are always Auto, Cloudflare answers for them from its edge with a 300-second TTL, and the CNAME to cfargotunnel.com is never handed to public resolvers at all. Cloudflare also does not accept a real TTL below 60 seconds on most plans. The concerns a genuine 1-second TTL would raise (cache churn, query load, slow resolution) therefore do not apply to the proxied records here.
Recommendation: Do not try to "fix" the proxied records; their TTL field is not editable while they are proxied. For the one unproxied record (sip) set an explicit value such as 300 (5 minutes) or 3600 (1 hour), and confirm what resolvers actually receive with `dig +noall +answer sip.d-bis.org` (the second column of the answer is the TTL).
3. Proxmox Tunnel Configuration ✅
The Proxmox tunnels are correctly configured at the DNS layer:
- ml110-01.d-bis.org → ccd7150a-9881-4b8c-a105-9b4ead6e69a2.cfargotunnel.com
- r630-01.d-bis.org → 4481af8f-b24c-4cd3-bdd5-f562f4c97df4.cfargotunnel.com
- r630-02.d-bis.org → 0876f12b-64d7-4927-9ab3-94cb6cf48af9.cfargotunnel.com
Each has its own tunnel ID, so there are no routing conflicts here. Note that the zone only shows where each name goes; it does not show whether these hypervisor management interfaces sit behind a Cloudflare Access policy before the tunnel forwards traffic to them. Check that separately in the Zero Trust dashboard: a Proxmox login page reachable by anyone on the internet is a bigger risk than any other item in this list.
4. Mixed Proxy Status ⚠️
Most records have cf-proxied:true (orange cloud), but:
- sip.d-bis.org has cf-proxied:false (grey cloud)
Impact: Inconsistent protection levels. A grey-cloud record publishes the real origin address in public DNS, so that host gets none of Cloudflare's filtering and is directly reachable. This is very likely deliberate: Cloudflare's proxy only carries HTTP(S) traffic (other protocols need Spectrum), so a SIP endpoint generally cannot be orange-clouded. If so, keep the record as it is, but make sure the exposed host firewalls everything except the SIP ports it serves and that no other service on that address is relying on the proxy for protection.
DNS Record Summary
By Tunnel ID
| Tunnel ID | Hostnames | Count | Status |
|---|---|---|---|
| 10ab22da-8ea3-4e2e-a896-27ece2211a05 | dbis-admin, dbis-api, dbis-api-2, mim4u.org, rpc-* (4), www.mim4u.org | 9 | ⚠️ SHARED (verify ingress) |
| ccd7150a-9881-4b8c-a105-9b4ead6e69a2 | ml110-01 | 1 | ✅ OK |
| 4481af8f-b24c-4cd3-bdd5-f562f4c97df4 | r630-01 | 1 | ✅ OK |
| 0876f12b-64d7-4927-9ab3-94cb6cf48af9 | r630-02 | 1 | ✅ OK |
| b02fe1fe-cb7d-484e-909b-7cc41298ebe8 | explorer | 1 | ✅ OK |
| External (no tunnel) | ipfs, monetary-policies, tokens, sip | 4 | ✅ OK |
By Service Type
| Service | Hostnames | Tunnel |
|---|---|---|
| Proxmox | ml110-01, r630-01, r630-02 | Separate tunnels ✅ |
| DBIS API | dbis-api, dbis-api-2 | Shared tunnel ⚠️ |
| RPC | rpc-http-prv, rpc-http-pub, rpc-ws-prv, rpc-ws-pub | Shared tunnel ⚠️ |
| Admin | dbis-admin | Shared tunnel ⚠️ |
| MIM4U | mim4u.org, www.mim4u.org | Shared tunnel ⚠️ |
| Explorer | explorer | Separate tunnel ✅ |
| External | ipfs, monetary-policies, tokens, sip | External services ✅ |
Recommended Actions
Priority 1: Fix Shared Tunnel Configuration
The tunnel 10ab22da-8ea3-4e2e-a896-27ece2211a05 must have an ingress rule for each of the 9 hostnames, in an order that lets each one match.
Check tunnel configuration:
```bash
# SSH to tunnel container (VMID 102 on r630-02)
ssh root@192.168.11.12 "pct exec 102 -- cat /etc/cloudflared/config.yml"
```
If config.yml contains only the tunnel ID and credentials-file and no ingress block, the tunnel is remotely managed: its ingress rules live in the Zero Trust dashboard (Networks → Tunnels → Public Hostname) and editing the local file has no effect.
Required ingress rules (in order; cloudflared uses the first rule whose hostname matches, and refuses to start if the last rule is not a catch-all):
```yaml
ingress:
  - hostname: dbis-admin.d-bis.org
    service: https://<internal-ip>:<port>
  - hostname: dbis-api.d-bis.org
    service: https://<internal-ip>:<port>
  - hostname: dbis-api-2.d-bis.org
    service: https://<internal-ip>:<port>
  - hostname: mim4u.org.d-bis.org
    service: https://<internal-ip>:<port>
  - hostname: www.mim4u.org.d-bis.org
    service: https://<internal-ip>:<port>
  - hostname: rpc-http-prv.d-bis.org
    service: https://<internal-ip>:<port>
  - hostname: rpc-http-pub.d-bis.org
    service: https://<internal-ip>:<port>
  - hostname: rpc-ws-prv.d-bis.org
    service: https://<internal-ip>:<port>
  - hostname: rpc-ws-pub.d-bis.org
    service: https://<internal-ip>:<port>
  - service: http_status:404 # Catch-all must be last; anything not matched above ends here
```
If the internal services present self-signed certificates, cloudflared will refuse the origin connection. Add the internal CA with originRequest.caPool rather than disabling verification with noTLSVerify, especially for the admin hostname.
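To make the shared-tunnel check above (issue 1 and this Priority 1 step) mechanical instead of eyeballed, here is an added example script. It is not part of the original analysis and not cloudflared's own code. It groups the CNAMEs of a zone export by tunnel ID, parses the flat ingress list out of a config.yml, and reports hostnames that DNS sends to the tunnel but no rule serves, rules for names DNS never sends there, exact rules shadowed by an earlier wildcard, and a catch-all that is missing or not last. The ZONE and CONFIG strings are constructed from the hostnames on this page; the 10.0.0.x origins and ports are placeholders, not the real services.

```python
"""Cross-check the hostnames DNS sends to a Cloudflare Tunnel against the
cloudflared ingress rules for that tunnel.

Added example, not part of the original analysis and not cloudflared's own
code. ZONE and CONFIG are constructed from the hostnames on this page; the
10.0.0.x origins and ports are placeholders, not the real services.
"""
from collections import defaultdict

TUNNEL_SUFFIX = ".cfargotunnel.com"
RULE_KEYS = ("hostname", "service", "path")

# Constructed zone export in the BIND form Cloudflare produces (TTL "1" = Auto).
ZONE = """\
dbis-admin.d-bis.org.   1 IN CNAME 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com.
dbis-api.d-bis.org.     1 IN CNAME 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com.
rpc-http-pub.d-bis.org. 1 IN CNAME 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com.
ml110-01.d-bis.org.     1 IN CNAME ccd7150a-9881-4b8c-a105-9b4ead6e69a2.cfargotunnel.com.
sip.d-bis.org.        300 IN A     203.0.113.10
"""

# Constructed config.yml with two deliberate defects: rpc-http-pub has no rule,
# and rpc-ws-prv has a rule although no DNS record sends it to this tunnel.
CONFIG = """\
tunnel: 10ab22da-8ea3-4e2e-a896-27ece2211a05
credentials-file: /root/.cloudflared/10ab22da-8ea3-4e2e-a896-27ece2211a05.json
ingress:
  - hostname: dbis-admin.d-bis.org
    service: https://10.0.0.2:8006
  - hostname: dbis-api.d-bis.org
    service: https://10.0.0.3:443
  - hostname: rpc-ws-prv.d-bis.org
    service: https://10.0.0.4:8546
  - service: http_status:404
"""


def tunnel_hostnames(zone_text):
    """Return {tunnel_uuid: [hostnames]} for every CNAME aimed at cfargotunnel.com."""
    groups = defaultdict(list)
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[3] == "CNAME" and f[4].rstrip(".").endswith(TUNNEL_SUFFIX):
            groups[f[4].rstrip(".")[: -len(TUNNEL_SUFFIX)]].append(f[0].rstrip("."))
    return dict(groups)


def parse_ingress(config_text):
    """Parse the flat `ingress:` list into [{'hostname', 'service'}] in file order.
    Only the plain list form shown on this page is handled (no nested
    originRequest blocks); a rule without `hostname` is a catch-all."""
    rules, cur, in_ingress = [], None, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()           # drop comments
        if not line.strip():
            continue
        if in_ingress and not line.startswith((" ", "-")) \
                and line.partition(":")[0] not in RULE_KEYS:
            in_ingress = False                          # another top-level key
        if line.strip() == "ingress:":
            in_ingress = True
            continue
        if not in_ingress:
            continue
        body = line.strip()
        if body.startswith("- "):                       # start of a new rule
            cur = {"hostname": None, "service": None}
            rules.append(cur)
            body = body[2:]
        key, _, val = body.partition(":")
        if cur is not None and key.strip() in ("hostname", "service"):
            cur[key.strip()] = val.strip().strip("\"'")
    return rules


def host_matches(pattern, host):
    """cloudflared uses the first matching rule; `*.x` is treated here as a suffix match."""
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else pattern == host


def check_tunnel(tunnel_id, zone_text, config_text):
    """Return findings for one tunnel; an empty list means DNS and ingress agree."""
    expected = sorted(tunnel_hostnames(zone_text).get(tunnel_id, []))
    rules = parse_ingress(config_text)
    if not rules:
        return ["no ingress block in config.yml: tunnel is probably remotely managed, check the Zero Trust dashboard instead"]
    findings = []
    if rules[-1]["hostname"] is not None:
        findings.append("last rule is not a catch-all; cloudflared rejects such a config")
    for i, r in enumerate(rules[:-1]):
        if r["hostname"] is None:
            findings.append(f"rule {i} is a catch-all but not last; every later rule is dead")
    named = [(i, r) for i, r in enumerate(rules) if r["hostname"]]
    for host in expected:
        hit = next((i for i, r in named if host_matches(r["hostname"], host)), None)
        if hit is None:
            findings.append(f"{host}: DNS points at this tunnel but no rule matches; requests fall to the catch-all")
        elif rules[hit]["hostname"] != host and any(r["hostname"] == host for _, r in named):
            findings.append(f"{host}: exact rule is shadowed by earlier rule '{rules[hit]['hostname']}' -> {rules[hit]['service']}")
    for _, r in named:
        if "*" not in r["hostname"] and r["hostname"] not in expected:
            findings.append(f"{r['hostname']}: ingress rule exists but no DNS record sends it to this tunnel")
    return findings


if __name__ == "__main__":
    for tid, hosts in tunnel_hostnames(ZONE).items():
        print(f"{tid}: {len(hosts)} hostname(s) -> {', '.join(sorted(hosts))}")
    for finding in check_tunnel("10ab22da-8ea3-4e2e-a896-27ece2211a05", ZONE, CONFIG):
        print("FINDING:", finding)
```

Run it against the real zone export (DNS → Records → Export in the dashboard) and the config.yml fetched with the pct command above. cloudflared itself can confirm the result on the tunnel host: `cloudflared tunnel ingress validate` checks the rule syntax and catch-all placement, and `cloudflared tunnel ingress rule https://dbis-admin.d-bis.org` prints which rule that URL would hit.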
Priority 2: Verify TTL Values
The exported TTL of 1 is Cloudflare's Auto setting, not a one-second TTL, and it cannot be changed on proxied records. Nothing needs editing for the orange-cloud CNAMEs. For the unproxied sip record, set an explicit TTL:
```
# In Cloudflare Dashboard:
# DNS → Records → Edit the sip record → Set TTL to 300 (or leave Auto)
```
Confirm what resolvers actually see with `dig +noall +answer sip.d-bis.org`; the second column of the answer line is the TTL being served.
Priority 3: Consider Separate Tunnels
For better isolation and troubleshooting, consider:
- Separate tunnel for RPC endpoints
- Separate tunnel for API endpoints
- Separate tunnel for the admin interface, run from its own container so that a compromise of the public-facing connector does not reach it
Benefits:
- Better isolation (a connector only needs network reach to the origins it serves)
- Easier troubleshooting (one tunnel, one log)
- Independent scaling
- Reduced single point of failure
Priority 4: Verify Tunnel Health
```bash
# Check all cloudflared services in the container (quote the glob so the remote shell passes it to systemctl)
ssh root@192.168.11.12 "pct exec 102 -- systemctl status 'cloudflared*'"
# Check tunnel logs for errors
ssh root@192.168.11.12 "pct exec 102 -- journalctl -u 'cloudflared*' -n 100"
# Ask Cloudflare which connectors are currently registered for the shared tunnel
ssh root@192.168.11.12 "pct exec 102 -- cloudflared tunnel info 10ab22da-8ea3-4e2e-a896-27ece2211a05"
```
`cloudflared tunnel info` needs the account certificate (cert.pem) on that host. A tunnel with zero registered connectors is the usual cause of Cloudflare error 1033 on every hostname it serves.
Testing & Validation
Test Each Hostname
```bash
# Print only the HTTP status for each hostname.
#   530 = Cloudflare error 1033: tunnel down or no connector registered
#   404 = request reached the tunnel but hit the catch-all rule (no ingress rule matched)
#   302/403 to an Access login page = tunnel and access policy both working
for h in ml110-01 r630-01 r630-02 dbis-admin dbis-api rpc-http-pub rpc-ws-pub explorer; do
  printf '%-24s ' "$h.d-bis.org"
  curl -sS -o /dev/null -w '%{http_code}\n' --max-time 10 "https://$h.d-bis.org/"
done
```
Check DNS Resolution
Because these records are proxied, public resolvers never see the CNAME to cfargotunnel.com: dig returns Cloudflare edge addresses, which proves the name is published but not which tunnel it reaches.
```bash
dig +noall +answer ml110-01.d-bis.org
dig +noall +answer dbis-api.d-bis.org
dig +noall +answer rpc-http-pub.d-bis.org
# The unproxied record resolves straight to the origin address
dig +noall +answer sip.d-bis.org
```
To see the actual tunnel targets, use the zone export (DNS → Records → Export) or the Cloudflare API; the tunnel IDs in the tables above come from there.
Summary
✅ Proxmox Tunnels: Correctly configured at the DNS layer, no conflicts (Access policy on the management interfaces still to be confirmed)
⚠️ Shared Tunnel: 9 hostnames on one tunnel - ingress rules need verification
✅ TTL Values: The exported 1 is Cloudflare's Auto setting, not a one-second TTL - no change possible or needed on proxied records
⚠️ Proxy Status: Mixed - sip is grey-clouded, most likely by necessity for SIP; confirm the exposed origin is firewalled
Main Issue: The shared tunnel (10ab22da-8ea3-4e2e-a896-27ece2211a05) must have a matching ingress rule for each of the 9 hostnames, in the right order and ahead of the catch-all; otherwise requests for the unmatched names fall to the catch-all or are routed to the wrong origin.