proxmox/reports/status/DNS_ANALYSIS.md
defiQUG cb47cce074 Complete markdown files cleanup and organization
- Organized 252 files across project
- Root directory: 187 → 2 files (98.9% reduction)
- Moved configuration guides to docs/04-configuration/
- Moved troubleshooting guides to docs/09-troubleshooting/
- Moved quick start guides to docs/01-getting-started/
- Moved reports to reports/ directory
- Archived temporary files
- Generated comprehensive reports and documentation
- Created maintenance scripts and guides

All files organized according to established standards.
2026-01-06 01:46:25 -08:00


# DNS Zone Analysis - Issues & Conflicts
## Critical Issues Identified
### 1. Multiple Hostnames Sharing Same Tunnel ID ⚠️
**Tunnel ID**: `10ab22da-8ea3-4e2e-a896-27ece2211a05`
The following hostnames all point to the **same tunnel**:
- `dbis-admin.d-bis.org`
- `dbis-api-2.d-bis.org`
- `dbis-api.d-bis.org`
- `mim4u.org.d-bis.org`
- `rpc-http-prv.d-bis.org`
- `rpc-http-pub.d-bis.org`
- `rpc-ws-prv.d-bis.org`
- `rpc-ws-pub.d-bis.org`
- `www.mim4u.org.d-bis.org`
**Problem**: This tunnel must handle routing for 9 different hostnames. If the tunnel configuration doesn't have proper ingress rules for all of these, some services will fail or route incorrectly.
**Impact**:
- Services may not be accessible
- Routing conflicts
- Difficult to troubleshoot
- Single point of failure
### 2. Extremely Low TTL Values ⚠️
Most CNAME records have TTL of **1 second**:
```
dbis-admin.d-bis.org. 1 IN CNAME ...
```
**Problem**:
- Very aggressive DNS caching invalidation
- High DNS query load
- Potential DNS resolution delays
- Not standard practice (typically 300-3600 seconds)
**Recommendation**: Use TTL of 300 (5 minutes) or 3600 (1 hour) for production.
### 3. Proxmox Tunnel Configuration ✅
The Proxmox tunnels are correctly configured:
- `ml110-01.d-bis.org` → `ccd7150a-9881-4b8c-a105-9b4ead6e69a2.cfargotunnel.com`
- `r630-01.d-bis.org` → `4481af8f-b24c-4cd3-bdd5-f562f4c97df4.cfargotunnel.com`
- `r630-02.d-bis.org` → `0876f12b-64d7-4927-9ab3-94cb6cf48af9.cfargotunnel.com`
Each has its own tunnel ID - **no conflicts here**.
### 4. Mixed Proxy Status ⚠️
Most records have `cf-proxied:true` (orange cloud), but:
- `sip.d-bis.org` has `cf-proxied:false` (grey cloud)
**Impact**: Inconsistent security/protection levels.
## DNS Record Summary
### By Tunnel ID
| Tunnel ID | Hostnames | Count | Status |
|-----------|-----------|-------|--------|
| `10ab22da-8ea3-4e2e-a896-27ece2211a05` | dbis-admin, dbis-api, dbis-api-2, mim4u.org, rpc-*, www.mim4u.org | 9 | ⚠️ **CONFLICT** |
| `ccd7150a-9881-4b8c-a105-9b4ead6e69a2` | ml110-01 | 1 | ✅ OK |
| `4481af8f-b24c-4cd3-bdd5-f562f4c97df4` | r630-01 | 1 | ✅ OK |
| `0876f12b-64d7-4927-9ab3-94cb6cf48af9` | r630-02 | 1 | ✅ OK |
| `b02fe1fe-cb7d-484e-909b-7cc41298ebe8` | explorer | 1 | ✅ OK |
| External | ipfs, monetary-policies, tokens, sip | 4 | ✅ OK |
### By Service Type
| Service | Hostnames | Tunnel |
|---------|-----------|--------|
| **Proxmox** | ml110-01, r630-01, r630-02 | Separate tunnels ✅ |
| **DBIS API** | dbis-api, dbis-api-2 | Shared tunnel ⚠️ |
| **RPC** | rpc-http-prv, rpc-http-pub, rpc-ws-prv, rpc-ws-pub | Shared tunnel ⚠️ |
| **Admin** | dbis-admin | Shared tunnel ⚠️ |
| **MIM4U** | mim4u.org, www.mim4u.org | Shared tunnel ⚠️ |
| **Explorer** | explorer | Separate tunnel ✅ |
| **External** | ipfs, monetary-policies, tokens, sip | External services ✅ |
## Recommended Actions
### Priority 1: Fix Shared Tunnel Configuration
The tunnel `10ab22da-8ea3-4e2e-a896-27ece2211a05` must have proper ingress rules for all 9 hostnames.
**Check tunnel configuration**:
```bash
# SSH to tunnel container (VMID 102 on r630-02)
ssh root@192.168.11.12 "pct exec 102 -- cat /etc/cloudflared/config.yml"
```
**Required ingress rules** (in order):
```yaml
ingress:
  - hostname: dbis-admin.d-bis.org
    service: https://<internal-ip>:<port>
  - hostname: dbis-api.d-bis.org
    service: https://<internal-ip>:<port>
  - hostname: dbis-api-2.d-bis.org
    service: https://<internal-ip>:<port>
  - hostname: mim4u.org.d-bis.org
    service: https://<internal-ip>:<port>
  - hostname: www.mim4u.org.d-bis.org
    service: https://<internal-ip>:<port>
  - hostname: rpc-http-prv.d-bis.org
    service: https://<internal-ip>:<port>
  - hostname: rpc-http-pub.d-bis.org
    service: https://<internal-ip>:<port>
  - hostname: rpc-ws-prv.d-bis.org
    service: https://<internal-ip>:<port>
  - hostname: rpc-ws-pub.d-bis.org
    service: https://<internal-ip>:<port>
  - service: http_status:404 # Catch-all must be last
```
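The three checks in the issues section above (hostnames sharing a tunnel ID, TTLs below 300 s, mixed proxy status) and the Priority 1 coverage check (every hostname that CNAMEs to the tunnel has an ingress rule, and the catch-all is last) can be scripted so they are repeatable after each DNS or `config.yml` change. The script below is an added example and is not part of this report or the project; the zone lines and the `INGRESS` list are constructed to mirror the shapes quoted above (the `; cf-proxied:` trailing comment is an assumed export annotation), and in practice `INGRESS` would be loaded with `yaml.safe_load` from `/etc/cloudflared/config.yml`.

```python
"""Check a DNS zone export against a cloudflared ingress list (added example)."""
import re
from collections import defaultdict, namedtuple

Record = namedtuple("Record", "host ttl target proxied")

# Constructed sample in the `name TTL IN CNAME target` shape the report quotes.
# The `; cf-proxied:` comment is an assumed annotation, not a BIND standard.
ZONE = """\
dbis-admin.d-bis.org.   1   IN CNAME 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com. ; cf-proxied:true
dbis-api.d-bis.org.     1   IN CNAME 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com. ; cf-proxied:true
rpc-ws-pub.d-bis.org.   1   IN CNAME 10ab22da-8ea3-4e2e-a896-27ece2211a05.cfargotunnel.com. ; cf-proxied:true
ml110-01.d-bis.org.     300 IN CNAME ccd7150a-9881-4b8c-a105-9b4ead6e69a2.cfargotunnel.com. ; cf-proxied:true
sip.d-bis.org.          300 IN CNAME sip-provider.example.                                  ; cf-proxied:false
"""

# Constructed ingress list; real data: yaml.safe_load(open("/etc/cloudflared/config.yml"))["ingress"]
INGRESS = [
    {"hostname": "dbis-admin.d-bis.org", "service": "https://<internal-ip>:<port>"},
    {"hostname": "dbis-api.d-bis.org", "service": "https://<internal-ip>:<port>"},
    {"service": "http_status:404"},  # catch-all, must be last
]

SHARED_TUNNEL = "10ab22da-8ea3-4e2e-a896-27ece2211a05"

LINE = re.compile(
    r"^(?P<host>\S+)\s+(?P<ttl>\d+)\s+IN\s+CNAME\s+(?P<target>\S+)"
    r"(?:\s*;\s*cf-proxied:(?P<proxied>true|false))?"
)


def parse_zone(text):
    """Parse CNAME lines; blank lines and other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            proxied = None if m["proxied"] is None else m["proxied"] == "true"
            records.append(Record(m["host"].rstrip(".").lower(), int(m["ttl"]),
                                  m["target"].rstrip(".").lower(), proxied))
    return records


def tunnel_id(target):
    """Return the tunnel UUID for a <uuid>.cfargotunnel.com target, else None."""
    suffix = ".cfargotunnel.com"
    return target[:-len(suffix)] if target.endswith(suffix) else None


def hosts_by_tunnel(records):
    """Group hostnames by the tunnel they CNAME to (external targets are ignored)."""
    groups = defaultdict(list)
    for r in records:
        tid = tunnel_id(r.target)
        if tid:
            groups[tid].append(r.host)
    return dict(groups)


def find_issues(records, min_ttl=300):
    """The report's three checks: shared tunnel, low TTL, mixed proxy status."""
    issues = []
    for tid, hosts in hosts_by_tunnel(records).items():
        if len(hosts) > 1:
            issues.append(("shared-tunnel", f"{tid} serves {len(hosts)} hostnames"))
    for r in records:
        if r.ttl < min_ttl:
            issues.append(("low-ttl", f"{r.host} TTL={r.ttl}"))
    states = {r.proxied for r in records if r.proxied is not None}
    if len(states) > 1:
        unproxied = [r.host for r in records if r.proxied is False]
        issues.append(("mixed-proxy", "not proxied: " + ", ".join(unproxied)))
    return issues


def check_ingress(ingress, hostnames):
    """Compare an `ingress:` rule list with the hostnames that CNAME to the tunnel."""
    routed = {rule["hostname"].lower() for rule in ingress if "hostname" in rule}
    wanted = {h.lower() for h in hostnames}
    catch_alls = [i for i, rule in enumerate(ingress) if "hostname" not in rule]
    return {
        "missing": sorted(wanted - routed),    # DNS points at the tunnel, no rule: catch-all answers
        "unrouted": sorted(routed - wanted),   # rule exists, no DNS record: dead configuration
        "catch_all_last": catch_alls == [len(ingress) - 1],
    }


def analyse(zone_text=ZONE, ingress=INGRESS, tunnel=SHARED_TUNNEL):
    records = parse_zone(zone_text)
    coverage = check_ingress(ingress, hosts_by_tunnel(records).get(tunnel, []))
    return find_issues(records), coverage


if __name__ == "__main__":
    issues, coverage = analyse()
    for kind, detail in issues:
        print(f"[{kind}] {detail}")
    print("ingress coverage:", coverage)
```

On the constructed data the script reports one shared tunnel, three low TTLs, the unproxied `sip` record, and `rpc-ws-pub.d-bis.org` as missing from the ingress list. Two caveats when running it against real data: `cloudflared tunnel ingress validate` checks the same file for syntax and rule order on the host itself, and in Cloudflare's API and exports a TTL of `1` on a proxied (orange-cloud) record means "Auto", so the `low-ttl` findings should be read together with the proxy status before changing anything.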
### Priority 2: Increase TTL Values
Change TTL from 1 second to 300 seconds (5 minutes) for production stability:
```bash
# In Cloudflare Dashboard:
# DNS → Records → Edit each CNAME → Set TTL to 300 (or Auto)
```
### Priority 3: Consider Separate Tunnels
For better isolation and troubleshooting, consider:
- Separate tunnel for RPC endpoints
- Separate tunnel for API endpoints
- Separate tunnel for admin interface
**Benefits**:
- Better isolation
- Easier troubleshooting
- Independent scaling
- Reduced single point of failure
### Priority 4: Verify Tunnel Health
```bash
# Check all tunnel services
ssh root@192.168.11.12 "pct exec 102 -- systemctl status cloudflared-*"
# Check tunnel logs for errors
ssh root@192.168.11.12 "pct exec 102 -- journalctl -u cloudflared-* -n 100"
```
## Testing & Validation
### Test Each Hostname
```bash
# Test Proxmox tunnels
curl -I https://ml110-01.d-bis.org
curl -I https://r630-01.d-bis.org
curl -I https://r630-02.d-bis.org
# Test shared tunnel services
curl -I https://dbis-admin.d-bis.org
curl -I https://dbis-api.d-bis.org
curl -I https://rpc-http-pub.d-bis.org
curl -I https://rpc-ws-pub.d-bis.org
# Test explorer
curl -I https://explorer.d-bis.org
```
### Check DNS Resolution
```bash
# Verify DNS records
dig +short ml110-01.d-bis.org
dig +short dbis-api.d-bis.org
dig +short rpc-http-pub.d-bis.org
```
## Summary
✅ **Proxmox Tunnels**: Correctly configured, no conflicts
⚠️ **Shared Tunnel**: 9 hostnames on one tunnel - needs verification
⚠️ **TTL Values**: Too low (1 second) - should be increased
⚠️ **Proxy Status**: Mixed - consider standardizing
**Main Issue**: The shared tunnel (`10ab22da-8ea3-4e2e-a896-27ece2211a05`) must have proper ingress rules configured for all 9 hostnames, otherwise services will fail or route incorrectly.