DHCP & DNS
Every network in Stratum comes with a built-in DHCP server and an authoritative DNS zone. Both run inside the agent process — there are no external daemons to configure or keep in sync. Addresses are handed to a network's endpoints (an endpoint is an IP ↔ MAC profile). This page covers pool configuration, static leases, DHCP relay, and DNS zone management.
DHCP pools
When you create a network you give it an IPv4 CIDR, and the agent registers an IPAM pool for that subnet and activates a DHCP server scoped to the network's bridge segment. Leases are allocated from the IPAM pool and released back to it on expiry.
sudo cenvero-str-ctl network create \
--name db-net \
--cidr 10.30.0.0/24 \
--gateway 10.30.0.1
network create accepts --name, --cidr, and optionally --gateway, --vlan, and --tenant. (Only IPv4 CIDRs are supported.)
The DHCP server tells clients:
| Option | Value |
|---|---|
| Subnet mask | derived from --cidr |
| Default gateway | --gateway |
| DNS server | the agent's gateway IP (same as --gateway) |
| Lease time | the server's lease TTL |
| Domain search | <network-name>.internal |
Reservations (static leases)
Pin a specific IP to a MAC address so an endpoint always gets the same address:
sudo cenvero-str-ctl dhcp reserve \
--network db-net \
--mac 52:54:00:de:ad:01 \
--ip 10.30.0.10 \
--hostname db-primary
Reservations are reflected in DNS immediately — the hostname resolves to the reserved IP whether or not the endpoint is online.
Inspecting leases
cenvero-str-ctl dhcp leases --network db-net
MAC                IP           HOSTNAME     EXPIRES
52:54:00:de:ad:01  10.30.0.10   db-primary   (static)
52:54:00:ab:01:02  10.30.0.21   db-replica   2h 14m
To release a lease early (e.g. before re-provisioning a workload):
sudo cenvero-str-ctl dhcp release --network db-net --mac 52:54:00:ab:01:02
DHCP relay
When a network segment has no agent acting as its DHCP server (for example, a physical VLAN you are bridging into the fabric that is already served by an existing DHCP server), configure the agent as a relay. It forwards the clients' DHCP broadcasts (DISCOVER/REQUEST) as unicast to the upstream server, so relay_target must be reachable from the agent over a routed path:
networks:
  - name: legacy-vlan
    subnet: 192.168.10.0/24
    dhcp:
      relay: true
      relay_target: 192.168.1.50
Apply with cenvero-str-ctl config apply --file node.yaml. When relay: true, the built-in DHCP server is disabled for that network and requests are forwarded to relay_target instead.
Authoritative DNS
The agent runs a DNS server bound to the bridge addresses (the management and user bridge IPv4 addresses) rather than every interface, so the resolver is never exposed on an untrusted NIC. Every network gets its own internal zone:
| Zone | Example |
|---|---|
| <network-name>.internal | app-net.internal |
Endpoints receive an A record as soon as they get a DHCP lease:
web-01.app-net.internal → 10.20.0.50
db-primary.db-net.internal → 10.30.0.10
Adding manual DNS records
sudo cenvero-str-ctl dns add \
--network app-net \
--name api \
--type A \
--value 10.20.0.55
sudo cenvero-str-ctl dns add \
--network app-net \
--name services \
--type CNAME \
--value api.app-net.internal
List records for a zone:
cenvero-str-ctl dns list --network app-net
NAME       TYPE   VALUE                  TTL
web-01     A      10.20.0.50             300
api        A      10.20.0.55             300
services   CNAME  api.app-net.internal   300
Remove a record:
sudo cenvero-str-ctl dns delete --network app-net --name api --type A
Upstream forwarders
Queries for names outside the local zone are forwarded to configurable upstream resolvers. Set them in the network definition:
networks:
  - name: app-net
    dns:
      forwarders:
        - 1.1.1.1
        - 8.8.8.8
The agent tries forwarders in order and falls back to the next on timeout. If no forwarders are configured, external names do not resolve.
Not an open resolver. Recursion (forwarding a query upstream) is gated by a client ACL. When the ACL is unset it defaults to the loopback and private ranges (127.0.0.0/8, ::1/128, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, fc00::/7), so only clients whose source address falls inside those ranges have their queries forwarded; a query from outside the allowed set is refused rather than silently forwarded. Authoritative answers for local zones are always returned regardless of the ACL. Two caveats: the ACL matches on the source address of the query, which is trivial to spoof over UDP, so it is defence in depth behind the bridge-only bind described above rather than a substitute for it; and the default set covers all of RFC 1918, so every host on a bridged segment such as the legacy-vlan example is allowed to recurse unless you set the ACL explicitly.
Cross-network resolution
Endpoints on different networks can resolve each other's names only if the querying network's resolver is told where the other zone lives: a query for db-primary.db-net.internal sent to app-net's resolver is not local to app-net, and the public forwarders know nothing about .internal names. Delegate the other zone explicitly to that network's gateway address, which is where its agent's DNS server listens:
dns:
  forwarders:
    - 1.1.1.1
  delegates:
    - zone: db-net.internal
      target: 10.30.0.1
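The decision path described in the Authoritative DNS, Upstream forwarders, Not an open resolver and Cross-network resolution sections, as an added example that is not Stratum's own code. Local zones (including CNAME chasing and NXDOMAIN) are answered for any client regardless of the ACL; a query in a delegated zone is handed to the other network's gateway; anything else is forwarded only when the client's source address passes the ACL, trying forwarders in order and moving on when one times out. The Resolver class, the rcode strings, the constructed upstream stand-in and the 203.0.113.7 answer are assumptions made for illustration, as is treating delegated queries as ACL-gated in the same way as upstream forwarding (the page states the ACL only for upstream recursion).

```python
# Added example (not Stratum's own code): a model of the agent's DNS decision
# path. Names, rcodes and the fake upstream are illustrative; applying the ACL
# to delegated queries as well as upstream forwarding is an assumption.
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Default ACL from the page: loopback plus private ranges.
DEFAULT_ACL = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "fc00::/7")]

Record = Tuple[str, str]              # (type, value), e.g. ("A", "10.20.0.55")
Upstream = Callable[[str, str], str]  # upstream(forwarder, qname) -> IP, or raises TimeoutError


class Resolver:
    def __init__(self, zones: Dict[str, Dict[str, Record]],
                 forwarders: Optional[List[str]] = None,
                 delegates: Optional[Dict[str, str]] = None,
                 acl: Optional[list] = None):
        self.zones = {z.lower(): r for z, r in zones.items()}  # zone -> {label: record}
        self.forwarders = list(forwarders or [])               # tried in this order
        self.delegates = {z.lower(): t for z, t in (delegates or {}).items()}  # zone -> target agent
        self.acl = DEFAULT_ACL if acl is None else acl

    def _local_zone(self, qname: str) -> Optional[str]:
        for zone in self.zones:
            if qname == zone or qname.endswith("." + zone):
                return zone
        return None

    def client_allowed(self, client: str) -> bool:
        ip = ipaddress.ip_address(client)
        return any(ip in net for net in self.acl)

    def resolve(self, qname: str, client: str, upstream: Upstream,
                _depth: int = 0) -> Tuple[str, Optional[str]]:
        """Returns (rcode, answer) for a query from client's source address."""
        qname = qname.rstrip(".").lower()
        zone = self._local_zone(qname)
        if zone is not None:
            # Authoritative path: answered for any client, ACL or not.
            label = "@" if qname == zone else qname[: -len(zone) - 1]
            rec = self.zones[zone].get(label)
            if rec is None:
                return ("NOERROR", None) if label == "@" else ("NXDOMAIN", None)
            rtype, value = rec
            if rtype == "CNAME":
                if _depth >= 8:  # refuse to chase a CNAME loop forever
                    return "SERVFAIL", None
                return self.resolve(value, client, upstream, _depth + 1)
            return "NOERROR", value
        if not self.client_allowed(client):
            return "REFUSED", None        # never silently forwarded
        for dzone, target in self.delegates.items():
            if qname.endswith("." + dzone):
                return "DELEGATED", target  # sent to that network's agent on port 53
        for fwd in self.forwarders:       # in order, next one on timeout
            try:
                return "NOERROR", upstream(fwd, qname)
            except TimeoutError:
                continue
        return "SERVFAIL", None           # no forwarders, or all of them timed out


def make_upstream(dead: List[str], answers: Dict[str, str], calls: List[str]) -> Upstream:
    """Constructed stand-in for real forwarders: 'dead' ones time out, others answer from a table."""
    def upstream(forwarder: str, qname: str) -> str:
        calls.append(forwarder)
        if forwarder in dead:
            raise TimeoutError(forwarder)
        return answers[qname]
    return upstream


# app-net as on this page, delegating db-net.internal to db-net's gateway.
APP_NET = Resolver(
    zones={"app-net.internal": {
        "web-01": ("A", "10.20.0.50"),
        "api": ("A", "10.20.0.55"),
        "services": ("CNAME", "api.app-net.internal"),
    }},
    forwarders=["1.1.1.1", "8.8.8.8"],
    delegates={"db-net.internal": "10.30.0.1"},
)

if __name__ == "__main__":
    calls: List[str] = []
    up = make_upstream(dead=["1.1.1.1"], answers={"example.com": "203.0.113.7"}, calls=calls)
    for q, c in [("services.app-net.internal", "10.20.0.50"),
                 ("db-primary.db-net.internal", "10.20.0.50"),
                 ("example.com", "10.20.0.50"), ("example.com", "203.0.113.9")]:
        print(q, "from", c, "->", APP_NET.resolve(q, c, up))
    print("forwarders tried:", calls)
```

Running it shows the point of the ACL: the same external name is answered for 10.20.0.50 (after 1.1.1.1 times out and 8.8.8.8 answers) and refused for 203.0.113.9, while local names are answered for both.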
See also
- Networking Overview — how DHCP and DNS fit into the data plane.
- Zero-Trust Firewall — DNS traffic on port 53 must be explicitly allowed for cross-network queries.
- Configuration — encoding DHCP and DNS settings in node.yaml.