2026-02-24 - Wazuh DNS Resolution Fix

Preamble

Wazuh SIEM was deployed to the k3s cluster on 2026-02-23 using the official Wazuh Helm chart with MetalLB LoadBalancer services for external access. The deployment uses four separate VIPs to isolate different traffic types:

  • Dashboard (10.50.1.132) - Web UI for analysts and administrators

  • Indexer (10.50.1.131) - OpenSearch API for queries and integrations

  • Manager API (10.50.1.134) - REST API for agent management, rules, and status; also handles agent registration (1515/tcp) and syslog reception (514/udp+tcp)

  • Workers (10.50.1.133) - Agent event data collection (1514/tcp)

During the initial deployment, a DNS entry wazuh.inside.domusdigitalis.dev was created to provide a friendly URL for the Dashboard. However, the entry was configured with the Manager API VIP (10.50.1.134) instead of the Dashboard VIP (10.50.1.132).

This misconfiguration was discovered during validation testing on 2026-02-24, when attempts to access the Dashboard via the FQDN resulted in connection timeouts (the Manager API listens on port 55000, not 443).

Figure 1. Wazuh DNS Resolution - Before/After

Root Cause Analysis

Symptom

curl -kIs "https://wazuh.inside.domusdigitalis.dev" --connect-timeout 5
# Result: exit code 28 (connection timed out)

curl -kIs "https://10.50.1.132" --connect-timeout 5
# Result: HTTP/1.1 302 Found (working - Dashboard responds)

Investigation

host wazuh.inside.domusdigitalis.dev
# wazuh.inside.domusdigitalis.dev has address 10.50.1.134

DNS resolved to 10.50.1.134, which is the Manager API VIP, not the Dashboard VIP.

Evidence Collected (2026-02-24)

Current DNS State - Command
for svc in wazuh wazuh-indexer wazuh-api wazuh-workers; do
  host "${svc}.inside.domusdigitalis.dev"
done
Current DNS State - Output
wazuh.inside.domusdigitalis.dev has address 10.50.1.134      # WRONG
wazuh-indexer.inside.domusdigitalis.dev has address 10.50.1.131  # OK
wazuh-api.inside.domusdigitalis.dev has address 10.50.1.134      # OK
Host wazuh-workers.inside.domusdigitalis.dev not found: 3(NXDOMAIN)  # MISSING
Dashboard VIP Test (Direct) - Command
curl -kIs "https://10.50.1.132" --connect-timeout 5 | head -5
Dashboard VIP Test (Direct) - Output
HTTP/1.1 302 Found
location: /app/login?
osd-name: wazuh-dashboard-69dd56df9d-br88g
x-frame-options: sameorigin
cache-control: private, no-cache, no-store, must-revalidate
Dashboard FQDN Test (Fails) - Command
curl -kIs "https://wazuh.inside.domusdigitalis.dev" --connect-timeout 5
Dashboard FQDN Test (Fails) - Output
# Exit code: 28 (connection timed out - wrong VIP, port 443 not listening)

Root Cause

Human error during initial DNS entry creation.

When the Wazuh stack was deployed, the DNS entry was created using the Manager API VIP (10.50.1.134) instead of the Dashboard VIP (10.50.1.132). This likely occurred because:

  1. The Manager API is the "primary" Wazuh component in documentation

  2. The VIP assignments were not clearly documented at DNS creation time

  3. No validation step was performed after DNS entry creation

Contributing Factors

Factor                      | Description
Similar VIP range           | All Wazuh VIPs are in the 10.50.1.130-134 range, easy to transpose
Service confusion           | "Wazuh" can mean Dashboard, Manager, or the overall stack
Missing FQDN attributes     | antora.yml had VIP attributes but no FQDN attributes, forcing manual recall
No DNS validation checklist | DNS entries not verified against service ports after creation

Corrective Actions

Action                     | Description                                    | Status
Fix DNS entry              | Change wazuh → 10.50.1.132                     | This change
Add service-specific FQDNs | wazuh-indexer, wazuh-api, wazuh-workers        | This change
Add FQDN attributes        | Document FQDNs in antora.yml                   | This change
Add DNS validation step    | Future: verify curl response after DNS changes | Process improvement

Summary

Fix DNS resolution for wazuh.inside.domusdigitalis.dev pointing to wrong VIP (Manager API instead of Dashboard). Add complete FQDN attributes to antora.yml and service-specific DNS entries for all Wazuh services.

Problem

Dashboard URL wazuh.inside.domusdigitalis.dev was not working:

# Current (WRONG)
host wazuh.inside.domusdigitalis.dev
# → 10.50.1.134 (Manager API port 55000)

# Should be
# → 10.50.1.132 (Dashboard port 443)

Table 1. Wazuh MetalLB VIP Assignments
Service     | VIP         | Port
Dashboard   | 10.50.1.132 | 443
Indexer     | 10.50.1.131 | 9200
Manager API | 10.50.1.134 | 55000, 1515, 514
Workers     | 10.50.1.133 | 1514

Changes

DNS Architecture

Workstation → pfSense (10.50.1.1) → bind-01 (10.50.1.90)
                 ↓                        ↓
         Conditional Forwarder    Authoritative for
         for inside.domus...      inside.domusdigitalis.dev

pfSense forwards inside.domusdigitalis.dev queries to bind-01. However, pfSense host overrides take precedence over forwarded responses, causing the conflict.

DNS Records - pfSense Host Overrides

FQDN                                    | Current Override | Correct Value | Action
wazuh.inside.domusdigitalis.dev         | 10.50.1.134      | 10.50.1.132   | DELETE override (let bind-01 answer)
wazuh-indexer.inside.domusdigitalis.dev | 10.50.1.131      | 10.50.1.131   | DELETE (redundant, bind-01 has it)
wazuh-api.inside.domusdigitalis.dev     | 10.50.1.134      | 10.50.1.134   | DELETE (redundant, bind-01 has it)
wazuh-workers.inside.domusdigitalis.dev | NXDOMAIN         | 10.50.1.133   | NO ACTION (add to bind-01 instead)

DNS Records - bind-01 Authoritative Zone

Table 2. Forward Zone: /var/named/inside.domusdigitalis.dev.zone
Hostname      | Current Value | Correct Value | Action
wazuh         | 10.50.1.132   | 10.50.1.132   | NO CHANGE (already correct)
wazuh-indexer | 10.50.1.131   | 10.50.1.131   | NO CHANGE (already correct)
wazuh-api     | 10.50.1.134   | 10.50.1.134   | NO CHANGE (already correct)
wazuh-workers | MISSING       | 10.50.1.133   | ADD

Table 3. Reverse Zone: /var/named/10.50.1.rev
IP (last octet) | Current PTR                              | Correct PTR                              | Action
131             | wazuh-indexer.inside.domusdigitalis.dev. | wazuh-indexer.inside.domusdigitalis.dev. | NO CHANGE
132             | wazuh.inside.domusdigitalis.dev.         | wazuh.inside.domusdigitalis.dev.         | NO CHANGE
133             | MISSING                                  | wazuh-workers.inside.domusdigitalis.dev. | ADD
134             | wazuh-api.inside.domusdigitalis.dev.     | wazuh-api.inside.domusdigitalis.dev.     | NO CHANGE

antora.yml Attributes

Attribute            | Value
wazuh-dashboard-fqdn | wazuh.inside.domusdigitalis.dev
wazuh-indexer-fqdn   | wazuh-indexer.inside.domusdigitalis.dev
wazuh-api-fqdn       | wazuh-api.inside.domusdigitalis.dev
wazuh-workers-fqdn   | wazuh-workers.inside.domusdigitalis.dev

Commands

Prerequisites

# Load network credentials
dsource d000 dev/network

Step 1: Remove Conflicting pfSense Overrides

dsource d000 dev/network
# List overrides to find IDs
netapi pfsense dns list | grep -E "10\.50\.1\.13[0-9]"
Expected output
│ 4  │ alertmanager           │ inside.domusdigitalis.dev │ 10.50.1.130   │ AlertManager (MetalLB)           │
│ 7  │ grafana                │ inside.domusdigitalis.dev │ 10.50.1.130   │ Grafana (MetalLB)                │
│ 37 │ prometheus             │ inside.domusdigitalis.dev │ 10.50.1.130   │ Prometheus (MetalLB)             │
│ 42 │ wazuh                  │ inside.domusdigitalis.dev │ 10.50.1.134   │ Wazuh Manager                    │
# Delete wazuh override (ID 42 - wrong IP 10.50.1.134, conflicts with bind-01)
netapi pfsense dns delete --id 42

Deleting DNS override 42... OK
Applying DNS changes... OK

Step 2: Add wazuh-workers to bind-01 Forward Zone

# Backup zone file
ssh bind-01 "sudo cp /var/named/inside.domusdigitalis.dev.zone /var/named/inside.domusdigitalis.dev.zone.bak-$(date +%Y%m%d)"
# VERIFY BEFORE: Show wazuh entries and line numbers
ssh bind-01 "sudo awk '/wazuh/ {print NR\": \"\$0}' /var/named/inside.domusdigitalis.dev.zone"
# Enhanced version
ssh bind-01 "sudo awk '/wazuh/ {print NR\": \"\$0}' /var/named/inside.domusdigitalis.dev.zone" | wl-copy
Output 2026-02-24 22:30
20: wazuh-indexer   IN  A       10.50.1.131
21: wazuh           IN  A       10.50.1.132
22: wazuh-api       IN  A       10.50.1.134
# Add wazuh-workers A record (after wazuh-api line)
ssh bind-01 "sudo sed -i '/^wazuh-api/a wazuh-workers   IN  A       10.50.1.133' /var/named/inside.domusdigitalis.dev.zone"
# VERIFY AFTER: Confirm wazuh-workers added
ssh bind-01 "sudo awk '/wazuh/ {print NR\": \"\$0}' /var/named/inside.domusdigitalis.dev.zone"
Output 2026-02-24 22:34
20: wazuh-indexer   IN  A       10.50.1.131
21: wazuh           IN  A       10.50.1.132
22: wazuh-api       IN  A       10.50.1.134
23: wazuh-workers   IN  A       10.50.1.133
# Increment SOA serial (YYYYMMDDNN format) - VERIFY BEFORE
ssh bind-01 "sudo awk '/serial/ {print NR\": \"\$0}' /var/named/inside.domusdigitalis.dev.zone"
# Updated command
ssh bind-01 "sudo awk 'NR<=15 {print NR\": \"\$0}' /var/named/inside.domusdigitalis.dev.zone"
Output (SOA before)
1: $TTL 86400
2: @   IN  SOA     bind-01.inside.domusdigitalis.dev. admin.inside.domusdigitalis.dev. (
3:                 2026022002  ; Serial (2026022302)
4:                 3600        ; Refresh
5:                 1800        ; Retry
6:                 604800      ; Expire
7:                 86400 )     ; Minimum TTL
8:
9: ; Name servers
10: @               IN  NS      bind-01.inside.domusdigitalis.dev.
11:
12: ; Gateway (.1)
13: pfsense-01      IN  A       10.50.1.1
14:
15: ; Network Devices (.10-19)
# Update SOA serial - line-specific (line 3 contains serial)
ssh bind-01 "sudo sed -i '3s/[0-9]\{10\}/2026022401/' /var/named/inside.domusdigitalis.dev.zone"
# VERIFY AFTER: Confirm SOA serial updated (line 3)
ssh bind-01 "sudo awk 'NR==3 {print NR\": \"\$0}' /var/named/inside.domusdigitalis.dev.zone"
Output (SOA after) 2026-02-24 22:40
3:                 2026022401  ; Serial (2026022302)

Step 3: Add wazuh-workers to bind-01 Reverse Zone

# Backup reverse zone
ssh bind-01 "sudo cp /var/named/10.50.1.rev /var/named/10.50.1.rev.bak-$(date +%Y%m%d)"
# VERIFY BEFORE: Show existing PTR records for 13x range
ssh bind-01 "sudo awk '/^13[0-9]/ {print NR\": \"\$0}' /var/named/10.50.1.rev"
Output (before) 2026-02-24 22:41
67: 131     IN  PTR     wazuh-indexer.inside.domusdigitalis.dev.
68: 132     IN  PTR     wazuh.inside.domusdigitalis.dev.
69: 134     IN  PTR     wazuh-api.inside.domusdigitalis.dev.
# Add PTR record for 133 (after 134 line)
ssh bind-01 "sudo sed -i '/^134/a 133     IN  PTR     wazuh-workers.inside.domusdigitalis.dev.' /var/named/10.50.1.rev"
# VERIFY AFTER: Confirm 133 PTR added
ssh bind-01 "sudo awk '/^13[0-9]/ {print NR\": \"\$0}' /var/named/10.50.1.rev"
Output (after)
67: 131     IN  PTR     wazuh-indexer.inside.domusdigitalis.dev.
68: 132     IN  PTR     wazuh.inside.domusdigitalis.dev.
69: 134     IN  PTR     wazuh-api.inside.domusdigitalis.dev.
70: 133     IN  PTR     wazuh-workers.inside.domusdigitalis.dev.
# VERIFY SOA BEFORE - show first 7 lines to find serial
ssh bind-01 "sudo awk 'NR<=7 {print NR\": \"\$0}' /var/named/10.50.1.rev"
Output (SOA before) 2026-02-24 22:46
2: @   IN  SOA     bind-01.inside.domusdigitalis.dev. admin.inside.domusdigitalis.dev. (
3:                 2026022301  ; Serial
4:                 3600        ; Refresh
5:                 1800        ; Retry
6:                 604800      ; Expire
7:                 86400 )     ; Minimum TTL
# Update SOA serial - line-specific (adjust line number if different)
ssh bind-01 "sudo sed -i '3s/[0-9]\{10\}/2026022401/' /var/named/10.50.1.rev"
# VERIFY SOA AFTER
ssh bind-01 "sudo awk 'NR==3 {print NR\": \"\$0}' /var/named/10.50.1.rev"
Output (SOA after)
3:                 2026022401  ; Serial
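Both serial bumps above (Step 2 and Step 3) rewrite whichever 10-digit number sits on line 3, which only works while the SOA keeps that exact layout. The script below is an added example, not part of the changelog, that finds the serial by its "; Serial" comment and computes the next value under the YYYYMMDDNN convention these zone files use; the function names next_serial, current_serial and bump_soa_serial are its own, and it assumes GNU sed (for -i -E) on the BIND host.

```shell
#!/usr/bin/env sh
# Added example (not from the changelog): bump a BIND zone's SOA serial by
# locating the "; Serial" comment rather than assuming the serial is on
# line 3. Serial convention: YYYYMMDDNN, as in the zone files above.
# Assumes GNU sed (-i -E) and a POSIX awk.
set -eu

# next_serial CURRENT TODAY -> prints the next serial. Same day: NN+1.
# Later day: TODAY01. If CURRENT is already dated after TODAY (clock skew or
# a manual bump), keep its date and increment so secondaries still see growth.
next_serial() {
  local cur=$1 today=$2 cur_date cur_seq
  cur_date=$(printf '%s' "$cur" | cut -c1-8)
  cur_seq=$(printf '%s' "$cur" | cut -c9-10 | sed 's/^0//')   # "01" -> 1, avoids octal
  if [ "$cur_date" -ge "$today" ]; then
    if [ "$cur_seq" -ge 99 ]; then
      echo "serial sequence exhausted for $cur_date" >&2
      return 1
    fi
    printf '%s%02d\n' "$cur_date" "$((cur_seq + 1))"
  else
    printf '%s01\n' "$today"
  fi
}

# current_serial ZONEFILE -> the bare 10-digit number on the "; Serial" line.
# A parenthesised note such as "(2026022302)" after the comment is ignored.
current_serial() {
  awk '/;[[:space:]]*Serial/ {
         for (i = 1; i <= NF; i++)
           if (length($i) == 10 && $i ~ /^[0-9]+$/) { print $i; exit }
       }' "$1"
}

# bump_soa_serial ZONEFILE [TODAY] -> rewrites the serial in place and prints
# the new value. Only the "; Serial" line is touched, so Refresh/Expire/TTL
# values elsewhere in the SOA can never be mistaken for the serial.
bump_soa_serial() {
  local zone=$1 today=${2:-$(date +%Y%m%d)} cur new
  cur=$(current_serial "$zone")
  if [ -z "$cur" ]; then
    echo "no 10-digit serial on a '; Serial' line in $zone" >&2
    return 1
  fi
  new=$(next_serial "$cur" "$today")
  sed -i -E "/;[[:space:]]*Serial/ s/(^|[^0-9])${cur}([^0-9]|\$)/\\1${new}\\2/" "$zone"
  printf '%s\n' "$new"
}

# Usage on the BIND host, after adding the wazuh-workers records:
#   bump_soa_serial /var/named/inside.domusdigitalis.dev.zone
#   named-checkzone inside.domusdigitalis.dev /var/named/inside.domusdigitalis.dev.zone && rndc reload
```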

Step 4: Reload bind-01 Zones

# Check zone syntax before reload
ssh bind-01 "sudo named-checkzone inside.domusdigitalis.dev /var/named/inside.domusdigitalis.dev.zone"
Expected Output
zone inside.domusdigitalis.dev/IN: loaded serial 2026022401
OK
# Check reverse zone syntax
ssh bind-01 "sudo named-checkzone 1.50.10.in-addr.arpa /var/named/10.50.1.rev"
# Reload zones (no restart needed)
ssh bind-01 "sudo rndc reload"
Expected Output
server reload successful

Step 5: Verify DNS Resolution

Option A: Using host (simple)

for svc in wazuh wazuh-indexer wazuh-api wazuh-workers; do
  result=$(host "${svc}.inside.domusdigitalis.dev" 2>&1)
  echo "${svc}: ${result}"
done
Expected Output
wazuh: wazuh.inside.domusdigitalis.dev has address 10.50.1.132
wazuh-indexer: wazuh-indexer.inside.domusdigitalis.dev has address 10.50.1.131
wazuh-api: wazuh-api.inside.domusdigitalis.dev has address 10.50.1.134
wazuh-workers: wazuh-workers.inside.domusdigitalis.dev has address 10.50.1.133

Option B: Using dig +short (clean)

for svc in wazuh wazuh-indexer wazuh-api wazuh-workers; do
  ip=$(dig +short "${svc}.inside.domusdigitalis.dev")
  [ -z "$ip" ] && ip="NXDOMAIN"
  printf "%-25s → %s\n" "$svc" "$ip"
done
Expected Output
wazuh                     → 10.50.1.132
wazuh-indexer             → 10.50.1.131
wazuh-api                 → 10.50.1.134
wazuh-workers             → 10.50.1.133

Option C: Using dig with specific DNS server

# Query pfSense directly (bypass cache)
for svc in wazuh wazuh-indexer wazuh-api wazuh-workers; do
  ip=$(dig +short @10.50.1.1 "${svc}.inside.domusdigitalis.dev")
  [ -z "$ip" ] && ip="NXDOMAIN"
  printf "%-25s → %s\n" "$svc" "$ip"
done

Option D: Full DNS audit with TTL and server

# Detailed view: IP, TTL, which server answered
for svc in wazuh wazuh-indexer wazuh-api wazuh-workers; do
  echo "=== ${svc} ==="
  dig +noall +answer +authority "${svc}.inside.domusdigitalis.dev"
done
Example Output
=== wazuh ===
wazuh.inside.domusdigitalis.dev. 3600 IN A 10.50.1.132

Step 6: Verify Service Connectivity

# Dashboard (HTTPS 443) - should return 302
curl -kIs "https://wazuh.inside.domusdigitalis.dev" --connect-timeout 5 | awk 'NR<=3'
Expected Output
HTTP/1.1 302 Found
location: /app/login?
# Indexer (HTTPS 9200) - should return 200
curl -kIs "https://wazuh-indexer.inside.domusdigitalis.dev:9200" --connect-timeout 5 | awk 'NR==1'
Expected Output
HTTP/1.1 200 OK
# Manager API (HTTPS 55000) - should return 401 (auth required)
curl -kIs "https://wazuh-api.inside.domusdigitalis.dev:55000" --connect-timeout 5 | awk 'NR==1'
Expected Output
HTTP/1.1 401 Unauthorized
# Workers (TCP 1514) - should connect
nc -zv wazuh-workers.inside.domusdigitalis.dev 1514 2>&1 | grep -E "succeeded|Connected"
Expected Output
Connection to wazuh-workers.inside.domusdigitalis.dev (10.50.1.133) 1514 port [tcp/fujitsu-dtcns] succeeded!

Step 7: Full Validation Matrix

# One-shot validation of all services
echo "=== Wazuh Service Validation ==="
echo ""
echo "DNS Resolution:"
for svc in wazuh wazuh-indexer wazuh-api wazuh-workers; do
  ip=$(host "${svc}.inside.domusdigitalis.dev" 2>/dev/null | awk '/has address/{print $NF}')
  [ -z "$ip" ] && ip="NXDOMAIN"
  printf "  %-20s → %s\n" "$svc" "$ip"
done
echo ""
echo "Service Connectivity:"
printf "  %-20s → %s\n" "Dashboard (443)" "$(curl -kIs https://wazuh.inside.domusdigitalis.dev --connect-timeout 3 2>/dev/null | awk 'NR==1{print $2}')"
printf "  %-20s → %s\n" "Indexer (9200)" "$(curl -kIs https://wazuh-indexer.inside.domusdigitalis.dev:9200 --connect-timeout 3 2>/dev/null | awk 'NR==1{print $2}')"
printf "  %-20s → %s\n" "API (55000)" "$(curl -kIs https://wazuh-api.inside.domusdigitalis.dev:55000 --connect-timeout 3 2>/dev/null | awk 'NR==1{print $2}')"
printf "  %-20s → %s\n" "Workers (1514)" "$(nc -zv wazuh-workers.inside.domusdigitalis.dev 1514 2>&1 | grep -q succeeded && echo "OK" || echo "FAIL")"
Expected Output
=== Wazuh Service Validation ===

DNS Resolution:
  wazuh                → 10.50.1.132
  wazuh-indexer        → 10.50.1.131
  wazuh-api            → 10.50.1.134
  wazuh-workers        → 10.50.1.133

Service Connectivity:
  Dashboard (443)      → 302
  Indexer (9200)       → 200
  API (55000)          → 401
  Workers (1514)       → OK
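The matrix above prints what each name resolves to but never compares it with the VIP the name is supposed to carry, which is exactly how the original misconfiguration went unnoticed. The script below is an added example, not part of the changelog, implementing the "DNS validation step" from the Corrective Actions table: its expected table is constructed from Table 1, the function names check_entry, run_matrix, resolve_a and port_open are its own, and it assumes dig and nc are installed on the workstation.

```shell
#!/usr/bin/env sh
# Added example (not from the changelog): the DNS validation step listed under
# Corrective Actions, as a check that compares each name with the VIP and port
# it is supposed to serve and exits non-zero on any mismatch.
# Expected values are constructed from Table 1; dig and nc must be installed.
set -eu

ZONE=inside.domusdigitalis.dev

# name            expected VIP  TCP port that must answer on that VIP
EXPECTED='
wazuh           10.50.1.132   443
wazuh-indexer   10.50.1.131   9200
wazuh-api       10.50.1.134   55000
wazuh-workers   10.50.1.133   1514
'

# resolve_a FQDN -> first A record, or empty on NXDOMAIN / no answer
resolve_a() {
  dig +short "$1" A | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# port_open IP PORT -> 0 when a TCP connect succeeds within 3 seconds
port_open() {
  nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# check_entry NAME EXPECTED_IP PORT -> one status line; returns 0 only when
# the A record equals the expected VIP AND that VIP accepts TCP on PORT.
check_entry() {
  local name=$1 want=$2 port=$3 fqdn got
  fqdn="$name.$ZONE"
  got=$(resolve_a "$fqdn")
  if [ -z "$got" ]; then
    printf '%-15s FAIL  NXDOMAIN (expected %s)\n' "$name" "$want"
    return 1
  elif [ "$got" != "$want" ]; then
    # The fault this changelog fixes: the name resolves, but to another
    # service's VIP, so a plain "does it resolve" check would have passed.
    printf '%-15s FAIL  resolves to %s, expected %s\n' "$name" "$got" "$want"
    return 1
  elif ! port_open "$got" "$port"; then
    printf '%-15s FAIL  %s:%s not accepting TCP\n' "$name" "$got" "$port"
    return 1
  fi
  printf '%-15s OK    %s:%s\n' "$name" "$got" "$port"
}

# run_matrix -> checks every row of EXPECTED; return code = number of failures
run_matrix() {
  local fails=0 name want port
  while read -r name want port; do
    [ -n "$name" ] || continue                     # skip blank table lines
    check_entry "$name" "$want" "$port" || fails=$((fails + 1))
  done <<EOF
$EXPECTED
EOF
  return "$fails"
}

# Run the matrix only when invoked as "sh wazuh-dns-check.sh run", so the
# functions can also be sourced and reused from other checks.
case "${1:-}" in
  run) run_matrix ;;
esac
```

With set -e in effect, a non-zero return from run_matrix ends the script with that failure count as its exit status, so it can gate a change pipeline.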

Step 8: Update antora.yml

Add FQDN attributes to docs/asciidoc/antora.yml after existing VIP attributes:

  # Wazuh FQDNs
  wazuh-dashboard-fqdn: wazuh.inside.domusdigitalis.dev
  wazuh-indexer-fqdn: wazuh-indexer.inside.domusdigitalis.dev
  wazuh-api-fqdn: wazuh-api.inside.domusdigitalis.dev
  wazuh-workers-fqdn: wazuh-workers.inside.domusdigitalis.dev

Backout Plan

If something goes wrong, restore the original configuration.

Rollback bind-01 Forward Zone

# Restore from backup
ssh bind-01 "sudo cp /var/named/inside.domusdigitalis.dev.zone.bak-$(date +%Y%m%d) /var/named/inside.domusdigitalis.dev.zone"
# Or manually remove wazuh-workers line
ssh bind-01 "sudo sed -i '/^wazuh-workers/d' /var/named/inside.domusdigitalis.dev.zone"
# Reload
ssh bind-01 "sudo rndc reload"

Rollback bind-01 Reverse Zone

# Restore from backup
ssh bind-01 "sudo cp /var/named/10.50.1.rev.bak-$(date +%Y%m%d) /var/named/10.50.1.rev"
# Or manually remove PTR for 133
ssh bind-01 "sudo sed -i '/^133.*wazuh-workers/d' /var/named/10.50.1.rev"
# Reload
ssh bind-01 "sudo rndc reload"

Restore pfSense Overrides (if needed for emergency)

Only if bind-01 is unreachable and you need DNS working:

# Restore overrides as workaround
netapi pfsense dns add -h wazuh -d inside.domusdigitalis.dev -i 10.50.1.132 --descr "Wazuh Dashboard (emergency override)"
netapi pfsense dns add -h wazuh-indexer -d inside.domusdigitalis.dev -i 10.50.1.131 --descr "Wazuh Indexer (emergency override)"
netapi pfsense dns add -h wazuh-api -d inside.domusdigitalis.dev -i 10.50.1.134 --descr "Wazuh API (emergency override)"
netapi pfsense dns add -h wazuh-workers -d inside.domusdigitalis.dev -i 10.50.1.133 --descr "Wazuh Workers (emergency override)"

antora.yml Rollback

git checkout docs/asciidoc/antora.yml

Verify Rollback

for svc in wazuh wazuh-indexer wazuh-api wazuh-workers; do
  ip=$(dig +short "${svc}.inside.domusdigitalis.dev")
  [ -z "$ip" ] && ip="NXDOMAIN"
  printf "%-25s → %s\n" "$svc" "$ip"
done

Files Modified

File                                              | Type    | Description
images/diagrams/wazuh-dns-fix.d2                  | Added   | D2 source diagram showing before/after DNS resolution
images/diagrams/wazuh-dns-fix.svg                 | Added   | Compiled SVG diagram
antora.yml                                        | Changed | Add FQDN attributes for Wazuh services
changelog/2026-02-24-wazuh-dns-fix.adoc           | Added   | This changelog entry
pfSense DNS overrides                             | Deleted | Remove wazuh, wazuh-indexer, wazuh-api (let bind-01 answer)
bind-01:/var/named/inside.domusdigitalis.dev.zone | Changed | Add wazuh-workers A record
bind-01:/var/named/10.50.1.rev                    | Changed | Add 133 PTR record for wazuh-workers

Execution Status

Step                             | Status  | Notes
Changelog created                | DONE    | Awaiting approval
D2 diagram created               | DONE    | wazuh-dns-fix.d2/svg
Evidence collected               | DONE    | DNS state and curl tests documented
Git commit (changelog + diagram) | PENDING | Not executed - awaiting approval
DNS fix (wazuh → 10.50.1.132)    | PENDING | Delete wrong entry, add correct
DNS add (wazuh-indexer)          | SKIP    | Already exists and correct (10.50.1.131)
DNS add (wazuh-api)              | SKIP    | Already exists and correct (10.50.1.134)
DNS add (wazuh-workers)          | PENDING | Currently NXDOMAIN, needs to be added
DNS verification (Step 3-5)      | PENDING | Run validation matrix after changes
antora.yml FQDN attributes       | PENDING | Not executed
Final git commit                 | PENDING | Not executed

Appendix A: awk & sed Syntax Reference

Commands used in this changelog, broken down.

awk Patterns

Pattern            | Meaning                            | Example
NR                 | Number of Record (line number)     | NR==3 = line 3 only
NR<=7              | Lines 1 through 7                  | Show first 7 lines
NR>=10 && NR<=20   | Lines 10-20 inclusive              | Range selection
/pattern/          | Lines matching regex               | /wazuh/ = lines containing "wazuh"
/^wazuh/           | Lines starting with "wazuh"        | ^ = start of line anchor
/^13[0-9]/         | Lines starting with 130-139        | [0-9] = character class (any digit)
{print}            | Action: print the line             | Default action
{print NR": "$0}   | Print line number + line content   | $0 = entire line
$1, $2, $3         | Field 1, 2, 3 (space-delimited)    | {print $1} = first word
-F':'              | Set field separator to :           | For /etc/passwd parsing

sed Patterns

Pattern             | Meaning                                                   | Example
-i                  | In-place edit (modify file directly)                      | sed -i 's/old/new/' file
-n                  | Suppress auto-print (use with p)                          | sed -n '3p' file = print line 3 only
s/old/new/          | Substitute first match                                    | s/foo/bar/
s/old/new/g         | Substitute globally (all matches)                         | s/foo/bar/g
3s/old/new/         | Substitute only on line 3                                 | Line-specific replacement
/pattern/s/old/new/ | Substitute on lines matching pattern                      | /^wazuh/s/api/API/
/pattern/a text     | Append text after matching line                           | /^wazuh-api/a new-line
/pattern/i text     | Insert text before matching line                          | /^wazuh-api/i new-line
/pattern/d          | Delete matching lines                                     | /^#/d = delete comments
[0-9]\{10\}         | Match exactly 10 digits (braces escaped in basic regex)   | SOA serial pattern
\(...\)             | Capture group (escaped parens)                            | For backreferences \1

Combining awk + ssh

# Pattern: ssh + quoted awk command
ssh host "sudo awk '/pattern/ {print NR\": \"\$0}' /path/to/file"

Escaping rules inside double quotes:

  • \" = literal quote inside the awk command

  • \$0 = literal $0 (not shell variable)

  • \\ = literal backslash

dig Output Explained

wazuh.inside.domusdigitalis.dev. 86368 IN A    10.50.1.132
│                                │     │  │    └── IP address (answer)
│                                │     │  └────── Record type (A = IPv4)
│                                │     └───────── Class (IN = Internet)
│                                └─────────────── TTL in seconds (86368 ≈ 24h)
└──────────────────────────────────────────────── FQDN (trailing dot = absolute)
Field  | Meaning                       | Common Values
FQDN   | Fully Qualified Domain Name   | Trailing . = absolute (not relative to search domain)
TTL    | Time To Live (cache duration) | 86400 = 24h, 3600 = 1h, 300 = 5min
IN     | DNS Class                     | IN = Internet (99.9% of queries)
A      | Record Type                   | A = IPv4, AAAA = IPv6, PTR = reverse, CNAME = alias
Answer | The resolved value            | IP for A, FQDN for PTR/CNAME

dig Flags

Flag                      | Purpose
+short                    | IP only, no metadata
+noall +answer            | Suppress everything except answer section
+noall +answer +authority | Include authoritative NS info
+trace                    | Show full resolution path (root → TLD → authoritative)
@server                   | Query specific DNS server (e.g., @10.50.1.90)

Quick Reference Card

# Show line 3
awk 'NR==3' file

# Show lines 1-10
awk 'NR<=10' file

# Show lines containing "wazuh"
awk '/wazuh/' file

# Show lines with line numbers
awk '{print NR": "$0}' file

# Replace on line 3 only
sed -i '3s/old/new/' file

# Add line after match
sed -i '/pattern/a new line' file

# Delete lines matching pattern
sed -i '/pattern/d' file

Author

  • evanusmodestus

  • Date: 2026-02-24