DNS & domains
How saxobroko.com names find their way to Cloudflare, tunnels, and Pages. Use this when a hostname fails but you are unsure whether the problem is DNS, the tunnel, or the app itself.
DNS-001: Every saxobroko.com address fails with server not found
Symptoms: Browser says the server cannot be found for stream, docs, or even saxobroko.com — before any login page.
Likely cause: Domain DNS at Cloudflare is broken, expired, or your device is using a DNS resolver that cannot reach Cloudflare.
Fix:
1. Test on mobile data and home Wi‑Fi — if both fail globally, suspect Cloudflare or domain expiry.
2. Try https://1.1.1.1 to confirm basic internet works.
3. Check domain registration is current — see Renew domain.
4. If only homelab subdomains fail, continue to DNS-015.
Still broken? See What is DNS or Cloudflare.
DNS-002: One subdomain works but another does not (e.g. docs OK, stream fails)
Symptoms: docs.saxobroko.com loads; stream.saxobroko.com shows DNS or connection error.
Likely cause: Missing or wrong DNS record for that subdomain — docs uses Pages, stream uses tunnel CNAME.
Fix:
1. Note which URL fails — compare Network URL list.
2. If LAN IP works (192.168.2.203) but public URL fails, likely tunnel/DNS for that host only.
3. See Cloudflare tunnel (TUN-010) for single-host failures.
4. Do not delete working DNS records while fixing one subdomain.
Still broken? See DNS-015.
DNS-003: What is saxobroko.com in simple terms?
Symptoms: Confusion about what a "domain" is vs Wi‑Fi or the NAS.
Likely cause: saxobroko.com is the name registered on the internet; Cloudflare hosts its address book (DNS).
Fix:
1. Think of DNS as a phone book: stream.saxobroko.com → Cloudflare → tunnel → TrueNAS.
2. LAN IPs like 192.168.2.203 are separate — home-only unless tunneled.
3. Read What is a subdomain.
4. Passwords for Cloudflare login are in Vaultwarden — not in FAQ text.
Still broken? See Glossary.
DNS-004: I changed DNS hours ago — why is my phone still broken?
Symptoms: Saxon fixed DNS in Cloudflare; your device still resolves the old address or fails.
Likely cause: DNS propagation — caches on phones, ISPs, and routers keep old answers for minutes to hours (TTL).
Fix:
1. Wait up to one hour for most changes; in rare cases some caches hold old answers for up to 24 hours.
2. Toggle aeroplane mode on the phone or restart the device to flush local cache.
3. Restart the Dream Machine if the whole house sees stale DNS.
4. Test with mobile data vs Wi‑Fi to compare caches.
Still broken? See DNS-010.
DNS-005: What is a CNAME and why do tunnel subdomains use it?
Symptoms: Cloudflare DNS shows CNAME to something like uuid.cfargotunnel.com instead of an IP address.
Likely cause: Tunnel hostnames point at Cloudflare's tunnel edge — CNAME is correct for CGNAT setups.
Fix:
1. Do not replace tunnel CNAMEs with A records to 192.168.2.203 — that cannot work from the internet.
2. Homelab public URLs should CNAME to the tunnel unless documented otherwise.
3. Pages sites (docs) use different Cloudflare targets — see DNS-012.
4. Read cloudflared.
Still broken? See Cloudflare tunnel (TUN-020).
DNS-006: Legacy local.saxobroko.com still appears in old notes
Symptoms: Old docs mention local.saxobroko.com pointing at home public IP; it does not work now.
Likely cause: Legacy pattern before tunnels — useless behind CGNAT where there is no stable public IP.
Fix:
1. Ignore local.saxobroko.com for new fixes — use tunnel CNAMEs instead.
2. If a subdomain still CNAMEs to local.saxobroko.com, it needs migration to tunnel DNS.
3. See Network.
4. Do not add new records pointing at local.saxobroko.com.
Still broken? See Cloudflare tunnel (TUN-025).
DNS-007: docs.saxobroko.com DNS looks different from stream.saxobroko.com
Symptoms: In Cloudflare DNS, docs points to Pages; stream points to tunnel — intentional?
Likely cause: Yes — SaxDocs is static on Cloudflare Pages; Jellyfin is on TrueNAS via cloudflared.
Fix:
1. Do not make docs and stream DNS records match — different hosting.
2. Pages records often show Cloudflare Pages target or CNAME to *.pages.dev.
3. Stream should CNAME to *.cfargotunnel.com.
4. See Network.
Still broken? See Cloudflare edge (CFL-030).
DNS-008: auth.saxobroko.com must stay reachable for login
Symptoms: Authentik login fails; OIDC errors mention auth.saxobroko.com unreachable.
Likely cause: Authentik DNS or tunnel for auth is broken — breaks SSO and Cloudflare Access handshakes.
Fix:
1. Test https://auth.saxobroko.com from Australia in incognito.
2. Confirm tunnel hostname for auth in Zero Trust → Tunnels.
3. Confirm auth is excluded from aggressive geo blocks — see WAF rules.
4. Restart cloudflared if auth fails with other tunnel sites.
Still broken? See Authentik.
DNS-009: vault.saxobroko.com does not resolve
Symptoms: Password manager apps cannot sync; browser says host not found for vault.
Likely cause: Missing tunnel DNS or deleted CNAME for Vaultwarden.
Fix:
1. Check Cloudflare DNS for vault CNAME to tunnel.
2. Confirm cloudflared running on TrueNAS.
3. Use LAN fallback only if Saxon documented internal URL — usually public vault URL is required off-LAN.
4. Do not create duplicate vault records (CNAME + A conflict).
Still broken? See Open Vaultwarden.
DNS-010: How do I flush DNS cache on Windows or phone?
Symptoms: You suspect stale DNS after a fix; want to force a fresh lookup.
Likely cause: Devices cache DNS answers to speed up browsing — normal but confusing after changes.
Fix:
1. Windows: Open Command Prompt as admin → run ipconfig /flushdns.
2. iPhone/Android: Toggle aeroplane mode on 10 seconds, off again — or reboot.
3. Home router: Restart Dream Machine SE (affects all LAN clients).
4. Retest the failing hostname in incognito browser.
Still broken? See DNS-004.
DNS-011: status.saxobroko.com and weather.saxobroko.com — where do they point?
Symptoms: Unsure if status/weather run on TrueNAS or elsewhere when checking DNS.
Likely cause: Not on the homelab tunnel — hosted externally per Monitoring.
Fix:
1. If homelab is down but status loads, that is expected — different host.
2. Do not point status DNS at 192.168.2.203 unless Saxon migrates it.
3. Use status as external health signal, not NAS ping.
4. See Public sites.
Still broken? See Check status page.
DNS-012: Cloudflare Pages subdomain for docs — what record type?
Symptoms: Adding or fixing SaxDocs DNS; unsure whether A, CNAME, or Pages integration.
Likely cause: docs.saxobroko.com uses Cloudflare Pages project binding — usually automatic CNAME in Cloudflare DNS.
Fix:
1. Cloudflare dashboard → Workers & Pages → SaxDocs project → custom domain docs.saxobroko.com.
2. DNS tab should show proxied CNAME to Pages — orange cloud on.
3. Do not point docs at TrueNAS tunnel.
4. Deploy issues are separate — see Cloudflare edge (CFL-035).
Still broken? See Open docs site.
DNS-013: Orange cloud vs grey cloud on DNS records
Symptoms: Cloudflare DNS shows orange (proxied) or grey (DNS only) icons — which is correct?
Likely cause: Proxied (orange) sends traffic through Cloudflare WAF/SSL — required for tunnel and most saxobroko.com hosts.
Fix:
1. Homelab tunnel subdomains should stay proxied unless Saxon documented exception.
2. Grey cloud bypasses Cloudflare features — rarely wanted for public homelab URLs.
3. Do not grey-cloud records to "fix" SSL without understanding — often breaks WAF rules.
4. Ask Saxon before toggling proxy on production hosts.
Still broken? See Cloudflare.
DNS-014: Duplicate DNS records for the same name
Symptoms: Cloudflare shows two stream or dash records; behaviour is random or broken.
Likely cause: Accidental double entry — DNS allows conflicts that confuse resolvers.
Fix:
1. Cloudflare → DNS → filter by subdomain name.
2. Keep one correct CNAME to tunnel (or Pages target for docs).
3. Delete the wrong/legacy duplicate — not both.
4. Wait TTL (DNS-004) and retest.
Still broken? See Common Issues.
DNS-015: Only one subdomain fails DNS lookup
Symptoms: radarr.saxobroko.com fails; sonarr.saxobroko.com works fine.
Likely cause: That specific record missing, typo in hostname, or tunnel hostname never added for that app.
Fix:
1. Search Cloudflare DNS for exact name radarr.
2. Compare working sibling sonarr record — copy pattern (CNAME to same tunnel).
3. Zero Trust → Tunnels → confirm public hostname exists for radarr → internal port.
4. Wait five minutes after adding record.
Still broken? See cloudflared.
DNS-016: www.saxobroko.com vs saxobroko.com
Symptoms: One works, the other does not; certificate or redirect confusion.
Likely cause: Separate DNS records or redirect rules for apex vs www on Pages or homepage project.
Fix:
1. Check Cloudflare DNS for both @ (apex) and www records.
2. Confirm redirect rule if Saxon uses apex-only or www-only public site.
3. Test both in incognito.
4. See Public sites.
Still broken? See All important URLs.
DNS-017: Email or TXT records — will DNS fixes break mail?
Symptoms: Afraid to edit DNS in case email for @saxobroko.com stops working.
Likely cause: MX and TXT records are separate from tunnel CNAMEs — edit carefully but tunnel fixes rarely touch MX.
Fix:
1. Before deleting any record, screenshot existing MX/TXT/SPF rows.
2. Only add/change the subdomain you are fixing (e.g. stream CNAME).
3. Do not remove MX records unless migrating email with Saxon.
4. If email breaks after DNS edit, restore MX from screenshot.
Still broken? See Cloudflare account access.
DNS-018: dash, request, sonarr, radarr — all need DNS entries?
Symptoms: New arr app added; unsure if each needs its own subdomain record.
Likely cause: Each public URL needs tunnel public hostname + matching DNS CNAME — see arr stack.
Fix:
1. Confirm app runs on TrueNAS LAN first.
2. Add tunnel hostname in Zero Trust (often auto-creates DNS).
3. Verify CNAME in Cloudflare DNS → tunnel.
4. Add to WAF rules — WAF.
Still broken? See Cloudflare tunnel (TUN-015).
DNS-019: photos, music, plex subdomains — same tunnel?
Symptoms: Multiple media URLs; wonder if one DNS record covers all.
Likely cause: Each service has its own subdomain and tunnel hostname mapping to different internal ports.
Fix:
1. Check Network for the full list.
2. Each name (music, photos, stream, plex) needs its own CNAME + tunnel route.
3. Fixing one does not fix others.
4. Plex is legacy — see Plex legacy.
Still broken? See Services.
DNS-020: Domain saxobroko.com expired or renewal failed
Symptoms: All subdomains vanish; registrar email about expiry; WHOIS shows expired.
Likely cause: Registration lapsed — nothing homelab-side can fix until domain is renewed.
Fix:
1. Log into domain registrar (credentials in Vaultwarden).
2. Renew domain immediately — follow Renew domain guide.
3. Confirm Cloudflare still authoritative nameservers after renewal.
4. Wait DNS-004 propagation after recovery.
Still broken? See Handover.
DNS-021: Cloudflare nameservers wrong at registrar
Symptoms: DNS changes in Cloudflare dashboard have no effect worldwide.
Likely cause: Registrar still points at old nameservers — Cloudflare is not authoritative.
Fix:
1. Cloudflare dashboard shows assigned nameservers (e.g. ada.ns.cloudflare.com).
2. Log into registrar → set custom DNS to Cloudflare nameservers exactly.
3. Wait up to 24 hours for registrar NS propagation (rare full day).
4. Use whatsmydns.net only as hint — not gospel.
Still broken? See Cloudflare.
DNS-022: Internal LAN uses 192.168.2.203 but DNS points to Cloudflare
Symptoms: Confusion why public DNS does not return 192.168.2.x private addresses.
Likely cause: Private RFC1918 IPs must never appear in public DNS — internet cannot route to them; tunnel bridges instead.
Fix:
1. At home, you may use 192.168.2.203 directly in browser for TrueNAS.
2. Away from home, use dsm.saxobroko.com through tunnel.
3. Do not publish 192.168.2.203 in Cloudflare A records.
4. Read Home network simple.
Still broken? See Network general (NET-014).
DNS-023: Split DNS or local override for saxobroko.com at home
Symptoms: Some setups resolve saxobroko.com to LAN IP at home — does Saxon use that?
Likely cause: Saxon's setup uses public DNS + tunnel even at home for most URLs — no special split DNS required for beginners.
Fix:
1. Default troubleshooting: use same public URL at home (stream.saxobroko.com) unless guide says LAN port.
2. If hairpin/NAT loopback fails on router, use LAN IP for NAS admin instead.
3. Do not add UniFi DNS overrides without Saxon.
4. See Network.
Still broken? See Network general (NET-022).
DNS-024: HTTPS works but browser shows wrong site on subdomain
Symptoms: DNS resolves; SSL valid; page content is not the expected app (wrong dashboard).
Likely cause: Tunnel hostname mapped to wrong internal port/service — DNS is fine, routing is wrong.
Fix:
1. Confirm you typed the correct subdomain (sonarr vs radarr).
2. Fix tunnel public hostname → service URL in Zero Trust — not DNS A record.
3. See TUN-012.
4. Restart cloudflared after tunnel config change.
Still broken? See Cloudflare tunnel.
DNS-025: TTL value — should I lower it before changes?
Symptoms: Guides say "lower TTL before migration"; unsure if needed for tunnel fixes.
Likely cause: Lower TTL speeds propagation for planned DNS moves — optional for quick tunnel CNAME adds.
Fix:
1. For emergency fix, just change record — wait DNS-004.
2. For planned migration, Saxon may lower TTL to 300 seconds a day ahead.
3. Do not set TTL to 0 or absurd values.
4. Restore normal TTL after stable.
Still broken? See DNS-004.
DNS-026: Wildcard DNS *.saxobroko.com
Symptoms: Wondering if one wildcard record covers all subdomains.
Likely cause: Saxon uses explicit subdomains per service plus tunnel hostnames — wildcards may not match tunnel routing.
Fix:
1. Do not add * wildcard unless Saxon documents it — breaks WAF granularity.
2. Add each new app subdomain deliberately.
3. Tunnel config must list each hostname anyway.
4. See cloudflared.
Still broken? See DNS-018.
DNS-027: blog, links, share subdomains — public marketing sites
Symptoms: These URLs work worldwide without AU geo block — different DNS?
Likely cause: Public sites on Pages or external hosts — excluded from block no aus — see Public sites.
Fix:
1. Do not apply homelab tunnel/WAF pattern to blog/links blindly.
2. Check each site's hosting in Public sites doc.
3. DNS may point to Pages, Netlify, or other — not TrueNAS.
4. 403 abroad on homelab is normal; public sites should work globally.
Still broken? See Cloudflare edge (CFL-003).
DNS-028: I need Cloudflare dashboard access to fix DNS
Symptoms: DNS fix requires Cloudflare login; you have Vaultwarden but not sure procedure.
Likely cause: Cloudflare account uses YubiKey 2FA — follow account access guide with hardware key available.
Fix:
1. Read Cloudflare account access.
2. Use YubiKey from Saxon's desk setup when prompted.
3. Navigate Websites → saxobroko.com → DNS.
4. Do not share API tokens in chat or SaxDocs.
Still broken? See YubiKey.
DNS-029: DNS resolves to Cloudflare but page times out
Symptoms: nslookup or online DNS tools show Cloudflare IPs; browser spins then times out.
Likely cause: DNS is OK — failure is tunnel, WAF, or origin down — not missing record.
Fix:
1. Test 192.168.2.203 on LAN for origin health.
2. Check cloudflared status (TUN-001).
3. Check WAF 403 vs timeout — 403 is block, timeout is tunnel/origin.
4. See Common Issues.
Still broken? See Cloudflare tunnel.
DNS-030: alt, alt2, ipfs mirror subdomains
Symptoms: Main saxobroko.com homepage works; mirror URLs fail or differ.
Likely cause: Redundant mirrors on GitHub Pages, Netlify, IPFS — separate DNS targets from main site.
Fix:
1. See Network.
2. Each mirror has its own DNS — fixing main site does not fix alt2.
3. Mirrors are optional fallbacks — not critical for homelab media.
4. Check Public sites doc for current status.
Still broken? See Public sites.
DNS-031: New tunnel hostname did not auto-create DNS record
Symptoms: Added route in Zero Trust; subdomain still NXDOMAIN after ten minutes.
Likely cause: Auto DNS creation failed or wrong zone selected — manual CNAME needed.
Fix:
1. Zero Trust → tunnel → public hostname — note target tunnel UUID.
2. Cloudflare DNS → add CNAME newapp → uuid.cfargotunnel.com proxied.
3. Wait five minutes; flush DNS (DNS-010).
4. Confirm no typo in subdomain spelling.
Still broken? See TUN-015.
DNS-032: IPv6 AAAA records for saxobroko.com
Symptoms: Cloudflare shows AAAA records; unsure if required for homelab.
Likely cause: Cloudflare may publish IPv6 for proxied hosts — normal; homelab LAN remains IPv4.
Fix:
1. Do not delete AAAA without reason — usually harmless.
2. Troubleshoot homelab using IPv4 LAN and HTTPS hostnames.
3. If IPv6 path broken ISP-side, Cloudflare proxy often still works via IPv4.
4. Escalate to Saxon for AAAA experiments only.
Still broken? See Network general (NET-035).
DNS-033: DNS over HTTPS or 1.1.1.1 app still shows old IP
Symptoms: Using Cloudflare 1.1.1.1 app; subdomain still wrong after DNS fix.
Likely cause: App cache or encrypted DNS still within TTL window — less common than device cache.
Fix:
1. Disable/re-enable 1.1.1.1 app or WARP briefly.
2. Reboot phone.
3. Verify record in Cloudflare dashboard is actually saved (not draft).
4. Wait full TTL from DNS-004.
Still broken? See DNS-004.
DNS-034: request.saxobroko.com (Overseerr) DNS missing after reinstall
Symptoms: Overseerr rebuilt on TrueNAS; old DNS exists but points nowhere useful.
Likely cause: Tunnel internal URL/port changed; DNS CNAME may still be valid but backend mapping stale.
Fix:
1. DNS CNAME to tunnel likely still OK — fix tunnel service URL first.
2. Update Zero Trust hostname → new internal http://192.168.2.203:PORT.
3. Only recreate DNS if subdomain was deleted entirely.
4. See Overseerr guide.
Still broken? See TUN-012.
DNS-035: Can I use Pi-hole or alternate DNS on the LAN?
Symptoms: Want ad-blocking DNS; worry about breaking saxobroko.com resolution.
Likely cause: Saxon's documented setup uses Dream Machine DNS forwarding — Pi-hole not in baseline docs.
Fix:
1. Do not deploy Pi-hole without Saxon — can break local resolution if misconfigured.
2. Public saxobroko.com still resolves via Cloudflare regardless if forwarders are 1.1.1.1.
3. If already running, ensure upstream is 1.1.1.1 or Cloudflare.
4. Test all key URLs after any DNS server change.
Still broken? See UniFi.
DNS-036: SSL certificate error but DNS looks correct
Symptoms: DNS resolves; browser warns certificate mismatch or expired cert.
Likely cause: SSL issue at Cloudflare edge or missing localnet full strict ssl rule — not DNS propagation.
Fix:
1. Confirm orange-cloud proxied on DNS record.
2. Add hostname to localnet full strict ssl — WAF rules.
3. Wait five minutes — not 24h DNS wait.
4. See Cloudflare edge (CFL-010).
Still broken? See CFL-010.
DNS-037: Who hosts DNS — registrar or Cloudflare?
Symptoms: Unsure whether to log into GoDaddy/Namecheap vs Cloudflare for record edits.
Likely cause: Cloudflare is authoritative DNS for saxobroko.com — edit records there, not registrar DNS (if NS delegated).
Fix:
1. Confirm nameservers at registrar point to Cloudflare (DNS-021).
2. All CNAME/A edits happen in Cloudflare → DNS.
3. Registrar is for renewal/billing only when NS delegated.
4. See Cloudflare account access.
Still broken? See DNS-021.
DNS-038: Subdomain typo — stram instead of stream
Symptoms: User bookmarked wrong spelling; "works for Saxon" but not for them.
Likely cause: Simple typo — only valid hostnames exist in DNS.
Fix:
1. Compare All important URLs.
2. Use exact names: stream, dash, vault, dsm, auth, request, weather, status.
3. Update bookmark to correct spelling.
4. Search SaxDocs (Ctrl+K) for service name.
Still broken? See Homepage for beginners.
DNS-039: DNS fix checklist for new homelab subdomain
Symptoms: Saxon added a new app; you need to verify DNS end-to-end.
Likely cause: Multi-step process — easy to miss WAF or tunnel while DNS exists.
Fix:
1. Cloudflare DNS: CNAME exists, proxied orange.
2. Zero Trust: public hostname → correct internal URL on 192.168.2.203.
3. WAF: added to block no aus and localnet full strict ssl if private homelab app.
4. Test from AU incognito; update Network and Homepage tile.
Still broken? See WAF checklist.
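An offline record audit that applies the DNS-side rules from DNS-006, DNS-007, DNS-013, DNS-014, DNS-015 and DNS-022 together with this checklist, added here as an example and not part of Saxon's own tooling. The record tuples, the EXPECTED map, the placeholder tunnel UUID and the Pages hostname are constructed sample data, and treating *.pages.dev as the only valid Pages target is an assumption.

```python
import ipaddress
from collections import defaultdict

ZONE = "saxobroko.com"
# Assumed hosting per subdomain, following the FAQ (docs on Pages, apps on the tunnel).
EXPECTED = {"docs": "pages", "stream": "tunnel", "vault": "tunnel",
            "sonarr": "tunnel", "radarr": "tunnel"}
SUFFIX = {"tunnel": ".cfargotunnel.com", "pages": ".pages.dev"}

# Constructed sample export: (name, type, content, proxied). Not real zone data.
TUNNEL = "00000000-0000-0000-0000-000000000000.cfargotunnel.com"
SAMPLE = [
    ("docs", "CNAME", "saxdocs-example.pages.dev", True),
    ("stream", "CNAME", TUNNEL, True),
    ("stream", "A", "192.168.2.203", False),      # conflicts with the CNAME, private IP
    ("vault", "CNAME", "local.saxobroko.com", True),  # legacy pre-tunnel target
    ("sonarr", "CNAME", TUNNEL, False),           # grey cloud on a tunnel host
    ("@", "MX", "mail.example.net", False),       # mail records are left alone
]

def audit(records, expected=EXPECTED):
    """Return {name: [finding, ...]} for every name with at least one problem."""
    findings = defaultdict(list)
    by_name = defaultdict(list)
    for name, rtype, content, proxied in records:
        by_name[name.lower()].append(
            (rtype.upper(), content.lower().rstrip("."), proxied))

    for name, rows in by_name.items():
        cnames = [r for r in rows if r[0] == "CNAME"]
        addrs = [r for r in rows if r[0] in ("A", "AAAA")]
        # A CNAME must be the only address-type answer for its name.
        if len(cnames) > 1 or (cnames and addrs):
            findings[name].append("conflicting records (DNS-014)")
        for _, content, _ in addrs:
            if ipaddress.ip_address(content).is_private:
                findings[name].append("private IP in public DNS (DNS-022)")
        for _, target, proxied in cnames:
            if target == f"local.{ZONE}":
                findings[name].append("legacy local target (DNS-006)")
            elif name in expected and not target.endswith(SUFFIX[expected[name]]):
                findings[name].append("wrong target for hosting type (DNS-007)")
            if expected.get(name) == "tunnel" and not proxied:
                findings[name].append("tunnel record not proxied (DNS-013)")

    # Expected hosts with no CNAME at all are the single-subdomain failure case.
    for name in expected:
        if not any(r[0] == "CNAME" for r in by_name.get(name, [])):
            findings[name].append("no CNAME found (DNS-015)")
    return dict(findings)

if __name__ == "__main__":
    for name, problems in sorted(audit(SAMPLE).items()):
        print(f"{name}.{ZONE}: {'; '.join(problems)}")
```

A clean result only covers the DNS step of the checklist; the Zero Trust public hostname and WAF rule membership still have to be checked in the dashboard.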
DNS-040: Everything DNS-related checked — still broken
Symptoms: Records correct, propagated, tunnel up — subdomain still fails.
Likely cause: Problem is likely application layer (Docker app down), not DNS — escalate with symptom log.
Fix:
1. Re-run NET-020 diagnostic order from Network general.
2. Check status.saxobroko.com for that service class.
3. Restart specific Docker app on TrueNAS — Restart Docker app.
4. Document exact error text (403 vs 502 vs timeout) for Saxon.
Still broken? See Common Issues and FAQ overview.