From 3d47d67e89eda9a5dd5f71cc63f240d937eb1b2f Mon Sep 17 00:00:00 2001 From: Ryan Malloy Date: Sat, 16 May 2026 13:59:33 -0600 Subject: [PATCH] coredns: production port defaults (5353 plain DNS, 8081 health) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Deployed to dell01.mer.idahomuellers.net with firewall NAT'ing public requests in to host:5353/tcp+udp. Port changes baked in as new defaults so future hosts inherit them: - DNS_PORT: 1053 -> 5353 (dev was 1053 because avahi-daemon owns 5353 on Arch desktops; production hosts typically don't run avahi and 5353 is the conventional non-privileged DNS port — mDNS uses multicast 224.0.0.251:5353 which never conflicts with a unicast bind) - HEALTH_PORT: 8080 -> 8081 (8080 collided with a python3 service on dell01; 8081 is less commonly contested) --- .env | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.env b/.env index b7d5452..78dd28a 100644 --- a/.env +++ b/.env @@ -5,9 +5,10 @@ COREDNS_IMAGE=coredns/coredns:1.11.3 # Host ports. systemd-resolved usually binds 53, so default to 5353. # Override to 53 if you actually want this to be the host's resolver. -DNS_PORT=1053 +DNS_PORT=5353 METRICS_PORT=9153 -HEALTH_PORT=8080 +# 8080 is famously contested (dev servers, alternate HTTP). 8081 less so. +HEALTH_PORT=8081 # DoT (DNS-over-TLS, RFC 7858) — IANA port 853. Host port 8853 to # stay unprivileged.
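Review bot: The comment above `DNS_PORT=5353` documents only the systemd-resolved conflict on 53, so the reason the old default was 1053 (per the commit message, avahi-daemon owns 5353 on Arch desktops) is now recorded nowhere in `.env`. A developer whose bind on 5353 fails gets no hint; suggest adding a line such as `# If avahi-daemon (mDNS) already holds 5353, override to 1053.` next to the existing override note. Separately, `HEALTH_PORT=8081` is chosen because of a python3 service on one host (dell01), yet it becomes the shared default. The new comment should say that it is a collision-avoidance default to be overridden per host, and the commit message should state whether the firewall NAT described for 5353 leaves `HEALTH_PORT` and `METRICS_PORT=9153` unreachable from outside, since the patch itself does not show how those two ports are exposed.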