// lastoctet · project octet
DNS, DHCP, and IPAM in one stack. You host it on your own boxes.
Project Octet is a self-hosted DNS, DHCP, and IPAM platform. Every site runs the same software and shares state through an append-only event log. Your network team owns its naming and addressing. No per-office controller. No vendor running your DNS for you.
Under the hood it's PowerDNS for authoritative zones, ISC Kea for DHCP, and dnsdist out front for resolvers. WireGuard ties the hosts together, including through CGNAT. The coordinator keeps the source of truth in Postgres; member agents apply config changes within seconds.
The UI handles the things you'd expect: multi-tenant views and zones, IPAM containers that follow real CIDR hierarchy, DHCP scopes and leases, shared host records, hostname templates, and RBAC down to the zone and subnet.
Everything runs in Docker on the hardware you already have. It's for network teams who want their DDI close to the metal without losing a usable interface.
Views, zones, and records, isolated the way Infoblox does it. PowerDNS underneath, dnsdist out front. Shared host records across views. Bulk import from Infoblox CSVs or BIND files.
ISC Kea, configured live over its API. No restart when you add a subnet or a reservation. Classes, options, hostname templates, DDNS to forward zones. Failover pairs sync state through the lattice.
Network containers that follow your CIDR hierarchy, not a flat list. Fingerprint discovered hosts against your reservations and leases. Click an IP and see the record, scope, or lease that claimed it.
A WireGuard overlay ties every host together, including across sites and CGNAT. No public IPs to expose, no relay vendor in the middle. Members on the same Docker host join the same mesh.
Every change goes into an append-only event log. Members replay the log to catch up. If a site goes offline it can rejoin and converge later, with the full history still on disk.
RBAC and ABAC on every resource, including per-zone and per-subnet actions. Named roles, scoped tokens for automation, an audit trail. Local users today. SSO on the roadmap.
Start on one host. Grow into a multi-site lattice later. The architecture won't force a bigger footprint than you need.
Shape 01
Coordinator, one DNS member, one DHCP member, all on one box.
docker compose up and you're running. Good for home labs and trying it out.
Shape 02
Two hosts in the same region. Coordinator with a standby database replica, paired DNS members, a Kea failover pair. One host can die and the network keeps running.
Shape 03
Members in branch offices, data centers, cloud VPCs, all on the WireGuard mesh. Each site runs its own DHCP and local recursor. Zones and IPAM converge through the shared event log.
When you talk to LastOctet, you're talking to the people writing the code.
CEO / Founder
CTO
CFO
VP of Customer Relations
President
COO
We're working with a few early partners to put Project Octet into real production. If that sounds like you, drop us a line.