// lastoctet · project octet
Enterprise DDI — DNS, DHCP, IPAM — built as a self-hosted lattice.
Project Octet is a self-hosted DDI platform — DNS, DHCP, and IPAM — built as a lattice of cooperating members. Every site runs the same software and syncs state through an append-only event log, so a network team can own its own infrastructure without standing up a control plane per office, and without trusting a vendor-managed cloud with the naming and addressing of its own network.
Under the hood: PowerDNS for authoritative zones, ISC Kea for DHCP, dnsdist for resolver front-ends, and a WireGuard mesh that links members across sites and CGNAT with no exposed public IPs. The coordinator stores canonical state in PostgreSQL; member agents apply pushed configs — subnets, zones, classes, reservations — on every affected node in seconds.
The management plane gives you multi-tenant views and zones, hierarchical IPAM containers with real CIDR topology, DHCP scopes and leases with failover-aware Kea runtime config, shared host records that resolve across views, bulk-hostname templating, and fine-grained RBAC / ABAC on every resource — down to per-zone and per-subnet actions.
Everything runs in Docker, on the hardware you already have. Project Octet is built for network teams who want to keep their DDI close to the metal — auditable, portable, and under their own control — without giving up the polish of a modern control plane.
Views, zones, and records with Infoblox-style namespace isolation. Authoritative PowerDNS plus dnsdist front-ends, shared host records across views, bulk import from Infoblox CSV or BIND, apex NS publishing, and per-zone override rules.
ISC Kea with API-first runtime config — no restarts on subnet or reservation changes. Per-scope classes and options, bulk-hostname templating, DDNS to matching forward zones, and failover pairs that sync state through the lattice event log.
Hierarchical network containers with real CIDR topology, address-level detail panels, and fingerprint reconciliation between discovered, reserved, and assigned hosts. Track every IP back to the record, scope, or lease that claimed it.
A WireGuard overlay knits members across sites and CGNAT together. CGNAT-safe addressing, no public IPs required, no third-party relay. Same-host Docker members join the mesh as first-class peers.
Every state change — zone, record, scope, lease, reservation — lands in an append-only event log. Members replay the log to converge. Sites can diverge under a partition and rejoin cleanly, with an auditable history of exactly what changed and when.
RBAC and ABAC on every resource, down to per-zone and per-subnet actions. Named roles, scoped tokens for automation, full audit trail, and no shared root account. Sign in with local users today; SSO integrations on the roadmap.
Start with a single host. Grow into a multi-site lattice when you're ready. Nothing about the architecture forces a bigger footprint than you need on day one.
Shape 01
Coordinator, one DNS member, one DHCP member — all on one box via
docker compose up. Ideal for home labs, testbeds, and evaluating the product.
Shape 02
Two physical hosts in the same region running a coordinator + standby database replica, paired DNS members, and a Kea failover scope pair — continuity through any single-host failure, same UI, same lattice.
Shape 03
Members spread across branch offices, data centers, cloud VPCs — joined by the WireGuard mesh. Each site keeps its own DHCP and local recursor; zones and IPAM converge through the shared event log.
LastOctet is a small team working directly with early customers. If you talk to us, you're talking to the people building the product.
CEO
CTO
CFO
VP of Customer Relations
We're working with early partners to roll Project Octet into production DDI stacks. If that's you, we'd like to hear about it.