ZeroTier Question
-
You ran into the exact thing I have been repeatedly saying. You have to have ALL DNS updated.
-
@dafyre Your OS's DNS resolver decides how DNS works. ZeroTier gives you a port to a virtual LAN, nothing more.
-
@Dashrender ZT does precisely nothing to DNS... at least right now.
-
@adam.ierymenko said in ZeroTier Question:
@dafyre Your OS's DNS resolver decides how DNS works. ZeroTier gives you a port to a virtual LAN, nothing more.
Right. We can enter DNS servers on the ZT NIC settings so that we can hit our internal DNS servers while not physically connected to the LAN. As mentioned by @JaredBusch, that can cause issues with DNS giving out internal IP addresses rather than ZT IP addresses if the DNS servers can't handle split-brain (this is coming for Windows in Server 2016, IIRC).
Edit: This is not a ZT problem, as ZT works fine if you do IP addresses or hosts files.
-
@adam.ierymenko said in ZeroTier Question:
@Dashrender ZT does precisely nothing to DNS... at least right now.
How do you set the resolver to make it use the domain's (inside ZT) DNS first, and the NIC's DHCP-assigned DNS second?
-
@Dashrender said in ZeroTier Question:
@adam.ierymenko said in ZeroTier Question:
@Dashrender ZT does precisely nothing to DNS... at least right now.
How do you set the resolver to make it use the domain's (inside ZT) DNS first, and the NIC's DHCP-assigned DNS second?
In Windows, you assign the ZT IP address of the DNS server in the interface properties (see my images from earlier) and then just make sure that the ZT NIC is at the top of the order.
-
@adam-ierymenko
I have to assume this DNS problem exists for everyone, not just Windows domains. You're on a Linux laptop at Starbucks. You want to access resources that are only known by internal DNS within your organization. So the DNS requests must be sent to the company's internal DNS first. If that server fails, then fail over to the DNS provided by Starbucks.
-
@Dashrender said in ZeroTier Question:
@adam-ierymenko
I have to assume this DNS problem exists for everyone, not just Windows domains. You're on a Linux laptop at Starbucks. You want to access resources that are only known by internal DNS within your organization. So the DNS requests must be sent to the company's internal DNS first. If that server fails, then fail over to the DNS provided by Starbucks.
In Linux, you'd make sure the ZT DNS is the first one in the list in /etc/resolv.conf [and wherever else you have to specify it to make it actually stay at reboots].
-
@dafyre said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@adam.ierymenko said in ZeroTier Question:
@Dashrender ZT does precisely nothing to DNS... at least right now.
How do you set the resolver to make it use the domain's (inside ZT) DNS first, and the NIC's DHCP-assigned DNS second?
In Windows, you assign the ZT IP address of the DNS server in the interface properties (see my images from earlier) and then just make sure that the ZT NIC is at the top of the order.
Right, I was really asking a rhetorical question (or more accurately, one that we already answered). As mentioned in my previous post, this isn't a Windows-only problem, but a problem for anyone where the internet DNS servers can't answer DNS queries correctly, because the answers aren't on the public internet.
Considering how fundamental this issue is after you actually get traffic flowing over the solution, I'm a bit surprised there isn't specific documentation as part of the project to solve this problem.
If the ZT personnel aren't running into this issue, why aren't they?
Is it because they have no internal/private network? All DNS is public DNS, so any DNS talking to the world will get the requested information? How are you registering the ZT IPs in that DNS setup?
I realize this post may be construed as mean. Please understand that I simply see it as a hard question, one of the things that makes SDNs hard.
Clearly with Pertino they had to do some black magic voodoo to make it work.
-
@Dashrender Pertino as far as I know implemented some kind of local split brain DNS proxy. That's not quite black magic but it's a pain.
What we do is to actually put private ZT IPs in our public DNS, e.g. <host>.int.zerotier.com where int.zerotier.com is the internal LAN. But I'm not sure that'll work for Active Directory.
-
DNS is fundamentally not designed for concurrent use on more than one network.
-
@adam.ierymenko said in ZeroTier Question:
DNS is fundamentally not designed for concurrent use on more than one network.
This exactly. And the problem is that people keep trying to make it do it.
-
@JaredBusch said in ZeroTier Question:
@adam.ierymenko said in ZeroTier Question:
DNS is fundamentally not designed for concurrent use on more than one network.
This exactly. And the problem is that people keep trying to make it do it.
While I do not disagree with you... The problem is (at least in my opinion) an easy to fix problem... Give the DNS the ability to separate stuff out... a DHCP server can do it... why not DNS? Programmatically, it's not that different (not the same, by any stretch of the imagination)... but definitely doable.
-
@dafyre said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@adam.ierymenko said in ZeroTier Question:
DNS is fundamentally not designed for concurrent use on more than one network.
This exactly. And the problem is that people keep trying to make it do it.
While I do not disagree with you... The problem is (at least in my opinion) an easy to fix problem... Give the DNS the ability to separate stuff out... a DHCP server can do it... why not DNS? Programmatically, it's not that different (not the same, by any stretch of the imagination)... but definitely doable.
I agree with this idea, but it would require RFCs to get done.
-
@dafyre said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@adam.ierymenko said in ZeroTier Question:
DNS is fundamentally not designed for concurrent use on more than one network.
This exactly. And the problem is that people keep trying to make it do it.
While I do not disagree with you... The problem is (at least in my opinion) an easy to fix problem... Give the DNS the ability to separate stuff out... a DHCP server can do it... why not DNS? Programmatically, it's not that different (not the same, by any stretch of the imagination)... but definitely doable.
That is most certainly not an easy fix. You are saying that the entire DNS design be rewritten, discussed, tested, ratified, and then rolled out to every device on the planet that uses DNS.
Hello, reality much?
-
@dafyre said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@adam.ierymenko said in ZeroTier Question:
DNS is fundamentally not designed for concurrent use on more than one network.
This exactly. And the problem is that people keep trying to make it do it.
While I do not disagree with you... The problem is (at least in my opinion) an easy to fix problem... Give the DNS the ability to separate stuff out... a DHCP server can do it... why not DNS? Programmatically, it's not that different (not the same, by any stretch of the imagination)... but definitely doable.
There is a huge difference here. DHCP is handing out leases in their respective scopes to allow network communications beyond layer 2.
DNS allows things to be found and unifies networks. It's assumed that there is routing set up between any and all the networks in DNS. DNS is not "smart" in any way; it just responds back with what it knows. It doesn't care who's asking. What you are saying is filtering DNS based on subnet, and that gets very complex and there will likely be cases where it causes issues.
-
@dafyre said in ZeroTier Question:
... that can cause issues with DNS giving out internal IP addresses rather than ZT IP addresses ...
I think it is better to think of them as the "underlying" IP addresses.
-
@Dashrender said in ZeroTier Question:
@adam-ierymenko
I have to assume this DNS problem exists for everyone, not just Windows domains. You're on a Linux laptop at Starbucks. You want to access resources that are only known by internal DNS within your organization. So the DNS requests must be sent to the company's internal DNS first. If that server fails, then fail over to the DNS provided by Starbucks.
But why? DNS works just fine as it is. Why would you want to "fail over" to another DNS server? If the internal DNS fails to find what you are looking for, it should not exist. Under what situation would you look up an address that your own DNS server cannot find? And if your own DNS server can't find it, why would you want Starbucks' insecure DNS server returning things transparently to your end users as if it had returned something? That's a security issue that DNS doesn't have today.
-
The above idea would be a client side work around to domain overriding and the authoritative domains system. It would bypass security systems and be dangerous. It would mean that things like OpenDNS could not work.
-
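The "local split-brain DNS proxy" mentioned above and the objection to failing over to the coffee shop's resolver are two sides of the same design decision. The sketch below is an added example, not Pertino's, ZeroTier's or any poster's code: a small forwarder that reads the question name out of each query and sends it to exactly one upstream, the internal resolver (at its ZeroTier address) for names under the internal suffix and the DHCP-assigned resolver for everything else. There is deliberately no fallback from one side to the other, so an internal name never leaks to the public resolver and an NXDOMAIN from the internal server stays an NXDOMAIN instead of being answered by someone else. The suffixes, resolver addresses and listening port are assumptions for illustration; the query packet it builds for itself is constructed test input, not captured traffic.

```python
"""Local split-horizon DNS forwarder (illustrative; not Pertino's or ZeroTier's code)."""
import socket
import struct

# Assumed values for illustration only.
INTERNAL_SUFFIXES = ("int.example.com.", "example.local.")
INTERNAL_RESOLVER = ("10.147.17.53", 53)   # internal DNS server's ZeroTier-assigned address (assumed)
DEFAULT_RESOLVER = ("192.0.2.53", 53)      # whatever the LAN's DHCP handed out (assumed)


def parse_question_name(packet: bytes):
    """Return (owner name of the first question, offset just past the question).

    The name comes back lower-cased with a trailing dot. Only uncompressed labels
    are accepted in the question section; anything malformed raises ValueError
    so that it is dropped instead of forwarded.
    """
    if len(packet) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        label = packet[pos:pos + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii").lower())
        pos += length
    if pos + 4 > len(packet):          # QTYPE and QCLASS must follow the name
        raise ValueError("truncated question")
    return ".".join(labels) + ".", pos + 4


def choose_upstream(qname: str):
    """Pick one upstream by suffix. Never both, never 'try the other one on failure'."""
    for suffix in INTERNAL_SUFFIXES:
        if qname == suffix or qname.endswith("." + suffix):
            return INTERNAL_RESOLVER
    return DEFAULT_RESOLVER


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal recursive query packet (constructed input for testing)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l for l in name.rstrip(".").split(".") if l]
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def servfail(query: bytes, qend: int) -> bytes:
    """SERVFAIL reply echoing the query's ID and question, with no other sections."""
    hdr = bytearray(query[:12])
    flags = struct.unpack("!H", bytes(hdr[2:4]))[0]
    flags = ((flags | 0x8000 | 0x0080) & ~0x000F) | 0x0002   # QR=1, RA=1, RCODE=2
    hdr[2:4] = struct.pack("!H", flags & 0xFFFF)
    hdr[4:12] = struct.pack("!HHHH", 1, 0, 0, 0)
    return bytes(hdr) + query[12:qend]


def forward(query: bytes, upstream, timeout: float = 2.0) -> bytes:
    """Send the query to one upstream and return the first reply whose ID matches."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect(upstream)            # only accept datagrams from that upstream
        s.send(query)
        while True:                    # socket.timeout ends the loop on no answer
            reply = s.recv(4096)
            if len(reply) >= 12 and reply[:2] == query[:2]:
                return reply


def serve(listen=("127.0.0.1", 5300)):
    """Loop forever answering stub-resolver queries on the assumed local port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(listen)
        while True:
            query, client = srv.recvfrom(4096)
            try:
                qname, qend = parse_question_name(query)
            except ValueError:
                continue               # drop malformed queries silently
            try:
                reply = forward(query, choose_upstream(qname))
            except (socket.timeout, OSError):
                reply = servfail(query, qend)   # the chosen side failed: say so, don't ask the other side
            srv.sendto(reply, client)


if __name__ == "__main__":
    serve()
```

Point the OS stub resolver at the listening address (the only `nameserver` in `/etc/resolv.conf`, or the only DNS server on the interface in Windows) and the resolver order question goes away: the proxy decides per name, not per interface. The ID check in `forward` is the cheapest possible spoof filter and is not a substitute for source-port randomisation or DNSSEC validation, which a real forwarder would want.
-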
@dafyre said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@adam.ierymenko said in ZeroTier Question:
DNS is fundamentally not designed for concurrent use on more than one network.
This exactly. And the problem is that people keep trying to make it do it.
While I do not disagree with you... The problem is (at least in my opinion) an easy to fix problem... Give the DNS the ability to separate stuff out... a DHCP server can do it... why not DNS? Programmatically, it's not that different (not the same, by any stretch of the imagination)... but definitely doable.
Separate out in what way? How would you define it? DNS has a very rigid and reliable structure today that was designed carefully. DNS servers can, if you want to get one that can be modified, hand out different responses based on different request criteria today, but no one does this as it's so uncommonly needed. There are better fixes to nearly any host resolution issue.