ZeroTier Question
-
@dafyre said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@adam.ierymenko said in ZeroTier Question:
DNS is fundamentally not designed for concurrent use on more than one network.
This exactly. And the problem is that people keep trying to make it do it.
While I do not disagree with you... The problem is (at least in my opinion) an easy-to-fix problem... Give the DNS the ability to separate stuff out... a DHCP server can do it... why not DNS? Programmatically, it's not that different (not the same, by any stretch of the imagination)... but definitely doable.
Separate out in what way? How would you define it? DNS has a very rigid and reliable structure today that was designed carefully. DNS servers can, if you want to get one that can be modified, hand out different responses based on different request criteria today, but no one does this as it's so uncommonly needed. There are better fixes to nearly any host resolution issue.
-
@scottalanmiller said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@adam.ierymenko said in ZeroTier Question:
DNS is fundamentally not designed for concurrent use on more than one network.
This exactly. And the problem is that people keep trying to make it do it.
While I do not disagree with you... The problem is (at least in my opinion) an easy-to-fix problem... Give the DNS the ability to separate stuff out... a DHCP server can do it... why not DNS? Programmatically, it's not that different (not the same, by any stretch of the imagination)... but definitely doable.
Separate out in what way? How would you define it? DNS has a very rigid and reliable structure today that was designed carefully. DNS servers can, if you want to get one that can be modified, hand out different responses based on different request criteria today, but no one does this as it's so uncommonly needed. There are better fixes to nearly any host resolution issue.
I could have better worded that... a DHCP Server adjusts its responses based on incoming criteria... If it comes in on ETH1, then give out 192.168.10.x ... If it comes in on ETH2, give out 192.168.99.x (or VLANs or what-not).
You just said what I said... DNS servers could be modified to do this. While it may be uncommonly needed...I can see uses in just about every IT job I've had.
-
@JaredBusch said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@adam.ierymenko said in ZeroTier Question:
DNS is fundamentally not designed for concurrent use on more than one network.
This exactly. And the problem is that people keep trying to make it do it.
While I do not disagree with you... The problem is (at least in my opinion) an easy-to-fix problem... Give the DNS the ability to separate stuff out... a DHCP server can do it... why not DNS? Programmatically, it's not that different (not the same, by any stretch of the imagination)... but definitely doable.
That is most certainly not an easy fix. You are saying that the entire DNS design be rewritten, discussed, tested, ratified, and then rolled out to every device on the planet that uses DNS.
Hello, reality much?
If I were a programmer, I'd fix it for you. That is also why I specified it is PROGRAMMATICALLY not that different or difficult. And I'm not talking about rewriting the entire DNS RFC or anything like that. I am speaking to specific software-based features. Software can be modified without having to rewrite the entire protocol stack from scratch.
You start talking about ratification and all that mess, that's for the paper pushers and think tanks. I've no interest in that, I am simply talking about adding a feature into a piece of software... If every other device on the planet wants to keep doing DNS the old way, it doesn't break anything.
-
@dafyre said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@adam.ierymenko said in ZeroTier Question:
DNS is fundamentally not designed for concurrent use on more than one network.
This exactly. And the problem is that people keep trying to make it do it.
While I do not disagree with you... The problem is (at least in my opinion) an easy-to-fix problem... Give the DNS the ability to separate stuff out... a DHCP server can do it... why not DNS? Programmatically, it's not that different (not the same, by any stretch of the imagination)... but definitely doable.
That is most certainly not an easy fix. You are saying that the entire DNS design be rewritten, discussed, tested, ratified, and then rolled out to every device on the planet that uses DNS.
Hello, reality much?
If I were a programmer, I'd fix it for you. That is also why I specified it is PROGRAMMATICALLY not that different or difficult. And I'm not talking about rewriting the entire DNS RFC or anything like that. I am speaking to specific software-based features. Software can be modified without having to rewrite the entire protocol stack from scratch.
You start talking about ratification and all that mess, that's for the paper pushers and think tanks. I've no interest in that, I am simply talking about adding a feature into a piece of software... If every other device on the planet wants to keep doing DNS the old way, it doesn't break anything.
Well in that case, you're talking about ZT installing its own DNS solution that your machine is forced to use, and removing the responsibility from typical DNS servers - but I don't know how that would work either... so now I think I hear you saying that ZT would need to make a stand-alone ZT DNS server that knows how to respond correctly - one of these solutions is kinda what Pertino did.
-
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I suppose my other option is to do mapped drives via ZT IP address and remove the static DNS.
And hosts files work great, too.
So I am getting a few users (2 to be exact) who are still experiencing issues. I made the A record for the exchange server, and verified that it indeed has ZT on it.
As I have never messed with Host file records, how does one put a pointer in there?
<A Record name> <ZT IP ADDRESS>
?
-
@Dashrender said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@dafyre said in ZeroTier Question:
@JaredBusch said in ZeroTier Question:
@adam.ierymenko said in ZeroTier Question:
DNS is fundamentally not designed for concurrent use on more than one network.
This exactly. And the problem is that people keep trying to make it do it.
While I do not disagree with you... The problem is (at least in my opinion) an easy-to-fix problem... Give the DNS the ability to separate stuff out... a DHCP server can do it... why not DNS? Programmatically, it's not that different (not the same, by any stretch of the imagination)... but definitely doable.
That is most certainly not an easy fix. You are saying that the entire DNS design be rewritten, discussed, tested, ratified, and then rolled out to every device on the planet that uses DNS.
Hello, reality much?
If I were a programmer, I'd fix it for you. That is also why I specified it is PROGRAMMATICALLY not that different or difficult. And I'm not talking about rewriting the entire DNS RFC or anything like that. I am speaking to specific software-based features. Software can be modified without having to rewrite the entire protocol stack from scratch.
You start talking about ratification and all that mess, that's for the paper pushers and think tanks. I've no interest in that, I am simply talking about adding a feature into a piece of software... If every other device on the planet wants to keep doing DNS the old way, it doesn't break anything.
Well in that case, you're talking about ZT installing its own DNS solution that your machine is forced to use, and removing the responsibility from typical DNS servers - but I don't know how that would work either... so now I think I hear you saying that ZT would need to make a stand-alone ZT DNS server that knows how to respond correctly - one of these solutions is kinda what Pertino did.
It seems like I remember a few Pertino folks on here having some issues with Pertino and DNS...
I'm not talking about having ZT write their own DNS solution. I'm talking about modifying existing software to fix problems like this... Microsoft calls it DNS Policies and it's coming in Server 2016 (https://blogs.technet.microsoft.com/networking/2015/05/12/split-brain-dns-deployment-using-windows-dns-server-policies/)
-
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I suppose my other option is to do mapped drives via ZT IP address and remove the static DNS.
And hosts files work great, too.
So I am getting a few users (2 to be exact) who are still experiencing issues. I made the A record for the exchange server, and verified that it indeed has ZT on it.
As I have never messed with Host file records, how does one put a pointer in there?
<A Record name> <ZT IP ADDRESS>
?
In Windows, it goes the other way...
zt_ip_address hostname.mydomain.org
-
@dafyre said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I suppose my other option is to do mapped drives via ZT IP address and remove the static DNS.
And hosts files work great, too.
So I am getting a few users (2 to be exact) who are still experiencing issues. I made the A record for the exchange server, and verified that it indeed has ZT on it.
As I have never messed with Host file records, how does one put a pointer in there?
<A Record name> <ZT IP ADDRESS>
?
In Windows, it goes the other way...
zt_ip_address hostname.mydomain.org
Same anywhere, it's a standard.
-
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I suppose my other option is to do mapped drives via ZT IP address and remove the static DNS.
And hosts files work great, too.
So I am getting a few users (2 to be exact) who are still experiencing issues. I made the A record for the exchange server, and verified that it indeed has ZT on it.
As I have never messed with Host file records, how does one put a pointer in there?
<A Record name> <ZT IP ADDRESS>
?
Do you have time to troubleshoot this today? I'm really curious to find out what is giving you the DNS replies you are getting.
-
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I suppose my other option is to do mapped drives via ZT IP address and remove the static DNS.
And hosts files work great, too.
So I am getting a few users (2 to be exact) who are still experiencing issues. I made the A record for the exchange server, and verified that it indeed has ZT on it.
As I have never messed with Host file records, how does one put a pointer in there?
<A Record name> <ZT IP ADDRESS>
?
Do you have time to troubleshoot this today? I'm really curious to find out what is giving you the DNS replies you are getting.
I have held off on making the hosts file change. As it was my error, I forgot to save the change to his ZT NIC.
-
@WLS-ITGuy said in ZeroTier Question:
@Dashrender said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
I suppose my other option is to do mapped drives via ZT IP address and remove the static DNS.
And hosts files work great, too.
So I am getting a few users (2 to be exact) who are still experiencing issues. I made the A record for the exchange server, and verified that it indeed has ZT on it.
As I have never messed with Host file records, how does one put a pointer in there?
<A Record name> <ZT IP ADDRESS>
?
Do you have time to troubleshoot this today? I'm really curious to find out what is giving you the DNS replies you are getting.
I have held off on making the hosts file change. As it was my error, I forgot to save the change to his ZT NIC.
Whoops!
-
That might do it
-
A little explanation of our LAN. We have 3 VLANs:
Wired - 172.16.1.x
Secured Wireless - 172.17.1.x
Student/Guest - 172.18.1.x
Those that are on the Student/Guest VLAN are saying that Exchange/OWA is slow. I would imagine that this is because of the A records I put in for the Exchange Server. No one reports any issues on the Wired/Secured Wireless connections.
Any thoughts?
-
@WLS-ITGuy said in ZeroTier Question:
A little explanation of our LAN. We have 3 VLANs:
Wired - 172.16.1.x
Secured Wireless - 172.17.1.x
Student/Guest - 172.18.1.x
Those that are on the Student/Guest VLAN are saying that Exchange/OWA is slow. I would imagine that this is because of the A records I put in for the Exchange Server. No one reports any issues on the Wired/Secured Wireless connections.
Any thoughts?
Any reason that the guest network needs access to the internal DNS server?
-
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
A little explanation of our LAN. We have 3 VLANs:
Wired - 172.16.1.x
Secured Wireless - 172.17.1.x
Student/Guest - 172.18.1.x
Those that are on the Student/Guest VLAN are saying that Exchange/OWA is slow. I would imagine that this is because of the A records I put in for the Exchange Server. No one reports any issues on the Wired/Secured Wireless connections.
Any thoughts?
Any reason that the guest network needs access to the internal DNS server?
It sounds like he may be working for a school or something.... They probably have need of a few internal resources.
-
@dafyre said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
A little explanation of our LAN. We have 3 VLANs:
Wired - 172.16.1.x
Secured Wireless - 172.17.1.x
Student/Guest - 172.18.1.x
Those that are on the Student/Guest VLAN are saying that Exchange/OWA is slow. I would imagine that this is because of the A records I put in for the Exchange Server. No one reports any issues on the Wired/Secured Wireless connections.
Any thoughts?
Any reason that the guest network needs access to the internal DNS server?
It sounds like he may be working for a school or something.... They probably have need of a few internal resources.
Maybe, but it depends how they are presented if DNS is needed. If DNS is needed, why not have a different DNS server for that VLAN?
-
@dafyre said in ZeroTier Question:
@scottalanmiller said in ZeroTier Question:
@WLS-ITGuy said in ZeroTier Question:
A little explanation of our LAN. We have 3 VLANs:
Wired - 172.16.1.x
Secured Wireless - 172.17.1.x
Student/Guest - 172.18.1.x
Those that are on the Student/Guest VLAN are saying that Exchange/OWA is slow. I would imagine that this is because of the A records I put in for the Exchange Server. No one reports any issues on the Wired/Secured Wireless connections.
Any thoughts?
Any reason that the guest network needs access to the internal DNS server?
It sounds like he may be working for a school or something.... They probably have need of a few internal resources.
But they should be gaining them through a secure external IP range, not the internal one. Treating that public network as just that, fully public, means that access to the internal resources could only happen through published IPs on the public internet.
If they have direct access to the internal network via the public Wi-Fi - what kind of protection exists between those two networks? True, they could be limited by specific ports locked down between them, but then you're managing two sets of IPs instead of one - i.e. one set for people working from Starbucks and another for the public Wi-Fi network you have.
-
We have a wireless controller that keeps the Secured and Student VLANs separate. I have access rules that allow certain IPs/ports through to the Secured side.
If that helps.
-
@WLS-ITGuy said in ZeroTier Question:
We have a wireless controller that keeps the Secured and Student VLANs separate. I have access rules that allow certain IPs/ports through to the Secured side.
If that helps.
DNS on the public side should do the trick, right?
-
@WLS-ITGuy said in ZeroTier Question:
We have a wireless controller that keeps the Secured and Student VLANs separate. I have access rules that allow certain IPs/ports through to the Secured side.
If that helps.
This is definitely one way to handle it, but because of that way, you have some of the problems you have. Personally, I'd make that public network completely its own thing. The VLAN would terminate to its own port on the firewall (either real or virtual port) and if possible its traffic would go to the internet over its own dedicated IP.
This allows you to treat that network as if it wasn't part of your network at all. Those users would get an IP for DNS of, say, Google (8.8.8.8) or your ISP. They would then flow through your firewall to get to whatever services are allowed to normal internet folks and you only have to worry about what's inside your network using your DNS and resolution problems.
As mentioned before, if you have non-ZT devices using your internal DNS server, and you register ZT IPs into those DNS servers, those non-ZT devices will get the round-robin effect of DNS answers and will sometimes receive the ZT IPs instead of the LAN IPs, and you'll have issues.
Now you could solve this by installing a gateway device on your main network, and have the router between the public network and the wired network have a route to that gateway appliance allowing traffic a path to find the ZT IPs - but man... Personally not a fan of that idea.
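An added example (not code from anyone in the thread) that checks the two things discussed above: the round-robin effect when a host has both a LAN and a ZT A record, and the hosts-file line (IP first, then hostname) that pins a name to one address. It uses the three VLAN ranges from the thread; the ZeroTier range 10.147.17.0/24 and the record set for exchange.mydomain.org are constructed placeholders.

```python
import ipaddress

# The three LAN VLANs named in the thread.
LAN_SUBNETS = [ipaddress.ip_network(n) for n in
               ("172.16.1.0/24", "172.17.1.0/24", "172.18.1.0/24")]
# Assumed placeholder for the ZeroTier managed route; not from the thread.
ZT_SUBNET = ipaddress.ip_network("10.147.17.0/24")

# Constructed sample: the A record set a resolver returns for the Exchange
# host once a ZT address has been registered alongside the LAN address.
SAMPLE_RRSET = {"exchange.mydomain.org": ["172.16.1.25", "10.147.17.25"]}


def classify(addr):
    """Label an address 'lan', 'zt' or 'other' by subnet membership."""
    ip = ipaddress.ip_address(addr)
    if ip in ZT_SUBNET:
        return "zt"
    if any(ip in net for net in LAN_SUBNETS):
        return "lan"
    return "other"


def first_answers(rrset, lookups):
    """Simulate a round-robin resolver that rotates the answer order on
    every query; return the first address handed out each time, which is
    the one most clients actually connect to."""
    return [rrset[i % len(rrset)] for i in range(lookups)]


def unreachable_answers(rrset, reachable, lookups=6):
    """First answers, over `lookups` queries, that a client cannot reach.

    `reachable` is the set of labels the client can route to: {'lan'} for an
    on-site machine without ZT, {'zt'} for a remote ZT-only machine, and
    {'lan', 'zt'} for an on-site machine that also runs ZT.
    """
    return [a for a in first_answers(rrset, lookups)
            if classify(a) not in reachable]


def hosts_line(name, rrset, want):
    """Build the hosts-file line ("<ip> <hostname>", the standard order
    noted in the thread) that pins `name` to its 'zt' or 'lan' address."""
    addrs = [a for a in rrset if classify(a) == want]
    if len(addrs) != 1:
        raise ValueError(f"expected exactly one {want} address for {name}")
    return f"{addrs[0]} {name}"


if __name__ == "__main__":
    name, rr = next(iter(SAMPLE_RRSET.items()))
    print("non-ZT LAN client misses:", unreachable_answers(rr, {"lan"}))
    print("remote ZT client misses:", unreachable_answers(rr, {"zt"}))
    print("hosts entry for a remote client:", hosts_line(name, rr, "zt"))
```

Half of the first answers are unreachable for any client that sits on only one of the two networks, which is the intermittent slowness the thread describes; a hosts entry (or a separate resolver per network) removes the ambiguity.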