ZeroTier and DNS issues



  • I discovered an issue this morning when trying to ping from one server to another. The IP that came back was an unexpected 10.x.x.x address. Well, after some digging I realized that the server in question has ZT on it.

    ZT of course has assigned this machine an IPv4 and IPv6 address. This adapter has registered itself into my corporate DNS server.

    How do I get that adapter to not register with DNS? I tried following these directions, but when I click on the Advanced button under IPv4 > DNS tab, I get a popup "The adapter requires at least one IP address. Please enter one."
    My adapter is set up for DHCP (and has one), so I'm kinda stuck.

    Ideas?

    Doesn't the same issue happen to those using Pertino?
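One scriptable way around the greyed-out Advanced dialog in the post above: the per-adapter "Register this connection's addresses in DNS" setting is exposed through the DnsClient module, so it can be turned off for the ZeroTier adapter alone while the DHCP-assigned LAN adapter keeps registering. This is an added example, not code from the thread or from ZeroTier; it assumes the ZeroTier virtual adapter's InterfaceDescription begins with "ZeroTier", and the zone, host and address in the cleanup comment are constructed placeholders.

```powershell
# Added example (not from the thread or from ZeroTier): audit which adapters
# register themselves in DNS and switch registration off for the ZeroTier adapter only.
# Assumption: the ZeroTier adapter's InterfaceDescription starts with "ZeroTier".
# Run in an elevated PowerShell session on the affected Windows server.

# 1. Show every adapter's registration setting so the offending adapter is visible.
Get-DnsClient |
    Select-Object InterfaceAlias, RegisterThisConnectionsAddress, ConnectionSpecificSuffix |
    Format-Table -AutoSize

# 2. Locate the ZeroTier adapter(s) by description rather than alias; the alias
#    embeds the network ID, so it differs from one network to the next.
$ztAdapters = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like 'ZeroTier*' }
if (-not $ztAdapters) { throw 'No ZeroTier adapter found; check Get-NetAdapter output.' }

foreach ($nic in $ztAdapters) {
    # Disable dynamic DNS registration for this interface only; the LAN NIC is untouched.
    Set-DnsClient -InterfaceIndex $nic.ifIndex -RegisterThisConnectionsAddress $false
}

# 3. Confirm the change took effect.
Get-DnsClient -InterfaceIndex $ztAdapters.ifIndex |
    Select-Object InterfaceAlias, RegisterThisConnectionsAddress

# 4. Re-run registration so the remaining adapters refresh their records.
#    The A/AAAA records the ZeroTier adapter already created are NOT withdrawn by
#    this; they age out under DNS scavenging, or an admin deletes them on the DNS
#    server with the DnsServer module (constructed placeholder values):
#    Remove-DnsServerResourceRecord -ZoneName 'corp.example' -Name 'server01' `
#        -RRType A -RecordData '10.0.0.5' -Force
Register-DnsClient
```

The audit in step 1 is worth keeping as a periodic check: any new virtual adapter (VPN client, hypervisor switch, overlay network) defaults to registering, and a stale overlay address in corporate DNS is exactly how a ping ends up at an unreachable 10.x address.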



  • Pertino has this too. They addressed it with a ton of DNS magic under the hood (that I helped to design.)



  • Pertino actually hijacks the DNS to handle this and does some pretty complex stuff to get it to work. That's why AD DNS servers have to be registered in Pertino.



  • By registered, I assume you mean that at least one of your AD DNS servers has to be part of the Pertino network?



  • In Pertino, in a more traditional network (not the totally remote type that NTG runs) where you have mostly local client computers to the server, and a few remote (via Pertino), does DNS have both IPs (local network and Pertino IPv4) registered?

    And if so, how do local clients know to use the local IP instead of the remote IP from DNS?

    Is the DNS server smart enough to see if there is a local IP (local to the client) for the machine in question before responding to the client? What if you have a multi-segment LAN, so the IP is no longer local, but still not wanting to use the Pertino IPv4 - i.e. anything local can't reach Pertino IPs.



  • @Dashrender said:

    By registered, I assume you mean that at least one of your AD DNS servers has to be part of the Pertino network?

    No, it has formal AD handling. You can have up to three AD DCs registered with Pertino. It is "AD Aware" and handles them specially hijacking their DNS and altering it as needed.



  • @Dashrender said:

    In Pertino, in a more traditional network (not the totally remote type that NTG runs) where you have mostly local client computers to the server, and a few remote (via Pertino), does DNS have both IPs (local network and Pertino IPv4) registered?

    If you are using their AD Connector, yes.



  • @Dashrender said:

    And if so, how do local clients know to use the local IP instead of the remote IP from DNS?

    Pertino DNS Hijacking.



  • @Dashrender said:

    Is the DNS server smart enough to see if there is a local IP (local to the client) for the machine in question before responding to the client? What if you have a multi-segment LAN, so the IP is no longer local, but still not wanting to use the Pertino IPv4 - i.e. anything local can't reach Pertino IPs.

    It does link detection.



  • Ug - well this doesn't help me with regards to ZT. 😞



  • @Dashrender said:

    Ug - well this doesn't help me with regards to ZT. 😞

    Nope, Pertino faced this and the challenge was huge. It is something everyone in full mesh networks face. It is a huge part of what makes Pertino an enterprise product.



  • At $3.50/device/month - it's pretty damned expensive. Hell when you compare it to something like O365, it's ungodly expensive!


  • Banned

    I have to agree.

    For the price of Pertino for our clients, they can buy a fricken Sonicwall with all the crazy licenses for gateway AV and still get VPN connectivity.

    Bearing in mind, they could buy the Sonicwall each year...brand new.



  • @Dashrender said:

    At $3.50/device/month - it's pretty damned expensive. Hell when you compare it to something like O365, it's ungodly expensive!

    They can charge what they want, they have no competition 🙂


  • Banned

    Not yet.

    The problem with Pertino is they are enjoying the monopoly, until someone breaks that monopoly and forces them to change tactic, by then they might have already lost too many leads due to their pricing.



  • For everyone "stuck" with Pertino, I encourage you to check out ZeroTier. (www.zerotier.com) It's free for up to 10 devices so you can tinker around with it... If you decide to go with ZT, it is $4 per Network that you create... no per device charges.

    Check it out and see if it will work for you... (God, I sound like a sales rep, lol... I'm not, I promise... I just really like their service!)



  • @dafyre said:

    For everyone "stuck" with Pertino, I encourage you to check out ZeroTier. (www.zerotier.com) It's free for up to 10 devices so you can tinker around with it... If you decide to go with ZT, it is $4 per Network that you create... no per device charges.

    Check it out and see if it will work for you... (God, I sound like a sales rep, lol... I'm not, I promise... I just really like their service!)

    That's what @Dashrender is having issues with right now.



  • ZeroTier does not appear to have Pertino functionality and it is Pertino functionality that he needs.



  • @Dashrender how many end points would you need to put on Pertino?



  • The owner, soon to be division CEO of Lastpass was on Security Now yesterday.

    One of the things he mentioned was that he hoped to get Hamachi under his umbrella and bring it back to life. I'm not sure what that has to do with identity, but he felt that they were related and could bring new life to LogMeIn.



  • @Dashrender said:

    The owner, soon to be division CEO of Lastpass was on Security Now yesterday.

    One of the things he mentioned was that he hoped to get Hamachi under his umbrella and bring it back to life. I'm not sure what that has to do with identity, but he felt that they were related and could bring new life to LogMeIn.

    Hamachi has identical issues to ZeroTier here and LMI has no engineering talent left or else they would get LMI working instead of it slowly dying off. Hamachi has been dead for nearly a decade, it's time to bury those products.



  • One thing you may want to check is that your LAN / Wireless connections are above the ZeroTier interface under Network Connections -> Advanced Settings
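The adapter ordering suggested above is done with interface metrics on current Windows releases, where the Network Connections -> Advanced Settings binding-order dialog no longer exists; the lower metric wins for default routes and for which adapter's DNS servers are consulted. This is an added example, not code from the thread or from ZeroTier; it assumes the ZeroTier adapter's InterfaceDescription begins with "ZeroTier" and that 200 is higher than any metric the physical NIC has been given.

```powershell
# Added example (not from the thread or from ZeroTier): make the LAN adapter win
# over the ZeroTier adapter by pinning a high (worse) interface metric on ZeroTier.
# Scriptable equivalent of moving LAN/Wireless above ZeroTier in the old binding-order UI.
# Assumption: the ZeroTier adapter's InterfaceDescription starts with "ZeroTier".

# 1. Current ordering: lower metric = preferred adapter.
Get-NetIPInterface -AddressFamily IPv4 |
    Sort-Object InterfaceMetric |
    Select-Object InterfaceAlias, InterfaceMetric, AutomaticMetric, ConnectionState |
    Format-Table -AutoSize

# 2. Pin a high metric on every ZeroTier interface for both address families, which
#    also switches AutomaticMetric off so Windows can't re-rank it later.
$zt = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like 'ZeroTier*' }
if (-not $zt) { throw 'No ZeroTier adapter found; check Get-NetAdapter output.' }
foreach ($nic in $zt) {
    Set-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -InterfaceMetric 200
    Set-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv6 -InterfaceMetric 200
}

# 3. Verify: the physical NIC sorts first, the default route leaves via it, and the
#    DNS servers in use are the ones configured on it rather than on ZeroTier.
Get-NetIPInterface -AddressFamily IPv4 | Sort-Object InterfaceMetric |
    Select-Object InterfaceAlias, InterfaceMetric
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Select-Object InterfaceAlias, NextHop, RouteMetric, InterfaceMetric
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
```

The caveat a practitioner should keep in mind: the metric only decides which adapter the client prefers for routing and resolver selection. It does not stop the DNS client from registering the ZeroTier address, so the 10.x A record stays in corporate DNS until registration is disabled for that adapter (Set-DnsClient -RegisterThisConnectionsAddress $false) and the stale record is scavenged or removed.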



  • @scottalanmiller said:

    @Dashrender said:

    The owner, soon to be division CEO of Lastpass was on Security Now yesterday.

    One of the things he mentioned was that he hoped to get Hamachi under his umbrella and bring it back to life. I'm not sure what that has to do with identity, but he felt that they were related and could bring new life to LogMeIn.

    Hamachi has identical issues to ZeroTier here and LMI has no engineering talent left or else they would get LMI working instead of it slowly dying off. Hamachi has been dead for nearly a decade, it's time to bury those products.

    I hear what you are saying - I think this is why LMI bought Lastpass. The LP guys still have fire in their belly. Hopefully they can turn things around...

    The problem I have with them is their pricing structure. The product has always been solid for me.



  • @dafyre said:

    One thing you may want to check is that your LAN / Wireless connections are above the ZeroTier interface under Network Connections -> Advanced Settings

    One Million +'s to you bro! I'm sure that will majorly help some issues!



  • @Dashrender said:

    I hear what you are saying - I think this is why LMI bought Lastpass. The LP guys still have fire in their belly. Hopefully they can turn things around...

    Engineering can't fix ethics. LastPass has zero ability to fix LogMeIn.



  • @Dashrender said:

    The problem I have with them is their pricing structure. The product has always been solid for me.

    The problems we have are these, in this order:

    • Ethics
    • Pricing
    • Product

    In theory they can fix the last two, but seems totally unlikely at this point. The first is a core "that is who they are as a business" issue that can't be fixed.



  • Another thing (while not a clean solution), you could also test using NetBIOS names as opposed to FQDNs. I am asking the ZeroTier guys what we can do about this. 🙂



  • @scottalanmiller said:

    @Dashrender said:

    I hear what you are saying - I think this is why LMI bought Lastpass. The LP guys still have fire in their belly. Hopefully they can turn things around...

    Engineering can't fix ethics. LastPass has zero ability to fix LogMeIn.

    And mentioning ethics, I'm assuming you're talking about how they promised LMI Free would be free forever.



  • @dafyre said:

    Another thing (while not a clean solution), you could also test using NetBIOS names as opposed to FQDNs. I am asking the ZeroTier guys what we can do about this. 🙂

    Why are they not in the community?


  • Banned

    @Dashrender said:

    And mentioning ethics, I'm assuming you're talking about how they promised LMI Free would be free forever.

    Technically it was free forever, 'til the end of the LMI free product's life.

