Hairpin routing

ntoxicator

I use name.local here myself... works fine

I just create A-records

to do internal DNS-A record within Windows Server DNS, there is a guide out there

Essentially need to create an internal DNS A-Record to point to the internal IP address of the own cloud server.

Then on the domain Registrar website; create an external DNS A-record and point it to your External WAN address 12.12.12.12 as given in example.

Be sure to have appropriate firewall rule and port forwarding configured to accept traffic on interface for 12.12.12.12 and redirect the requests on destination ports to the internal owncloud IP address

scottalanmiller

@Dashrender said:

In the Windows 2000 days the suggestion was to use your domain name (where Split brain/Split horizon came from). Then in Windows 2003 days MS changed and suggested that companies use company.local. This of course wouldn't route over the internet, yet so I heard caused all kinds of other problems. In either 2008 or 2012, don't recall which, MS stopped suggesting the use of company.local. I have no idea what the current recommendation is.

.local had no problems and routes fine. It can't be looked up by public DNS servers, which is a good thing not a bad one. Yes, MS made the split horizon mistake in 2000, that was a decade and a half ago and has long since not done that. It's a horrible practice with endless problems.

Any problems with .local I'm confident were myths. Like that it could not route. It works flawlessly until you have Macs which use .local specifically to break AD as part of an MS / Apple feud from long ago.

The recommendation since .local is to have a unique domain that you own but is not .local.

Split horizon has not been considered remotely acceptable since 2003 era or earlier. There's really no upside. And as there is everything warning against it and nothing recommending it, it's quite shocking that it happens. It's the most basic thing that they have always warned about in AD training.

scottalanmiller

@JaredBusch said:

I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.

That makes sense. Very different from "doesn't support it"

JaredBusch

@scottalanmiller said:

@JaredBusch said:

I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.

That makes sense. Very different from "doesn't support it"

It is also a slowdown that is not needed.

Dashrender

@JaredBusch said:

@scottalanmiller said:

@JaredBusch said:

I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.

That makes sense. Very different from "doesn't support it"

It is also a slowdown that is not needed.

Have you tested it? is it really slower?

scottalanmiller

@JaredBusch said:

@scottalanmiller said:

@JaredBusch said:

I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.

That makes sense. Very different from "doesn't support it"

It is also a slowdown that is not needed.

Yup, uses extra CPU and whatever. Shouldn't be dramatic, but it's there.

JaredBusch

@Dashrender said:

@JaredBusch said:

@scottalanmiller said:

@JaredBusch said:

I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.

That makes sense. Very different from "doesn't support it"

It is also a slowdown that is not needed.

Have you tested it? is it really slower?

Yes Pertino is slow. Always has been. Not horrible, but slower than direct.

scottalanmiller

@Dashrender said:

@JaredBusch said:

@scottalanmiller said:

@JaredBusch said:

I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.

That makes sense. Very different from "doesn't support it"

It is also a slowdown that is not needed.

Have you tested it? is it really slower?

Has to be slower, latency is unavailable. Is it noticeably slower? That may or may not be. It will use more CPU for sure.

scottalanmiller

@JaredBusch said:

@Dashrender said:

@JaredBusch said:

@scottalanmiller said:

@JaredBusch said:

I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.

That makes sense. Very different from "doesn't support it"

It is also a slowdown that is not needed.

Have you tested it? is it really slower?

Yes Pertino is slow. Always has been. Not horrible, but slower than direct.

Kind of an average, but our Pertino would pretty typically add 50ms, which for storage can be noticed in many cases. We've seen 400ms happen a lot, but not an average. It's enough to feel for storage.

Dashrender

@scottalanmiller said:

@Dashrender said:

@JaredBusch said:

@scottalanmiller said:

@JaredBusch said:

I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.

That makes sense. Very different from "doesn't support it"

It is also a slowdown that is not needed.

Have you tested it? is it really slower?

Has to be slower, latency is unavailable. Is it noticeably slower? That may or may not be. It will use more CPU for sure.

Thank you for asking the question I meant to ask

JaredBusch

@scottalanmiller said:

@Dashrender said:

@JaredBusch said:

@scottalanmiller said:

@JaredBusch said:

I am not going to put ZT or Pertino on the ownCloud server because there is zero need for it. That data is all SSL encrypted and has no need to go through any kind of other tunnel.

That makes sense. Very different from "doesn't support it"

It is also a slowdown that is not needed.

Have you tested it? is it really slower?

Has to be slower, latency is unavailable. Is it noticeably slower? That may or may not be. It will use more CPU for sure.

When I misconfigured Pertino once after first getting it, and the entire office was routing a single application over Pertino, it killed connections. The latency is what killed it.

stacksofplates

@scottalanmiller said:

@Dashrender said:

In the Windows 2000 days the suggestion was to use your domain name (where Split brain/Split horizon came from). Then in Windows 2003 days MS changed and suggested that companies use company.local. This of course wouldn't route over the internet, yet so I heard caused all kinds of other problems. In either 2008 or 2012, don't recall which, MS stopped suggesting the use of company.local. I have no idea what the current recommendation is.

.local had no problems and routes fine. It can't be looked up by public DNS servers, which is a good thing not a bad one. Yes, MS made the split horizon mistake in 2000, that was a decade and a half ago and has long since not done that. It's a horrible practice with endless problems.

Any problems with .local I'm confident were myths. Like that it could not route. It works flawlessly until you have Macs which use .local specifically to break AD as part of an MS / Apple feud from long ago.

The recommendation since .local is to have a unique domain that you own but is not .local.

Split horizon has not been considered remotely acceptable since 2003 era or earlier. There's really no upside. And as there is everything warning against it and nothing recommending it, it's quite shocking that it happens. It's the most basic thing that they have always warned about in AD training.

There are still people touting this stuff all over the place.

http://www.mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html

This site says ICANN is selling .local, but I can't find anything on that at all.

http://blog.varonis.com/active-directory-domain-naming-best-practices/

Jason

We use .local but also have a lot of macs and it sucks.

Recommendation from MS anymore is internal.domain.com or something similar

scottalanmiller

@johnhooks said:

@scottalanmiller said:

@Dashrender said:

In the Windows 2000 days the suggestion was to use your domain name (where Split brain/Split horizon came from). Then in Windows 2003 days MS changed and suggested that companies use company.local. This of course wouldn't route over the internet, yet so I heard caused all kinds of other problems. In either 2008 or 2012, don't recall which, MS stopped suggesting the use of company.local. I have no idea what the current recommendation is.

.local had no problems and routes fine. It can't be looked up by public DNS servers, which is a good thing not a bad one. Yes, MS made the split horizon mistake in 2000, that was a decade and a half ago and has long since not done that. It's a horrible practice with endless problems.

Any problems with .local I'm confident were myths. Like that it could not route. It works flawlessly until you have Macs which use .local specifically to break AD as part of an MS / Apple feud from long ago.

The recommendation since .local is to have a unique domain that you own but is not .local.

Split horizon has not been considered remotely acceptable since 2003 era or earlier. There's really no upside. And as there is everything warning against it and nothing recommending it, it's quite shocking that it happens. It's the most basic thing that they have always warned about in AD training.

There are still people touting this stuff all over the place.

http://www.mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html

This site says ICANN is selling .local, but I can't find anything on that at all.

http://blog.varonis.com/active-directory-domain-naming-best-practices/

You have not been supposed to use .local for some time now, but no one is selling it, it is just a preventative measure to not have .local from that perspective. It is Apple trying to break AD is why it should be avoided. If you don't run Macs, .local works flawlessly on Windows networks.

scottalanmiller

@Jason said:

We use .local but also have a lot of macs and it sucks.

Recommendation from MS anymore is internal.domain.com or something similar

A lot of people use ad.domain.com mostly because it is short.

JaredBusch

@scottalanmiller said:

@Jason said:

We use .local but also have a lot of macs and it sucks.

Recommendation from MS anymore is internal.domain.com or something similar

A lot of people use ad.domain.com mostly because it is short.

That is what I use on new stuff, for exactly that reason, it is short.

Dashrender

@JaredBusch said:

@scottalanmiller said:

@Jason said:

We use .local but also have a lot of macs and it sucks.

Recommendation from MS anymore is internal.domain.com or something similar

A lot of people use ad.domain.com mostly because it is short.

That is what I use on new stuff, for exactly that reason, it is short

literally ad.domain.com?

Jason

This post is deleted!

scottalanmiller

@Dashrender said:

@JaredBusch said:

@scottalanmiller said:

@Jason said:

We use .local but also have a lot of macs and it sucks.

Recommendation from MS anymore is internal.domain.com or something similar

A lot of people use ad.domain.com mostly because it is short.

That is what I use on new stuff, for exactly that reason, it is short

literally ad.domain.com?

Where "domain.com" is your domain, yes.

JaredBusch

@scottalanmiller said:

@Dashrender said:

@JaredBusch said:

@scottalanmiller said:

@Jason said:

We use .local but also have a lot of macs and it sucks.

Recommendation from MS anymore is internal.domain.com or something similar

A lot of people use ad.domain.com mostly because it is short.

That is what I use on new stuff, for exactly that reason, it is short

literally ad.domain.com?

Where "domain.com" is your domain, yes.

Yes.