
    ZeroTier Question

    IT Discussion | zerotier
    279 Posts 9 Posters 196.4k Views
      WLS-ITGuy @scottalanmiller

      @scottalanmiller said in ZeroTier Question:

      @WLS-ITGuy said in ZeroTier Question:

      @scottalanmiller said in ZeroTier Question:

      @WLS-ITGuy said in ZeroTier Question:

      @scottalanmiller said in ZeroTier Question:

      @WLS-ITGuy said in ZeroTier Question:

      @scottalanmiller Outlook client doesn't connect. Keeps asking for password. Webmail says page not found.

      But these same services work for people on the same DNS when they are in the office?

      Works for me running a Mac. Works for other machines that never leave the network. Those that never leave I didn't set to a static DNS on the ZT NIC.

      But they are using the same DNS as the one on the ZT NIC, right?

      No. All DHCP machines getting DNS from DHCP scope

      But it is the same DNS right? No matter how they get it or on what connector it is, it's the same DNS handing out the same info, right? If not, that's a major issue.

      Well, shit! Now I am confused!

      LAN side - gets 172.16.0.10 172.16.0.15

        WLS-ITGuy

        Got it working!

        Had to make an A record entry in DNS.

        Not pretty but it works.

          dafyre @Dashrender

          @Dashrender said in ZeroTier Question:

          @scottalanmiller said in ZeroTier Question:

          @WLS-ITGuy said in ZeroTier Question:

          Setting the ZT IP addresses of my two on-site DCs in the V-NIC on the client works. Should this be a short term fix only?

          Setting them as DNS? That seems like a good solid fix. So you are getting reliably good DNS results now? I think that you are good to go 🙂

          I see a problem - How does the mobile PC find the ZT controller when it is out and about? When will the mobile PC decide to use the DNS servers provided by the real network card vs using the DNS provided by the ZT adapters?

          You really do need/want both to be able to work. So you go to a new location, you connect to their network, your computer needs to use DNS to find the ZT controller on the internet (unless they are considered static and the ZT software just has an IP for the controller - then nevermind), but assuming it's not FQDN based for controllers, you'll need to use the physical NIC's DNS to find the controller, then after your ZT network is up, you can switch full time over to use the domain's DNS for anything/everything.

          @adam-ierymenko would be better able to describe how the connection process works... but from what I have seen, once you are connected to the ZT Network and you have a DNS server set up on the ZT NIC, it will go through the ZT DNS server, and if that completely fails, then it will fall back to the DNS servers on your physical NIC (Wireless or Ethernet).

            dafyre @WLS-ITGuy

            @WLS-ITGuy said in ZeroTier Question:

            Got it working!

            Had to make an A record entry in DNS.

            Not pretty but it works.

            As long as it works consistently and you understand WHY it works, you should be in good shape.

              scottalanmiller @WLS-ITGuy

              @WLS-ITGuy said in ZeroTier Question:

              Got it working!

              Had to make an A record entry in DNS.

              Not pretty but it works.

              Why is that not pretty? A missing A Record would be the ugly thing. 🙂

                Dashrender @scottalanmiller

                @scottalanmiller said in ZeroTier Question:

                @WLS-ITGuy said in ZeroTier Question:

                Got it working!

                Had to make an A record entry in DNS.

                Not pretty but it works.

                Why is that not pretty? A missing A Record would be the ugly thing. 🙂

                ZT adapters don't always add the correct DNS entries to DNS - I think JB mentioned this earlier.

                What exactly did you add for the A record? The ZT IP of the Exchange server? (you did install ZT on the Exchange server, right? - I'm guessing you did since you have it working now.)

                  JaredBusch

                  You ran into the exact thing I have been repeatedly saying. You have to have ALL DNS updated.

                    adam.ierymenko @dafyre

                    @dafyre Your OS's DNS resolver decides how DNS works. ZeroTier gives you a port to a virtual LAN, nothing more.

                      adam.ierymenko @Dashrender

                      @Dashrender ZT does precisely nothing to DNS... at least right now.

                        dafyre @adam.ierymenko

                        @adam.ierymenko said in ZeroTier Question:

                        @dafyre Your OS's DNS resolver decides how DNS works. ZeroTier gives you a port to a virtual LAN, nothing more.

                        Right. We can enter DNS servers on the ZT NIC settings so that we can hit our internal DNS servers while not physically connected to the LAN. As mentioned by @JaredBusch, that can cause issues with DNS giving out internal IP addresses rather than ZT IP addresses if the DNS servers can't handle split-brain (this is coming for Windows in Server 2016, IIRC).

                        Edit: This is not a ZT problem, as ZT works fine if you do IP addresses or hosts files.

                          Dashrender @adam.ierymenko

                          @adam.ierymenko said in ZeroTier Question:

                          @Dashrender ZT does precisely nothing to DNS... at least right now.

                          How do you set the resolver to make it use the domain's (inside ZT) DNS first, and the NIC's DHCP-assigned DNS second?

                            dafyre @Dashrender

                            @Dashrender said in ZeroTier Question:

                            @adam.ierymenko said in ZeroTier Question:

                            @Dashrender ZT does precisely nothing to DNS... at least right now.

                            How do you set the resolver to make it use the domain's (inside ZT) DNS first, and the NIC's DHCP-assigned DNS second?

                            In Windows, you assign the ZT IP address of the DNS server in the interface properties (see my images from earlier) and then just make sure that the ZT NIC is at the top of the order.

                              Dashrender

                              @adam-ierymenko
                              I have to assume this DNS problem exists for everyone, not just windows domains.

                              You're on a Linux laptop at Starbucks. You want to access resources that are only known by internal DNS within your organization. So the DNS requests must be sent to the company's internal DNS first. If that server fails, then fail over to the DNS provided by Starbucks.

                                dafyre @Dashrender

                                @Dashrender said in ZeroTier Question:

                                @adam-ierymenko
                                I have to assume this DNS problem exists for everyone, not just windows domains.

                                You're on a Linux laptop at Starbucks. You want to access resources that are only known by internal DNS within your organization. So the DNS requests must be sent to the company's internal DNS first. If that server fails, then fail over to the DNS provided by Starbucks.

                                In Linux, you'd make sure the ZT DNS is the first one in the list in /etc/resolv.conf [and wherever else you have to specify it to make it actually stay at reboots].

                                  Dashrender @dafyre

                                  @dafyre said in ZeroTier Question:

                                  @Dashrender said in ZeroTier Question:

                                  @adam.ierymenko said in ZeroTier Question:

                                  @Dashrender ZT does precisely nothing to DNS... at least right now.

                                  How do you set the resolver to make it use the domain's (inside ZT) DNS first, and the NIC's DHCP-assigned DNS second?

                                  In Windows, you assign the ZT IP address of the DNS server in the interface properties (see my images from earlier) and then just make sure that the ZT NIC is at the top of the order.

                                  Right, I was really asking a rhetorical question (or more accurately - one that we already answered). As mentioned in my previous post, this isn't a Windows-only problem - but a problem for anyone where the internet DNS servers can't answer DNS queries correctly, because the answers aren't on the public internet.

                                  Considering how fundamental this issue is after you actually get traffic flowing over the solution, I'm a bit surprised there isn't specific documentation as part of the project to solve this problem.

                                  If the ZT personnel aren't running into this issue - why aren't they?

                                  Is it because they have no internal/private network? All DNS is public DNS, so any DNS talking to the world will get the requested information? How are you registering the ZT IPs in that DNS setup?

                                  I realize this post may be construed as mean - please understand that I simply see it as a hard question - one of the things that makes SDNs hard.

                                  Clearly with Pertino they had to do some black magic voodoo to make it work.

                                    adam.ierymenko @Dashrender

                                    @Dashrender Pertino as far as I know implemented some kind of local split brain DNS proxy. That's not quite black magic but it's a pain.

                                    What we do is to actually put private ZT IPs in our public DNS, e.g. <host>.int.zerotier.com where int.zerotier.com is the internal LAN. But I'm not sure that'll work for Active Directory.

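As an added example (not code from this thread, from ZeroTier, or from any poster), a small Python audit that captures dafyre's split-brain concern and Adam's approach of publishing ZT addresses in DNS: for each internal hostname it checks whether the addresses DNS hands out include one a roaming ZeroTier client can actually reach, and flags names that resolve only to LAN addresses. The subnets, hostnames and answers are constructed placeholders; the lookup function is pluggable so you can feed it answers taken from a specific DNS server.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Constructed ranges: 172.16.0.0/16 covers the LAN DNS servers the thread mentions
# (172.16.0.10 and 172.16.0.15); the ZT range is a placeholder for your own managed subnet.
LAN_NETS = [ipaddress.ip_network("172.16.0.0/16")]
ZT_NETS = [ipaddress.ip_network("10.147.17.0/24")]  # placeholder, not from the thread


def system_lookup(host: str) -> List[str]:
    """Ask the OS resolver, i.e. whatever NIC/DNS order Windows or resolv.conf produces."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def reachable_from_road(addr: str) -> bool:
    """True if a roaming ZT client can reach this address: it sits in the ZT range or it
    is public. A private address outside the ZT range is LAN-only."""
    ip = ipaddress.ip_address(addr)
    if any(ip in net for net in ZT_NETS):
        return True
    return not ip.is_private


def audit(hosts: Iterable[str],
          lookup: Callable[[str], List[str]] = system_lookup) -> Dict[str, str]:
    """Verdict per host: 'ok' (at least one ZT-reachable or public address published),
    'lan-only' (every answer is a LAN address: the Outlook/webmail failure in the thread),
    or 'nxdomain' (nothing resolves, e.g. the A record was never added)."""
    verdicts: Dict[str, str] = {}
    for host in hosts:
        addrs = lookup(host)
        if not addrs:
            verdicts[host] = "nxdomain"
        elif any(reachable_from_road(a) for a in addrs):
            verdicts[host] = "ok"
        else:
            verdicts[host] = "lan-only"
    return verdicts


# Constructed answers standing in for a LAN DNS server's replies; hostnames are placeholders.
SAMPLE_ANSWERS = {"mail.corp.example": ["172.16.0.20"],                  # LAN address only
                  "dc1.corp.example": ["172.16.0.10", "10.147.17.10"]}   # LAN plus ZT address

if __name__ == "__main__":
    hosts = ["mail.corp.example", "dc1.corp.example", "owa.corp.example"]  # last one: no record
    print(audit(hosts, lambda h: SAMPLE_ANSWERS.get(h, [])))
```

Run it with the default lookup on a roaming laptop to see what the OS resolver actually returns for your internal names; pass a custom lookup (for example one built on a DNS library pointed at a chosen server) to compare the LAN-side and ZT-side views.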
                                      adam.ierymenko

                                      DNS is fundamentally not designed for concurrent use on more than one network.

                                        JaredBusch @adam.ierymenko

                                        @adam.ierymenko said in ZeroTier Question:

                                        DNS is fundamentally not designed for concurrent use on more than one network.

                                        This exactly. And the problem is that people keep trying to make it do it.

                                          dafyre @JaredBusch

                                          @JaredBusch said in ZeroTier Question:

                                          @adam.ierymenko said in ZeroTier Question:

                                          DNS is fundamentally not designed for concurrent use on more than one network.

                                          This exactly. And the problem is that people keep trying to make it do it.

                                          While I do not disagree with you... The problem is (at least in my opinion) an easy to fix problem... Give the DNS the ability to separate stuff out... a DHCP server can do it... why not DNS? Programmatically, it's not that different (not the same, by any stretch of the imagination)... but definitely doable.

                                            Dashrender @dafyre

                                            @dafyre said in ZeroTier Question:

                                            @JaredBusch said in ZeroTier Question:

                                            @adam.ierymenko said in ZeroTier Question:

                                            DNS is fundamentally not designed for concurrent use on more than one network.

                                            This exactly. And the problem is that people keep trying to make it do it.

                                            While I do not disagree with you... The problem is (at least in my opinion) an easy to fix problem... Give the DNS the ability to separate stuff out... a DHCP server can do it... why not DNS? Programmatically, it's not that different (not the same, by any stretch of the imagination)... but definitely doable.

                                            I agree with this idea, but it would require RFCs to get done.
