
    ZeroTier and DNS

IT Discussion · Tags: dns, zerotier · 39 Posts, 4 Posters, 18.8k Views
scottalanmiller @adam.ierymenko

@adam.ierymenko said:

    I'm thinking that there's a need here for some kind of DNS solution to work with ZeroTier, but in the interest of sanity and avoiding feature explosion I'm reticent to actually build it into ZeroTier itself. Instead I think it should maybe be another app, something that serves DNS locally and makes decisions about where to get the actual DNS information from.

    I wonder if anyone's already written anything like this? I know on *nix we have dnsmasq and other similar services.

Much as Pertino did. They leverage your existing Windows DNS servers and have a special app that runs inside the Pertino network and handles your DNS.
Dashrender

With ZT installed on one of my servers, and that interface getting DHCP from ZT, the interface is registering itself in my AD's DNS system. Non-ZT machines are now resolving to the ZT IP address instead of the local network IP. Though it seems non-deterministic, that just might be my limited exposure so far.
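An added example, not code from the thread or from ZeroTier: the symptom described in the post above (the ZeroTier interface registering its address in AD-integrated DNS, so LAN hosts resolve the server to its ZeroTier address) can be checked and stopped per adapter with the Windows DnsClient cmdlets. The adapter is located by its interface description; the `ZeroTier*` pattern is an assumption to confirm against `Get-NetAdapter` output on the host.

```powershell
# Added example (not from the thread or from ZeroTier). Run elevated on the server
# that has ZeroTier installed. Assumption: the ZeroTier adapter's InterfaceDescription
# starts with "ZeroTier"; check Get-NetAdapter and adjust the pattern if it does not.
$ztAdapters = Get-NetAdapter | Where-Object { $_.InterfaceDescription -like 'ZeroTier*' }
if (-not $ztAdapters) { throw 'No ZeroTier adapter found; check the InterfaceDescription pattern.' }

foreach ($adapter in $ztAdapters) {
    # Show the current setting: $true means this interface registers its address in DNS.
    Get-DnsClient -InterfaceIndex $adapter.ifIndex |
        Select-Object InterfaceAlias, RegisterThisConnectionsAddress

    # Keep the ZeroTier address out of AD DNS; the LAN adapter keeps registering as before.
    Set-DnsClient -InterfaceIndex $adapter.ifIndex -RegisterThisConnectionsAddress $false
}

# Redo dynamic registration now instead of waiting for the next refresh interval.
ipconfig /registerdns

# Verify from this host: only LAN addresses should come back for its own name.
Clear-DnsClientCache
Resolve-DnsName -Name $env:COMPUTERNAME -Type A | Select-Object Name, IPAddress
```

If a stale A record with the ZeroTier address survives the refresh, remove it on the DNS server (`Remove-DnsServerResourceRecord` from the DnsServer module). The setting is per machine, so every domain member that joins the ZeroTier network needs it, which in practice means pushing it by Group Policy rather than fixing one server at a time.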
scottalanmiller @Dashrender

@Dashrender said:

    With ZT installed on one of my servers, and that interface getting DHCP from ZT, the interface is registering itself in my AD's DNS system. Non-ZT machines are now resolving to the ZT IP address instead of the local network IP. Though it seems non-deterministic, that just might be my limited exposure so far.

That's what we found with the Pertino system too.
adam.ierymenko

Does anyone know if this comes up in other situations? Seems like the one-layer-down issue is getting AD to work in a multi-network environment.
adam.ierymenko

Obviously if you go 'all in' with SDN then your private IPs will just work always, but not everyone can do that.
scottalanmiller @adam.ierymenko

@adam.ierymenko said:

    Does anyone know if this comes up in other situations? Seems like the one-layer-down issue is getting AD to work in a multi-network environment.

That is correct. But generally you don't run into these issues except when building a full mesh.
Dashrender @adam.ierymenko

@adam.ierymenko said:

    Does anyone know if this comes up in other situations? Seems like the one-layer-down issue is getting AD to work in a multi-network environment.

I'm trying to recall how this is solved in a traditional VPN setup. VPN server on the edge of my network, I connect while I'm at home. The IP I get from the VPN server includes my office's DNS server as well as an IP. But even then, I've had issues where things don't resolve correctly, so I'm sure this isn't a new problem.
scottalanmiller @Dashrender

@Dashrender said:

    I'm trying to recall how this is solved in a traditional VPN setup. VPN server on the edge of my network, I connect while I'm at home. The IP I get from the VPN server includes my office's DNS server as well as an IP. But even then, I've had issues where things don't resolve correctly, so I'm sure this isn't a new problem.

DHCP, because you only connect to the VPN when remote. You are handling the whole process manually and just don't realize that that is what is happening. You are manually choosing to tell the system when you are or are not in the office.
Dashrender @scottalanmiller

@scottalanmiller said:

    @Dashrender said:

        I'm trying to recall how this is solved in a traditional VPN setup. VPN server on the edge of my network, I connect while I'm at home. The IP I get from the VPN server includes my office's DNS server as well as an IP. But even then, I've had issues where things don't resolve correctly, so I'm sure this isn't a new problem.

    DHCP, because you only connect to the VPN when remote. You are handling the whole process manually and just don't realize that that is what is happening. You are manually choosing to tell the system when you are or are not in the office.

I don't follow. While my post started out asking how we solved this before, I ended by saying it really never was solved.

The DNS servers provided to the VPN client weren't reliably more authoritative with responses than the local connection DNS servers. I basically had to set up a hosts file for anyone who was mobile to ensure IP connectivity for them.
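An added example, not code from the thread: the problem in the post above is that the resolvers handed to the VPN client do not reliably win over the local connection's resolvers, which is what a hosts file was papering over. On a Windows client, a Name Resolution Policy Table (NRPT) rule pins one namespace to the internal resolver no matter which adapter's DNS servers are active, which also addresses the split-horizon case discussed later in the thread (the same zone answered differently inside and outside). `corp.example.com` and `10.147.17.10` are placeholder values, and in a domain the same rule would normally be delivered by Group Policy rather than set per machine.

```powershell
# Added example (not from the thread). Placeholders: replace the namespace and the
# internal resolver address with your own. Run elevated on the mobile client.
$Namespace   = '.corp.example.com'   # leading dot matches every name under the zone
$InternalDns = '10.147.17.10'        # AD DNS server reachable over the VPN/ZeroTier path

# Replace any existing local rule for this namespace so duplicates do not pile up.
Get-DnsClientNrptRule |
    Where-Object { $_.Namespace -eq $Namespace } |
    Remove-DnsClientNrptRule -Force

# Queries for *.corp.example.com now go to the internal server only; every other
# name still follows whichever adapter's DNS servers are active.
Add-DnsClientNrptRule -Namespace $Namespace -NameServers $InternalDns `
    -Comment 'Internal zone via internal resolver (split horizon)'

# Get-DnsClientNrptPolicy shows the effective set (local rules plus Group Policy);
# then confirm a lookup in the namespace is answered by the internal server.
Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq $Namespace }
Clear-DnsClientCache
Resolve-DnsName -Name "fileserver$Namespace" -Type A
```

The rule is a trade-off rather than a free win: names under the namespace no longer fall back to the connection's resolvers, so while the internal server is unreachable they fail outright instead of resolving to the public record. That is usually the behaviour you want for an internal zone, since resolving internal names against an untrusted resolver is exactly the failure the hosts file was hiding, but it means the VPN or ZeroTier path to the resolver has to be up before anything in that zone works.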
scottalanmiller @Dashrender

@Dashrender said:

    The DNS servers provided to the VPN client weren't reliably more authoritative with responses than the local connection DNS servers. I basically had to set up a hosts file for anyone who was mobile to ensure IP connectivity for them.

That should not happen. I've done VPNs for decades and never ran into that issue. What was causing DNS to not work well when on the VPN?
Dashrender @scottalanmiller

@scottalanmiller said:

    @Dashrender said:

        The DNS servers provided to the VPN client weren't reliably more authoritative with responses than the local connection DNS servers. I basically had to set up a hosts file for anyone who was mobile to ensure IP connectivity for them.

    That should not happen. I've done VPNs for decades and never ran into that issue. What was causing DNS to not work well when on the VPN?

Maybe the fact that I have a split brain DNS?
scottalanmiller @Dashrender

@Dashrender said:

    Maybe the fact that I have a split brain DNS?

Split horizon, I hope that you mean. Split brain would mean that it is confused and handing out bad entries from a confused cluster failover.
scottalanmiller

Why are you using split horizon?
Dashrender @scottalanmiller

@scottalanmiller said:

    Why are you using split horizon?

I've actually never heard this term before - I've only ever seen split brain.

Just to make sure we're on the same page (and correct my term usage):

I have internal DNS for the same FQDN space and a separate DNS on the internet.
scottalanmiller @Dashrender

@Dashrender said:

    I've actually never heard this term before - I've only ever seen split brain.

Split Brain is a cluster failure condition. 🙂

https://en.wikipedia.org/wiki/Split-brain_(computing)
scottalanmiller @Dashrender

@Dashrender said:

    I have internal DNS for the same FQDN space and a separate DNS on the internet.

Yup, that is Split Horizon.

Although I could see why that would be mistaken as a failure condition.
scottalanmiller

What is the purpose in your split horizon? Why are you serving out something to the public from your internal DNS servers?
Dashrender

Here is Microsoft calling it Split Brain.
http://blogs.technet.com/b/networking/archive/2015/05/12/split-brain-dns-deployment-using-windows-dns-server-policies.aspx
scottalanmiller

Very weird. I guess they are either just confused or they are trying to make a point that it is a failure condition that should be avoided.
Dashrender

If you do a Google search for split brain DNS, you come up with many people using the term to describe this setup.