netbirdio / netbird

Connect your devices into a secure WireGuard®-based overlay network with SSO, MFA and granular access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Windows DNS issues on AD DC and AD joined Windows machines #987

Open bbaumgartl opened 1 year ago

bbaumgartl commented 1 year ago

It seems that the netbird search domain is ignored on a Windows Server Active Directory Domain Controller.

After connecting netbird the log states that the search domain was added:

2023-06-23T11:44:27+02:00 INFO client/internal/dns/host_windows.go:181: updated the search domains in the registry with 1 domains. Domain list: [netbird.cloud]

But it does not show up in ipconfig /all under DNS Suffix Search List or Connection-specific DNS Suffix:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : windows-server
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Unknown adapter wt0:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WireGuard Tunnel
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 100.71.19.142(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 162275179
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-98-15-90-AC-1F-6B-60-F5-72
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

And DNS queries with only the hostname fail:

PS C:\Users\administrator> Resolve-DnsName -Name peer-a
Resolve-DnsName : peer-a : DNS name does not exist
At line:1 char:1
+ Resolve-DnsName -Name  peer-a
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (peer-a:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Using the FQDN does work though:

PS C:\Users\administrator> Resolve-DnsName -Name peer-a.netbird.cloud
Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
peer-a.netbird.cloud                           A      300   Answer     100.71.126.42

bbaumgartl commented 1 year ago

I tried the same configuration on an AD joined Windows 10 machine. DNS resolution for netbird works, but the local AD domain doesn't resolve anymore. It looks like netbird changes the DNS configuration (in the adapter properties) from "Append primary and connection specific DNS suffixes" to "Append these DNS suffixes (in order)" (as described here: https://answers.uillinois.edu/illinois/page.php?id=114224). This somehow means that Windows is only using the suffixes from this list, and on a Windows AD DC this seems to have no effect at all (after changing the setting manually while testing it somehow worked, but reconnecting netbird broke it again).

I tried two different manual DNS configurations with netbird connected:

  1. Activating Append primary and connection specific DNS suffixes and setting DNS suffix for this connection on the wt0 adapter to netbird.cloud. This appends netbird.cloud to the DNS Suffix Search List in ipconfig /all.
  2. Adding domain.local to Append these DNS suffixes (in order) after netbird added netbird.cloud to the list.

Both seem to work (local AD domain and netbird domain are added to the search list and can be resolved) on the Windows AD DC and Windows 10 machine. Maybe one could be a possible solution?

bbaumgartl commented 1 year ago

Another thing I noticed is that connecting netbird registers the netbird IP address in the local DNS server. This causes local network clients to sometimes get the netbird IP instead of the local IP and thus they can't connect to the server. There is an option in the adapter properties (Register this connection's addresses in DNS) which should avoid this. Maybe this is something that can be set after the adapter is created?

MobileManiC commented 1 year ago

Yes, waiting for that fix as well... This makes NetBird effectively unusable in an AD environment, because short names are usually heavily utilized in average business use cases (it seems that even some Win10/11 domain communication itself expects AD servers to be accessible by their short name).

MobileManiC commented 1 year ago

Btw. I think solution 1. ("Append primary and connection specific DNS suffixes") is the proper one.

hesshaus commented 6 months ago

Can confirm this is an issue in AD environments. The suggestions above did fix these issues, however, they are temporary (upon reboot or restarting the netbird client). Would love to roll this solution out but this is a major hurdle.

MobileManiC commented 6 months ago

I think this is already resolved for a long time. Have you tried to install current version and configure DNS properly on the server side?

bbaumgartl commented 6 months ago

I just briefly checked it and it seems that the first two points (Windows Server netbird DNS resolution, AD joined Windows machine local DNS resolution) work now.

The third point (netbird ip is registered in the local domain as ip address) seems to be still an issue.

florian-obradovic commented 1 month ago

"The third point (netbird ip is registered in the local domain as ip address) seems to be still an issue."

This is standard behaviour for Windows: https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/enable-disable-dns-dynamic-registration

"Windows supports Domain Name System (DNS) updates per RFC 2136. By default, this behavior is enabled for Windows DNS clients."

You could disable this via GPO: Computer Configuration > Administrative Templates > Network > DNS Client > Dynamic Update. Set it to Disabled.
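The two ways of stopping that registration that are mentioned in this thread, the per-adapter checkbox bbaumgartl points at and the machine-wide policy named above, as an added PowerShell example (not NetBird's own code). It assumes the NetBird adapter is identified by the description "WireGuard Tunnel" shown in the ipconfig output, that the policy maps to the RegistrationEnabled value (verify with gpresult on your domain), and an elevated shell.

```powershell
# Added example, not from the NetBird project. Run elevated on the AD joined machine.

# Per-adapter: equivalent to unticking "Register this connection's addresses in DNS"
# in the adapter's advanced DNS properties. Only the NetBird tunnel is affected, so
# this is the safer choice on a domain controller, which must keep registering its
# own records on the LAN adapter.
$nb = Get-NetAdapter | Where-Object InterfaceDescription -eq 'WireGuard Tunnel'   # assumption: description from ipconfig above
if (-not $nb) { throw 'NetBird adapter not found; is the client connected?' }
Set-DnsClient -InterfaceIndex $nb.InterfaceIndex -RegisterThisConnectionsAddress $false

# Machine-wide: what the "Dynamic update = Disabled" policy writes (assumed mapping).
# Skip this on a DC, and only use it when no domain GPO manages the DNS Client node,
# otherwise the next policy refresh overrides the value.
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4   # 4/5 = backup/primary DC
if (-not $isDc) {
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    New-Item -Path $pol -Force | Out-Null
    Set-ItemProperty -Path $pol -Name 'RegistrationEnabled' -Type DWord -Value 0
}

# Verify: the tunnel adapter must now report RegisterThisConnectionsAddress = False.
Get-DnsClient -InterfaceIndex $nb.InterfaceIndex |
    Select-Object InterfaceAlias, RegisterThisConnectionsAddress
```

The A record the client already registered is not withdrawn by this change; remove it on the AD DNS server or let scavenging age it out.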

florian-obradovic commented 1 month ago

I came across this issue and have the same issue on all AD joined machines (Windows 10/11, Server OS). All Netbird specific DNS settings are ignored on AD joined or Entra-ID hybrid joined machines. WORKGROUP or Entra-ID only joined machines work fine.

Looks like the NRPT Rules are ignored (Get-DnsClientNrptRule).

nslookup or Resolve-DnsName work if you specify the Netbird default DNS IP.

It works on machines without domain join.

florian-obradovic commented 1 month ago

I found some hints in a Tailscale issue.

The NRPT rule Netbird creates is ignored if this key exists, which is the default in every Active Directory domain, even without any DNS client specific GPOs applied (I tested it...): HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig

From the documentation: "<4> Section 2.2.2.1: The Name key specification is Software\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig\{Name}. In the presence of both specified keys, Windows ignores the System\CurrentControlSet\services\Dnscache\Parameters key."

So, the NRPT rule is ignored: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig\NetBird-Match

Steps to test:

  1. Backup and delete the full key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
  2. Delete the whole key or at least ...\DNSClient\DnsPolicyConfig
  3. Make sure you have no network connection to the AD to avoid any GPOs getting re-applied :)
  4. Disconnect Netbird, restart the service (Restart-Service Netbird) or reboot the machine
  5. Connect Netbird and DNS is working ✅

Possible solution: creating a DNS Client NRPT rule like this doesn't work ❌:

Add-DnsClientNrptRule -Namespace "onetpg" -NameServers "100.116.255.254"
Get-DnsClientNrptRule -Name "{265F11C4-B797-48F6-BF9D-24CFD59DC369}"

I think we need a DnsClientNrptPolicy, but I'm unsure how to create them correctly... there is no Add-DnsClientNrptPolicy cmdlet.

I created the registry key manually and it works :) My Netbird domain suffix is onetpg (example: server01.onetpg), so it's: Name=hex(7):2e,00,6f,00,6e,00,65,00,74,00,70,00,67,00,00,00,00,00 = .onetpg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig\Netbird-onetpg]
"ConfigOptions"=dword:00000008
"Name"=hex(7):2e,00,6f,00,6e,00,65,00,74,00,70,00,67,00,00,00,00,00
"IPSECCARestriction"=""
"GenericDNSServers"="100.116.255.254"
"Version"=dword:00000002


GPO - Group Policy

Proposed fix @mlsmaycon:

  1. If HKLM\Software\Policies\Microsoft\WindowsNT\DNSClient\DnsPolicyConfig exists, we need to add all Netbird specific DNS settings / Nameservers to the policy store instead of the local one (HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig)
  2. Refresh group policy: https://github.com/tailscale/tailscale/commit/4d0d4e0b69cde02b6e9b3191e3ffa1eaacbe0202#diff-a3c40a24112fd7205c9cf7de4f44d040b2e7f50db1496f778c09931df7a425e1R41

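The manual registry fix and the proposed client-side behaviour from this comment, as an added PowerShell example (not NetBird's code and not the proposed patch): it detects whether the policy DnsPolicyConfig key exists, and only then writes the same rule the .reg file above contains into the policy store, prints the hex(7) form of Name for comparison with the export, refreshes policy as the linked Tailscale change does, and checks the effective NRPT. The suffix onetpg and resolver 100.116.255.254 are taken from the comment; adjust them, and run elevated.

```powershell
# Added example, not from the NetBird project. Values default to those in the comment above.
param(
    [string]$Suffix     = 'onetpg',
    [string]$NameServer = '100.116.255.254'
)

$PolicyBase = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
$LocalBase  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig'

# 1. The condition from the comment: once the policy key exists, Windows ignores every
#    rule under the local Dnscache store, including the NetBird-Match rule written there.
if (-not (Test-Path $PolicyBase)) {
    Write-Host "No policy DnsPolicyConfig key; the local store ($LocalBase) is honoured, nothing to do."
    return
}

# 2. Write the rule with the same values as the .reg file above. Name is a REG_MULTI_SZ
#    (hex(7) in .reg files) holding the suffix with a leading dot.
$Key = Join-Path $PolicyBase "Netbird-$Suffix"
New-Item -Path $Key -Force | Out-Null
New-ItemProperty -Path $Key -Name 'ConfigOptions'      -PropertyType DWord       -Value 8            -Force | Out-Null
New-ItemProperty -Path $Key -Name 'Name'               -PropertyType MultiString -Value @(".$Suffix") -Force | Out-Null
New-ItemProperty -Path $Key -Name 'IPSECCARestriction' -PropertyType String      -Value ''           -Force | Out-Null
New-ItemProperty -Path $Key -Name 'GenericDNSServers'  -PropertyType String      -Value $NameServer  -Force | Out-Null
New-ItemProperty -Path $Key -Name 'Version'            -PropertyType DWord       -Value 2            -Force | Out-Null

# 3. hex(7) form of Name: UTF-16LE bytes of ".onetpg" plus two NUL terminators
#    (end of string, end of list). Should print the exact line quoted in the comment.
[byte[]]$bytes = [System.Text.Encoding]::Unicode.GetBytes(".$Suffix") + [byte[]](0, 0, 0, 0)
'Name=hex(7):' + (($bytes | ForEach-Object { $_.ToString('x2') }) -join ',')

# 4. The DNS client only reloads the policy store on a policy refresh (step 2 of the
#    proposed fix); gpupdate triggers that without a reboot.
gpupdate /target:computer /force | Out-Null
Clear-DnsClientCache

# 5. Verify against the effective NRPT, not the local store that Get-DnsClientNrptRule shows.
Get-DnsClientNrptPolicy -Effective |
    Where-Object { $_.Namespace -eq ".$Suffix" } |
    Format-List Namespace, NameServers
```

If a domain GPO manages the DNS Client node, it may overwrite this key on the next refresh; in that case the rule has to be delivered through that GPO instead.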

florian-obradovic commented 3 weeks ago

@mlsmaycon did you have a chance to look at this? I bet this could block a rollout for many corps with Windows environments.