zerotier / ZeroTierOne

A Smart Ethernet Switch for Earth
https://zerotier.com

DNS management helper or app/service #360

Closed dafyre closed 5 years ago

dafyre commented 8 years ago

Hey Adam,

The ZT system works great, except for one thing...When we are connected to our ZT networks, we have to use HOST files, etc. in order to provide DNS services to our systems... This is fine for Desktop OSes, but does not work well on Android (or I assume iOS) devices.

Can you add this feature into the Web UI for us to specify our own DNS server to use?

adamierymenko commented 8 years ago

This is a big topic. It's really more than a feature request, more like a request for a companion product (or plug-in?) to manage "split brain DNS" and similar issues. We've considered building such a thing since if you're doing multiple virtual networks and VPNs that is often very useful.

Right now ZeroTier gives you a straight virtual Ethernet switch and does nothing for DNS. That means that you're left to set that up yourself, and how to do that differs by OS. Problem is that if you use a DNS server on a ZeroTier network and then disconnect from that network your DNS stops working, which is annoying.

I retitled and am backlogging as a feature request.

adamierymenko commented 8 years ago

The root issue is that DNS is not designed for use in a multiple-network environment. It's a very old protocol.

dafyre commented 8 years ago

Edit: I didn't realize that this was my topic renamed, lol.

That is why I put in a feature request, so that those of us who have one ready for this will be able to use it. We can spin up our own DNS servers, etc... We just need for that option to be pushed out to the client devices when they are connected via ZT, and have it removed when they are not. Much like you do with the ZT Managed IP addresses.


dafyre commented 8 years ago

But you are right -- DNS is designed for it to be set up by us... It's easy enough to stand up a DNS server in Windows or Linux to handle stuff just for ZT, and ZT only.

That's why I think it would be easier if we just had an option in the Web UI for specifying our own DNS servers.

If someone builds their network in such a way that a ZT Gateway setup can be used, then there's not an issue of split brain DNS, as everything belongs to the same IP space.

If a ZT Gateway is not setup, then a simple DNSMasq server or Windows (standalone) DNS server could be used for this.

luckman212 commented 7 years ago

What I did was put A records for a few specific ZT hosts in a subdomain of a public domain that I control e.g. host foo would be foo.zt.contoso.com. This doesn't always work as some resolvers will not return RFC1918/AS112 results, but if you have control of the local resolvers on the networks you frequent then you can usually override this behavior. Not a perfect solution but works most of the time for me.

jaxidian commented 7 years ago

DNS is definitely my primary pain point with ZT. However, I'd prefer to not have to run my own DNS but rather have the "split brain DNS" setup that @adamierymenko referred to.

I understand that I don't understand enough to talk too low-level here but I would envision an ideal implementation would allow me to choose which network clients participated in the shared DNS resolution with the split-brain DNS simply being handled by the ZT client (or optional companion). I'm sure there are lots of reasons this is a bad idea but as a consumer who manages a few DNS servers himself, I'd still greatly prefer this for my simple ZT needs.

And of course allow for configurable DNS IPs to be filled in mutually-exclusive to this split-brain setup for those who really do want to run DNS on the network. I'd envision the ZT client would just fill this in as a static DNS entry the same way it fills in static IPs (as an alternative to actual DHCP being run on the ZT networks).

dch commented 7 years ago

Given how infrequently addresses are assigned - AFAICT only on joining a given network or if an admin changes the network assignments - and that I do this using the API at present, I'm just poking the records into our DNS setup directly then. You can use e.g. local-data sections in the unbound DNS server to do this, and restrict requests via an ACL to a given ZT network.

An option for ZT might be to provide an outgoing webhook API to be pinged when something changes, or to wire up a changes feed that other systems can subscribe to. I'm not familiar with rethinkdb itself, but very familiar with CouchDB's one, and this would be an excellent way of offloading extensibility for many many integration features to the community.

melo commented 7 years ago

+1 on the last comment from @dch... I don't think Zerotier should do DNS at all, but it should enable others to take care of this. If Zerotier provided a per-network changes feed of topology changes, then those who wanted could build others tools, like DNS servers, or service discovery services, on top of it.

I can see the value of piping the Zerotier changes feed into a Consul service :)

io41 commented 7 years ago

OpenVPN server has options to "push" DNS config to clients. What clients do with that, is up to them. This does mean that no matter whether the client is on a mobile device, or work station, once connected to the VPN, they can use VPN based DNS.

(Some clients, such as Viscosity, have a config option that allows one to specify for which domains you want to use the DNS VPN.)

Without support from ZeroTier to push (and optionally apply) DNS configs, it's impossible to use ZeroTier as a replacement for something like OpenVPN. It's easy enough to package DNSMasq up to do split DNS for a work station, for some VPN domain, but when it comes to locked down mobile operating systems, such as iOS, changing DNS when connecting/disconnecting from a VPN is impossible without direct support of the client.

paul-chambers commented 7 years ago

From my perspective, Zerotier has only solved half the problem - assigning IP addresses automatically - but lacks a mechanism to expose the name->IP mapping that corresponds to the assignment. The information is there - it can be queried through the API - but it's not exposed in a way we can use it directly - e.g. DNS service, or support for RFC2136 and friends, to push the updates to other DNS servers in a standard way.

In my opinion, Zerotier deserves an integrated DNS service that's as distributed and robust as Zerotier itself. Something similar in spirit to dnsmasq, which merges DHCP functionality with DNS lookups for the name->IP leases.

I mean no disrespect (Zerotier is awesome!) but being forced to manually create HOSTS files or A records is a workaround for its absence.

paulp commented 7 years ago

Not to be all me-too, but I'd like to express my profound agreement with the preceding comment by @paul-chambers. This is exactly the missing piece of what could become an incredible simplifier for today's unreasonably complicated Internet. The pain is especially acute with mobile devices, where there's really no sensible way to make DNS work correctly and automatically unless a single DNS server can answer all queries internal and external, and that server can be provided via DHCP. [Edit: I'd forgotten as I was writing that the preceding comment by @io41 also talked about this. So let's call this a pure me-too comment and take it off my lifetime quota.]

ghost commented 7 years ago

Putting everything in public DNS isn't the answer, and neither is distributing a hosts file.

Currently using Softether, which just does a DHCP request over the tunnel, so the client gets DNS, NTP, search domain, WPAD, etc., in one hit.

Ideally, just being able to set the most common DHCP-issued-settings would be good, then they could be assigned in the same way that network addresses are in ZT now.

Realistically, if you're setting up bridged ZT networks and taking over the default route on a client machine, you need to be able to provide either bridged DHCP from the network you're bridged to, or being able to push pretty much all DHCP-assignable settings via the ZT interface.

Doing a config push is perhaps preferable, as changes you make to your network (like DNS/WPAD) could get reflected instantly, rather than having to wait for a lease to get renewed.

ryanschneider commented 7 years ago

Figured I'd weigh in here too. I'm considering replacing OpenVPN with ZeroTier to access some private networks, but am struggling with how to handle DNS.

In my case, I already have a DNS server w/ an internal zone file, I just want the client to be configured to point to that DNS server while connected to the ZT network.

So for me, the best approach seems that if the zero tier client exposed some events when network conditions changed this could be handled via some sort of 3rd party sidecar process installed alongside ZeroTier One. I guess I could poll /network/################ locally instead, but getting the state pushed seems cleaner.

This is also orthogonal to the webhook or other approach for updating servers about network topology changes.

So, in short I think if there existed:

Then a ton of useful tools could be built on top of that. Both feel "add on" enough to only be available in the paid version, IMO.

laduke commented 7 years ago

What would be an example of a useful webhook that Central/my.zerotier.com could send?

ryanschneider commented 7 years ago

The most obvious one I can think of would be every time a network member's status changed.

Basically if the contents of /controller/network/<network ID>/member/<address> changed, push those contents to the webhook.

This could be used to populate some sort of service discovery registry or DNS zone file automatically.
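The unbound local-data approach dch describes earlier and the webhook idea in the preceding comment both come down to one step: turning member records into resolver configuration. What follows is an added example, not code from the ZeroTier project or from anyone in this thread. The member record shape (id, name, ipAssignments), the sample members and the zone name zt.example are constructed assumptions; map the real API or webhook payload onto them. The point worth taking from it is that the member name is free text typed into the web UI, so it has to be validated as a DNS label before it is written into a config file that a resolver will parse.

```python
import ipaddress
import re

# Sample member records, constructed for this example. The field names
# (id, name, ipAssignments) are an assumption about what a poll of the
# member API or a webhook payload would carry; adapt to the real payload.
SAMPLE_MEMBERS = [
    {"id": "1234567890", "name": "web01", "ipAssignments": ["10.147.20.10"]},
    {"id": "abcdef0123", "name": "DB-Primary", "ipAssignments": ["10.147.20.37", "fd00::37"]},
    # A hostile or careless name entered in the web UI must never reach the config.
    {"id": "deadbeef00", "name": 'x"\nlocal-data: "evil.zt.example. A 1.2.3.4', "ipAssignments": ["10.147.20.99"]},
    {"id": "0badc0ffee", "name": "", "ipAssignments": ["10.147.20.100"]},
    {"id": "00000000ff", "name": "web01", "ipAssignments": ["10.147.20.101"]},
    {"id": "0000000100", "name": "broken", "ipAssignments": ["not-an-ip"]},
]

# One DNS label: letters, digits and hyphen, no leading/trailing hyphen, at most 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def build_records(members, zone):
    """Turn member records into (fqdn, ip_address) pairs.

    Names are user-controlled input from the controller, so each one is checked
    as a DNS label before it is used. Duplicate names and unparsable addresses
    are dropped. Returns (records, skipped); skipped holds (member id, reason)
    so an operator can audit what was left out.
    """
    records, skipped, seen = [], [], set()
    for m in members:
        name = (m.get("name") or "").strip().lower()
        if not LABEL_RE.match(name):
            skipped.append((m["id"], "invalid name"))
            continue
        if name in seen:
            skipped.append((m["id"], "duplicate name"))
            continue
        ips = []
        for raw in m.get("ipAssignments", []):
            try:
                ips.append(ipaddress.ip_address(raw))
            except ValueError:
                skipped.append((m["id"], f"bad address {raw!r}"))
        if not ips:
            continue
        seen.add(name)
        records.extend((f"{name}.{zone}", ip) for ip in ips)
    return records, skipped


def unbound_config(records, zone, allow_from):
    """Render an unbound static local-zone, with an ACL so only the ZT range may query it."""
    lines = [f"access-control: {allow_from} allow", f'local-zone: "{zone}." static']
    for fqdn, ip in records:
        rtype = "A" if ip.version == 4 else "AAAA"
        lines.append(f'local-data: "{fqdn}. {rtype} {ip}"')
    return "\n".join(lines) + "\n"


def hosts_file(records):
    """Render the same records as hosts-file lines for systems with no resolver hook."""
    return "".join(f"{ip}\t{fqdn}\n" for fqdn, ip in records)


if __name__ == "__main__":
    recs, skipped = build_records(SAMPLE_MEMBERS, "zt.example")
    print(unbound_config(recs, "zt.example", "10.147.20.0/24"))
    for member_id, reason in skipped:
        print(f"# skipped member {member_id}: {reason}")
```

Write the rendered output to a file that unbound includes, then reload unbound whenever a member changes; with a webhook the handler would call build_records on each payload instead of polling. The access-control line is what keeps the internal zone from being served to anything outside the ZT range.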

ghost commented 7 years ago

Although some notification mechanism (webhook, or otherwise) would undoubtedly be useful for first and third party extensions, I think this may be overcomplicating something fundamental like setting client DNS servers.

The client does pretty much everything else you'd expect of a network hypervisor, except the assignment of DNS. That's literally the only thing preventing our organisation switching to this software (and paying for it).

There are other hacks like permanently setting a client machine's resolvers and search domain to those on your internal network, but;

I can totally understand why DNS wasn't considered for IoT projects (where other service discovery can be baked into products), but your software also has huge potential for corporate SDN and VPN projects, and for those we'd need to be able to specify our own DNS servers on our internal networks at the very minimum (including having them removed should the ZT network go down or become unavailable).

More ideally, either the ability to configure a true bridge where even DHCP requests make it over the tunnel, or a larger complement of DHCP options (as mentioned in my last post) available to be provisioned along with addresses and DNS.

io41 commented 6 years ago

According to the settings, if I'm interpreting it correctly, it looks like this is something that's in the pipeline...

[screenshot: screenshot_2017-10-09_16_04_55]

ghost commented 6 years ago

Aye, I saw that - unsure whether this means it's a hosted DNS service, or it's the ability to nominate DNS servers from inside the ZT network. Anyone in the know willing to comment?

jdrews commented 6 years ago

Pushing DNS servers to ZT nodes would be useful!

io41 commented 6 years ago

It's been at least 6 months since DNS support was "coming soon"... and almost 2 years since this ticket was opened...

Dear ZeroTier Staffers, are there any plans to pick this ticket up off the backlog?

RyanBreaker commented 6 years ago

For the record, there is this project available. I was going to give it a try on my personal network today. https://github.com/uxbh/ztdns

ChrisMagnuson commented 6 years ago

@RyanBreaker One of the main features needed is management of the ZT nodes' DNS servers; the project you link to provides a DNS server to resolve names as entered on the ZT console to IP addresses, which is interesting, but not the scope of what is being referred to in this issue.

If this issue had a resolution we would likely use that mechanism of pushing DNS servers to ZT nodes to then point nodes to a DNS server running the project you pointed to. Complementary ideas but not quite the same.

RyanBreaker commented 6 years ago

@ChrisMagnuson Ahh apologies, I misread. Thank you for clarifying.

jdrews commented 6 years ago

Any updates to DNS support in ZeroTier?

dch commented 6 years ago

Try https://github.com/uxbh/ztdns if there’s nothing official yet. I’d really like this built in.

io41 commented 6 years ago

@dch please read the comments above before posting. That's already been suggested and is NOT what this issue is about.

laduke commented 5 years ago

Hey, if your clients happen to be using "full tunnel mode", you can re-direct dns requests with the network rules.

redirect 3ee751ebd0 ethertype ipv4 and dport 53;

I needed to add some nat rules to iptables on the dns server to get the replies back to the client

iptables -t nat -A PREROUTING -i ztzlghsivo -p udp --dport 53 -j DNAT --to 10.147.20.37:53
iptables -t nat -A PREROUTING -i ztzlghsivo -p tcp --dport 53 -j DNAT --to 10.147.20.37:53

nslookup from my laptop

nslookup some-host.internal
Server:     8.8.8.8
Address:    8.8.8.8#53

Name:   some-host.internal
Address: 10.13.13.13

coreybrett commented 5 years ago

When will split-brain DNS be available on the Windows platform?

rcmcdonald91 commented 5 years ago

Any updates on this?

adamierymenko commented 5 years ago

Considering this a dupe or sub-issue of #322

paul-chambers commented 5 years ago

Issue #322 is about DHCP support, not name resolution of ZeroTier endpoints via DNS lookup.

I don't understand why this has been closed.

marshalleq commented 5 years ago

I'm going to have a go at just disabling Zero Tier DHCP, then using DHCP on my firewall, which would assign its DNS. I think that's the only real way around this. Will be interesting if the clients get an actual IP address, but I assume they will - ZeroTier is pretty much a vlan right?

dimkasta commented 4 years ago

There's no need for a split-brain or anything. A simple dnsmasq-like service is enough.

  1. Define names for each connected client on the web interface
  2. Upon connection to the vpn, the client starts a local dns server like dnsmasq and configures it using the web interface name entries.
  3. For everything else, the pre-existing dns server of the machine is registered as upstream. This way everything not found in the client's dns is forwarded to the client-network's dns servers.

lalo-uy commented 4 years ago

There's no need for a split-brain or anything. A simple dnsmasq-like service is enough.

  1. Define names for each connected client on the web interface
  2. Upon connection to the vpn, the client starts a local dns server like dnsmasq and configures it using the web interface name entries.
  3. For everything else, the pre-existing dns server of the machine is registered as upstream. This way everything not found in the client's dns is forwarded to the client-network's dns servers.

You can do that on Android & iOS?

dimkasta commented 3 years ago

Probably not.

Another approach would be to use the wireguard way. Meaning that it's up to the client application/script to force a new set of dns servers when the tunnel is connected. This way it will not have to be implemented as a service on the zt side. The dns ips can be configured on the client app when it is set up to join the network. When it disconnects, it reverts to the old setting

laduke commented 3 years ago

👋 https://www.zerotier.com/2020/10/09/zerotier-1-6-0-beta1-released/

The ability to push DNS configuration to members, a long requested feature that will be valuable in enterprise environments with internal DNS servers or Windows domain controllers. The network controller side of this can be edited in ZeroTier Central by adding ?dns=1 to the end of the /network/ URL when viewing or editing a network. This will reveal a DNS configuration box in the network settings area beneath multicast configuration. On the client you must allow DNS setting management for a network in the ZeroTier UI or via the command-line interface with zerotier-cli set allowDNS <true|false>.

dimkasta commented 3 years ago

Very good news. Does the current android client support this?

glimberg commented 3 years ago

@dimkasta Android & iOS have had the ability to set custom DNS servers for a while now. We haven't yet rolled out versions of those that support the network controller based DNS servers quite yet. Will likely release betas of those along with 1.6.0 Beta 2.

dimkasta commented 3 years ago

@glimberg Thanks for your fast response. I have seen the setting, but unfortunately it does not work on our samsung phones. From what I've read it's some bug on the Samsung android implementation, unless I am missing something.

glimberg commented 3 years ago

@dimkasta I know nothing about the bug you're talking about. Works on the Samsung I have for testing on Android.

sagan commented 3 years ago

Is it possible that ZeroTier provides integration support for common DNS providers (like CloudFlare, which has an API), so that the user only needs to enter the CloudFlare API key and their own domain name in the ZeroTier Web dashboard? Next time, when a new device is authorized and given a name by the user, it automatically adds or updates the "device-name.devices.example.com" DNS A record pointing to the associated IP of the device.