Really happy to see the new DNS options, but I’m guessing I’m missing something as it doesn’t appear to work.
I’ve set a “search domain” and a DNS server but it’s not working at all.
Any guidance or documentation available?
Hola!
If using Windows -
Open up an Administrator CMD or PowerShell window.
Run this command to see the RAW JSON output:
zerotier-cli -j listnetworks
Scroll up to find “dns”: {
Just below that you’ll see the search domain (“domain”: ) and the servers (“servers”: ).
You WILL NOT find the DNS servers or search domain assigned to the network adapter itself.
Also, if trying to connect to a ZT member just use the hostname not the FQDN.
Hi,
The search domain and DNS servers are present and correct but not applying to the adapter:
"dns": {
    "domain": "xxx.xxx",
    "servers": [
        "10.20.0.1",
        "10.20.8.1"
    ]
},
Did you enable DNS on the client end?
zerotier-cli set $networkID allowDNS=1
Also, DNS configuration won’t show up in the adapter preferences, if that’s where you’re looking for it. It uses Windows’ Name Resolution Policy Table to configure the DNS for a specific domain. You can access that information by opening a PowerShell admin window and executing: Get-DnsClientNrptRule
Hi Grant,
Yeah, I can see the rule in PowerShell and DNS is enabled; it just refuses to resolve anything.
I’ve checked that the DNS is responding and it is; Windows just doesn’t seem to be forwarding the requests.
I’m not sure what the problem could be, then. It just works on my end, so I’m unable to reproduce your issue. Is the DNS server listening on the configured address? Are you using the fully configured host + domain name? That’s all I can think of off the top of my head.
It does seem strange.
My DNS server is definitely working, as “nslookup domain. server” returns fine.
I’ve been doing a little experimentation with NRPT rules, and none of them seem to work regardless of what I enter. I can see from the Windows event log that the DNS requests are made, but the 3011 and 3020 events are never seen.
Could this be because my PC is domain joined? (not the same domain)
Is there any particular reason that ZT chose to use NRPT rules over setting the DNS and suffix on the adapter? Setting those does immediately work.
Being joined to a domain could be a possibility. Perhaps you have a group policy preventing the machine from using the NRPT rules.
Ah, while I can definitely say we haven’t explicitly created a rule to say we “can’t” use them,
I don’t know if there is anything to set to allow the use of them.
I’ll do some digging and let you know.
OK, so I’ve just tested NRPT from a totally clean “out of the box” laptop and I can’t resolve using NRPT rules.
If I apply the DNS servers’ IPs and suffix to the ZeroTier adapter it works as expected.
Not sure what’s going on with your configuration. All is working from where I stand:
PS C:\WINDOWS\system32> get-dnsclientnrptrule
Name : {9C276D8D-0F2E-46AA-ABB3-8A4CD51C4290}
Version : 2
Namespace : {.dnstest.zt}
IPsecCARestriction :
DirectAccessDnsServers :
DirectAccessEnabled : False
DirectAccessProxyType :
DirectAccessProxyName :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired :
NameServers : 192.168.192.171
DnsSecEnabled : False
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired :
DnsSecValidationRequired :
NameEncoding : Disable
DisplayName :
Comment : d5e04297a1dd5aea
PS C:\WINDOWS\system32> ping www.dnstest.zt
Pinging www.dnstest.zt [192.168.192.171] with 32 bytes of data:
Reply from 192.168.192.171: bytes=32 time=106ms TTL=64
Reply from 192.168.192.171: bytes=32 time=109ms TTL=64
Reply from 192.168.192.171: bytes=32 time=104ms TTL=64
Reply from 192.168.192.171: bytes=32 time=108ms TTL=64
Ping statistics for 192.168.192.171:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 104ms, Maximum = 109ms, Average = 106ms
PS C:\WINDOWS\system32
Hi Grant,
I think I may have found the root of the issue. Since we last spoke I’ve tested on a number of machines, a mixture of OOB Windows Pro, Home and Server 2012, 2016 and 2019.
None of them were able to resolve DNS. However, that’s not to say it can’t work; I think we’re just missing a step, a step that only appears to need to be set once, so it could have been set on yours a long time ago, possibly as a part of another process or configuration.
Please could you post the results of the following two commands, as I think one of them may hold the key:
Get-DnsClientNrptGlobal
Get-DnsClientNrptPolicy -Effective
This is what I see from Get-DnsClientNrptGlobal:
PS C:\Windows\system32> Get-DnsClientNrptGlobal
EnableDAForAllNetworks QueryPolicy SecureNameQueryFallback
Disable Disable Disable
And I get no results at all from Get-DnsClientNrptPolicy -Effective
Thanks
Chris
Here’s what I get from those commands:
PS C:\WINDOWS\system32> Get-DnsClientNrptGlobal
EnableDAForAllNetworks QueryPolicy SecureNameQueryFallback
---------------------- ----------- -----------------------
Disable Disable Disable
PS C:\WINDOWS\system32> Get-DnsClientNrptPolicy -Effective
Namespace : .dnstest.zt
QueryPolicy : QueryIPv6Only
SecureNameQueryFallback : FallbackPrivate
DirectAccessIPsecCARestriction :
DirectAccessProxyName :
DirectAccessDnsServers :
DirectAccessEnabled : False
DirectAccessProxyType :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired :
NameServers : 192.168.192.171
DnsSecIPsecCARestriction :
DnsSecQueryIPsecEncryption :
DnsSecQueryIPsecRequired :
DnsSecValidationRequired :
NameEncoding :
Hi Grant,
My “Get-DnsClientNrptGlobal” results are the same but my “Get-DnsClientNrptPolicy -Effective” result is empty.
The NRPT rules seem to be predominantly based around the Windows DirectAccess features. Is this something that you currently use?
It’s clear that something in Windows needs to be configured for it to use the NRPT rules, but it’s not a default setting, as even an “out of the box” OS won’t activate them. I suspect that this will be the same for a high percentage of users.
In the interim I have created a small Windows service that monitors and applies DNS settings directly to the adapter based on the results from a “listnetworks” command against the zerotier-cli tool, but it’s an additional install which I’d prefer to avoid.
If you would like to test further I’d be happy to help and can provide you access to a clean Windows install to test on.
Thanks
Chris
All we’re doing is using the appropriate system calls to configure the DNS for a search domain. It works out of the box on a fresh Windows install for us. I’m not sure what’s different on your end.
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.
I’m having the exact same issue as Chris was having here: New DNS Features don't appear to work
Get-DnsClientNrptRule shows the rule active however Get-DnsClientNrptPolicy -Effective is blank and DNS is not resolving.
Is there anything that can be done for me to help troubleshoot this issue?
Thanks
Hi @dandickson,
I re-opened this thread and moved your post into it.
@zt-travis, much appreciated
@chris.salter did you get any further on troubleshooting this issue? I ran rsop and nothing jumps out at me as blocking the DNS policy; however, it’s not working on my domain-joined workstations. I am able to make it function on a sandbox system that is a clean install outside the domain.
I am using a legacy .local domain name, but I have tried with other TLDs outside my own domain name and get the same behaviour.
Thanks
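
The checks discussed in this thread, gathered into one diagnostic script as an added example (not posted by any participant and not ZeroTier's own code). It assumes the Windows DnsClient cmdlets already used above; `$TestName` is a placeholder, and the note on Group Policy precedence comes from Microsoft's NRPT documentation, not from the thread.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell window.
# $TestName is a placeholder: use a host inside your ZeroTier search domain.
$TestName = 'www.dnstest.zt'

# 1. Rules that are configured vs. rules the DNS client is actually applying.
$rules       = @(Get-DnsClientNrptRule)
$effectiveNs = @(Get-DnsClientNrptPolicy -Effective | ForEach-Object { $_.Namespace })
$report = foreach ($rule in $rules) {
    foreach ($ns in $rule.Namespace) {
        [pscustomobject]@{
            Namespace   = $ns
            NameServers = $rule.NameServers -join ', '
            Effective   = $effectiveNs -contains $ns
        }
    }
}
$report | Format-Table -AutoSize

# 2. Where NRPT rules are stored. Microsoft documents that when NRPT settings
#    come from domain Group Policy, locally configured NRPT rules are ignored,
#    so the presence of the policy key matters on a domain-joined machine.
$stores = [ordered]@{
    GroupPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig'
    Local       = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\DnsPolicyConfig'
}
foreach ($name in $stores.Keys) {
    $path = $stores[$name]
    if (Test-Path $path) {
        "{0,-11} key present, {1} rule(s)" -f $name, @(Get-ChildItem $path).Count
    } else {
        "{0,-11} key absent" -f $name
    }
}

# 3. Same name, two paths: through the DNS client (NRPT applies) and straight
#    to each name server from the rules (NRPT bypassed, like "nslookup name server").
function Test-Name($Label, $Params) {
    try {
        $a = Resolve-DnsName -Name $TestName -DnsOnly -ErrorAction Stop @Params
        "{0}: {1}" -f $Label, (($a | Where-Object IPAddress).IPAddress -join ', ')
    } catch {
        "{0}: FAILED ({1})" -f $Label, $_.Exception.Message
    }
}
Test-Name 'via DNS client' @{}
$rules.NameServers | Where-Object { $_ } | Select-Object -Unique |
    ForEach-Object { Test-Name "direct to $_" @{ Server = $_ } }
```

A rule listed with Effective = False while the direct query succeeds matches the symptom reported in this thread: the server answers, but the DNS client is not applying the rule.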