New DNS Features don't appear to work

OK, so I've just tested NRPT from a totally clean "out of the box" laptop and I can't resolve using NRPT rules.

If I apply the DNS servers' IPs and suffix to the ZeroTier adapter, it works as expected.

Not sure what’s going on with your configuration. All is working from where I stand:

PS C:\WINDOWS\system32> get-dnsclientnrptrule


Name                             : {9C276D8D-0F2E-46AA-ABB3-8A4CD51C4290}
Version                          : 2
Namespace                        : {.dnstest.zt}
IPsecCARestriction               :
DirectAccessDnsServers           :
DirectAccessEnabled              : False
DirectAccessProxyType            :
DirectAccessProxyName            :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   :
NameServers                      : 192.168.192.171
DnsSecEnabled                    : False
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         :
DnsSecValidationRequired         :
NameEncoding                     : Disable
DisplayName                      :
Comment                          : d5e04297a1dd5aea

PS C:\WINDOWS\system32> ping www.dnstest.zt

Pinging www.dnstest.zt [192.168.192.171] with 32 bytes of data:
Reply from 192.168.192.171: bytes=32 time=106ms TTL=64
Reply from 192.168.192.171: bytes=32 time=109ms TTL=64
Reply from 192.168.192.171: bytes=32 time=104ms TTL=64
Reply from 192.168.192.171: bytes=32 time=108ms TTL=64

Ping statistics for 192.168.192.171:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 104ms, Maximum = 109ms, Average = 106ms
PS C:\WINDOWS\system32>

Hi Grant,

I think I may have found the root of the issue. Since we last spoke I've tested on a number of machines, a mixture of OOB Windows Pro, Home and Server 2012, 2016 and 2019.

None of them were able to resolve DNS; however, that's not to say it can't work. I think we're just missing a step, a step that only appears to need to be set once, so it could have been set on yours a long time ago, possibly as a part of another process or configuration.

Please could you post the results of the following two commands, as I think one of them may hold the key:

Get-DnsClientNrptGlobal
Get-DnsClientNrptPolicy -Effective

This is what I see from Get-DnsClientNrptGlobal:

PS C:\Windows\system32> Get-DnsClientNrptGlobal

EnableDAForAllNetworks QueryPolicy SecureNameQueryFallback
---------------------- ----------- -----------------------
Disable                Disable     Disable

And I get no results at all from Get-DnsClientNrptPolicy -Effective.

Thanks

Chris

Here’s what I get from those commands:

PS C:\WINDOWS\system32> Get-DnsClientNrptGlobal

EnableDAForAllNetworks QueryPolicy SecureNameQueryFallback
---------------------- ----------- -----------------------
Disable                Disable     Disable


PS C:\WINDOWS\system32> Get-DnsClientNrptPolicy -Effective


Namespace                        : .dnstest.zt
QueryPolicy                      : QueryIPv6Only
SecureNameQueryFallback          : FallbackPrivate
DirectAccessIPsecCARestriction   :
DirectAccessProxyName            :
DirectAccessDnsServers           :
DirectAccessEnabled              : False
DirectAccessProxyType            :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   :
NameServers                      : 192.168.192.171
DnsSecIPsecCARestriction         :
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         :
DnsSecValidationRequired         :
NameEncoding                     :

Hi Grant,

My “Get-DnsClientNrptGlobal” results are the same, but my “Get-DnsClientNrptPolicy -Effective” result is empty.

The NRPT rules seem to be predominantly based around the Windows DirectAccess features; is this something that you currently use?

It's clear that something in Windows needs to be configured for it to use the NRPT rules, but it's not a default setting, as even an “out of the box” OS won't activate them. I suspect that this will be the same for a high percentage of users.

In the interim I have created a small Windows service that monitors and applies DNS settings directly to the adapter based on the results from a “listnetworks” command against the zerotier-cli tool, but it's an additional install which I'd prefer to avoid.

If you would like to test further I'd be happy to help and can provide you access to a clean Windows install to test on.

Thanks

Chris

All we’re doing is using the appropriate system calls to configure the DNS for a search domain. It works out of the box on a fresh Windows install for us. I’m not sure what’s different on your end.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.

I’m having the exact same issue as Chris was having here: New DNS Features don't appear to work

Get-DnsClientNrptRule shows the rule active; however, Get-DnsClientNrptPolicy -Effective is blank and DNS is not resolving.

Is there anything that can be done for me to help troubleshoot this issue?

Thanks

Hi @dandickson,
I re-opened this thread and moved your post into it.

@zt-travis, much appreciated

@chris.salter did you get any further on troubleshooting this issue? I ran rsop and nothing jumps out at me as blocking the DNS policy; however, it's not working on my domain-joined workstations. I am able to make it function on a sandbox system that is a clean install outside the domain.

I am using a legacy .local domain name, but I have tried with other TLDs outside my own domain name and get the same behaviour.

Thanks

No, I gave up asking.

I just ended up creating a small Windows service that reads the config of any currently connected networks and, if DNS is enabled, applies the DNS settings directly to the adapter.

I’ll be happy to post the source code if required

@chris.salter I would very much appreciate that. I was going to knock something up in PowerShell and have it run on the Task Scheduler, but if you have something already written I'd appreciate the code.

I know I can make the feature work on a fresh OOB Windows 10 Pro VM that isn't domain joined. I'll build out an OOB AD environment next week to see if this is an issue that relates to GPO, or if this is an issue that relates to a fundamental flaw in understanding of how DNS policies can be used in an AD environment.
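The workaround that Chris describes (a service that reads the ZeroTier network config and writes DNS settings straight to the adapter) and the scheduled-task script planned above both reduce to the same loop. The following is an added example in that spirit, written for this thread rather than taken from Chris's service or from ZeroTier's own code. It assumes `zerotier-cli` is on the PATH and that `zerotier-cli -j listnetworks` returns a JSON array whose entries carry `status`, `id`, `assignedAddresses` and a `dns` object with `domain` and `servers` fields; those field names are assumptions here, check them against your client's actual output before relying on the script. It locates the adapter by the address ZeroTier assigned rather than by adapter name, so it is unaffected by renamed adapters, and it only writes when the configured servers differ from what the adapter already has.

```powershell
# Added example (not Chris's service, not ZeroTier's code): push the DNS servers and
# search suffix that ZeroTier reports for each joined network directly onto the
# adapter carrying that network. Intended to run elevated, e.g. as a SYSTEM
# scheduled task every few minutes.
# Assumed JSON fields from `zerotier-cli -j listnetworks`: status, id,
# assignedAddresses (CIDR strings), dns.domain, dns.servers.
[CmdletBinding()]
param()

$raw = & zerotier-cli -j listnetworks
if ($LASTEXITCODE -ne 0) { throw "zerotier-cli failed with exit code $LASTEXITCODE" }
$networks = @($raw | ConvertFrom-Json)

foreach ($net in $networks) {
    if ($net.status -ne 'OK') { continue }
    $servers = @($net.dns.servers | Where-Object { $_ })
    if ($servers.Count -eq 0) {
        Write-Verbose "Network $($net.id): no DNS servers configured, skipping"
        continue
    }

    # Find the local interface that holds one of this network's assigned addresses.
    $ifIndex = $null
    foreach ($cidr in @($net.assignedAddresses)) {
        $ip = $cidr.Split('/')[0]
        $match = Get-NetIPAddress -IPAddress $ip -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($match) { $ifIndex = $match.InterfaceIndex; break }
    }
    if (-not $ifIndex) {
        Write-Warning "Network $($net.id): no adapter found for $($net.assignedAddresses -join ',')"
        continue
    }

    # Only touch the adapter when the server list actually differs.
    $current = @((Get-DnsClientServerAddress -InterfaceIndex $ifIndex).ServerAddresses | Where-Object { $_ })
    if (@(Compare-Object -ReferenceObject $current -DifferenceObject $servers).Count -eq 0) {
        Write-Verbose "Network $($net.id): adapter $ifIndex already uses $($servers -join ',')"
    } else {
        Write-Verbose "Network $($net.id): setting DNS servers $($servers -join ',') on adapter $ifIndex"
        Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $servers
    }

    if ($net.dns.domain) {
        Set-DnsClient -InterfaceIndex $ifIndex -ConnectionSpecificSuffix $net.dns.domain
    }
}
```

Run it with `-Verbose` once by hand to confirm it picks the right adapter before scheduling it. Note that this bypasses NRPT entirely: names under the ZeroTier suffix resolve because the adapter itself now lists the network's DNS servers, so `Get-DnsClientNrptPolicy -Effective` will still be empty on a machine where the GPO issue discussed later in this thread applies.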

@zt-grant @chris.salter

Quick update, I built a sandbox AD and workstation setup.

A fresh OOB directory with default GPO and a fresh domain-joined Windows 10 20H2 workstation are working as intended; this seems to be an issue elsewhere.

I'll try to narrow it down. Is there any debug-level output for the Windows ZeroTier client?

Thanks


Nothing I can think of that would be helpful. Per ZeroTier's view, it sets everything correctly. It's something in Windows GPOs that appears to be preventing the setting from activating, as you have shown in your test with a sandboxed AD setup.

I agree, it's definitely not an issue with ZeroTier. I have it narrowed down to a single GPO with about 100 settings defined; I'm stepping through each setting to see which one breaks the functionality so it can be better documented.

@zt-grant @chris.salter

I'm not 100% sure (I ran out of testing time today), but I think it's the following GPO: Computer Configuration > Administrative Templates > Network > Network Connectivity Status Indicator > Specify global DNS

It's not enough to set it to Not Configured; in my testing I had to manually edit the Registry.pol with LGPO and remove the leftover block:

Computer
SOFTWARE\Policies\Microsoft\Windows NT\DNSClient\DnsPolicyConfig

CREATEKEY

I'll finish up testing tomorrow and update here once I'm sure.

@zt-grant @chris.salter

I confirmed the above policy causes the issue. If you unset the policy in GPO you also need to run a registry cleanup and remove the key:

Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient

Thanks
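The symptom that runs through this whole thread is a rule present in `Get-DnsClientNrptRule` but absent from `Get-DnsClientNrptPolicy -Effective`, and the finding above is that a leftover policy key under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient` is what suppresses it. The following added diagnostic (written for this thread, not part of ZeroTier or of any poster's tooling) puts those checks in one script: it matches each installed NRPT rule against the effective policy and reports any rule that is installed but not effective, then reports whether the policy key exists and what it contains. The only assumption is the key path, which is the one quoted in the post above; the cmdlets are the same ones used throughout the thread.

```powershell
# Added diagnostic (not ZeroTier's code): is each NRPT rule actually effective,
# and is the Group Policy DNSClient key identified in this thread present?
# Run in an elevated PowerShell session. Pass -RemovePolicyKey to delete the
# key after you have already unset the GPO; otherwise the next gpupdate
# simply recreates it.
[CmdletBinding()]
param([switch]$RemovePolicyKey)

# Key path quoted in the thread above (assumed to be the only one involved).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'

$rules     = @(Get-DnsClientNrptRule)
$effective = @(Get-DnsClientNrptPolicy -Effective)

"NRPT rules installed : $($rules.Count)"
"Effective NRPT policy: $($effective.Count)"

$notEffective = 0
foreach ($rule in $rules) {
    # Rule.Namespace is an array ({.dnstest.zt} in the output above);
    # the effective policy reports a single Namespace string per entry.
    $namespaces = @($rule.Namespace)
    $applied = $effective | Where-Object { $namespaces -contains $_.Namespace }
    if ($applied) {
        "  OK       $($namespaces -join ',') -> $(@($rule.NameServers) -join ',')"
    } else {
        "  MISSING  $($namespaces -join ',') (rule installed but not effective)"
        $notEffective++
    }
}

if (Test-Path $policyKey) {
    ""
    "Policy key present: $policyKey"
    # Even an empty key was enough to block local NRPT rules in the reports above.
    $props = Get-ItemProperty -Path $policyKey
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { "  value  $($_.Name) = $($_.Value)" }
    Get-ChildItem -Path $policyKey -Recurse | ForEach-Object { "  subkey $($_.Name)" }

    if ($RemovePolicyKey) {
        Remove-Item -Path $policyKey -Recurse -Force
        "Removed $policyKey; re-run Get-DnsClientNrptPolicy -Effective to confirm."
    } elseif ($notEffective -gt 0) {
        "This key is the likely cause; unset the GPO, then re-run with -RemovePolicyKey."
    }
} else {
    ""
    "Policy key absent: $policyKey (Group Policy is not overriding the DNS client)."
    if ($notEffective -gt 0) {
        "Rules are still not effective, so look for another policy source (rsop.msc, gpresult /h)."
    }
}
```

On a healthy machine such as Grant's, every rule prints `OK` and the key is reported absent. On the affected domain-joined machines in this thread the expected output is a `MISSING` line for the ZeroTier namespace together with the key being present, which is the combination that points at the GPO rather than at the ZeroTier client.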


I have the same issue where I have done everything to enable DNS servers on the ZeroTier side but it isn't working. I checked our GPO and we aren't specifying a Global DNS, and I checked that registry key and it is empty.
I have the same issue where Get-DnsClientNrptPolicy -Effective returns nothing while Get-DnsClientNrptRule shows the config pushed by ZeroTier.

@chris.salter I'm interested in your source code. I need a solution to this and ZeroTier doesn't seem very interested in resolving the problem.

Stephen