Update network DNS server - do clients ever update or do they have to re-join network?

If I set up a Zerotier network on my local controller, and then later add a network managed DNS server - the docs seem to say this only gets applied when a client joins the network (and if manage DNS is allowed). But I may need to give it a different DNS server as we update network infrastructure. Is there no way to push the change out to clients that are currently joined?

Any and all networking configuration changes are sent from the network controllers to all authorized members on a network.

One more question then, am I able to send a DNS server that isn’t on ZeroTier (but is routed via a managed route)? I ask because with a simpler test network on Windows clients, I can do
ipconfig /all
and see the IPv4 IP under “DNS Servers”.

But for my other network, when I add a different server that is on a routed network but not ZeroTier, I only see IPv6 entries and not the IP address I added to the network.

On Windows, ZeroTier uses a Windows feature called NRPT to manage the DNS servers for a single subdomain. It's not listed via the normal means you'd find on a network adapter. From an administrator PowerShell prompt, you can issue the following command and it will show the DNS configuration for that subdomain: get-dnsclientnrptrule

The address does not need to be on or routed via the ZeroTier network. The machine just needs to be able to reach the machine.

Thank you, I see that with the get-dnsclientnrptrule. However, this doesn't seem to direct DNS traffic over that interface; instead I seem to get my wifi DNS for traffic that is routed over the ZeroTier interface. This is quite different from, say, OpenVPN, which will push the DNS server and the OS will use that one.

If I try to check with nslookup, I hit my local wifi as the DNS server, rather than my specified DNS server. If I edit my WiFi manually to use my DNS server, then the traffic passes over the ZeroTier network (per traceroute, and the server nslookup shows).

So I guess I’m a little confused how this push is supposed to work?

It doesn’t force DNS requests to go over any particular interface. It uses standard IP routing rules to reach the address. It could be reachable over any physical or virtual adapter.

It does not push a DNS server for the OS to use for all requests. It only applies to the search domain specified in the network configuration. For example, you set your network configuration to have foo.com served over 10.1.2.3. Requests to something.foo.com will go to 10.1.2.3 while all other requests go to the normal nameservers configured on the system.

Also, sometimes command line tools like nslookup, dig, etc. don't always tie in to the NRPT rules (or similar systems on other OSes).

Ok, well this NRPT is new to me, but I have bind views for DNS. On the external view, we don't publish DC records for _ldap._tcp.dc._msdcs.Domain_Name, but we do for the internal view. If you come in over the ZT network (or VPN network more traditionally) you can then authenticate to Windows and Samba via the same DNS server, just because it comes in on a specific network. And this at least sort of works with me manually setting the WiFi DNS to the internal DNS server. I'm guessing it's not totally working because while nslookup will see the _ldap._tcp.dc._msdcs.Domain_Name entries, File Explorer to Samba doesn't seem to, given the auth errors it's throwing.
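A PowerShell check, added here and not taken from the thread or from ZeroTier, that ties together the explanation above and the DC-record question: it confirms whether an NRPT rule is in effect for the namespace (locally and after group policy is merged in), whether the name server is reachable by ordinary routing, and whether the AD DC locator SRV record resolves the same way through the system resolver as it does when queried directly. The namespace, domain and server address are placeholders to replace with your own.

```powershell
# Added example, not ZeroTier's code. Placeholders below are assumptions: set them to your
# managed namespace, your AD domain, and the DNS server your network configuration names.
param(
    [string]$Namespace  = ".foo.com",   # namespace published in the ZeroTier network config
    [string]$Domain     = "foo.com",    # AD domain whose DC locator record must resolve
    [string]$ExpectedNs = "10.1.2.3"    # server the network config points the namespace at
)

function Get-NrptRuleForNamespace {
    param([string]$Ns)
    # Local rules are what ZeroTier writes; the effective policy also folds in group policy,
    # which on a domain-joined machine can override or suppress the local rule.
    $local = Get-DnsClientNrptRule | Where-Object { $_.Namespace -contains $Ns }
    $eff   = Get-DnsClientNrptPolicy -Effective | Where-Object { $_.Namespace -contains $Ns }
    [pscustomobject]@{ Local = $local; Effective = $eff }
}

function Test-NrptResolution {
    param([string]$Ns, [string]$Dom, [string]$Server)
    $r = Get-NrptRuleForNamespace -Ns $Ns
    if (-not $r.Effective) {
        Write-Warning "No effective NRPT rule for $Ns; lookups use the adapters' normal DNS servers."
        return $false
    }
    $ruleServers = @($r.Effective | ForEach-Object { $_.NameServers })
    if ($ruleServers -notcontains $Server) {
        Write-Warning "NRPT rule for $Ns points at $($ruleServers -join ', '), not $Server."
    }
    # NRPT does not pin traffic to the ZeroTier adapter; the server only has to be routable,
    # so test plain reachability of port 53 before blaming the rule.
    if (-not (Test-NetConnection -ComputerName $Server -Port 53 -InformationLevel Quiet)) {
        Write-Warning "$Server is not reachable on TCP/53 from this host."
        return $false
    }
    # The DC locator SRV record is what Windows/Samba authentication needs. Resolve it via the
    # system resolver (which honours NRPT, unlike nslookup) and directly against the server.
    $srv = "_ldap._tcp.dc._msdcs.$Dom"
    $viaResolver = @(Resolve-DnsName -Name $srv -Type SRV -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget)
    $direct      = @(Resolve-DnsName -Name $srv -Type SRV -Server $Server -ErrorAction SilentlyContinue |
                     Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget)
    "System resolver : $($viaResolver -join ', ')"
    "Direct to $Server : $($direct -join ', ')"
    # True only when the resolver returned DCs and they match what the server itself answers.
    return ($viaResolver.Count -gt 0) -and -not (Compare-Object $viaResolver $direct)
}

Test-NrptResolution -Ns $Namespace -Dom $Domain -Server $ExpectedNs
```

Run it from an elevated PowerShell prompt; a false result with an empty "System resolver" line means the SRV lookup never reached the NRPT-specified server, which is the symptom the thread describes.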

I basically want on my config for foo.bar.com to be served at DNSSERVERIP. I am just confused about how to accomplish this. For some reason, this always “just worked” for OpenVPN based VPN tools, so I’m trying to figure out how to get Windows to do the same thing with ZeroTier.

So it sounds like you're running under an AD domain. There may be a group policy setting to enable the local NRPT rules. I'm unsure of what it is though.

Ok, I really don't entirely know what OpenVPN does differently here, but I did make a lot of progress doing
netsh interface ipv4 set dns name="ZeroTier One [mynetworkID]" static DNSServer IP Address.
nltest /dsgetdc:fqdndomain
works with that. So I'm kind of wondering why ZeroTier doesn't do the far simpler equivalent of that command for the interface? Anyway, I think I can work around this via my CM and scripting.
