Windows AD DNS Server Per NIC Responses with ZeroTier
-
@dafyre said:
Yes, exactly... and 196.168.2.x... to get 192.168.2.x....
well, my example was specifically in the expectation that DNS only existed in the 192.168.1.x network, not the .2.x network... but sure, in a larger network, with multiple DNS servers across multiple connected networks, you would want a way to say, if the DNS request is coming from what we declare is an internal network, always give an internal IP if one is available in DNS.
-
@Dashrender Okay. Good point. 8-)
-
Paging @adam-ierymenko from ZeroTier.
-
Windows DNS can't do that. Nor would you really want to clutter DNS like that.
I think something to do NAT on the addresses is really what you need.
-
I suppose that you could do it by having different DNS servers, like add a BIND server to handle one of the subnets.
-
From the other thread, ZT doesn't provide a DNS server address (at least in default mode). Perhaps if you're providing the IP info to the clients you can provide a DNS server that would be used.
-
What are the DNS issues that have arisen? In theory ZeroTier does link detection to find the best path to a node. Is DNS detection necessary?
-
For me it wasn't an issue on the ZT side, it was that clients on my local network that don't have ZT installed are getting the ZT IP address when querying DNS.
-
@Dashrender said:
For me it wasn't an issue on the ZT side, it was that clients on my local network that don't have ZT installed are getting the ZT IP address when querying DNS.
Oh, that would do it. ZeroTier seems, much like Pertino, like it will work far better if you "install everywhere", at least in regards to end user devices, rather than selectively. Since you don't pay "per device" for the software it does not have the financial concerns that Pertino does for doing that. And as it has that low level detection of best path it should not carry any significant network penalties.
I would run it on the SAN, of course, but you know what I mean.
-
I actually was thinking about things like two separate NICs in a DNS server that sits on 2 networks that don't have access to one another.
I don't want the DNS server giving out 192.168.50 addresses on the 192.168.30 subnet.
-
@dafyre said:
I actually was thinking about things like two separate NICs in a DNS server that sits on 2 networks that don't have access to one another.
I don't want the DNS server giving out 192.168.50 addresses on the 192.168.30 subnet.
What is the underlying purpose of the dual homing?
-
To have one DNS server serving two separate, unrelated subnets to which it has a NIC in each.
-
@dafyre said:
To have one DNS server serving two separate, unrelated subnets to which it has a NIC in each.
Why are the subnets unrelated if single devices have to sit on both of them? They must be somehow related. Why isn't there a third, service network for the shared services? Once you multi-home you are tying the networks together, just in a poor way.
-
@scottalanmiller said:
@dafyre said:
To have one DNS server serving two separate, unrelated subnets to which it has a NIC in each.
Why are the subnets unrelated if single devices have to sit on both of them? They must be somehow related. Why isn't there a third, service network for the shared services? Once you multi-home you are tying the networks together, just in a poor way.
Only if you are using a device for routing. And that is not what I want done...
What I want is Split-Brain DNS (coming feature in Server 2016, http://blogs.technet.com/b/networking/archive/2015/05/12/split-brain-dns-deployment-using-windows-dns-server-policies.aspx)... Guess I gotta wait a few more weeks.
My primary use case would be for something like with ZeroTier, but I could see it being useful under certain types of lab conditions as well.
-
But why don't you want that done? You are leading with your tech want, but what is the business need? What is the business factor pushing you to dual homing?
-
Just to be clear, I've answered my question -- I didn't know what it was called, but it is called Split-Brain DNS. If you are a Windows shop, you get that feature in Server 2016.
===
You know as well as I do that a lab environment needs to be isolated from the network, and in some shops, the lab network doesn't even have internet access. I'd like to have my lab network connected to a multihomed DNS server simply because I can. I want to know if the tech can do what I want it to do. No other reason is necessary.
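The Server 2016 feature named above (DNS server policies with zone scopes and client subnets) is what gives a dual-homed Windows DNS server a different answer per subnet. The following is an added example, not code from the post or from the linked article: it assumes a zone called corp.example, a host record "fileserver", a lab subnet 192.168.30.0/24 and a second subnet 192.168.50.0/24, with the DNS server holding 192.168.30.5 and 192.168.50.5 on its two NICs. All of those names and addresses are placeholders; the cmdlets are the ones shipped in the DnsServer module on Server 2016.

```powershell
# Added example: split-brain DNS with Windows Server 2016 DNS server policies.
# Run in an elevated PowerShell on the DNS server (DnsServer module present).
# Zone, host name, subnets and server addresses below are assumed placeholders.

$Zone       = 'corp.example'
$RecordName = 'fileserver'

# 1. Define the client subnets the policy engine matches on. The match is on
#    the source address of the query as seen by the DNS server.
Add-DnsServerClientSubnet -Name 'LabSubnet'   -IPv4Subnet '192.168.30.0/24'
Add-DnsServerClientSubnet -Name 'OtherSubnet' -IPv4Subnet '192.168.50.0/24'

# 2. One zone scope per subnet. The zone's default scope still holds the
#    records every unmatched client sees; each named scope holds the
#    subnet-specific answer.
Add-DnsServerZoneScope -ZoneName $Zone -Name 'LabScope'
Add-DnsServerZoneScope -ZoneName $Zone -Name 'OtherScope'

# 3. Same name, different A record in each scope.
Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope 'LabScope' `
    -A -Name $RecordName -IPv4Address '192.168.30.10'
Add-DnsServerResourceRecord -ZoneName $Zone -ZoneScope 'OtherScope' `
    -A -Name $RecordName -IPv4Address '192.168.50.10'

# 4. Policies: a query whose source is in LabSubnet is answered from
#    LabScope, one from OtherSubnet from OtherScope. The ",1" is the scope
#    weight (only one scope per policy here, so it is simply 1).
Add-DnsServerQueryResolutionPolicy -Name 'LabPolicy' -Action ALLOW `
    -ClientSubnet 'eq,LabSubnet' -ZoneScope 'LabScope,1' -ZoneName $Zone
Add-DnsServerQueryResolutionPolicy -Name 'OtherPolicy' -Action ALLOW `
    -ClientSubnet 'eq,OtherSubnet' -ZoneScope 'OtherScope,1' -ZoneName $Zone

# 5. Review what is configured.
Get-DnsServerQueryResolutionPolicy -ZoneName $Zone
Get-DnsServerZoneScope -ZoneName $Zone

# 6. Check from a client on EACH subnet (not from the server itself, whose
#    source address depends on its routing table). A lab client should get
#    192.168.30.10; a client on the other subnet should get 192.168.50.10.
Resolve-DnsName -Name "$RecordName.$Zone" -Type A -Server 192.168.30.5 -DnsOnly
Resolve-DnsName -Name "$RecordName.$Zone" -Type A -Server 192.168.50.5 -DnsOnly
```

Two things to keep in mind when checking the result. The policy keys on the source IP the DNS server sees, so a client that reaches the server through a forwarder, a NAT, or a ZeroTier route will match the subnet of that intermediate hop, not its own. And the policy only changes the answer; it does not stop a client on one subnet from querying the scope meant for the other, so it is a routing convenience rather than an isolation boundary.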
-
@dafyre said:
You know as well as I do that a lab environment needs to be isolated from the network, and in some shops, the lab network doesn't even have internet access. I'd like to have my lab network connected to a multihomed DNS server simply because I can. I want to know if the tech can do what I want it to do. No other reason is necessary.
That's fine. If it is a lab you can obviously do whatever you want to do.
For isolation, though, just to be clear and for anyone who reads this and gets the wrong idea from the statement made above, dual homing has always been avoided for security reasons. So if the goal is to isolate a lab from production, or whatever, that is why you avoid dual homing and use a service network. Because the dual homing exposes production to the lab more, rather than less, than a service network.
I just don't want others reading along and not realizing that this is a lab for a lab's sake and thinking that there is a standard production network design pattern here.
-
@dafyre said:
You know as well as I do that a Lab environment needs to be isolated from the network.... can. I want to know if the tech can do what I want it to do. No other reason is necessary.
This is the bit that I was concerned about. Lacking the lab isolation that I was suggesting. I realize not everyone needs their lab fully isolated, just seems simpler since it would be safer, easier and fix the issue that this thread was about all in one step. I'm saying that a fully isolated lab is easier.
-
Also, wouldn't this lab still be fully part of the AD network since it's using the same DNS servers? If the answer is yes, then it's not really a lab, it's an extension of the production network.
-
@Dashrender said:
Also, wouldn't this lab still be fully part of the AD network since it's using the same DNS servers? If the answer is yes, then it's not really a lab, it's an extension of the production network.
No, not in that way. AD would be extended by LDAP and Kerberos. DNS is just a lookup service. Although this would theoretically expose information about AD, not very much. For full separation you would go with separate DNS in each place. But sharing DNS is pretty trivial as exposure goes.