ZeroTier and DNS
-
@adam.ierymenko said:
Does anyone know if this comes up in other situations? Seems like the one-layer-down issue is getting AD to work in a multi-network environment.
I'm trying to recall how this is solved in a traditional VPN setup. VPN server on the edge of my network, I connect while I'm at home. The IP I get from the VPN server includes my office's DNS server as well as an IP. But even then, I've had issues where things don't resolve correctly, so I'm sure this isn't a new problem.
-
@Dashrender said:
I'm trying to recall how this is solved in a traditional VPN setup. VPN server on the edge of my network, I connect while I'm at home. The IP I get from the VPN server includes my office's DNS server as well as an IP. But even then, I've had issues where things don't resolve correctly, so I'm sure this isn't a new problem.
DHCP because you only connect to the VPN when remote. You are handling the whole process manually and just don't realize that that is what is happening. You are manually choosing to tell the system when you are or are not in the office.
-
@scottalanmiller said:
@Dashrender said:
I'm trying to recall how this is solved in a traditional VPN setup. VPN server on the edge of my network, I connect while I'm at home. The IP I get from the VPN server includes my office's DNS server as well as an IP. But even then, I've had issues where things don't resolve correctly, so I'm sure this isn't a new problem.
DHCP because you only connect to the VPN when remote. You are handling the whole process manually and just don't realize that that is what is happening. You are manually choosing to tell the system when you are or are not in the office.
I don't follow. While my post started out asking how we solved this before, I ended by saying it really never was solved.
The DNS servers provided to the VPN client weren't reliably more authoritative with responses than the local connection DNS servers. I basically had to set up a hosts file for anyone who was mobile to ensure IP connectivity for them.
-
@Dashrender said:
The DNS servers provided to the VPN client weren't reliably more authoritative with responses than the local connection DNS servers. I basically had to set up a hosts file for anyone who was mobile to ensure IP connectivity for them.
That should not happen. I've done VPNs for decades and never ran into that issue. What was causing DNS to not work well when on the VPN?
-
@scottalanmiller said:
@Dashrender said:
The DNS servers provided to the VPN client weren't reliably more authoritative with responses than the local connection DNS servers. I basically had to set up a hosts file for anyone who was mobile to ensure IP connectivity for them.
That should not happen. I've done VPNs for decades and never ran into that issue. What was causing DNS to not work well when on the VPN?
Maybe the fact that I have a split brain DNS?
-
@Dashrender said:
Maybe the fact that I have a split brain DNS?
Split horizon, I hope that you mean. Split brain would mean that it is confused and handing out bad entries from a confused cluster failover.
-
Why are you using split horizon?
-
@scottalanmiller said:
Why are you using split horizon?
I've actually never heard this term before - I've only ever seen split brain.
Just to make sure we're on the same page (and correct my term usage):
I have internal DNS for the same FQDN space and a separate DNS on the internet.
-
@Dashrender said:
I've actually never heard this term before - I've only ever seen split brain.
Split Brain is a cluster failure condition.
-
@Dashrender said:
I have internal DNS for the same FQDN space and a separate DNS on the internet.
Yup, that is Split Horizon.
Although I could see why that would be mistaken as a failure condition.
-
What is the purpose in your split horizon? Why are you serving out something to the public from your internal DNS servers?
-
Here is Microsoft calling it Split Brain.
http://blogs.technet.com/b/networking/archive/2015/05/12/split-brain-dns-deployment-using-windows-dns-server-policies.aspx
-
Very weird. I guess they are either just confused or they are trying to make a point that it is a failure condition that should be avoided.
-
If you do a google search for split brain DNS, you come up with many people using the term to describe this setup.
-
@Dashrender said:
If you do a google search for split brain DNS, you come up with many people using the term to describe this setup.
If you Google cloud you get a lot of people saying a lot of things.
-
@scottalanmiller said:
@Dashrender said:
If you do a google search for split brain DNS, you come up with many people using the term to describe this setup.
If you Google cloud you get a lot of people saying a lot of things.
Touché!
-
So what is the reason for the split horizon? What external entities are getting DNS resolution from your internal DNS servers?
-
@scottalanmiller said:
So what is the reason for the split horizon? What external entities are getting DNS resolution from your internal DNS servers?
Other than remote users, none.
We have the same domain name in-house for AD as we use for our website on the interwebs...
Very little overlap, but email would be one of those overlaps.
Externally it points to our ISP-provided IP; internally, of course, to the inside IP.
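As an added example (not code from this thread or from ZeroTier), here is the setup described above in miniature: one FQDN space answered from two views, chosen by the source address the DNS server sees. The names and addresses are constructed, and the stub-resolver simulation shows the complaint from earlier in the thread, where whichever resolver answers first, even with NXDOMAIN, decides the result a remote user gets.

```python
import ipaddress

# Constructed sample data: internal ranges that select the inside view.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# The same zone in two views. Only "mail" overlaps (the email case above);
# "dc1" exists inside only, "www" exists outside only. Addresses constructed.
ZONE_VIEWS = {
    "internal": {"mail.example.com": "10.0.0.25",
                 "dc1.example.com": "10.0.0.10"},
    "external": {"mail.example.com": "203.0.113.25",
                 "www.example.com": "203.0.113.80"},
}


def select_view(client_ip):
    """Pick the view by the source address the DNS server actually sees."""
    addr = ipaddress.ip_address(client_ip)
    return "internal" if any(addr in n for n in INTERNAL_NETS) else "external"


def resolve(name, client_ip):
    """Answer a query as a split-horizon server would; None means NXDOMAIN."""
    return ZONE_VIEWS[select_view(client_ip)].get(name.lower().rstrip("."))


def client_lookup(name, resolvers):
    """Simulate a stub resolver with an ordered list of (label, source_ip).

    source_ip is the address the authoritative server sees the query come
    from: the ISP's recursive resolver queries from a public IP, while the
    VPN-pushed office resolver sits inside the internal ranges. A resolver
    whose source_ip is None is unreachable (tunnel down) and is skipped.
    The first resolver that responds is final, NXDOMAIN included, so the
    resolver order decides whether a remote user sees the inside answer.
    """
    for label, source_ip in resolvers:
        if source_ip is None:
            continue
        return label, resolve(name, source_ip)
    return None, None


def overlapping_names():
    """Names present in both views with different answers."""
    inside, outside = ZONE_VIEWS["internal"], ZONE_VIEWS["external"]
    return sorted(n for n in inside if n in outside and inside[n] != outside[n])
```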
-
@Dashrender said:
Very little overlap, but email would be one of those overlaps.
How is email affected?