Windows AD DNS Server Per NIC Responses with ZeroTier
-
Due to some recent issues with DNS that have arisen using ZeroTier, et al. Has anyone been able to figure out a way to make Windows AD / DNS Server respond depending on which NIC the request comes from?
IE: If I have a LAN (192.168.1.0/24)... and a file server with a LAN IP (192.168.1.10)... and this file server also has ZeroTier (IP: 192.168.100.10)...
I want the Windows DNS server to ALWAYS respond with 192.168.1.10 from any computer that issues a DNS request from the 192.168.1.0/24 network....
I would also like the Windows DNS server to ALWAYS respond with 192.168.100.10 from any computer that issues a dns request from the ZeroTier network...
Is that even possible without having to create two separate DNS servers?
-
Adding @adam-ierymenko
-
To add to this request, let's assume there are two local networks
192.168.1.x
192.168.2.xDNS = 192.168.1.10
ZT network = 10.10.10.xYou want all 192.168.x.x to get 192.168.x.x addresses, and the 10.x.x.x to get 10.x.x.x responses.
-
Yes, exactly... and 196.168.2.x... to get 192.168.2.x....
-
@dafyre said:
Yes, exactly... and 196.168.2.x... to get 192.168.2.x....
well, my example was specifically in the expectation that DNS only existed in the 192.168.1.x network, not the .2.x network... but sure, in a larger network, with multiple DNS servers across multiple connected networks, you would want a way to say, if the DNS request is coming from what we declare is an internal network, always give an internal IP if one is available in DNS.
-
@Dashrender Okay. Good point .8-)
-
Paging @adam-ierymenko from ZeroTier.
-
Windows DNS can't do that. Nor would you really want to clutter DNS like that.
I think something to do NAT on the addresses is really what you need
-
I suppose that you could do it by having different DNS servers, like add a BIND server to handle one of the subnets.
-
From the other thread, ZT doesn't provide a DNS server address (at least in default mode). Perhaps if you're providing the IP info to the clients you can provide a DNS server that would be used.
-
What are the DNS issues that have arisen? In theory ZeroTier does link detection to find the best path to a node. Is DNS detection necessary?
-
For me it wasn't an issue on the ZT side, it was that clients on my local network that don't have ZT installed are getting the ZT ip address when querying DNS.
-
@Dashrender said:
For me it wasn't an issue on the ZT side, it was that clients on my local network that don't have ZT installed are getting the ZT ip address when querying DNS.
Oh, that would do it. ZeroTier seems, much like Pertino, like it will work far better if you "install everywhere", at least in regards to end user devices, rather than selectively. Since you don't pay "per device" for the software it does not have the financial concerns that Pertino does for doing that. And as it has that low level detection of best path it should not carry any significant network penalties.
I would run it on the SAN, of course, but you know what I mean.
-
I actually was thinking about things like two separate NICs in a DNS server that sits on 2 networks that don't have access to one another.
I don't want the DNS server giving out 192.168.50 addresses on the 192.168.30 subnet.
-
@dafyre said:
I actually was thinking about things like two separate NICs in a DNS server that sits on 2 networks that don't have access to one another.
I don't want the DNS server giving out 192.168.50 addresses on the 192.168.30 subnet.
What is the underlying purpose of the dual homing?
-
To have one DNS server serving two separate, unrelated subnets to which it has a NIC in each.
-
@dafyre said:
To have one DNS server serving two separate, unrelated subnets to which it has a NIC in each.
Why are the subnets unrelated if single devices have to sit on both of them? They must be somehow related. Why isn't there a third, service network for the shared services? Once you multi-home you are tying the networks together, just in a poor way.
-
@scottalanmiller said:
@dafyre said:
To have one DNS server serving two separate, unrelated subnets to which it has a NIC in each.
Why are the subnets unrelated if single devices have to sit on both of them? They must be somehow related. Why isn't there a third, service network for the shared services? Once you multi-home you are tying the networks together, just in a poor way.
Only if you are using a device for routing. And that is not what I want done...
What I want is Split-Brain DNS (coming Feature in Server 2016, http://blogs.technet.com/b/networking/archive/2015/05/12/split-brain-dns-deployment-using-windows-dns-server-policies.aspx)... Guess I gotta wait a few more weeks.
My primary use case would be for something like with ZeroTier, but I could see it being useful under certain types of lab conditions as well.
-
But why don't you want that done? You are leading with your tech want, but what is the business need? What is the business factor pushing you to dual homing?
-
Just to be clear, I've answered my question -- I didn't know what it was called, but it is called Split-Brain DNS. If you are a Windows shop, you get that feature in Server 2016.
===
You know as well as I do that a Lab environment needs to be isolated from the network, and it some shops, the lab network doesn't even have internet access. I'd like to have my lab network connected to a multihomed DNS server simply because I can. I want to know if the tech can do what I want it to do. No other reason is necessary.
