ZeroTier + Active Directory Authentication
-
@JaredBusch Just checking in on this. So the final issue is: you folks want to consult the AD DNS server(s) only for names within AD, but want to consult the host's default regular DNS servers for the Internet. Is that correct?
-
@JaredBusch What's wrong with using the AD servers for all DNS? Other than reliability?
Note that ZT does not depend on DNS, so ZT will work if DNS is not up.
-
@JaredBusch I used teh Google a little and found this open source project:
https://github.com/stackia/DNSAgent
Never used it but it looks promising. This could be installed on a client machine and then you could configure it to route DNS queries to different servers by regex of the DNS name.
Looks source only so you'd need to build. Has a .sln file.
-
@adam.ierymenko said:
@JaredBusch Just checking in on this. So the final issue is: you folks want to consult the AD DNS server(s) only for names within AD, but want to consult the host's default regular DNS servers for the Internet. Is that correct?
No, I want DNS only so far as AD authentication. I want all DNS to use the DHCP-assigned DNS that the primary network adapter gets.
I am not having any problems with ZeroTier as stated above.
ZT works perfectly as designed. I am not trying to limit DNS in windows.
-
@adam.ierymenko said:
@JaredBusch What's wrong with using the AD servers for all DNS? Other than reliability?
Note that ZT does not depend on DNS, so ZT will work if DNS is not up.
Because DNS from AD through ZT is returning an address I cannot use.
oc.domain.com should resolve to the external IP but because I set DNS on the ZT adapter I am getting the internal name.
Again, this is not a "problem" with ZT.
-
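The split-brain setup described above (AD names to the AD DNS server over ZeroTier, everything else to the DHCP-assigned servers) can be done on a Windows client with the built-in Name Resolution Policy Table instead of a third-party forwarder. This is an added example, not code from anyone in this thread; the suffix `corp.example.com`, the ZeroTier address `10.147.17.10` and the hostnames are assumed placeholders.

```powershell
# Added example (not from the thread). Assumed values: the AD DNS suffix is
# corp.example.com, the domain controller's ZeroTier address is 10.147.17.10,
# and the public name oc.example.com must keep resolving via the DHCP DNS.
# Run from an elevated PowerShell session.

$AdSuffix    = ".corp.example.com"   # leading dot = suffix match
$AdDnsOverZt = @("10.147.17.10")     # DC reachable over the ZT network

# Route only AD names (including the _ldap._tcp.dc._msdcs.* SRV lookups that
# domain logon needs) to the AD DNS server. No DNS is set on the ZT adapter,
# so all other names keep using the primary adapter's DHCP-assigned servers.
Add-DnsClientNrptRule -Namespace $AdSuffix -NameServers $AdDnsOverZt `
    -DisplayName "AD over ZeroTier" -Comment "Split-brain DNS for AD names only"

# Verify the rule exists and that each name is answered by the intended server.
Get-DnsClientNrptRule | Where-Object Namespace -eq $AdSuffix |
    Format-List Namespace, NameServers
Resolve-DnsName dc1.corp.example.com   # expected: answered by 10.147.17.10
Resolve-DnsName oc.example.com         # expected: answered by the DHCP-assigned servers

# Caveat: when the AD domain shares its suffix with public names (the
# oc.domain.com case above), a suffix rule captures those too. Scope the rule
# to the specific hosts instead; without a leading dot NRPT matches the FQDN exactly:
#   Add-DnsClientNrptRule -Namespace "dc1.domain.com" -NameServers $AdDnsOverZt

# Rollback if the rule misbehaves:
#   Get-DnsClientNrptRule | Where-Object Namespace -eq $AdSuffix |
#       Remove-DnsClientNrptRule -Force
```

-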
@JaredBusch I see. At some point it might be worth looking into that DNSAgent program, since that might do what is needed. Or maybe we could develop/fork something like that to provide the kind of split brain DNS that Pertino apparently does/did.
-
@adam.ierymenko said:
@JaredBusch I see. At some point it might be worth looking into that DNSAgent program, since that might do what is needed. Or maybe we could develop/fork something like that to provide the kind of split brain DNS that Pertino apparently does/did.
Pertino has the same issues as ZeroTier. Well, unless you have a subscription level large enough to use their AD add-on.
-
@JaredBusch Hmm... so they charge a ton for what that GitHub project does? If the need for split-brain DNS is all it is, I really don't see how this is a hard problem.
-
@adam.ierymenko Yes.
-
@adam.ierymenko said:
@JaredBusch Hmm... so they charge a ton for what that GitHub project does? If the need for split-brain DNS is all it is, I really don't see how this is a hard problem.
They also charge a lot for what ZeroTier does.
-
@JaredBusch how did you set up your NIC for the workstation that had to remote into the AD via ZeroTier? I'm still trying to figure out exactly what was statically assigned, as your post wasn't too clear for me (this is new to me).