Controller log: dns intercept IP range

I noticed this entry and thought to ask what it means.

INFO edge/tunnel/intercept.SetDnsInterceptIpRange: dns intercept IP range: 100.64.0.1 - 100.127.255.254

How is this set?
Could it impact the use of a tunneller on an IP outside this range?

The 100.64.x.x range is what’s called the “Carrier Grade NAT” range. Read all about it at various places on the internet or just use wikipedia like I did… :slight_smile: It’s useful for networking apps like OpenZiti and is something that not just ziti uses; you’ll find other networking tools (VPNs and the like) use this range.

It’s basically a really large amount of IP addresses that are “probably not” competing with legitimate IP addresses on your current network. This range is used by our tunneling apps and roughly works like this… (This is not specific, I’m going to leave a lot of details out of this explanation)

  • you turn on a tunneling app and assign an identity to it which has access to five services. Those five services are a specific private dns name, or ip, or whatever…
  • when the tunneling app gets service 1,2,3,4,5 - it assigns each service to an ip address:
    • service 1 : 100.64.0.5 (DNS name: http.zitified)
    • service 2 : 100.64.0.6
    • service 3 : 100.64.0.7
    • service 4 : 100.64.0.8
  • now when your browser or other app tries to make a connection to “http.zitified” the DNS request is intercepted and returns 100.64.0.5 which is what the browser actually connects to

I’m leaving a mountain of detail out of this response for brevity’s sake. Tunneling apps are amazing but they are only a stop on the road to true application embedded zero trust. This is also why when you run wireshark at best you’ll see that traffic hit the local TUN going towards a 100.64.x.x IP address and then all your traffic will turn into whatever port your routers are configured to advertise as ziti wraps that local traffic into a zero trust payload to send over the fabric…

This would probably make a pretty cool ziti tv too… This is a crazy deep topic and this is just the tiniest of scratches on that surface…

Suffice to say it’s “kinda magic” and we don’t expect it to have any impact on end users with the one caveat - you can’t use another network app (vpn client/whatever) that wants to compete for these IP addresses… That causes shenanigans :slight_smile:

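As an added illustration (not OpenZiti's code, and leaving out the same details the post does), here is a small Python model of what the answer describes: each service gets the next address from the intercept range quoted in the log line, the intercepting resolver answers only for intercepted names, and a second app claiming an overlapping range is flagged. The DNS names for services 2 to 4 are assumed; only http.zitified comes from the post.

```python
import ipaddress

# Range from the controller log line in the question.
RANGE_START = ipaddress.IPv4Address("100.64.0.1")
RANGE_END = ipaddress.IPv4Address("100.127.255.254")


class InterceptTable:
    """Toy model of a tunneler's service -> intercept IP table (constructed example)."""

    def __init__(self, start=RANGE_START, end=RANGE_END):
        self.start, self.end = start, end
        self.next_ip = start
        self.by_name = {}  # intercepted DNS name -> assigned IP
        self.by_ip = {}    # assigned IP -> service name

    def add_service(self, service, dns_name):
        """Assign the next free address in the range to a service's DNS name."""
        if dns_name in self.by_name:
            return self.by_name[dns_name]
        if self.next_ip > self.end:
            raise RuntimeError("intercept IP range exhausted")
        ip = self.next_ip
        self.next_ip += 1  # IPv4Address supports integer arithmetic
        self.by_name[dns_name] = ip
        self.by_ip[ip] = service
        return ip

    def resolve(self, dns_name):
        """Intercepting resolver: an IP for intercepted names, None means pass-through."""
        return self.by_name.get(dns_name)

    def service_for(self, ip):
        """Reverse lookup used when traffic arrives on the TUN for an assigned IP."""
        return self.by_ip.get(ipaddress.IPv4Address(ip))


def overlaps(table, other_cidr):
    """True if another app's address range (VPN client etc.) collides with ours."""
    net = ipaddress.ip_network(other_cidr, strict=False)
    return net.network_address <= table.end and net.broadcast_address >= table.start


def build_example_table():
    """Reproduce the post's table: service 1 at 100.64.0.5, then 6, 7, 8."""
    table = InterceptTable(start=ipaddress.IPv4Address("100.64.0.5"))
    table.add_service("service 1", "http.zitified")
    table.add_service("service 2", "svc2.zitified")  # assumed name
    table.add_service("service 3", "svc3.zitified")  # assumed name
    table.add_service("service 4", "svc4.zitified")  # assumed name
    return table
```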

Thanks for the response… nice… lots more to read up about this

PS… yes… this would be a nice Open Ziti TV session… will paste into the feed