Desktop Edge Windows client and DNS

Hmm, so I have something strange going on. I have 2 identities set up on my PC: one was my original one, and I created a test one. I set up a service to the private router via a blah.ziti name, on port 22. This was originally on identity 1, my main ID. I connected via SSH, no problems.

I then switched the service over to only be on the 2nd identity by changing the service policy attribute, and it came up on the 2nd identity list in the Windows client GUI. However, it now doesn’t resolve, and I can never get to it… is that strange??? Coincidence? That's pretty much where I have been stuck with not getting any DNS requests through either, for AD issues above. It is also sitting on this test ID.

Hmmmm. Can you "turn it off and on again" and see if that fixes it? You might have stumbled onto a bug around adding/removing identities. By turning it off/on, if it works, that might be why. And if that's the case - would you submit the logs to clint at openziti.org for review?

Click this to turn it off (and then on)

Oh and if you need it, Main Menu → Feedback will produce a zip file with “the logs” in it (if you’re so inclined to share them)

@cjpit

I created my own XXX.local domain, but can’t seem to be able to use the uppercase name, only the lowercase:

PS C:\Users\Administrator> Resolve-DnsName _ldap._tcp.dc._msdcs.XXX.local -Type SRV
Resolve-DnsName : _ldap._tcp.dc._msdcs.XXX.local : DNS operation refused
At line:1 char:1
+ Resolve-DnsName _ldap._tcp.dc._msdcs.XXX.local -Type SRV
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (_ldap._tcp.dc._msdcs.XXX.local:String) [Resolve-DnsName], Win32Exc
   eption
    + FullyQualifiedErrorId : RCODE_REFUSED,Microsoft.DnsClient.Commands.ResolveDnsName

PS C:\Users\Administrator> Resolve-DnsName _ldap._tcp.dc._msdcs.xxx.local -Type SRV

Name                                     Type   TTL   Section    NameTarget                     Priority Weight Port
----                                     ----   ---   -------    ----------                     -------- ------ ----
_ldap._tcp.dc._msdcs.xxx.local           SRV    86400 Answer     advm.xxx.local                 0        100    389

Same for attempting to join the AD domain, it only works if I use the lowercase “xxx.local”.

Odd. That was a bug we had in ziti "a long time ago" but I didn't think it was still an issue. I wonder if that is a "windows thing"? I ask because I just tried to resolve a few names and they all work regardless of casing locally.

PS C:\Users\clint> Resolve-DnsName mattermost.ziti.com

Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
mattermost.ziti.com                            A      60    Answer     100.64.0.5

PS C:\Users\clint> Resolve-DnsName Mattermost.ziti.com

Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
Mattermost.ziti.com                            A      60    Answer     100.64.0.5

PS C:\Users\clint> Resolve-DnsName MATTERMOST.zITi.com

Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
MATTERMOST.zITi.com                            A      60    Answer     100.64.0.5

Just guessing it’s an issue with the tunneling & not the local resolver.

ooh I bet it is wildcard related. I bet it’s the same bug we had before but this time with wildcard mixed in… I’ll ask @ekoby what he thinks.

This is a bug: proxy resolution should not be case sensitive · Issue #566 · openziti/ziti-tunnel-sdk-c · GitHub

@emoscardini @TheLumberjack Awesome thanks for tracking that down, that is exactly the issue. I guess since this is an old windows domain, it probably hasn’t come up yet for other people. I know a lot of that is no longer best practices in the eyes of MS for naming conventions, but we don’t have any plans to migrate to a new domain any time soon.

Well, when we fix the bug it’ll just start working for you too. :slight_smile: Until then, if you can deal with just knowing that the casing matters, maybe you’ll be able to move forward.

We’ll get that fixed “soon” though. Thanks for discovering it! :slight_smile:
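The behaviour discussed in this thread, as an added illustration that is not code from the thread or from ziti-tunnel-sdk-c: a DNS intercept matcher run case-sensitively (refuses `XXX.local`) and with the ASCII case folding DNS requires. The function names and the `*.xxx.local` wildcard pattern are assumptions, following the guess above that a wildcard is involved.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* RFC 4343: DNS names compare case-insensitively for ASCII letters only. */
static char dns_lower(char c) {
    return (c >= 'A' && c <= 'Z') ? (char)(c + ('a' - 'A')) : c;
}

/* Compare n bytes, optionally folding ASCII case. */
static bool dns_eq_n(const char *a, const char *b, size_t n, bool fold) {
    for (size_t i = 0; i < n; i++) {
        char x = fold ? dns_lower(a[i]) : a[i];
        char y = fold ? dns_lower(b[i]) : b[i];
        if (x != y) return false;
    }
    return true;
}

/* Ignore one trailing root dot so "xxx.local." equals "xxx.local". */
static size_t dns_len(const char *s) {
    size_t n = strlen(s);
    return (n > 0 && s[n - 1] == '.') ? n - 1 : n;
}

/*
 * Match a queried name against an intercept pattern (hypothetical helper).
 * The pattern is an exact name or "*.suffix" (assumed wildcard form).
 * fold=false reproduces the case-sensitive behaviour seen in the thread;
 * fold=true is the expected behaviour.
 */
bool intercept_matches(const char *pattern, const char *query, bool fold) {
    size_t plen = dns_len(pattern), qlen = dns_len(query);
    if (plen >= 2 && pattern[0] == '*' && pattern[1] == '.') {
        const char *suffix = pattern + 1;   /* keep the leading dot */
        size_t slen = plen - 1;
        /* Need at least one label before the suffix; the leading dot in
         * the suffix keeps the match aligned on a label boundary. */
        if (qlen <= slen) return false;
        return dns_eq_n(query + (qlen - slen), suffix, slen, fold);
    }
    return plen == qlen && dns_eq_n(pattern, query, plen, fold);
}
```

Keeping the dot in the compared suffix means a name such as `evilxxx.local` does not match `*.xxx.local`, so folding case does not widen which domains are intercepted.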