A question came in from email asking how the user might go about intercepting/tunneling ALL traffic that meets a domain. We call this “wildcard” dns.
On the client side I wish to intercept “*.blue” so anything that goes to this domain will get intercepted and then tunneled to the other end, where it will then get ofloaded from the ziti overlay back to the local network. For example on my client I want to intercept two addresses: web-test.blue
and web.test.blue
.
How can I do something like this with OpenZiti
I ended up producing a video that demonstrates how to accomplish this. You can find it on YouTube.
It uses the docker-compose based quickstart, the ziti-edge-tunnel for linux (attached to the ‘blue’ docker network) and the Ziti Desktop Edge for Windows. Give it a watch - it’s under 10 minutes!
The ziti
CLI commands I run are all in the youtube video. A follow-up question came back because I used only two allowed addresses: allowedAddresses":["web.test.blue", "web-test.blue"]
however you can absolutely change that to be allowedAddresses":["*.blue"],
(and I should have done that anyway).
You’ll also see I went ham with the ports and exposed them all - I don’t recommend you do that but you might need/want to.
If you have any questions on the video - this would be the best place to talk about it! YouTube comments aren’t, that’s for sure!
Another follow-up question was if a tunneler is NECESSARY on the ‘client’ side. My answer to that was NO. You can absolutely look at how a ‘tunneling app’ works and adopt all the same ideas/patterns/code as necessary to make your app INTO a tunneling app! This is super cool because we have a whole SDK dedicated to working ‘as a tunneller’! You can find it on github here GitHub - openziti/ziti-tunnel-sdk-c
1 Like
i noticed wildcard.domain.com will work but not wildcard.domain.com.wildcard will not work
I'm not entirely sure what you mean or what you did. If you post your ziti
cli commands so I can see them, that's helpful.
My guess is that you didn't set the "allowedAddresses" correctly maybe?
The wildcard in a Ziti service intercept is for the "least significant label" in DNS terms. It's always on the left side, which is the lowest position in the DNS hierarchy.
*.example.com
is valid, *.example.*
is not.
Yes , I was trying to intercept for some addresss with additional country tld . Example google.com.sg
Adding regexp support might be useful ?
I realize this suggestion probably isn't ideal, but you can specify as many addresses
as you like in the intercept configuration:
ziti edge create config multinational-apps-intercept.v1 intercept.v1 '{
"protocols": "tcp",
"addresses": ["*.example.ua", "*.example.us", "*.example.ca"],
"portRanges": [{"low":443,"high":443}]
}'
1 Like