Intercepting SRV records

Good evening, here is the second thread I promised :smiley:

I'm pretty sure I read that ziti will intercept SRV records, and I'm rather sure I already got it working once.

I've shortened the configs a little.
The intercept config reads like:

    "addresses": [
      "_kerberos._udp.ad.company.de",
      "adw-dc01.ad.company.de",
      "ad-dc01.ad.company.de"
    ],

The host config reads like:

    "forwardProtocol": true,
    "forwardAddress": true,
    "forwardPort": true,
    "allowedAddresses": [
      "_kerberos._udp.ad.company.de",
      "adw-dc01.ad.company.de",
      "ad-dc01.ad.company.de"
    ],

Windows client with Ziti Desktop Edge Client:

    PS C:\Users\p.gross> Resolve-DnsName -type SRV _kerberos._udp.ad.company.de
    Resolve-DnsName : _kerberos._udp.ad.company.de : The DNS operation was refused
    At line:1 char:1
    + Resolve-DnsName -type SRV _kerberos._udp.ad.company.de
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ResourceUnavailable: (_kerberos._udp.ad.company.de:String) [Resolve-DnsName], Win32Exception
        + FullyQualifiedErrorId : RCODE_REFUSED,Microsoft.DnsClient.Commands.ResolveDnsName
    PS C:\Users\p.gross> Resolve-DnsName ad-dc01.ad.company.de

    Name                                           Type   TTL   Section    IPAddress
    ----                                           ----   ---   -------    ---------
    ad-dc01.ad.company.de                          A      60    Answer     100.64.0.5

    root@ad-ztna01:~# ziti edge policy-advisor services active-directory.svc
    OKAY : ad-ztna02 (3) -> active-directory.svc (3) Common Routers: (3/3) Dial: Y Bind: Y
    OKAY : AD-NB08 (3) -> active-directory.svc (3) Common Routers: (3/3) Dial: Y Bind: N

AD-NB08 is the ZDEW.

I have no idea what is going wrong here.
Any help is highly appreciated!

Hello again @pgross,

Our Windows client(ZDEW) has the ability to automatically tunnel SRV records that match a wildcard configuration, you might want to review this thread: Conneting Remote Endpoints with a On-Prem AD - #6 by emoscardini

Let me know if that makes sense & if you have questions afterwards.

Thank you!

So it ONLY works with wildcard domains?
No option to fine-tune access?

For example: Active Directory needs Samba (port 445) to work properly. Adding this wildcard will allow access to every Samba share of any domain computer (as those usually get a DNS name assigned automatically).

@emoscardini is there any way to fine-tune access?

Does it work if I add the wildcard intercept only to a DNS (port 53) service and split the other (LDAP, SMB, etc.) into other services without wildcard domains?

Hi @pgross,

As far as I know, it only works with wildcard configuration. @ekoby Can you confirm this?

I've never tried to narrow this down like you suggested, give it a shot & let me know if you can get it working.

That's correct -- SRV records are only supported as part of a wildcard domain configuration (at this time).

Thank you. I'll try and let you know.

I'm still testing, but I think I'm observing some rather unintuitive behaviour.

I have a setup where I have a public edge router, reachable via ziti01.company.com.
I have a private edge router reachable via ziti02.ad.company.com.

ad.company.com is the Active Directory domain.
Now I need to set a wildcard domain intercept for *.ad.company.com to intercept SRV records.

I now see in Wireshark

    3	0.000227	100.64.0.1	100.64.0.2	DNS	71	Standard query 0xb361 AAAA ziti02.ad.company.com
    4	0.000449	100.64.0.2	100.64.0.1	DNS	82	Standard query response 0xb361 AAAA ziti02.ad.company.com OPT
    5	0.001094	100.64.0.1	100.64.0.11	TCP	52	51025 → 3022 [SYN] Seq=0 Win=65535 Len=0 MSS=65495 WS=256 SACK_PERM

So ZDEW tries to reach the private edge router via the tunnel.
This is not working.
I believe I could circumvent this by advertising an address outside of the ad.company.com zone.
Just wanted to share my observations. Maybe it would be useful not to resolve advertised addresses of the overlay via the overlay at all?

Hope this makes sense.

I have now setup two different services.

  1. active-directory-client.svc
  2. active-directory-dns.svc
    {
      "name": "active-directory-dns.svc-intercept-config",
      "configTypeId": "g7cIWbcGg",
      "data": {
        "portRanges": [
          {
            "high": 53,
            "low": 53
          }
        ],
        "addresses": [
          "*.ad.company.com"
        ],
        "protocols": [
          "tcp",
          "udp"
        ]
      },
      "tags": {}
    }
    {
      "name": "active-directory-dns.svc-host-config",
      "configTypeId": "NH5p4FpGR",
      "data": {
        "address": "*.ad.company.com",
        "port": 53,
        "forwardProtocol": true,
        "allowedProtocols": [
          "tcp",
          "udp"
        ],
        "httpChecks": [],
        "portChecks": []
      },
      "tags": {}
    }

The other service, active-directory-client.svc, basically intercepts the A records for the domain controllers for ports 138, 389, 445, 1024-65535, 88, 636, 123, 135, 3128.

This is meant to fine-tune the access to domain resources as mentioned above.

I thought:
active-directory-dns.svc lets me intercept the SRV records, which contain references to, for example, the domain controllers.
When the IP addresses of those domain controllers are resolved, active-directory-client.svc can then provide access to them.
But if one tries to access a file server, there's no service for that and it fails.

But the result is:

    PS C:\Users\p.gross> Resolve-DnsName -Type SRV _ldap._tcp.AUE._sites.dc._msdcs.ad.company.com
    Resolve-DnsName : _ldap._tcp.AUE._sites.dc._msdcs.ad.company.com : DNS server failure
    At line:1 char:1
    + Resolve-DnsName -Type SRV _ldap._tcp.AUE._sites.dc._msdcs.ad.company.com ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ResourceUnavailable: (_ldap._tcp.AUE....ad.company.com:String) [Resolve-DnsName], Win32Exception
        + FullyQualifiedErrorId : RCODE_SERVER_FAILURE,Microsoft.DnsClient.Commands.ResolveDnsName

The windows client reports:

    [2025-02-24T12:25:56.908Z]    INFO tunnel-cbs:ziti_dns.c:686 on_proxy_connect() proxy resolve connection established for domain[*.ad.company.com]

Any idea, why this is not working?

Your hosting configuration is missing the forwarding options for host and port.
Wildcard domains won't work without forwardAddress being set to true.

Sorry for the delayed response.
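As an added example (mine, not code from the OpenZiti project or from anyone in this thread), here is a small Python linter that encodes the three rules the replies above settle on: an SRV name is only intercepted as part of a wildcard domain, a wildcard on the hosting side needs forwardAddress set to true, and every intercepted address has to be covered by the hosting side. It also flags the observation from earlier in the thread, a wildcard that swallows an edge router's advertised name. The sample configs are reconstructed inline from the posts; field names are the ones that appear there. Two details are my assumptions, not from the thread: a wildcard "*.example.com" is treated as covering any name ending in ".example.com", and a host config that has to serve several intercepted ports is expected to set forwardPort.

```python
"""Lint OpenZiti intercept.v1 / host.v1 config pairs for the SRV and
wildcard pitfalls discussed in this thread.

Added example, not OpenZiti project code. Rules taken from the thread:
  1. an SRV owner name (a label starting with "_") is only intercepted
     as part of a wildcard domain such as "*.ad.company.com";
  2. a wildcard address on the hosting side needs forwardAddress: true;
  3. each intercepted address must be covered by host.v1 "address" or
     "allowedAddresses".
Assumptions of mine (not from the thread): "*.example.com" covers any
name ending in ".example.com"; several intercepted ports need forwardPort.
"""


def is_wildcard(addr: str) -> bool:
    return addr.startswith("*.")


def is_srv_name(addr: str) -> bool:
    """SRV / DNS-SD owner names carry underscore-prefixed labels."""
    return any(label.startswith("_") for label in addr.split("."))


def covered_by(addr: str, host_addr: str) -> bool:
    """Does one host.v1 address entry cover an intercepted address?"""
    a, h = addr.lower(), host_addr.lower()
    if is_wildcard(h):
        return a.endswith(h[1:])  # "*.ad.company.com" -> ".ad.company.com" (assumed semantics)
    return a == h


def host_side_addresses(host: dict) -> list:
    addrs = [host["address"]] if "address" in host else []
    return addrs + list(host.get("allowedAddresses", []))


def check_service(name, intercept, host, router_names=()):
    """Return human-readable findings; an empty list means nothing to report."""
    findings = []
    hosts = host_side_addresses(host)
    addresses = intercept.get("addresses", [])

    for addr in addresses:
        if is_srv_name(addr) and not is_wildcard(addr):
            findings.append(f"{name}: SRV name {addr!r} is listed literally; "
                            "SRV lookups are only intercepted via a wildcard domain")
        if not any(covered_by(addr, h) for h in hosts):
            findings.append(f"{name}: intercepted address {addr!r} is not covered by "
                            "host.v1 address/allowedAddresses")

    if any(is_wildcard(h) for h in hosts) and not host.get("forwardAddress", False):
        findings.append(f"{name}: host.v1 has a wildcard address but forwardAddress is not true")

    ranges = intercept.get("portRanges", [])
    many_ports = len(ranges) > 1 or any(r["low"] != r["high"] for r in ranges)
    if many_ports and not host.get("forwardPort", False):
        findings.append(f"{name}: intercept spans several ports but host.v1 does not set forwardPort")

    # Observation from the thread: a wildcard that also matches an edge router's
    # advertised name makes the client try to dial the router through the overlay.
    for router in router_names:
        for addr in addresses:
            if is_wildcard(addr) and covered_by(router, addr):
                findings.append(f"{name}: wildcard {addr!r} also captures edge router "
                                f"{router!r}; the client would try to reach it via the overlay")
    return findings


# Constructed samples, modelled on the configs posted in the thread.
FIRST_INTERCEPT = {"addresses": ["_kerberos._udp.ad.company.de",
                                 "adw-dc01.ad.company.de", "ad-dc01.ad.company.de"]}
FIRST_HOST = {"forwardProtocol": True, "forwardAddress": True, "forwardPort": True,
              "allowedAddresses": FIRST_INTERCEPT["addresses"]}

DNS_INTERCEPT = {"portRanges": [{"low": 53, "high": 53}],
                 "addresses": ["*.ad.company.com"], "protocols": ["tcp", "udp"]}
DNS_HOST = {"address": "*.ad.company.com", "port": 53, "forwardProtocol": True,
            "allowedProtocols": ["tcp", "udp"]}
# Hosting side as the last reply asks for: forward the intercepted address and port.
DNS_HOST_FIXED = {"forwardProtocol": True, "forwardAddress": True, "forwardPort": True,
                  "allowedProtocols": ["tcp", "udp"],
                  "allowedAddresses": ["*.ad.company.com"],
                  "allowedPortRanges": [{"low": 53, "high": 53}]}

if __name__ == "__main__":
    for label, icpt, hst in [("active-directory.svc", FIRST_INTERCEPT, FIRST_HOST),
                             ("active-directory-dns.svc", DNS_INTERCEPT, DNS_HOST),
                             ("active-directory-dns.svc (fixed)", DNS_INTERCEPT, DNS_HOST_FIXED)]:
        for finding in check_service(label, icpt, hst, router_names=("ziti02.ad.company.com",)):
            print(finding)
```

Run as a script it reports the literal SRV name in the first service, the missing forwardAddress in the DNS service, and, for both DNS variants, that "*.ad.company.com" also captures ziti02.ad.company.com; the corrected hosting config alone produces no finding. The wildcard check is deliberately string-based, so feed it the "data" object of each config rather than the full API response.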