Windows domain controller DNS intercept

We are attempting to bridge a on-prem private windows desktop edge machine into a managed directory service inside of AWS, among the myriad of issues so far a question has arisen about how to handle the DNS intercept across multiple sites.

AWS Directory Services runs in two different regions by default, so my plan was to have 2 different edge routers in the cloud to bridge into the private subnet in each region VPC, however I don't understand how the wildcard DNS intercept would work, since the same AD domain name is used for both sites in the AWS side?

If there is a service configured for both sites on the WDE client, would it round robin the lookups in the interepts, or only use 1 until a failure occured, or would this just break?

I'm no expert here. Hopefully another community member who's actually done this can add more details.

I don't have a clear picture in my head how/where the problem comes in. Not being an expert in this scenario, I don't "see the problem" yet. Maybe you can outline an example where the problem becomes obvious to me? :slight_smile:

I'll see if anyone else can comment on this scenario, I don't think I understand it well enough to be able to help out (at least, not yet)

This sounds like it would be forwarded based on the service ha configuration across the fabric with 2 egress points. By default, this service is set up as shortest path wins (least latency) at the time of each session creation.

more on this here Ziti Services | OpenZiti

The part that I thought might be the problem is that where would be duplicate services that both had the wildcard DNS intercepts configured at the same time on the single client install, does that matter, or would the DNS part just be a race condition on which service it used to intercept the dns traffic?

ziti edge create config "wildcard.uswest2.dial" intercept.v1 '{"protocols":["tcp","udp"],"addresses":["","*"], "portRanges":[{"high":443,"low":443}]'

ziti edge create config "wildcard.useast1.dial" intercept.v1 '{"protocols":["tcp","udp"],"addresses":["","*"], "portRanges":[{"high":443,"low":443}]'

Due to the other issues I'm having I haven't been able to test the dual services yet, so I guess we'll find out what it does.

Hi Pixitha,
If I understand your question correctly, the dns will be resolved at the egress point. The egress point is the endpoint that binds to the service.

On the ingress point, ziti intercepts the wildcard domain (*, for example, the traffic goes over ziti fabric to the egress point and then get route to whatever "" is resolved to at that node.

I would create a third service hosted by both locations where the wild card url is intercepted and would take that out of the existing two services. My assumption based on the provided configs is that the prefixes are unique per hosted site.