Ziti router run with TPROXY mode

Ziti Overlay
1

I would like to add a Ziti Gateway as described in "Use a Router as a Local Gateway".

Currently, my router is configured as follows and works as a reverse proxy:

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: domain.name:3022
      connectTimeoutMs: 5000
      getSessionTimeout: 60
  - binding: tunnel
    options:
      mode: host #tproxy|host

I am considering simply adding a new binding for the gateway:

listeners:
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: domain.name:3022
      connectTimeoutMs: 5000
      getSessionTimeout: 60
  - binding: tunnel
    options:
      mode: host 
  - binding: tunnel
    options:
      mode: tproxy
      bind: udp://127.0.0.1:5553  # input from named (DoT)
      resolver: udp://127.0.0.1:53 # forward to cloudflared (DoH)
      dnsSvcIpRange: 100.64.0.0/10  
      domains:
        public.dns.zone: internal
        default: upstream

Can I safely add this new binding alongside my existing ones, or are there any considerations I should be aware of when combining host and tproxy tunnel modes on the same router?

2

Hi @Rantanplan, you should only need one tunnel binding. If it's running in mode tproxy then hosting will also be enabled. We should make it more configurable so you can do intercept only, but for now, that's the recommendation.

Paul

3

I have configured a Ziti router with a tproxy tunnel listener for DNS as follows:

listeners:
# bindings of edge and tunnel requires an "edge" section below
  - binding: edge
    address: tls:0.0.0.0:3022
    options:
      advertise: domain.name:443
      connectTimeoutMs: 5000
      getSessionTimeout: 60
  - binding: tunnel
    options:
      mode: tproxy
      bind: udp://127.0.0.53:53 
      resolver: udp://127.0.0.1:5553
      dnsSvcIpRange: 100.64.0.0/10  
      domains:
        public.dns.zone: internal
        default: upstream

The logs indicate:

{
  "file": "github.com/openziti/ziti/tunnel/dns/dns_linux.go:62",
  "func": "github.com/openziti/ziti/tunnel/dns.NewDnsServer",
  "level": "info",
  "msg": "dns server running at 127.0.0.1:5553",
  "time": "2025-12-03T20:28:44.353Z"
}

And netstat -lunp confirms that 127.0.0.1:5553 is bound by the Ziti process

netstat -lunp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
udp        0      0 0.0.0.0:5355            0.0.0.0:*                           835499/systemd-reso 
udp        0      0 127.0.0.1:5553          0.0.0.0:*                           846612/ziti         
udp        0      0 127.0.0.54:53           0.0.0.0:*                           835499/systemd-reso 
udp        0      0 127.0.0.53:53           0.0.0.0:*                           835499/systemd-reso 
udp6       0      0 :::5355                 :::*                                835499/systemd-reso

However, when I query the DNS server on port 5553. I receive:

dig @127.0.0.1 -p 5553 google.com 

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> @127.0.0.1 -p 5553 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 64666
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;google.com.			IN	A

;; Query time: 0 msec
;; SERVER: 127.0.0.1#5553(127.0.0.1) (UDP)
;; WHEN: Wed Dec 03 20:31:56 UTC 2025
;; MSG SIZE  rcvd: 28

It is unclear to me where the Ziti router forwards DNS queries from this port.

I am running a Ziti router with a tproxy tunnel listener for DNS queries.

StateDirectory=ziti-router
WorkingDirectory=/var/lib/ziti-router

ExecStartPre=/opt/openziti/etc/router/entrypoint.bash check config.yml
ExecStart=/opt/openziti/bin/ziti router run config.yml ${ZITI_ARGS}

Could you clarify the correct way to configure the upstream DNS server, so that queries are properly resolved?

ziti version
v1.6.10
4

Hello, apologies for the late response. You can supply a couple of extra configuration parameters: dnsUpstream and dnsUnanswerable to customize this:

  - binding: tunnel
    options:
      mode: tproxy
      bind: udp://127.0.0.53:53 
      resolver: udp://127.0.0.1:5553
      dnsSvcIpRange: 100.64.0.0/10  
      dnsUpstream: udp://10.96.0.10:53 # Upstream DNS server for recursive queries (e.g., udp://10.96.0.10:53 or tcp://8.8.8.8:53)
      dnsUnanswerable: refused #Disposition for unanswerable DNS queries (timeout|servfail|refused, default: refused)
      domains:
        public.dns.zone: internal
        default: upstream