DNS

• [](/)
• Guides
• DNS

On this page

BETA

The configuration described below uses a beta release of our dedicated DNS service, ZeroNSD. You are not required to use ZeroNSD to provide DNS resolution for devices on your ZeroTier networks; any DNS server can be provided with the assigned IPs and names of your networks' members using the Central API.

Conceptual Prerequisites​

• When ZeroTier joins a network, it creates a virtual network interface.
• When ZeroTier joins multiple networks, there will be multiple network interfaces.
• When ZeroNSD starts, it binds to a ZeroTier network interface.
• When ZeroTier is joined to multiple networks, it needs multiple ZeroNSDs, one for each interface.

This means:

• ZeroNSD will be accessible from the node it is running on.
• ZeroNSD will be accessible from other nodes on the ZeroTier network.
• ZeroNSD will be isolated from other networks the node might be on.

Technical Prerequisites​

This Quickstart was written using two machines - one Ubuntu virtual machine on Digital Ocean, and one macOS laptop on a residential ISP. To follow along step by step, you'll need to provision equivalent infrastructure. If you use different platforms, you should be able to figure out what to do with minimal effort.

Create a ZeroTier Network​

You may do this manually through the ZeroTier Central WebUI,

Install ZeroTier​

ZeroTier must be installed and joined to the network you intend to provide DNS service to. The following should work from the CLI on most platforms. Windows users may download the MSI from the ZeroTier Downloads page. For the remainder of this document, please replace the example network af78bf94364e2035 with a network ID your own.

undefined notroot@ubuntu:~$ curl -s https://install.zerotier.com | sudo bashnotroot@ubuntu:~$ sudo zerotier-cli join af78bf94364e2035notroot@ubuntu:~$ sudo zerotier-cli set af78bf94364e2035 allowDNS=1

Authorize the Nodes​

Authorize the node to the network by clicking the "Auth" button in the Members section in the ZeroTier Central WebUI.

First, create a Central API token.

Next, you will need to stash this in a file for ZeroNSD to read.

undefined sudo bash -c "echo ZEROTIER_CENTRAL_TOKEN > /var/lib/zerotier-one/token"sudo chown zerotier-one:zerotier-one /var/lib/zerotier-one/tokensudo chmod 600 /var/lib/zerotier-one/token

ZeroTier Systemd Manager​

zerotier-systemd-manager publishes rpm and deb packages available at https://github.com/zerotier/zerotier-systemd-manager/releases

undefined wget https://github.com/zerotier/zerotier-systemd-manager/releases/download/v0.1.9/zerotier-systemd-manager_0.1.9_linux_amd64.debsudo dpkg -i zerotier-systemd-manager_0.1.9_linux_amd64.deb

Finally, restart all the ZeroTier services.

undefined sudo systemctl daemon-reloadsudo systemctl restart zerotier-onesudo systemctl enable zerotier-systemd-manager.timersudo systemctl start zerotier-systemd-manager.timer

Install ZeroNSD​

ZeroNSD should only run on one node per network. Latency for DNS really matters, so try to place it as close to the clients as possible.

Packages​

ZeroNSD publishes rpm, deb, and msi packages, available here.

The latest release is not reflected below. Go to the link above to get a link!

undefined wget https://github.com/zerotier/zeronsd/releases/download/v0.1.7/zeronsd_0.1.7_amd64.debsudo dpkg -i zeronsd_0.1.7_amd64.deb

Cargo​

If we don't have packages for your platform, you can still install it with cargo.

undefined sudo /usr/bin/apt-get -y install net-tools librust-openssl-dev pkg-config cargosudo /usr/bin/cargo install zeronsd --root /usr/local

Serve DNS​

For each network you want to serve DNS to, do the following (replace af78bf94364e2035 with your network ID)

undefined sudo zeronsd supervise -t /var/lib/zerotier-one/token -w -d beyond.corp af78bf94364e2035sudo systemctl start zeronsd-af78bf94364e2035sudo systemctl enable zeronsd-af78bf94364e2035

Verify functionality​

You should be able to ping the laptop via it's DNS name (or any preceding subdomain, since we've set the wildcard flag)

undefined notroot@ubuntu:~$ ping laptop.beyond.corpPING laptop.beyond.corp (172.22.192.177) 56(84) bytes of data.64 bytes from 172.22.192.177 (172.22.192.177): icmp_seq=1 ttl=64 time=50.1 ms64 bytes from 172.22.192.177 (172.22.192.177): icmp_seq=2 ttl=64 time=49.5 ms64 bytes from 172.22.192.177 (172.22.192.177): icmp_seq=3 ttl=64 time=48.6 ms

or

undefined notroot@ubuntu:~$ ping laptop.beyond.corpPING travel.laptop.beyond.corp (172.22.192.177) 56(84) bytes of data.64 bytes from 172.22.192.177 (172.22.192.177): icmp_seq=1 ttl=64 time=50.1 ms64 bytes from 172.22.192.177 (172.22.192.177): icmp_seq=2 ttl=64 time=49.5 ms64 bytes from 172.22.192.177 (172.22.192.177): icmp_seq=3 ttl=64 time=48.6 ms

Update flag settings​

In order to change the settings (such as the TLD), do the following (replace af78bf94364e2035 with your network ID)

undefined sudo zeronsd supervise -t /var/lib/zerotier-one/token -w -d beyond.corp af78bf94364e2035sudo systemctl daemon-reloadsudo systemctl enable zeronsd-af78bf94364e2035

Most Linux distributions, by default, do not have per-interface DNS resolution out of the box. To test DNS queries against ZeroNSD without zerotier-systemd-manager, find the IP address that ZeroNSD has bound itself to, and run queries against it explicitly.

undefined sudo lsof -i -n | grep ^zeronsd | grep UDP | awk '{ print $9 }' | cut -f1 -d:172.22.245.70

Query the DNS server directly with the dig command

The Ubuntu machine can be queried with:

undefined dig +short @172.22.245.70 zt-3513e8b98d.beyond.corp172.22.245.70dig +short @172.22.245.70 server.beyond.corp172.22.245.70

The macOS laptop can be queried with:

undefined dig +short @172.22.245.70 zt-eff05def90.beyond.corp172.22.245.70dig +short @172.22.245.70 laptop.beyond.corp172.22.192.177

Add a line to /etc/hosts and query again.

undefined bash -c 'echo "1.2.3.4 test" >> /etc/hosts'dig +short @172.22.245.70 test.beyond.corp1.2.3.4

Query a domain on the public DNS to verify fall through

undefined dig +short @172.22.245.70 example.com93.184.216.34

macOS​

macOS uses dns-sd for DNS resolution. Unfortunately, nslookup,host, and dig are broken on macOS. ping works.

undefined user@osx:~$ ping server.beyond.corpPING server.beyond.corp (172.22.245.70): 56 data bytes64 bytes from 172.22.245.70: icmp_seq=0 ttl=64 time=37.361 ms64 bytes from 172.22.245.70: icmp_seq=1 ttl=64 time=38.129 ms64 bytes from 172.22.245.70: icmp_seq=2 ttl=64 time=37.569 ms

To check out the system resolver settings, use: scutil --dns.

The Ubuntu machine can be queried with

dns-sd -G v4 server.beyond.corp dns-sd -G v4 zt-3513e8b98d.beyond.corp

The macOS machine be queried with

dns-sd -G v4 laptop.beyond.corp dns-sd -G v4 zt-eff05def90.beyond.corp

Windows​

Are you a Windows user? Does this work out of the box? Does nslookup behave properly? Let us know... feedback and pull requests welcome

Serving non-ZeroTier records​

NOTE this portion of the document is largely intended for advanced users who want to get more out of zeronsd's service.

zeronsd will also serve non-zerotier records in two situations: It will forward /etc/resolv.conf's nameservers on a TLD mismatch. This behavior is similar to dnsmasq, a popular DNS server on Linux.

Additionally, to serve custom records you can supply the -f flag with a file in hosts format it will service records from that file under the provided TLD, merged in with the zerotier nodes. Example below.

NOTE: if you followed the steps above, you will want to systemctl stop zeronsd-<network id>, and zeronsd unsupervise <network id> your network, before continuing.

Make a file called hosts and put this in it:

undefined 1.1.1.1 cloudflare-dns

Then, let's start a temporary server for now. We'll just use the start subcommand of zeronsd. This will run in the foreground, so start a new terminal or & it.

undefined $ zeronsd start -t /var/lib/zerotier-one/token -f ./hosts -d beyond.corp Welcome to ZeroNS!Your IP is 1.2.3.4

Finally, we can lookup cloudflare-dns.beyond.corp to find CloudFlare's DNS server really really fast!

undefined $ host cloudflare-dns.beyond.corp 1.2.3.4cloudflare-dns.beyond.corp has address 1.1.1.1

tip

See community threads about DNS

Updated on: 12/07/2024