DNS
BETA
The configuration described below uses a beta release of our dedicated DNS service, ZeroNSD. You are not required to use ZeroNSD to provide DNS resolution for devices on your ZeroTier networks; any DNS server can be provided with the assigned IPs and names of your networks' members using the Central API.
## Conceptual Prerequisites
When ZeroTier joins a network, it creates a virtual network interface.
When ZeroTier joins multiple networks, there will be multiple network interfaces.
When ZeroNSD starts, it binds to a ZeroTier network interface.
When ZeroTier is joined to multiple networks, it needs multiple ZeroNSDs, one for each interface.
This means:
ZeroNSD will be accessible from the node it is running on.
ZeroNSD will be accessible from other nodes on the ZeroTier network.
ZeroNSD will be isolated from other networks the node might be on.
## Technical Prerequisites
This Quickstart was written using two machines - one Ubuntu virtual machine on Digital Ocean, and one macOS laptop on a residential ISP. To follow along step by step, you'll need to provision equivalent infrastructure. If you use different platforms, you should be able to figure out what to do with minimal effort.
## Create a ZeroTier Network
You may do this manually through the ZeroTier Central WebUI,
## Install ZeroTier

ZeroTier must be installed and joined to the network you intend to provide DNS service to. The following should work from the CLI on most platforms. Windows users may download the MSI from the ZeroTier Downloads page. For the remainder of this document, please replace the example network af78bf94364e2035 with a network ID of your own.

```
notroot@ubuntu:~$ curl -s https://install.zerotier.com | sudo bash
notroot@ubuntu:~$ sudo zerotier-cli join af78bf94364e2035
notroot@ubuntu:~$ sudo zerotier-cli set af78bf94364e2035 allowDNS=1
```
## Authorize the Nodes
Authorize the node to the network by clicking the "Auth" button in the Members section in the ZeroTier Central WebUI.
First, create a Central API token.
Next, you will need to stash this in a file for ZeroNSD to read.
```
sudo bash -c "echo ZEROTIER_CENTRAL_TOKEN > /var/lib/zerotier-one/token"
sudo chown zerotier-one:zerotier-one /var/lib/zerotier-one/token
sudo chmod 600 /var/lib/zerotier-one/token
```
## ZeroTier Systemd Manager

zerotier-systemd-manager publishes rpm and deb packages, available at https://github.com/zerotier/zerotier-systemd-manager/releases

```
wget https://github.com/zerotier/zerotier-systemd-manager/releases/download/v0.1.9/zerotier-systemd-manager_0.1.9_linux_amd64.deb
sudo dpkg -i zerotier-systemd-manager_0.1.9_linux_amd64.deb
```
Finally, restart all the ZeroTier services.
```
sudo systemctl daemon-reload
sudo systemctl restart zerotier-one
sudo systemctl enable zerotier-systemd-manager.timer
sudo systemctl start zerotier-systemd-manager.timer
```
## Install ZeroNSD
ZeroNSD should only run on one node per network. Latency for DNS really matters, so try to place it as close to the clients as possible.
### Packages
ZeroNSD publishes rpm, deb, and msi packages, available [here](https://github.com/zerotier/zeronsd/releases).
The latest release is not reflected below. Go to the link above to get a link!
```
wget https://github.com/zerotier/zeronsd/releases/download/v0.1.7/zeronsd_0.1.7_amd64.deb
sudo dpkg -i zeronsd_0.1.7_amd64.deb
```
### Cargo
If we don't have packages for your platform, you can still install it with cargo.
```
sudo /usr/bin/apt-get -y install net-tools librust-openssl-dev pkg-config cargo
sudo /usr/bin/cargo install zeronsd --root /usr/local
```
## Serve DNS

For each network you want to serve DNS to, do the following (replace af78bf94364e2035 with your network ID):

```
sudo zeronsd supervise -t /var/lib/zerotier-one/token -w -d beyond.corp af78bf94364e2035
sudo systemctl start zeronsd-af78bf94364e2035
sudo systemctl enable zeronsd-af78bf94364e2035
```
## Verify functionality

You should be able to ping the laptop via its DNS name (or any preceding subdomain, since we set the wildcard flag):

```
notroot@ubuntu:~$ ping laptop.beyond.corp
PING laptop.beyond.corp (172.22.192.177) 56(84) bytes of data.
64 bytes from 172.22.192.177 (172.22.192.177): icmp_seq=1 ttl=64 time=50.1 ms
64 bytes from 172.22.192.177 (172.22.192.177): icmp_seq=2 ttl=64 time=49.5 ms
64 bytes from 172.22.192.177 (172.22.192.177): icmp_seq=3 ttl=64 time=48.6 ms
```
or
```
notroot@ubuntu:~$ ping travel.laptop.beyond.corp
PING travel.laptop.beyond.corp (172.22.192.177) 56(84) bytes of data.
64 bytes from 172.22.192.177 (172.22.192.177): icmp_seq=1 ttl=64 time=50.1 ms
64 bytes from 172.22.192.177 (172.22.192.177): icmp_seq=2 ttl=64 time=49.5 ms
64 bytes from 172.22.192.177 (172.22.192.177): icmp_seq=3 ttl=64 time=48.6 ms
```
## Update flag settings

In order to change the settings (such as the TLD), do the following (replace af78bf94364e2035 with your network ID):

```
sudo zeronsd supervise -t /var/lib/zerotier-one/token -w -d beyond.corp af78bf94364e2035
sudo systemctl daemon-reload
sudo systemctl enable zeronsd-af78bf94364e2035
```
Most Linux distributions, by default, do not have per-interface DNS resolution out of the box. To test DNS queries against ZeroNSD without zerotier-systemd-manager, find the IP address that ZeroNSD has bound itself to, and run queries against it explicitly.
```
sudo lsof -i -n | grep ^zeronsd | grep UDP | awk '{ print $9 }' | cut -f1 -d:
172.22.245.70
```

Query the DNS server directly with the dig command.
The Ubuntu machine can be queried with:
```
dig +short @172.22.245.70 zt-3513e8b98d.beyond.corp
172.22.245.70
dig +short @172.22.245.70 server.beyond.corp
172.22.245.70
```
The macOS laptop can be queried with:
```
dig +short @172.22.245.70 zt-eff05def90.beyond.corp
172.22.245.70
dig +short @172.22.245.70 laptop.beyond.corp
172.22.192.177
```
Add a line to /etc/hosts and query again.
```
bash -c 'echo "1.2.3.4 test" >> /etc/hosts'
dig +short @172.22.245.70 test.beyond.corp
1.2.3.4
```
Query a domain on the public DNS to verify fall-through:

```
dig +short @172.22.245.70 example.com
93.184.216.34
```
### macOS

macOS uses dns-sd for DNS resolution. Unfortunately, nslookup, host, and dig are broken on macOS. ping works.

```
user@osx:~$ ping server.beyond.corp
PING server.beyond.corp (172.22.245.70): 56 data bytes
64 bytes from 172.22.245.70: icmp_seq=0 ttl=64 time=37.361 ms
64 bytes from 172.22.245.70: icmp_seq=1 ttl=64 time=38.129 ms
64 bytes from 172.22.245.70: icmp_seq=2 ttl=64 time=37.569 ms
```
To check out the system resolver settings, use: scutil --dns.
The Ubuntu machine can be queried with:

```
dns-sd -G v4 server.beyond.corp
dns-sd -G v4 zt-3513e8b98d.beyond.corp
```

The macOS machine can be queried with:

```
dns-sd -G v4 laptop.beyond.corp
dns-sd -G v4 zt-eff05def90.beyond.corp
```
### Windows

Are you a Windows user? Does this work out of the box? Does nslookup behave properly? Let us know; feedback and pull requests are welcome.
## Serving non-ZeroTier records

NOTE: this portion of the document is largely intended for advanced users who want to get more out of `zeronsd`'s service.

zeronsd will also serve non-ZeroTier records in two situations. First, on a TLD mismatch it forwards the query to the nameservers listed in `/etc/resolv.conf`. This behavior is similar to dnsmasq, a popular DNS server on Linux.

Second, to serve custom records you can supply the -f flag with a file in hosts format; zeronsd will serve the records from that file under the provided TLD, merged in with the ZeroTier nodes. Example below.

NOTE: if you followed the steps above, you will want to run `systemctl stop zeronsd-<network id>` and `zeronsd unsupervise <network id>` for your network before continuing.
Make a file called hosts and put this in it:
```
1.1.1.1 cloudflare-dns
```
Then, let's start a temporary server for now. We'll just use the start subcommand of zeronsd. This will run in the foreground, so start a new terminal or background it with &.

```
$ zeronsd start -t /var/lib/zerotier-one/token -f ./hosts -d beyond.corp
Welcome to ZeroNS!
Your IP is 1.2.3.4
```
Finally, we can look up cloudflare-dns.beyond.corp to find CloudFlare's DNS server really really fast!

```
$ host cloudflare-dns.beyond.corp 1.2.3.4
cloudflare-dns.beyond.corp has address 1.1.1.1
```
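To make the lookup rules in this section concrete, here is an added Python model (not zeronsd's own code) of how a query is dispatched: hosts-file records merged under the TLD, the wildcard (-w) behaviour, and forwarding to the resolv.conf nameservers on a TLD mismatch. The member names and addresses are the ones used on this page; the `1.2.3.4 test` hosts entry, the upstream address 192.0.2.53 and the NXDOMAIN-on-miss rule are constructed or assumed.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample data: member names/IPs as they appear on this page,
# a hosts file in the page's format, and a placeholder upstream resolver.
TLD = "beyond.corp"
MEMBERS = {"server": "172.22.245.70", "zt-3513e8b98d": "172.22.245.70",
           "laptop": "172.22.192.177", "zt-eff05def90": "172.22.192.177"}
HOSTS = "1.1.1.1 cloudflare-dns\n1.2.3.4 test   # constructed entry\n"
UPSTREAM = ["192.0.2.53"]  # stands in for /etc/resolv.conf's nameservers

def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts(5) lines: 'IP name [alias ...]'; '#' starts a comment."""
    records: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            records[name.lower()] = ip
    return records

class ZeroNSDModel:
    def __init__(self, tld: str, members: Dict[str, str], hosts_text: str = "",
                 wildcard: bool = False, upstream: Optional[List[str]] = None):
        self.tld_labels = tld.strip(".").lower().split(".")
        # -f: hosts-file records are merged in with the ZeroTier members
        self.records = {k.lower(): v for k, v in members.items()}
        self.records.update(parse_hosts(hosts_text))
        self.wildcard = wildcard  # -w
        self.upstream = list(upstream or [])

    def resolve(self, qname: str) -> Tuple[str, object]:
        """('local', ip) | ('forward', nameservers) | ('nxdomain', None)."""
        labels = qname.rstrip(".").lower().split(".")
        n = len(self.tld_labels)
        if labels[-n:] != self.tld_labels:
            # TLD mismatch: the query is forwarded to the upstream resolvers,
            # so answers for those names carry only the upstream's trust.
            return ("forward", self.upstream)
        host = labels[:-n]
        if len(host) == 1 and host[0] in self.records:
            return ("local", self.records[host[0]])
        # -w: any preceding subdomain of a member name resolves to that member
        # (travel.laptop.beyond.corp -> laptop). Without -w it is not answered.
        if len(host) > 1 and self.wildcard and host[-1] in self.records:
            return ("local", self.records[host[-1]])
        # Assumption of this model: a TLD match with no record yields NXDOMAIN.
        return ("nxdomain", None)
```

Instantiate `ZeroNSDModel(TLD, MEMBERS, HOSTS, wildcard=True, upstream=UPSTREAM)` and call `resolve()` on the names from this page to trace which rule answers each one.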
Tip: See community threads about DNS.
Updated on: 12/07/2024