
Windows DNS issues on AD DC and AD joined Windows machines

Open bbaumgartl opened this issue 2 years ago • 10 comments

It seems that the netbird search domain is ignored on a Windows Server Active Directory Domain Controller.

After connecting netbird the log states that the search domain was added:

2023-06-23T11:44:27+02:00 INFO client/internal/dns/host_windows.go:181: updated the search domains in the registry with 1 domains. Domain list: [netbird.cloud]

But it does not show up in ipconfig /all under DNS Suffix Search List or Connection-specific DNS Suffix:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : windows-server
   Primary Dns Suffix  . . . . . . . : domain.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.local

Unknown adapter wt0:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WireGuard Tunnel
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 100.71.19.142(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 162275179
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-22-98-15-90-AC-1F-6B-60-F5-72
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled

And DNS queries with only the hostname fail:

PS C:\Users\administrator> Resolve-DnsName -Name peer-a
Resolve-DnsName : peer-a : DNS name does not exist
At line:1 char:1
+ Resolve-DnsName -Name  peer-a
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (peer-a:String) [Resolve-DnsName], Win32Exception
    + FullyQualifiedErrorId : DNS_ERROR_RCODE_NAME_ERROR,Microsoft.DnsClient.Commands.ResolveDnsName

Using the FQDN does work though:

PS C:\Users\administrator> Resolve-DnsName -Name peer-a.netbird.cloud
Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
peer-a.netbird.cloud                           A      300   Answer     100.71.126.42

bbaumgartl avatar Jun 26 '23 09:06 bbaumgartl

I tried the same configuration on an AD joined Windows 10 machine. DNS resolution for netbird works, but the local AD domain doesn't resolve anymore. It looks like netbird changes the DNS configuration (in the adapter properties) from "Append primary and connection specific DNS suffixes" to "Append these DNS suffixes (in order)" (as described here: https://answers.uillinois.edu/illinois/page.php?id=114224). This somehow means that Windows is only using the suffixes from this list, and on a Windows AD DC this seems to have no effect at all (after changing the setting manually while testing it somehow worked, but reconnecting netbird broke it again).

I tried two different manual DNS configurations with netbird connected:

  1. Activating "Append primary and connection specific DNS suffixes" and setting "DNS suffix for this connection" on the wt0 adapter to netbird.cloud. This appends netbird.cloud to the DNS Suffix Search List in ipconfig /all.
  2. Adding domain.local to "Append these DNS suffixes (in order)" after netbird added netbird.cloud to the list.

Both seem to work (local AD domain and netbird domain are added to the search list and can be resolved) on the Windows AD DC and Windows 10 machine. Maybe one could be a possible solution?

bbaumgartl avatar Jun 27 '23 12:06 bbaumgartl

Another thing I noticed is that connecting netbird registers the netbird IP address in the local DNS server. This causes local network clients to sometimes get the netbird IP instead of the local IP and thus they can't connect to the server. There is an option in the adapter properties ("Register this connection's addresses in DNS") which should avoid this. Maybe this is something that can be set after the adapter is created?


bbaumgartl avatar Jul 04 '23 08:07 bbaumgartl
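The following PowerShell script is an added example, not code from this issue or from the NetBird project; it audits the three symptoms raised in the two comments above (global suffix search list overriding the AD suffix, missing connection-specific suffix on the tunnel adapter, tunnel address registered in AD DNS) and, with -Apply, sets workaround 1 from the thread. It assumes the adapter alias wt0 and the suffixes domain.local and netbird.cloud shown above; change them for your environment.

```powershell
# Added example (not from the issue or the NetBird project): audit the DNS
# symptoms described in this thread on an AD-joined Windows host and, with
# -Apply, set workaround 1 (primary + connection-specific suffix on wt0,
# registration of the tunnel address disabled). Adapter alias and suffixes
# are assumptions taken from the thread; adjust for your environment.
param(
    [string]$Adapter  = 'wt0',
    [string]$AdSuffix = 'domain.local',
    [string]$NbSuffix = 'netbird.cloud',
    [switch]$Apply
)

$dnsGlobal = Get-DnsClientGlobalSetting
$client    = Get-DnsClient -InterfaceAlias $Adapter -ErrorAction Stop

# A non-empty global SuffixSearchList switches Windows to "Append these DNS
# suffixes (in order)", so the primary (AD) suffix is only searched if it is
# also present in that list.
Write-Host "Global suffix search list : $($dnsGlobal.SuffixSearchList -join ', ')"
Write-Host "$Adapter connection suffix : $($client.ConnectionSpecificSuffix)"
Write-Host "$Adapter registers in DNS  : $($client.RegisterThisConnectionsAddress)"

$problems = @()
if ($dnsGlobal.SuffixSearchList -and ($dnsGlobal.SuffixSearchList -notcontains $AdSuffix)) {
    $problems += "global search list is set but lacks $AdSuffix (AD short names will not resolve)"
}
if (-not $dnsGlobal.SuffixSearchList -and $client.ConnectionSpecificSuffix -ne $NbSuffix) {
    $problems += "no search list and $Adapter has no $NbSuffix suffix (NetBird short names will not resolve)"
}
# The tunnel address being registered in the AD zone means LAN clients may
# receive the overlay IP instead of the local one.
if ($client.RegisterThisConnectionsAddress) {
    $problems += "$Adapter registers its address in DNS (overlay IP may be handed to LAN clients)"
}

if (-not $problems) { Write-Host 'No DNS issues found.'; return }
$problems | ForEach-Object { Write-Warning $_ }

if ($Apply) {
    # Workaround 1 from the thread: empty the global list (back to "Append
    # primary and connection specific DNS suffixes"), put the NetBird domain on
    # the tunnel adapter only, and stop registering the tunnel address.
    Set-DnsClientGlobalSetting -SuffixSearchList @()
    Set-DnsClient -InterfaceAlias $Adapter -ConnectionSpecificSuffix $NbSuffix `
        -RegisterThisConnectionsAddress $false
    Write-Host 'Applied. As noted in the thread, the client may rewrite these settings on reconnect.'
}
```

Run from an elevated prompt; without -Apply it only reports, so it is safe to use as a recurring check for whether the settings have been reverted.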

Yes, waiting for that fix as well... This makes NetBird effectively unusable in an AD environment, because short names are usually heavily utilized in average business use cases (it seems that even some Win10/11 domain communication itself expects AD servers to be accessible by their short name).

MobileManiC avatar Oct 09 '23 11:10 MobileManiC

Btw, I think solution 1 ("Append primary and connection specific DNS suffixes") is the proper one.

MobileManiC avatar Oct 09 '23 11:10 MobileManiC

Can confirm this is an issue in AD environments. The suggestions above did fix these issues; however, they are temporary (reverted upon reboot or restarting the netbird client). Would love to roll this solution out, but this is a major hurdle.

hesshaus avatar May 03 '24 18:05 hesshaus

I think this has already been resolved for a long time. Have you tried installing the current version and configuring DNS properly on the server side?

MobileManiC avatar May 04 '24 09:05 MobileManiC

I just briefly checked it, and it seems that the first two points (Windows Server netbird DNS resolution, AD joined Windows machine local DNS resolution) now work.

The third point (the netbird IP being registered in the local domain as the host's IP address) still seems to be an issue.

bbaumgartl avatar May 10 '24 10:05 bbaumgartl