ZeroNS provides names that are a part of ZeroTier Central's configured networks; once provided an IPv4-capable network it:
/etc/resolv.conf resolvers that do not match the TLD, similar to dnsmasq..domain is the default), as well as configuring A (IPv4) and AAAA (IPv6) records for:
zt-<memberid>.<tld> will resolve to the IPv4 & IPv6 addresses for them.<name>.<tld>.-w flag) enables wildcards for all names under the TLD; for example my-site.zt-<memberid>.<tld> will resolve to the member's IP, and named hosts work the same way.Before continuing, be reminded that zeronsd is beta software. That said, if you'd like to get started quickly with zeronsd, click here for a user-friendly guide!
Packages:
*.deb, *.rpm for Linux, and MSI format for Windows.
brew tap zerotier/homebrew-tap && brew install zerotier/homebrew-tap/zeronsddocker pull zerotier/zeronsd (see below for more on docker)Other methods:
Please obtain a working rust environment first.
cargo install zeronsd
cargo install --git https://github.com/zerotier/zeronsd --branch main
There is a Dockerfile present in the repository you can use to build images in lieu of one of our official images.
There are build arguments which control behavior:
IS_LOCAL: if set, uses the local source tree and does not try to fetch.VERSION: this is the branch or tag to fetch.IS_TAG: if non-zero, tells cargo to fetch tags instead of branches.Example:
bash
docker build . # builds latest master
docker build --build-arg VERSION=somebranch # builds branch `somebranch`
docker build --build-arg IS_TAG=1 --build-arg VERSION=v0.1.0 # builds version 0.1.0 from tag v0.1.0
Once built, the image automatically runs zeronsd for you. The default subcommand is help.
Setting ZEROTIER_CENTRAL_TOKEN in the environment (or providing the -t flag, which points at a file containing this value) is required. You must be able to administer the ZeroTier network to use zeronsd with it. Also, running as root is required as many client resolvers do not work over anything but port 53. Your zeronsd instance will listen on both udp and tcp, port 53.
Tip: running sudo? Pass the -E flag to import your current shell's environment, making it easier to add the ZEROTIER_CENTRAL_TOKEN, or use the -t flag to avoid the environment entirely.
zeronsd start <network id>
This behavior is currently only supported on Linux and Mac OS X; we will accept patches for other platforms.
The zeronsd supervise and zeronsd unsupervise commands can be used to manipulate systemd unit files related to your network. For the supervise case, simply pass the arguments you would normally pass to start and it will generate a unit from it.
Example:
```bash
zeronsd supervise -t ~/.token -f /etc/hosts -d mydomain 36579ad8f6a82ad3
systemctl daemon-reload systemctl enable zeronsd-36579ad8f6a82ad3.service && systemctl start zeronsd-36579ad8f6a82ad3.service
systemctl disable zeronsd-36579ad8f6a82ad3.service && systemctl stop zeronsd-36579ad8f6a82ad3.service zeronsd unsupervise 36579ad8f6a82ad3 systemctl daemon-reload ```
Running in docker is a little more complicated. You must be able to have a network interface you can import (joined a network) and must be able to reach localhost:9999 on the host. At this time, for brevity's sake we are recommending running with --net=host until we have more time to investigate a potentially more secure solution.
You also need to mount your authtoken.secret, which we use to talk to zerotier-one
docker run --net host -it \
-v /var/lib/zerotier-one/authtoken.secret:/authtoken.secret \
-v <token file>:/token.txt \
zeronsd:alpine start -s /authtoken.secret -t /token.txt \
<network id>
You must have already joined a network and obviously, zerotier-one should be running!
It should print some diagnostics after it has talked to your zerotier-one instance to figure out what IP to listen on. After that it should communicate with the central API and set everything else up automatically.
start and supervise subcommands:-d <tld> will set a TLD for your records; the default is domain.-f <hosts file> will parse a file in /etc/hosts format and append it to your records.-s <secret file> path to authtoken.secret which is needed to talk to ZeroTier on localhost. You can provide this file with this argument, but it is auto-detected on multiple platforms including Linux, OS X and Windows.-t <central token file> path to file containing your ZeroTier Central token.-w Enables wildcard mode, where all member names get a wildcard in this format: *.<name>.<tld>; this points at the member's IP address(es).-v Enables verbose logging. Repeat for more verbosity.-V prints the version.Records currently have a TTL of 60s, and Central's records are refreshed every 30s through the API. I felt this was a safer bet than letting timeouts happen.
OS X and Windows users get this functionality by default, so there is no need for it. Please note at this point in time, however, that PTR resolution does not properly work on either platform. This is a defect in ZeroTier and should be corrected soon.
Linux users are strongly encouraged to use systemd-networkd along with systemd-resolved to get per-interface resolvers that you can isolate to the domain you want to use. If you'd like to try something that can assist with getting you going quickly, check out the zerotier-systemd-manager repository.
BSD systems still need a bit of work; work that we could really use your help with if you know the lay of the land on your BSD of choice. Set up an issue if this interests you.
ZeroNS demands a lot out of the trust-dns toolkit and I personally am grateful such a library suite exists. It made my job very easy.
Erik Hollensbe github@hollensbe.org