Summary

The ZTLP agent daemon DNS resolver does not intercept queries for domains configured in `[dns.domain_map]`. Instead, queries fall through to upstream DNS and return the public IP instead of a local VIP from the `127.100.0.0/16` pool.

Steps to Reproduce

- Configure `~/.ztlp/agent.toml`:

```toml
[dns]
listen = "127.0.0.1:5354"
enabled = true
vip_range = "127.100.0.0/16"
zones = ["beta.chooseforce.com"]

[dns.domain_map]
"beta.chooseforce.com" = "beta.techrockstars.ztlp"

[ns]
servers = ["52.39.59.34:23096"]
```

- Start the agent: `sudo ./ztlp agent start --foreground`
- Query DNS: `dig @127.0.0.1 -p 5354 beta.chooseforce.com`

Expected

- DNS returns a VIP like `127.100.0.1`
- Agent creates a tunnel to the gateway for `beta.techrockstars.ztlp`
- Agent binds a TCP listener on the VIP
- Browsing `http://beta.chooseforce.com` works transparently

Actual

- DNS returns the public IP (`204.16.122.24`) from upstream resolution
- No VIP assigned, no tunnel created
- `./ztlp agent status` shows `VIPs: 0/65534` and `./ztlp agent tunnels` shows no active tunnels

Expected Flow

- Agent DNS intercepts the query for `beta.chooseforce.com`; `domain_map` maps it to `beta.techrockstars.ztlp`
- Agent queries NS and gets the gateway address (`10.0.0.112:23098`, service `beta`)
- Agent assigns the next VIP from the pool and binds a TCP listener on it
- Agent creates a ZTLP tunnel to the gateway
- Agent returns the VIP as a DNS A record
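The interception decision described in the flow above, written out as an added illustration (not code from the ZTLP project or from `proto/src/agent/dns.rs`). It models only the agent-local part: zone matching, the `domain_map` lookup, and VIP assignment from the `127.100.0.0/16` pool; the NS query, TCP listener and tunnel setup are out of scope. The `DnsConfig`, `VipPool` and `Resolution` types, and the fallback from an exact `domain_map` key to its parent labels, are assumptions made here; the field names mirror the report's config keys.

```rust
// Added illustration of the expected resolver decision; not ZTLP project code.
use std::collections::HashMap;
use std::net::Ipv4Addr;

/// Subset of [dns] from agent.toml that drives interception (assumed struct).
pub struct DnsConfig {
    pub enabled: bool,
    pub zones: Vec<String>,
    pub domain_map: HashMap<String, String>,
}

/// Outcome of resolving one query name.
#[derive(Debug, PartialEq, Eq)]
pub enum Resolution {
    /// Answer with a loopback VIP and set up a tunnel to this .ztlp target.
    Intercept { vip: Ipv4Addr, target: String },
    /// Not under a configured zone: forward to upstream DNS.
    Passthrough,
    /// In a zone and mapped, but no VIP left; must NOT leak to upstream.
    PoolExhausted,
}

const VIP_BASE: u32 = u32::from_be_bytes([127, 100, 0, 0]);
/// 127.100.0.0 and 127.100.255.255 are reserved, leaving 65534 usable
/// addresses, which matches "VIPs: 0/65534" in the status output.
pub const VIP_CAPACITY: u32 = 65534;

/// Agent-local VIP pool: one stable VIP per target, handed out sequentially.
pub struct VipPool {
    next: u32,                           // host offset of next free address
    assigned: HashMap<String, Ipv4Addr>, // target -> VIP
}

impl VipPool {
    pub fn new() -> Self {
        VipPool { next: 1, assigned: HashMap::new() }
    }
    pub fn in_use(&self) -> usize {
        self.assigned.len()
    }
    /// Reuse the VIP already bound to a target, or allocate the next free one.
    pub fn assign(&mut self, target: &str) -> Option<Ipv4Addr> {
        if let Some(v) = self.assigned.get(target) {
            return Some(*v);
        }
        if self.next > VIP_CAPACITY {
            return None;
        }
        let vip = Ipv4Addr::from(VIP_BASE + self.next);
        self.next += 1;
        self.assigned.insert(target.to_string(), vip);
        Some(vip)
    }
}

/// DNS names are case-insensitive and may carry a trailing dot.
fn normalize(name: &str) -> String {
    name.trim_end_matches('.').to_ascii_lowercase()
}

/// True when `name` equals `zone` or is a subdomain of it (label boundary).
fn in_zone(name: &str, zone: &str) -> bool {
    name == zone || name.strip_suffix(zone).map_or(false, |p| p.ends_with('.'))
}

/// Decide whether a query is intercepted, and with which VIP.
pub fn resolve(cfg: &DnsConfig, pool: &mut VipPool, qname: &str) -> Resolution {
    if !cfg.enabled {
        return Resolution::Passthrough;
    }
    let name = normalize(qname);
    if !cfg.zones.iter().any(|z| in_zone(&name, &normalize(z))) {
        return Resolution::Passthrough;
    }
    // Most specific domain_map entry wins: exact name first, then each parent.
    // (Parent fallback is an assumption; the report only shows an exact key.)
    let mut candidate = name.as_str();
    loop {
        if let Some(target) = cfg.domain_map.get(candidate) {
            return match pool.assign(target) {
                Some(vip) => Resolution::Intercept { vip, target: target.clone() },
                None => Resolution::PoolExhausted,
            };
        }
        match candidate.find('.') {
            Some(i) => candidate = &candidate[i + 1..],
            None => return Resolution::Passthrough,
        }
    }
}

/// The [dns] section from the report's agent.toml, constructed here as sample input.
pub fn sample_config() -> DnsConfig {
    let mut domain_map = HashMap::new();
    domain_map.insert("beta.chooseforce.com".to_string(), "beta.techrockstars.ztlp".to_string());
    DnsConfig { enabled: true, zones: vec!["beta.chooseforce.com".to_string()], domain_map }
}

fn main() {
    let cfg = sample_config();
    let mut pool = VipPool::new();
    println!("{:?}", resolve(&cfg, &mut pool, "beta.chooseforce.com."));
    println!("{:?}", resolve(&cfg, &mut pool, "example.org"));
    println!("VIPs: {}/{}", pool.in_use(), VIP_CAPACITY);
}
```

The point of the `PoolExhausted` variant is the failure mode the report shows from the other side: whenever a name is under a configured zone, the resolver must answer from the agent and never fall through to upstream, because an upstream answer is exactly the public-IP leak in the "Actual" section.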
Environment

- macOS (Apple Silicon), ztlp v0.9.13
- Agent source: `proto/src/agent/dns.rs`, `proto/src/agent/domain_map.rs`

Additional Notes

- Manual `ztlp connect` works fine — handshake + tunnel + TCP bridge all functional
- NS has `beta.techrockstars.ztlp` registered with an SVC record pointing to `10.0.0.112:23098`
- macOS: port 5353 is taken by mDNS (Bonjour), and `127.0.0.53` does not exist as a loopback alias
- The agent socket created by root (sudo) needs a chmod for non-root status queries
- Architecture decision: VIP assignment should stay agent-local (not centralized in NS), since loopback addresses are inherently per-machine