Abusing Public DNS for Zerotier Routing

Picking a Mesh VPN

I've been a big fan of mesh VPNs for many years now. It's great to not have to deal with Strongswan or OpenVPN on a central server. Mesh VPNs also come with intelligent routing, so if both of my devices are at home on the same network they will dial each other directly. This concept also combines nicely with my interest in setting up a BeyondCorp analog for my home use.

I used to run a private cloud on Tinc, but adding new devices was extremely cumbersome and there is no mobile device support.

After looking into alternatives, I discovered Tailscale and Zerotier. I don't need the hardcore firewall rules of Tailscale, so I decided to set up Zerotier on all of my devices. The installation truly is less than 5 minutes - I am impressed.

Abusing DNS

I can set custom IPs in my class B address space (prefix 172.xx), but I don't want to memorize them all. Even though it's not up to DNS spec, we can set internal IPs as A records on Amazon Route53 and have them resolve to the Zerotier address space.

I don't view it as a strong security risk, because even if someone knows my internal VPN IP, they still have to break into the network to route any requests to my devices.

By setting up semi-proper DNS for my machines, I can completely detach from the physical network layout and have all of my proxies and scripts reference the internal VPN DNS names. This works extremely well - I can move my server and plug it into any network, and still be able to access it.
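An added example of the Route53 side of this setup (my own illustration, not code from the post): it builds the change batch that publishes one A record per Zerotier member, and refuses any address that is not inside the Zerotier managed range, so a LAN or public IP can't slip into the zone. The member names, the 172.22.0.0/16 range and the vpn.example.com zone are constructed placeholders.

```python
import ipaddress
import json

# Constructed sample: hypothetical Zerotier member names and their managed IPs.
# The 172.22.0.0/16 range and the zone name are placeholders, not the post's values.
ZEROTIER_NET = ipaddress.ip_network("172.22.0.0/16")
ZONE = "vpn.example.com"
MEMBERS = {
    "nas": "172.22.0.5",
    "laptop": "172.22.0.12",
    "phone": "172.22.0.40",
}


def build_change_batch(zone, members, allowed_net, ttl=300):
    """Return a Route53 ChangeBatch that UPSERTs one A record per member.

    Every address is parsed and checked against the Zerotier managed range,
    so only VPN addresses end up in the public zone.
    """
    changes = []
    for host, addr in sorted(members.items()):
        ip = ipaddress.ip_address(addr)
        if ip.version != 4 or ip not in allowed_net:
            raise ValueError(f"{host}: {addr} is outside {allowed_net}")
        changes.append({
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": f"{host}.{zone}.",   # trailing dot: fully qualified name
                "Type": "A",
                "TTL": ttl,
                "ResourceRecords": [{"Value": str(ip)}],
            },
        })
    return {"Comment": "Zerotier member addresses", "Changes": changes}


def record_names(batch):
    """The fully qualified names a batch will write, for a quick review before applying it."""
    return [c["ResourceRecordSet"]["Name"] for c in batch["Changes"]]


if __name__ == "__main__":
    # Emit the JSON that `aws route53 change-resource-record-sets
    # --hosted-zone-id <ZONE_ID> --change-batch file://batch.json` consumes.
    print(json.dumps(build_change_batch(ZONE, MEMBERS, ZEROTIER_NET), indent=2))
```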

Mobile Support

Most importantly, I now have easy addresses to use on my mobile devices. I can install the app and join my network, then use Files, Termius, or Solid Explorer to view my files and media on the go.