Leave netbird for these breaking SSH and DNS changes?

Hi,

The new DNS and SSH behaviour really makes me reconsider using NetBird. I was planning to use NetBird to manage a fleet of PC/Raspberry Pi probes running Debian/Raspbian. Big selling points are familiar encryption (WireGuard) and a European solution (no discussions on digital sovereignty).

But with breaking DNS (the devices do network measurements; having something interfere with the DHCP-provided DNS and the IPv6-provided DNS breaks that) to the point that some devices cannot reach the internet anymore. Had this happened after rollout, a process of sending devices back, re-registering them etc. would have been needed. Breaking SSH (hijacking TCP port 22) breaks my configuration via Ansible and also remotely executing measurements and getting the results.

As these DNS and SSH features seem to be more geared to interactive sessions and use cases, I do not understand why they were made the default. I do not need simple names; Ansible inventories do just fine.

To the community, what's your advice? Drop NetBird and go to Tailscale, Nebula, ZeroTier etc.?

Andreas

I am of a similar mind at this point, and came very close to writing quite a long rant on the subreddit about it. The 0.59-0.60 releases have been an unmitigated disaster of breaking changes. It is unbelievable that this wasn't messaged in advance. There wasn't even an acknowledgment that this was bad practice, and I see no reason to believe it won't happen again. This, coupled with the out-of-date and consistently broken mobile apps, makes me consider moving as well.

Unfortunately, I have yet to find a really suitable alternative. My use case is a self-hosted cloud for about 20 people. Tailscale is cost-prohibitive for this and only gives nerfed ACLs for the base pay-per-seat model. At least it's reliable though; I genuinely cannot imagine paying for NetBird in its current state. Headscale was more reliable, but has some significant limitations for policy management. Everyone talks about the risk of the os client getting out of date with a closed-source master server, but NetBird is still less reliable even while being completely open source. ZeroTier hosted is outrageously expensive, though I think most of it can be self-hosted. I haven't gone down that path yet but am considering it.

@Andreas_Berger @jfrconley
Just for my own use-case analysis, what specifically is the issue? As far as I have experienced, I use my own DNS server. What has changed in DNS that breaks your own use cases?

As for SSH, as long as you don't enable the SSH feature, regular SSH over port 22 should still operate as before. However, correct me if I am wrong.

Found the quote:

You use the above to make it use the old/legacy mode ^

Hi @Andreas_Berger, I’m from the NetBird team.

Sorry to hear you’re having issues with v0.60. Could you describe the issues you’re having with DNS? We haven’t made any changes to DNS functionality recently - certainly no breaking ones - so I’m unsure why you’d suddenly be facing issues now. If you’d like, I can help you troubleshoot on our public Slack.

@jfrconley Again, sorry to see you've been facing issues, and a description of the specific issues you're facing would be helpful here. Regarding our messaging for the SSH breaking change: it was made clear (or so we thought) on Reddit, Slack, GitHub and this forum. On Slack, we made the announcement 2 weeks prior to the release, and on this forum there's a banner on every landing page:

Totally willing to admit if our messaging channels/strategy aren't adequate/sufficient, though! If you have any ideas on anything more we should be doing in this regard, please share them and I'll take them to the team for discussion :)

Cheers,
Ashley

Hi, OK, let's separate out the SSH and the DNS stuff.

I’ll start with SSH.

As for the communications, I think the criticism is more about the choice of introducing breaking defaults. That breaks trust that NetBird is safe in that regard. Ultimately, I want to use NetBird as the main connection to the machines; there is no cheap (remote hands, truck roll or iLO) or safe secondary way (leaving SSH open) to get to them, which is the point of using the NetBird overlay.

The question is why: leaving the default as the "old way" (port 22 untouched, port 22022 having the NetBird SSH daemon), then having one flag like "--enable/disable-ssh-port-22-intercept" would have avoided the whole issue; maybe that would also be possible to implement from the management UI.

Also, I like the idea of accessing the machines via the web terminal. But that could easily use port 22022. In the current way, I can only completely switch off SSH to get rid of the silent DNAT.

On DNS:

DNS on servers is configured manually, as are the IP addresses and routing tables. It is not that somebody sits in front of the machine and can try a different network or Wi-Fi or a manual setting to revive something. On servers I do not want anything fiddling around with the DNS. Remember: breaking the DNS breaks everything on the server, including the NetBird VPN, by cutting its connection to the management server and making the IPs inaccessible.

Again, same thing. The default should be to not touch anything on the machine. NetBird can offer a DNS server on its own address for use if needed; I am fine with that. But anything else should be explicitly enabled.

In my particular case the devices are in DSL/FTTx/DOCSIS subscribers' homes and use DHCP to get the DNS servers, and the measurement software uses them explicitly. I do not want an alien DNS to sit in between, change queries or do caching. Edge use case, maybe.

Andreas
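The two side effects Andreas describes above (something other than OpenSSH answering on TCP port 22, and resolver entries that did not come from DHCP) are both things a fleet operator can verify from the management side before and after an overlay-client rollout. The script below is an added example for this thread, not NetBird project code, and it deliberately uses no NetBird command or flag. It assumes the SSH identification line is fetched separately (for instance `nc -w 3 host 22 </dev/null | head -n1`) and passed in as text; the `SSH-2.0-Go` banner used in the demo is the default of Go's x/crypto/ssh library and is only an assumption about what a Go-based SSH server might send, not something stated about NetBird on this page. The resolv.conf contents and the DHCP nameserver list are constructed sample data.

```shell
#!/bin/sh
# Added example, not NetBird project code. Pre-flight checks a fleet
# operator can run per probe (e.g. from an Ansible "command" task):
#   1. is the service on TCP/22 still OpenSSH?
#   2. does /etc/resolv.conf list nameservers that DHCP did not hand out?
# Assumption: "SSH-2.0-Go" is the x/crypto/ssh default banner, used here
# only as a stand-in for "some non-OpenSSH server"; nothing on the page
# says what banner NetBird's own SSH server sends.

# classify_ssh_banner BANNER
# Prints openssh, other-ssh or not-ssh for an RFC 4253 identification line.
classify_ssh_banner() {
    banner=$(printf '%s' "$1" | tr -d '\r')
    case "$banner" in
        SSH-2.0-OpenSSH_*|SSH-1.99-OpenSSH_*) echo openssh ;;
        SSH-*)                                echo other-ssh ;;
        *)                                    echo not-ssh ;;
    esac
}

# foreign_nameservers RESOLV_CONF_FILE "NS1 NS2 ..."
# Prints every nameserver in the file that is not in the DHCP-provided
# list (argument 2, space separated). Empty output means nothing foreign.
foreign_nameservers() {
    dhcp_list=" $2 "
    awk '$1 == "nameserver" { print $2 }' "$1" | while read -r ns; do
        case "$dhcp_list" in
            *" $ns "*) ;;             # DHCP handed us this one
            *)         echo "$ns" ;;  # something else inserted it
        esac
    done
}

# preflight BANNER RESOLV_CONF_FILE "NS1 NS2 ..."
# Returns 0 when OpenSSH owns port 22 and no foreign resolver is present,
# 1 otherwise, so it can gate a play or raise an alert from cron.
preflight() {
    ok=0
    if [ "$(classify_ssh_banner "$1")" != openssh ]; then
        echo "WARN: port 22 is not OpenSSH: $1" >&2
        ok=1
    fi
    foreign=$(foreign_nameservers "$2" "$3")
    if [ -n "$foreign" ]; then
        echo "WARN: resolver(s) not from DHCP: $foreign" >&2
        ok=1
    fi
    return "$ok"
}

# Demo on constructed input (run: sh preflight.sh --demo).
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    # Constructed resolv.conf: first entry came from DHCP, second did not.
    printf 'nameserver 192.0.2.53\nnameserver 100.64.0.1\nsearch example.net\n' > "$tmp"
    if preflight 'SSH-2.0-Go' "$tmp" '192.0.2.53 2001:db8::53'; then
        echo "clean"
    else
        echo "needs attention"
    fi
    rm -f "$tmp"
fi
```

In practice the DHCP list comes from the lease file or `networkctl status` on the probe, and the banner from a connect to the probe's overlay address; the point of the check is that a rollout which silently changes either value fails loudly in the play instead of being discovered when a probe stops reporting.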