Feature Request: Add Support for Centrally Managed Static DNS Records

[tkloda]

Is your feature request related to a problem? Please describe.
Yes, it is. When managing internal services like relays, databases, or application backends within a NetBird network, we rely on DNS resolvers to connect to them via hostnames. This reliance introduces a potential point of failure and adds latency. If our designated DNS resolver is slow, misconfigured, or temporarily unavailable, access to critical internal infrastructure is disrupted. We need a more resilient and faster way to resolve a few key internal hostnames that is independent of traditional DNS queries.

Describe the solution you'd like
I would like a new feature within the NetBird management UI, preferably under the DNS section, called Static DNS Records (or a similar name). This feature would allow an administrator to define a list of static host-to-IP mappings.

For example, I could create an entry like:

- Hostname: relay01.domain.com

- IP Address: 192.168.0.1

These defined records would be pushed out to all connected NetBird clients. When a client needs to resolve relay01.domain.com, it would immediately use the provided IP 192.168.0.1 from its local NetBird configuration, completely bypassing any system or network DNS resolvers. This would function like a centrally-managed, distributed hosts file for the entire VPN.

Describe alternatives you've considered

1. Manually editing the hosts file on each client: This is not a viable solution. It is extremely difficult to manage, scale, and keep updated across multiple devices. It's also highly error-prone and requires manual access to every machine.

2. Running a dedicated internal DNS server: This adds significant overhead. It requires setting up, securing, and maintaining another piece of infrastructure just to resolve a handful of static internal records. This complicates the network setup and introduces another potential point of failure, which is what we are trying to avoid.

Additional context
This feature would greatly improve the speed and resilience of connections to critical internal infrastructure. For services like high-availability relays or jump hosts, having their hostnames resolve instantly and reliably, without external dependencies, is a major advantage. It simplifies the overall network architecture by removing the need for complex split-DNS configurations for a few essential services.

[i-am-ez76]

i would actually love to have also the option to add an internal DNS for netbird agents that we use on servers.
so anyone connected to netbird can use the internal FQDN of the office domain and it will be forwarded to the netbird FQDN .
just like renaming the hostname in netbird, will be able to give it the office internal FQDN as an alias.

[1nerdyguy]

As long as it's opt in. I personally don't like the idea of managing my DNS outside of, well, my DNS environment. We setup resilient and highly available DNS for this reason

[PowershellScripter]

This would be very similar to Tailscale's MagicDNS feature where the list of entries provided to the clients creates a tailscale section within the local host file of the system that gets added and removed on connection. Its great for environments that dont have dedicated DNS servers or if you want internal services exposed without needing to expose them to the internet. Tailscale / Headscale does go one step further and they have a way to create an SSL cert for internal services, but thats beyond the needs of most.

This feature would be beneficial in another sense too. If you could have static records exposed to all the clients, you could also use that as a firewall. Blocking services like facebook, discord, spotify, etc..

+1 This request

[mlsmaycon]

Hey folks, we are looking into adding custom zones in October. The idea is to allow you to have full private zones configuration that will be pushed down to clients in specific distribution groups.

@tkloda the issue for me isn't clear if is related to management, relay and signal domains or specific company services.

@PowershellScripter TLS is coming too, but later in Q4 with let's encrypt

[tkloda]

@mlsmaycon
The issue we're facing is with the management, relay, and signal domains. On our self-hosted Netbird instance, the DNS resolution for our custom NetBird domains is unreliable due to the complex nature of our network environment. We have found that the most reliable solution would be to bypass the network's DNS for these specific domains. Therefore, we propose a feature that would allow administrators to push static DNS entries directly to the Netbird clients. This would ensure reliable connectivity and would be a game-changer for complex network deployments like ours.

[MisterDuval]

any date for this feature release @mlsmaycon ?

[ddesmond]

I am in the same boat here, Static DNS for the win! +1!

[Darren-Cederman]

Hi, we also would be interested in this feature for a few static entries.
Our idea is for external collaborators that we provide netbird for segmented access, but we don't want to expose our DNS server to. DNS server is fine for managed devices.

Is there any ETA for this?

[brenner-tobias]

+1, happy to receive an update on this

[mlsmaycon]

This is in the works now: #4849

[SuperKali]

@mlsmaycon Amazing!

Thank you 🙏