Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature] Adding an option to prevent tailscale clients adding ~. to its DNS search domains for systemd-resolved. #2256

Open
1 of 2 tasks
AlynxZhou opened this issue Nov 25, 2024 · 3 comments · May be fixed by #2438
Open
1 of 2 tasks

[Feature] Adding an option to prevent tailscale clients adding ~. to its DNS search domains for systemd-resolved. #2256

AlynxZhou opened this issue Nov 25, 2024 · 3 comments · May be fixed by #2438
Labels
enhancement New feature or request

Comments

@AlynxZhou
Copy link

Use case

systemd-resolved works as a multicast DNS server, which means by default when it queries domains, it will try all available providers, and use the fastest result, unless the domain matches one of DNS search domains of one provider, then it will only use this provider to query.

Tailscale by default registers itself as one of providers of systemd-resolved, but it adds ~. to its DNS search domains, this means all domains will match, and makes systemd-resolved's multicast invalid, all DNS queries go to tailscale's DNS. User may only wants to query tailscale domains via tailscale.

Description

Setting tailcfg.DNSConfig.FallbackResolvers instead of tailcfg.DNSConfig.Resolvers can prevent tailscale clients from adding ~.. In previous version this behavior is controlled by override_local_dns, but this option is removed because it does not work as intended, and then we lose a way to control this behavior.

Is there any chance to add an option to control setting tailcfg.DNSConfig.FallbackResolvers instead of tailcfg.DNSConfig.Resolvers?

Contribution

  • I can write the design doc for this feature
  • I can contribute this feature

How can it be implemented?

Just bring back https://github.com/juanfont/headscale/pull/905/files#diff-0e426a43248661127a0c0ee115aef7a1093b635f8993b3f7ebb1dd9f05b8f249R406-R410, but with a better option to describe what it does?
@AlynxZhou AlynxZhou added the enhancement New feature or request label Nov 25, 2024
@nblock
Copy link
Collaborator

nblock commented Dec 20, 2024
edited
Loading

The Tailscale SaaS behaves as follows when changing the setting Override local DNS:

When enabled in the control plane, Tailscale configures systemd-resolved as default route (+DefaultRoute) and also
configures a route-only domain ~. so all domains will match and Tailscale will receive all DNS requests.

$ resolvectl status tailscale0
Link 4 (tailscale0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.100.100.100
       DNS Servers: 100.100.100.100
        DNS Domain: taile8db11.ts.net ~.
     Default Route: yes

When disabled in the control plane, Tailscale will not set the default route (-DefaultRoute) and the route-only domain
is not present in the list of DNS domains. It will only handle requests that match the list of domains.

$ resolvectl status tailscale0
Link 4 (tailscale0)
    Current Scopes: DNS
         Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.100.100.100
       DNS Servers: 100.100.100.100
        DNS Domain: taile8db11.ts.net ~0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa ~100.100.in-addr.arpa ~101.100.in-addr.arpa ~102.100.in-addr.arpa ~103.100.in-addr.arpa ~104.100.in-addr.arpa ~105.100.in-addr.arpa ~106.100.in-addr.arpa
                    ~107.100.in-addr.arpa ~108.100.in-addr.arpa ~109.100.in-addr.arpa ~110.100.in-addr.arpa ~111.100.in-addr.arpa ~112.100.in-addr.arpa ~113.100.in-addr.arpa ~114.100.in-addr.arpa ~115.100.in-addr.arpa ~116.100.in-addr.arpa
                    ~117.100.in-addr.arpa ~118.100.in-addr.arpa ~119.100.in-addr.arpa ~120.100.in-addr.arpa ~121.100.in-addr.arpa ~122.100.in-addr.arpa ~123.100.in-addr.arpa ~124.100.in-addr.arpa ~125.100.in-addr.arpa ~126.100.in-addr.arpa
                    ~127.100.in-addr.arpa ~64.100.in-addr.arpa ~65.100.in-addr.arpa ~66.100.in-addr.arpa ~67.100.in-addr.arpa ~68.100.in-addr.arpa ~69.100.in-addr.arpa ~70.100.in-addr.arpa ~71.100.in-addr.arpa ~72.100.in-addr.arpa
                    ~73.100.in-addr.arpa ~74.100.in-addr.arpa ~75.100.in-addr.arpa ~76.100.in-addr.arpa ~77.100.in-addr.arpa ~78.100.in-addr.arpa ~79.100.in-addr.arpa ~80.100.in-addr.arpa ~81.100.in-addr.arpa ~82.100.in-addr.arpa
                    ~83.100.in-addr.arpa ~84.100.in-addr.arpa ~85.100.in-addr.arpa ~86.100.in-addr.arpa ~87.100.in-addr.arpa ~88.100.in-addr.arpa ~89.100.in-addr.arpa ~90.100.in-addr.arpa ~91.100.in-addr.arpa ~92.100.in-addr.arpa
                    ~93.100.in-addr.arpa ~94.100.in-addr.arpa ~95.100.in-addr.arpa ~96.100.in-addr.arpa ~97.100.in-addr.arpa ~98.100.in-addr.arpa ~99.100.in-addr.arpa ~ts.net
     Default Route: no

As a workaround, one may configure domains and the default route explicitly on the tailscale0 link and "undo" the DNS override:

resolvectl domain tailscale0 tn.example.com
resolvectl default-route tailscale0 off

Likely this will only last until the next network change where tailscale gets a chance to reconfigure DNS.

@st0nie
Copy link

st0nie commented Dec 30, 2024
edited
Loading

Another workaround is to set headscale's global dns to empty, in which case the system will not use tailscale's dns to resolve other domains even if tailscale --accept-dns. But the disadvantage of this workaround is that if the linux system does not use systemd-resolved but uses 100.100.100.100 as the dns, the system won't be able to resolve domains except headscale domain (because the upstream dns is not set).

@Toomoch
Copy link

Toomoch commented Feb 3, 2025

This is a big problem, as I can't resolve local domains served by my router's DNS server (.lan) and tailscale names at the same time. It's one or the other with --accept-dns. Interestingly, in Android everything works correctly.

nblock added a commit to nblock/headscale that referenced this issue Feb 20, 2025
@nblock
Restore support for "Override local DNS"
ac3f5f1 
Tailscale allows to override the local DNS settings of a node via
"Override local DNS" [1]. Restore this flag with the same config setting
name "dns.override_local_dns" but disable it by default to align it with
Tailscale's default behaviour.

Tested with Tailscale 1.80.2 and systemd-resolved on Debian 12.

With `dns.override_local_dns: false`:

  Link 12 (tailscale0)
  Current Scopes: DNS
       Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
     DNS Servers: 100.100.100.100
      DNS Domain: tn.example.com ~0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa [snip]

With `dns.override_local_dns: true`:

  Link 12 (tailscale0)
  Current Scopes: DNS
       Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
     DNS Servers: 100.100.100.100
      DNS Domain: tn.example.com ~.

[1] https://tailscale.com/kb/1054/dns#override-local-dns

Fixes: juanfont#2256
nblock added a commit to nblock/headscale that referenced this issue Feb 20, 2025
@nblock
Restore support for "Override local DNS"
ad95e74 
Tailscale allows to override the local DNS settings of a node via
"Override local DNS" [1]. Restore this flag with the same config setting
name "dns.override_local_dns" but disable it by default to align it with
Tailscale's default behaviour.

Tested with Tailscale 1.80.2 and systemd-resolved on Debian 12.

With `dns.override_local_dns: false`:

```
Link 12 (tailscale0)
Current Scopes: DNS
     Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
   DNS Servers: 100.100.100.100
    DNS Domain: tn.example.com ~0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa [snip]
```

With `dns.override_local_dns: true`:

```
Link 12 (tailscale0)
Current Scopes: DNS
     Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
   DNS Servers: 100.100.100.100
    DNS Domain: tn.example.com ~.
```

[1] https://tailscale.com/kb/1054/dns#override-local-dns

Fixes: juanfont#2256
nblock added a commit to nblock/headscale that referenced this issue Feb 20, 2025
@nblock
Restore support for "Override local DNS"
cafe36a 
Tailscale allows to override the local DNS settings of a node via
"Override local DNS" [1]. Restore this flag with the same config setting
name `dns.override_local_dns` but disable it by default to align it with
Tailscale's default behaviour.

Tested with Tailscale 1.80.2 and systemd-resolved on Debian 12.

With `dns.override_local_dns: false`:

```
Link 12 (tailscale0)
Current Scopes: DNS
     Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
   DNS Servers: 100.100.100.100
    DNS Domain: tn.example.com ~0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa [snip]
```

With `dns.override_local_dns: true`:

```
Link 12 (tailscale0)
Current Scopes: DNS
     Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
   DNS Servers: 100.100.100.100
    DNS Domain: tn.example.com ~.
```

[1] https://tailscale.com/kb/1054/dns#override-local-dns

Fixes: juanfont#2256
@nblock nblock linked a pull request Feb 20, 2025 that will close this issue
Open
6 tasks
nblock added a commit to nblock/headscale that referenced this issue Feb 20, 2025
@nblock
Restore support for "Override local DNS"
245f507 
Tailscale allows to override the local DNS settings of a node via
"Override local DNS" [1]. Restore this flag with the same config setting
name `dns.override_local_dns` but disable it by default to align it with
Tailscale's default behaviour.

Tested with Tailscale 1.80.2 and systemd-resolved on Debian 12.

With `dns.override_local_dns: false`:

```
Link 12 (tailscale0)
Current Scopes: DNS
     Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
   DNS Servers: 100.100.100.100
    DNS Domain: tn.example.com ~0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa [snip]
```

With `dns.override_local_dns: true`:

```
Link 12 (tailscale0)
Current Scopes: DNS
     Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
   DNS Servers: 100.100.100.100
    DNS Domain: tn.example.com ~.
```

[1] https://tailscale.com/kb/1054/dns#override-local-dns

Fixes: juanfont#2256
nblock added a commit to nblock/headscale that referenced this issue Mar 2, 2025
@nblock
Restore support for "Override local DNS"
3367193 
Tailscale allows to override the local DNS settings of a node via
"Override local DNS" [1]. Restore this flag with the same config setting
name `dns.override_local_dns` but disable it by default to align it with
Tailscale's default behaviour.

Tested with Tailscale 1.80.2 and systemd-resolved on Debian 12.

With `dns.override_local_dns: false`:

```
Link 12 (tailscale0)
Current Scopes: DNS
     Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
   DNS Servers: 100.100.100.100
    DNS Domain: tn.example.com ~0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa [snip]
```

With `dns.override_local_dns: true`:

```
Link 12 (tailscale0)
Current Scopes: DNS
     Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
   DNS Servers: 100.100.100.100
    DNS Domain: tn.example.com ~.
```

[1] https://tailscale.com/kb/1054/dns#override-local-dns

Fixes: juanfont#2256
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Restore support for "Override local DNS" nblock/headscale
4 participants
@nblock @AlynxZhou @Toomoch @st0nie