[Feature] Adding an option to prevent tailscale clients adding ~. to its DNS search domains for systemd-resolved.
#2256
Comments
|
The Tailscale SaaS behaves as follows when changing the setting Override local DNS: When enabled in the control plane, Tailscale configures systemd-resolved as default route ( $ resolvectl status tailscale0
Link 4 (tailscale0)
Current Scopes: DNS
Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.100.100.100
DNS Servers: 100.100.100.100
DNS Domain: taile8db11.ts.net ~.
Default Route: yesWhen disabled in the control plane, Tailscale will not set the default route ( $ resolvectl status tailscale0
Link 4 (tailscale0)
Current Scopes: DNS
Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.100.100.100
DNS Servers: 100.100.100.100
DNS Domain: taile8db11.ts.net ~0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa ~100.100.in-addr.arpa ~101.100.in-addr.arpa ~102.100.in-addr.arpa ~103.100.in-addr.arpa ~104.100.in-addr.arpa ~105.100.in-addr.arpa ~106.100.in-addr.arpa
~107.100.in-addr.arpa ~108.100.in-addr.arpa ~109.100.in-addr.arpa ~110.100.in-addr.arpa ~111.100.in-addr.arpa ~112.100.in-addr.arpa ~113.100.in-addr.arpa ~114.100.in-addr.arpa ~115.100.in-addr.arpa ~116.100.in-addr.arpa
~117.100.in-addr.arpa ~118.100.in-addr.arpa ~119.100.in-addr.arpa ~120.100.in-addr.arpa ~121.100.in-addr.arpa ~122.100.in-addr.arpa ~123.100.in-addr.arpa ~124.100.in-addr.arpa ~125.100.in-addr.arpa ~126.100.in-addr.arpa
~127.100.in-addr.arpa ~64.100.in-addr.arpa ~65.100.in-addr.arpa ~66.100.in-addr.arpa ~67.100.in-addr.arpa ~68.100.in-addr.arpa ~69.100.in-addr.arpa ~70.100.in-addr.arpa ~71.100.in-addr.arpa ~72.100.in-addr.arpa
~73.100.in-addr.arpa ~74.100.in-addr.arpa ~75.100.in-addr.arpa ~76.100.in-addr.arpa ~77.100.in-addr.arpa ~78.100.in-addr.arpa ~79.100.in-addr.arpa ~80.100.in-addr.arpa ~81.100.in-addr.arpa ~82.100.in-addr.arpa
~83.100.in-addr.arpa ~84.100.in-addr.arpa ~85.100.in-addr.arpa ~86.100.in-addr.arpa ~87.100.in-addr.arpa ~88.100.in-addr.arpa ~89.100.in-addr.arpa ~90.100.in-addr.arpa ~91.100.in-addr.arpa ~92.100.in-addr.arpa
~93.100.in-addr.arpa ~94.100.in-addr.arpa ~95.100.in-addr.arpa ~96.100.in-addr.arpa ~97.100.in-addr.arpa ~98.100.in-addr.arpa ~99.100.in-addr.arpa ~ts.net
Default Route: noAs a workaround, one may configure domains and the default route explicitly on the Likely this will only last until the next network change where tailscale gets a chance to reconfigure DNS. |
|
Another workaround is to set headscale's global dns to empty, in which case the system will not use tailscale's dns to resolve other domains even if |
Use case
systemd-resolved works as a multicast DNS server, which means by default when it queries domains, it will try all available providers, and use the fastest result, unless the domain matches one of DNS search domains of one provider, then it will only use this provider to query.
Tailscale by default registers itself as one of providers of systemd-resolved, but it adds
~.to its DNS search domains, this means all domains will match, and makes systemd-resolved's multicast invalid, all DNS queries go to tailscale's DNS. User may only wants to query tailscale domains via tailscale.Description
Setting
tailcfg.DNSConfig.FallbackResolversinstead oftailcfg.DNSConfig.Resolverscan prevent tailscale clients from adding~.. In previous version this behavior is controlled byoverride_local_dns, but this option is removed because it does not work as intended, and then we lose a way to control this behavior.Is there any chance to add an option to control setting
tailcfg.DNSConfig.FallbackResolversinstead oftailcfg.DNSConfig.Resolvers?Contribution
How can it be implemented?
Just bring back https://github.com/juanfont/headscale/pull/905/files#diff-0e426a43248661127a0c0ee115aef7a1093b635f8993b3f7ebb1dd9f05b8f249R406-R410, but with a better option to describe what it does?
The text was updated successfully, but these errors were encountered: