Redo DNS configuration #2034
Redo DNS configuration #2034
Conversation
|
This PR is in progress, I think the DNS part is working as it should but I ran into some issues with Viper and loading config from Environment variables which prevented me from writing all the tests that was missing and is needed. If someone takes it for a spin, that would be great, I will continue next week. |
| - 1.1.1.1 | ||
| - 1.0.0.1 | ||
| - 2606:4700:4700::1111 | ||
| - 2606:4700:4700::1001 |
There was a problem hiding this comment.
For this cloudflare example it looks like they have a DoH endpoint at: https://cloudflare-dns.com/dns-query (from https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/make-api-requests/)
There was a problem hiding this comment.
I would think that it would work, but I have not actually tested it, happy to include it if someone can test it, but that can be a follow up PR too.
There was a problem hiding this comment.
Another question: by default resolv.conf only takes 3 name servers. How does tailscale handle more?
There was a problem hiding this comment.
resolv.conf is a "fallback" for tailscale, it will try a number of ways before using resolv.conf.
In this case, when you override DNS, the DNS server in resolv.conf will be 100.100.100.100, which lives inside the tailscale daemon, and it will proxy everything.
There was a problem hiding this comment.
you can see this in the integration tests https://github.com/juanfont/headscale/pull/2034/files#diff-6534f1d1f61ff53e7fe7de90f7736900614802c5bdaa10a63f485316b95351c2R126
kradalby
force-pushed
the
kradalby/redo-dns-config
branch
3 times, most recently
from
052f780 to
ccb2cc7
Compare
|
I found this PR linked from bug 2029. After updating to beta1, tailscale started messing with my /etc/resolv.conf and broke internet connectivity under Linux and every client lost its ability to resolve any DNS records ... I was able to get around that by using |
You will be able to set a null/empty value to all settings under the I would like to add that the breakage in beta1 was unfortunate, but when the fix is in, I would not expect it to fail in that way as you likely have had Tailscale take over your connection up until this point. |
kradalby
force-pushed
the
kradalby/redo-dns-config
branch
from
a6a8f8c to
9333d6b
Compare
kradalby
force-pushed
the
kradalby/redo-dns-config
branch
from
cb85784 to
e456f0d
Compare
|
It's a little confusing new setup, was: |
They need to be different, so you could do clients.headscale.site.com for example |
|
If you still need to test it please tell me if this OK? |
|
@masterwishx how did this work for you? |
| magic_dns: true | ||
|
|
||
| # Defines the base domain to create the hostnames for MagicDNS. | ||
| # This domain _must_ be different from the server_url domain. |
There was a problem hiding this comment.
Different as in different subdomains or different TLDs?
Would headscale.example.com and scale.example.com work?
There was a problem hiding this comment.
different (sub)domains, your example works.
Could also do
headscale.net as the server
clients.headscale.net as clients
Technically could do
server.headscale.net as the server
headscale.net as clients (as long as you dont have a node called server)
There was a problem hiding this comment.
we dont need any changes for Nginx proxy Manger also ?
if was :
server_url: https://headscale.site.com
base_domain: headscale.site.com
and will be :
server_url: https://headscale.site.com
base_domain: clients.headscale.site.com
There was a problem hiding this comment.
I dont think so, but I dont know anything about nginx proxy manager.
There was a problem hiding this comment.
This is a real shame - is there a technical reason why this can't be allowed, or is it a case of being too difficult/risky to support over the rewrite?
I guess what I'm really asking is: is there a possibility of me (or someone else) making a patch to change this down the line?
Nevermind, I've reread the code and noticed the error it gives you
server_url cannot contain the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node.
Apologies for the noise 🙏
There was a problem hiding this comment.
No problem, It is one of these things that "we dont want to add this", but it is how upstream works, and we dont really have any choice, and I understand why it happens upstream too. We just initially implemented it wrongly.
| "HEADSCALE_DNS_USE_USERNAME_IN_MAGIC_DNS": "true", | ||
|
|
||
| // TODO(kradalby): Figure out how to pass these as env vars | ||
| // "HEADSCALE_DNS_NAMESERVERS_SPLIT": `{foo.bar.com: ["1.1.1.1"]}`, |
There was a problem hiding this comment.
maybe something like?
HEADSCALE_DNS_NAMESERVERS_SPLIT=foo.bar.com=[1.1.1.1,1.0.0.1],buzz.bar.com=[8.8.8.8,8.4.4.8]
There was a problem hiding this comment.
hmm, doesnt seem to work either, now that we dont add them to the search path, it does have limited value, so happy to leave it for now.
kradalby
force-pushed
the
kradalby/redo-dns-config
branch
from
0b2c39a to
a240842
Compare
|
Thanks @SuperSandro2000, think I addressed all comments. |
Sorry not checked yet , i see you added more changes here ? |
kradalby
force-pushed
the
kradalby/redo-dns-config
branch
from
23881cf to
63941c0
Compare
this commit changes and streamlines the dns_config into a new key, dns. It removes a combination of outdates and incompatible configuration options that made it easy to confuse what headscale could and could not do, or what to expect from ones configuration. Signed-off-by: Kristoffer Dalby <[email protected]>
kradalby
force-pushed
the
kradalby/redo-dns-config
branch
from
63941c0 to
3a098e5
Compare
| // - MagicDNS (BaseDomain) for users is on a *.ts.net domain per tailnet (e.g. tail-scale.ts.net) | ||
| // | ||
| // TODO(kradalby): remove dnsConfig.UserNameInMagicDNS check when removed. | ||
| if !dnsConfig.UserNameInMagicDNS && dnsConfig.BaseDomain != "" && strings.Contains(serverURL, dnsConfig.BaseDomain) { |
There was a problem hiding this comment.
I could be wrong, but I wonder if the string.Contains check might be too strict of a test. I want to use (for example) https://bar.foo.com as my server_url, and just foo as my dns.base_domain, but this check rejects that. I've manually removed the check and this seems to work without issue.
|
Since the change got more restrictive, I also posted a question whether it's safe to change |
This PR aims to redo (simplify and correct) DNS configuration to match what is possible with Tailscale.
TLDR: currently we have several settings that are either incompatible together, dont do what they sound like, or some dont work the way we thought at the time we, or a contributor implemented them.
DNS has been one of these things that mostly worked and had not been revisited until I got #1963 which I looked at, thought, I can easily knock this one out, and then I messed up everything. DNS config was very much a patchwork that had been changed over time and a lot of this work was from before we had integration tests.
It is embarrassing that it made it into the beta, but I suppose its a very efficient way to prioritise work...
This screwup has caused me to revisit the DNS config and I discovered that:
Notable changes for people coming here from the CHANGELOG:
dns_configis nowdns.override_local_dns: has been removed, if magic_dns or the other dns options are used, Tailscale needs to take over the DNS configuration. Clients can opt out by passing--accept-dns=false(https://tailscale.com/kb/1235/resolv-conf)domainshas been renamed tosearch_domainsto describe what it actually is.nameservershas become a root key, where:old
nameserversis nownameservers.globalandrestricted_nameserversis nownameservers.splitto describe the fact that it was configuring Split DNS.These settings now reflect what Tailscale (https://login.tailscale.com/admin/dns) allows you to do, but note, we still have some additional features like
extra_recordswhich has been preserved under the same key ;).TODO:
Reverts DNS search path part of #1987
Fixes #2026
Fixes #2047
Fixes #1936
Fixes #2025
Fixes #2029
Updates #2024
Updates #1963