Unable to follow CNAME to magic dns record

[ocelotsloth]

What is the issue?

What happened:

When I have a DNS record set like this:

CNAME nextcloud.markstenglein.com --> cloudron.--------------.beta.tailscale.net

I am unable to reach that host at that domain name.

~
❯ ping -v nextcloud.markstenglein.com                
ping: nextcloud.markstenglein.com: Name or service not known

What I expected to happen:

If, instead, I directly add an A record to the IP address it does work. I expected this result from the CNAME as well.

~
❯ ping nextcloud.markstenglein.com                   
PING nextcloud.markstenglein.com (--.--.--.-- ) 56(84) bytes of data.
64 bytes from cloudron.--------------.beta.tailscale.net (--.--.--.-- ): icmp_seq=1 ttl=64 time=1.11 ms
64 bytes from cloudron.--------------.beta.tailscale.net (--.--.--.-- ): icmp_seq=2 ttl=64 time=0.951 ms
^C
--- nextcloud.markstenglein.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.951/1.030/1.109/0.079 ms

Probably unrelated

I've been having a lot of trouble with the dns resolution failing until I stop/restart tailscale. This happens both on Linux and Android 12.

I probably need to file a separate bug report for that. My suspicion is that that's entirely a different thing though so let's not waste too much time in this thread on that unless it's actually related.

Steps to reproduce

Set up magic DNS with a custom DNS server.

My setup might be a bit different...I've got one ec2 instance each in us-east-1 and us-west-2 running Pi-Hole. They're firewalled off so the only way to reach them is through tailscale.

I was able to get direct connections working today which should rule out anything to do with the relays...though it didn't seem a likely reason.

~
❯ tailscale status   
--.--.--.--    ocelotsloth-archdesk --------@ linux   -
--.--.--.--    cloudron             --------@ linux   -
--.--.--.--    dns-2                --------@ linux   active; direct --.--.--.--:41641, tx 110000 rx 79408
--.--.--.--    dns-home             --------@ linux   -
--.--.--.--    dns                  tagged-devices linux   active; direct --.--.--.--:41641, tx 324336 rx 2951824

I have dns and dns-2 configured as Global Nameservers (using the tailscale IP), with Override local DNS enabled.

On the dns servers, I configured the CNAME described at the start of this issue. Do this and my Android phone and Arch computers are unable to follow the CNAME.

Change that record to an A pointing at the tailscale IP (instead of the magic domain name) it will work.

Obviously just using the A record is a sufficient mitigation to keep me happy--but I wanted to report the issue with CNAME traversal just in case it wasn't a known thing yet.

Are there any recent changes that introduced the issue?

No recent changes--this has been an issue since I on-boarded.

OS

Linux, Android

OS version

Arch Linux, Android 12

Tailscale version

1.26.1

Bug report

BUG-f5650105cdbba214cc96bc47d9c0281f70f80520e943ccf75576ad5a1e3698db-20220710030346Z-b37363cc07a586cb

[DentonGentry]

If the DNS server configured with the CNAME for nextcloud.markstenglein.com is:

1. not running Tailscale, and
2. configured as a recursive resolver

then I think this is what happens. It finds the CNAME for cloudron.--------------.beta.tailscale.net, and tries to recursively resolve the A record for it but fails.

Come to think of it, even if Tailscale is installed it might still fail depending on the DNS server. It may be assuming that it can start from the public root servers and be able to resolve the name.

[ocelotsloth]

You'll probably want these:

With the A record:

~
❯ dig nextcloud.markstenglein.com   

; <<>> DiG 9.18.4 <<>> nextcloud.markstenglein.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48211
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;nextcloud.markstenglein.com.   IN      A

;; ANSWER SECTION:
nextcloud.markstenglein.com. 1  IN      A       --.--.--.--

;; Query time: 23 msec
;; SERVER: 100.100.100.100#53(100.100.100.100) (UDP)
;; WHEN: Sat Jul 09 23:27:34 EDT 2022
;; MSG SIZE  rcvd: 72

With a CNAME instead:

~
❯ dig nextcloud.markstenglein.com       

; <<>> DiG 9.18.4 <<>> my.markstenglein.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57363
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4095
;; QUESTION SECTION:
;nextcloud.markstenglein.com.          IN      A

;; ANSWER SECTION:
nextcloud.markstenglein.com.   0       IN      CNAME   cloudron.--------------.beta.tailscale.net.

;; Query time: 6 msec
;; SERVER: 100.100.100.100#53(100.100.100.100) (UDP)
;; WHEN: Sat Jul 09 23:27:55 EDT 2022
;; MSG SIZE  rcvd: 109

(edit...I have several cname records, so the my.markstenglen.com that was there is the same behavior)

[ocelotsloth]

If the DNS server configured with the CNAME for nextcloud.markstenglein.com is:

not running Tailscale, and
configured as a recursive resolver

They both are running tailscale. I don't think they're configured as a recursive resolver. But the dig commands above should show if I know what I'm talking about or not :)

[ocelotsloth]

Come to think of it, even if Tailscale is installed it might still fail depending on the DNS server. It may be assuming that it can start from the public root servers and be able to resolve the name.

If I understand this correctly--I'm getting back the magic DNS name so my desktop will be asking 100.100.100.100 for an A record for the magic name?

I don't see any logged queries for the magic dns on the two DNS servers (running Pi-Hole).

[ocelotsloth]

Is there a way to dump query logs to 100.100.100.100?

[MelMti]

I'm picking up similar issue with MagicDNS. Resolution seems to break after about 48 hours. IP addresses do resolve just domain names not working. I've disabled and re-enabled MagicDNS which seems to restore connection to IP address. Feel like a service that stops running.

[fourstepper]

This happens to me only on android as well

On MacOS:

$ dig @8.8.8.8 grocy.home.robinopletal.com +short
microserver.fourstepper.github.beta.tailscale.net.

On Android in Chrome:
DNS_PROBE_FINISHED_NXDOMAIN

I tried a combination of overriding the local DNS, turning off private DNS with no avail.

Any pointers on how to debug this further would be pretty helpful, or anyone who would be willing to test this on their Android device as well.