New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
100.100.100.100 handles reverse DNS requests even though override local DNS is enabled #7859
Comments
Hah. Somehow I immediately think of https://xkcd.com/1172/ But more serious: I don't recall any recent change we made that should've changed this behavior. 100.100.100.100 has always answered authoritatively if it got the PTR query for a Tailscale IP. Whether/how we program the OS's DNS configuration varies by OS & what else is running on Linux (https://tailscale.com/blog/sisyphean-dns-client-linux/ etc ... but that's a bit dated at this point) On what OS/distro/version/other-DNS-stuff do you see the behavior you don't like? |
Ha, I do understand that it isn't a standard use-case. Interesting, I do remember it working late 2022 when I set it up, but I don't recall if Tailscale pushed the DNS server's IP itself, or 100.100.100.100 at that time. Is there any way to force upstream DNS instead of 100.100.100.100? I observed it first on iOS 16.4 running Tailscale 1.38.2. The above "tests" were run on Arch Linux, with 1.38.4 on both the client machine and the machine with the DNS server. |
So I did some messing around. Disabling override local DNS made Tailscale push the IP itself instead of 100.100.100.100. Then reverse lookups failed completely both on iOS and Linux, not sure why. So I added another split-DNS search domain with But now since override local DNS is disabled, every non-tailscale IP DNS request goes to the default network interface and I no longer have network-wide adblock 🤦. So I believe the issue title still stands, if override local DNS is enabled (among several other reasons), 100.100.100.100 is pushed as DNS server that handles PTR queries before checking with the Tailscale DNS settings. This now makes me wonder about #1543, and if there's a possibility of ordering all DNS rewrites / reroutes before 100.100.100.100 forwards it to global DNS? |
Maybe what we can do is say that if you have the Technically, you actually want:
... at least until systemd/systemd#21526 is fixed. But maybe we can make /cc @danderson |
That works as well, a condition to check for Meanwhile, routing all domains with Going back to 100.100.100.100 having to decide between handling and forwarding, my 2 cents is to separate concerns with a tab like "DHCP" next to the DNS tab in the admin console. Then advertising upstreams and domains would be handled by that "DHCP" tab. Now the DNS tab is a proper DNS resolver and can do MagicDNS, tailnet naming, custom records, forwarding, blocklists etc. Obviously, enabling any feature in the DNS tab would propagate only if the DHCP tab has upstream set to 100.100.100.100. As it stands, there's no way of knowing if a client would get 100.100.100.100 or other upstreams directly and there could always be drift / edge-cases / unexpected behavior between clients like this issue. |
What is the issue?
I run my own CoreDNS server within the tailnet with one of the zones serving records of all the tailnet devices both forward and backward. It used to work perfectly while enabling override local DNS, using search domains for the zones and disabling MagicDNS.
With the introduction of tailnet names
*.<tailnet-name>.ts.net
, reverse lookups aren’t forwarded to my overridden DNS server but handled internally by 100.100.100.100 to resolve to<hostname>.<tailnet-name>.ts.net
instead of my DNS server’s authoritative zone.This breaks Samba connections as the samba server accepts connections only from my zone, which it verifies with a reverse lookup, that now sadly goes somewhere else.
I know you guys are working towards DNS that just works:tm:, but would it be possible to ensure that “override local DNS” includes reverse DNS lookups as well? Or better yet, make tailnet name/auto-DNS opt-in, just like MagicDNS?
Steps to reproduce
dig @100.100.100.100 -x <ip>
returns<ip>.<tailnet-name>.ts.net
dig @<ip> -x <ip>
returns the expected<ip>.<zone>
Are there any recent changes that introduced the issue?
I believe that it was caused by recent changes to 100.100.100.100 as a local DNS server of sorts and the tailscale fun names stuff.
OS
Linux, Windows, iOS, Android
OS version
Arch Linux, Windows 10, iOS 16.4, Android 12
Tailscale version
All devices run > 1.38
Other software
CoreDNS
Samba
Bug report
No response
The text was updated successfully, but these errors were encountered: