hassio-addons / addon-adguard-home

AdGuard Home - Home Assistant Community Add-ons
https://addons.community
MIT License

DNS not reachable through Tailscale #371

Closed bdr99 closed 1 year ago

bdr99 commented 1 year ago

Problem/Motivation

I'm trying to use this add-on in combination with the Tailscale add-on, to allow all my Tailscale devices to use the AdGuard DNS. When I install both the Tailscale and AdGuard add-ons, I'm able to perform DNS queries from other devices using my HA system's local IP (192.168.x.x), but not through its Tailscale IP (100.x.x.x).

Expected behavior

The AdGuard DNS service should be reachable via the Tailscale network interface, so that AdGuard and Tailscale can be used in combination.

Actual behavior

In these log snippets, 192.168.x.x represents my HA machine's local IP (assigned by my router), while 100.x.x.x represents the Tailscale IP.

DNS is working when I use my HA machine's local IP:

; <<>> DiG 9.18.9 <<>> @192.168.x.x google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10113
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             73      IN      A       172.217.10.206

;; Query time: 0 msec
;; SERVER: 192.168.x.x#53(192.168.x.x) (UDP)
;; WHEN: Tue Dec 06 17:15:37 EST 2022
;; MSG SIZE  rcvd: 55

But when I try to make the same query using the HA machine's Tailscale IP, it fails:

root@ubuntu:/# dig @100.x.x.x google.com
;; communications error to 100.x.x.x#53: connection refused
;; communications error to 100.x.x.x#53: connection refused
;; communications error to 100.x.x.x#53: connection refused

; <<>> DiG 9.18.9 <<>> @100.x.x.x google.com
; (1 server found)
;; global options: +cmd
;; no servers could be reached

Steps to reproduce

  1. Install the Tailscale and AdGuard add-ons.
  2. Issue a DNS query from another device on the Tailscale network, directed at the HA machine's Tailscale IP.
  3. Observe that the DNS query will fail.

Proposed changes

I think this is happening because the add-on is configuring AdGuard to only listen on the interfaces provided by the Supervisor. If I add my Tailscale IP to dns.bind_hosts in the AdGuard config file, it fixes the issue, but I realize that manually modifying the config file is not supported. Therefore, I propose that one of the following fixes be made to resolve this issue:

Option 1: Add logic to the init script to detect that there is a Tailscale interface present on the system, and add its IP to dns.bind_hosts if it exists.

Option 2: Make the Supervisor report the Tailscale interface to add-ons, so that AdGuard (along with any other add-ons that request the list of interfaces) will know to listen on that interface.

Option 3: Add a config parameter to the add-on to allow the user to specify interface IPs. These will be added to dns.bind_hosts in addition to the ones provided by the Supervisor. This way, users can add their Tailscale IP to this config parameter to make AdGuard listen on the Tailscale interface.
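Option 1 above, sketched as an added example (not part of the original post, and not the add-on's own code or the fix that was later merged): merge the Supervisor-provided bind hosts with any local address in the ranges Tailscale assigns. The function names and sample addresses are constructed for illustration, and matching on 100.64.0.0/10 is a heuristic, since that range is shared CGNAT space that ISPs also use.

```python
import ipaddress

# Ranges Tailscale assigns to nodes: the CGNAT IPv4 block and Tailscale's IPv6 ULA prefix.
TAILSCALE_NETS = (
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),
)


def is_tailscale(addr):
    """True if addr is inside a Tailscale range (heuristic, see lead-in)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in TAILSCALE_NETS)


def merged_bind_hosts(supervisor_hosts, local_addrs):
    """Return (bind_hosts, added): supervisor hosts plus local Tailscale addresses.

    A wildcard bind (0.0.0.0 or ::) already covers every address of its
    family, so no Tailscale address of that family is appended.
    """
    hosts = [ipaddress.ip_address(h) for h in supervisor_hosts]
    wildcard_versions = {h.version for h in hosts if h.is_unspecified}
    added = []
    for raw in local_addrs:
        ip = ipaddress.ip_interface(raw).ip  # accepts "a.b.c.d" and "a.b.c.d/len"
        if not is_tailscale(str(ip)):
            continue  # never widen the listener beyond the tailnet address
        if ip.version in wildcard_versions or ip in hosts or ip in added:
            continue
        added.append(ip)
    return [str(h) for h in hosts + added], [str(a) for a in added]


if __name__ == "__main__":
    # Constructed sample: what the Supervisor reports vs. what the host actually has.
    supervisor = ["192.168.1.10", "172.30.32.1"]
    local = ["127.0.0.1/8", "192.168.1.10/24", "100.101.102.103/32",
             "fd7a:115c:a1e0::1234/128"]
    bind_hosts, added = merged_bind_hosts(supervisor, local)
    print("dns.bind_hosts:", bind_hosts)
    print("added for Tailscale:", added)
```

Appending only the tailnet address keeps the resolver off interfaces it was never meant to serve, which a blanket 0.0.0.0 bind would not.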

kevynb commented 1 year ago

Hey @bdr99, I created a PR for this use case. Do you mind testing it as well, to ensure that it does not just work on my machine?

frenck commented 1 year ago

fixed in #382