headscale
[Feature] Restricted nameservers without search domains
Use case
I use the restricted_nameservers option for my own implementation of App Connectors (the DNS server adds routes to the subnet router) so I can route services like 1Password over the tailnet. The issue with the current implementation is that 1password.com will also be added as a search domain, which I don't want.
Description
It would be nice if it was possible to add a restricted nameserver without the domain being added as a search domain.
Contribution
- [ ] I can write the design doc for this feature
- [ ] I can contribute this feature
How can it be implemented?
I've been digging in the Tailscale client source code, and I think this can be implemented by adding the domain to DNSConfig.MatchDomains instead of DNSConfig.SearchDomains, but I'm not really sure about this.
I am facing the same issue; it's really frustrating, especially because I get some DNS resolution errors because of this.
My current fix is a slight modification of the v0.22.3 code, where I remove line 448 from the file hscontrol/config.go. This keeps headscale from appending the restricted servers to the search domains.
I think DNSConfig.MatchDomains is filled via https://github.com/tailscale/tailscale/blob/218110963dbb12002529a4a91ffc149b70ac21ac/net/dns/manager.go#L292 and https://github.com/tailscale/tailscale/blob/7aec8d4e6b4e72d5053d9ff7d819c28f9e035c2c/net/dns/config.go#L146 which we don't set according to tailscaled -verbose 2.
Edit: I think my personal issue was caused by an /etc/hosts entry on the exit node I was using rather than this issue. Nevertheless I think I found an issue and raised #2057
I think we have implemented this wrongly the whole time. Looking into it now, it does not seem that the Tailscale SaaS nor the client adds split DNS to search domains, and I don't think there is a good reason to do it. I will address this as part of #2034.
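The distinction the original request and the last comment describe, that a restricted nameserver's domain belongs in the split-DNS match domains and not in the search domains, as an added Go example (constructed here, not headscale's or Tailscale's code; the DNSConfig type, Build and ResolversFor are hypothetical stand-ins, and the resolver addresses are sample values):

```go
package main

import (
	"fmt"
	"strings"
)

// DNSConfig is a constructed stand-in for the fields the thread names; it is
// not tailcfg.DNSConfig and not headscale's own config type.
type DNSConfig struct {
	Nameservers   []string            // global resolvers
	Routes        map[string][]string // split DNS: domain suffix -> resolvers
	SearchDomains []string            // suffixes appended to unqualified names
	MatchDomains  []string            // suffixes that must use their Routes entry
}

// Build assembles a config from headscale-style inputs. appendToSearch=true
// reproduces the reported behaviour (each restricted domain also becomes a
// search domain); false keeps restricted domains as split-DNS routes only.
func Build(global []string, restricted map[string][]string, search []string, appendToSearch bool) DNSConfig {
	cfg := DNSConfig{Nameservers: global, Routes: map[string][]string{}}
	cfg.SearchDomains = append(cfg.SearchDomains, search...)
	for d, ns := range restricted {
		cfg.Routes[d] = ns
		cfg.MatchDomains = append(cfg.MatchDomains, d)
		if appendToSearch {
			cfg.SearchDomains = append(cfg.SearchDomains, d)
		}
	}
	return cfg
}

// ResolversFor picks resolvers for a fully qualified name: the longest
// matching split-DNS suffix wins, otherwise the global nameservers are used.
func ResolversFor(cfg DNSConfig, fqdn string) []string {
	name, best := strings.TrimSuffix(strings.ToLower(fqdn), "."), ""
	for _, d := range cfg.MatchDomains {
		if (name == d || strings.HasSuffix(name, "."+d)) && len(d) > len(best) {
			best = d
		}
	}
	if best == "" {
		return cfg.Nameservers
	}
	return cfg.Routes[best]
}

func main() {
	restricted := map[string][]string{"1password.com": {"100.64.0.10"}} // constructed sample
	for _, buggy := range []bool{true, false} {
		cfg := Build([]string{"1.1.1.1"}, restricted, []string{"example.ts.net"}, buggy)
		fmt.Println(buggy, cfg.SearchDomains, ResolversFor(cfg, "my.1password.com"), ResolversFor(cfg, "example.org"))
	}
}
```

With appendToSearch=false the routing for 1password.com names is unchanged, but an unqualified lookup is no longer expanded against 1password.com.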