tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

Tailscale still pushes MagicDNS servers to (some?) clients when disabled #13927

Open Kreeblah opened 3 weeks ago

Kreeblah commented 3 weeks ago

What is the issue?

I disabled MagicDNS on my tailnet because I don't need to connect to the nodes which aren't already permanently joined to the tailnet. However, when I did that, I noticed that my OPNsense installation could no longer update packages or refresh dashboard information that relied on outbound connections, even though it was passing traffic just fine.

I found through the CLI that it was still attempting to use the MagicDNS servers:

root@OPNsense:~ # dig asdf.com
;; UDP setup with 100.100.100.100#53(100.100.100.100) for asdf.com failed: host unreachable.
;; no servers could be reached
;; UDP setup with 100.100.100.100#53(100.100.100.100) for asdf.com failed: host unreachable.
;; no servers could be reached
;; UDP setup with 100.100.100.100#53(100.100.100.100) for asdf.com failed: host unreachable.
;; no servers could be reached

I added --accept-dns=false to the tailscale up command, and it started using my configured DNS servers again (and working as expected).

Steps to reproduce

I'm uncertain whether any of the DNS-related configuration steps other than disabling MagicDNS are required, but I'm including them for completeness.

  1. Join an OPNsense host to the tailnet
  2. Add tailscale0 as an interface as described on https://tailscale.com/kb/1097/install-opnsense
  3. Add a firewall rule to the Tailscale device allowing all IPv4 traffic
  4. Disable MagicDNS
  5. Set a global DNS server in Tailscale (I'm using a ControlD server)
  6. Set a split domain DNS server for hosts on the tailnet
  7. Run tailscale down
  8. Run tailscale up (make sure we're pulling current settings)
  9. Attempt to look up a DNS record from the OPNsense host

Are there any recent changes that introduced the issue?

I don't know of any specific code changes, as this is my first time installing Tailscale on OPNsense.

OS

Other

OS version

OPNsense 24.7.7, based on FreeBSD 14.1-RELEASE-p5

Tailscale version

1.76.1

Other software

No response

Bug report

BUG-568bd5512d883dc16a2b404feb5e6ec04bdec53309b148265bdff73b2fd0fb04-20241027174756Z-9895f5458bcb6ce8

bradfitz commented 3 weeks ago

I think one point of confusion here is you seem to be assuming that enabling MagicDNS (the foo.bar.ts.net names) means that 100.100.100.100 is used and that if 100.100.100.100 is used, that means it's because of MagicDNS.

In fact, neither can be true: on systems with good DNS APIs, we install MagicDNS without changing your system DNS server to 100.100.100.100. And on some systems, for certain DNS functionality, we have to change your DNS to 100.100.100.100, even if you're not using MagicDNS.

Our FreeBSD DNS support is super minimal and it'll use 100.100.100.100 for a number of DNS scenarios. As you discovered, you can disable that with --accept-dns=false.
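As an added example (not code from the Tailscale project or from either commenter), a small POSIX shell audit that reports which of the states described above a host is in by reading its resolver file: it assumes the configuration lives in /etc/resolv.conf, as on FreeBSD-based OPNsense, and the two sample files it builds are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the Tailscale project or of the issue above.
# Classifies a resolv.conf by whether the Tailscale resolver (100.100.100.100)
# is the only nameserver, the state that left the OPNsense host with no working
# DNS once 100.100.100.100 was unreachable. Assumption: the host's resolver
# configuration lives in /etc/resolv.conf (true on FreeBSD/OPNsense).

TS_RESOLVER="100.100.100.100"

# Print one line per nameserver address found in the file given as $1.
resolv_nameservers() {
    awk '{ sub(/[#;].*$/, "") }                       # drop comments
         $1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# Classify the file given as $1. Prints exactly one of:
#   empty           no nameserver lines at all
#   no-tailscale    100.100.100.100 absent (what --accept-dns=false yields)
#   mixed           100.100.100.100 listed alongside other resolvers
#   tailscale-only  100.100.100.100 is the sole resolver (the failing state)
resolv_classify() {
    awk -v ts="$TS_RESOLVER" '
        { sub(/[#;].*$/, "") }
        $1 == "nameserver" && NF >= 2 { total++; if ($2 == ts) tsn++ }
        END {
            if (total == 0)        print "empty"
            else if (tsn == 0)     print "no-tailscale"
            else if (tsn == total) print "tailscale-only"
            else                   print "mixed"
        }' "$1"
}

# Stand-alone demo on two constructed samples (not captured from a real host):
# one as Tailscale's FreeBSD DNS support leaves it, one with admin-chosen servers.
demo_dir=$(mktemp -d)
printf 'search example.ts.net\nnameserver 100.100.100.100\n' > "$demo_dir/ts.conf"
printf '# admin resolvers\nnameserver 192.0.2.53\nnameserver 2001:db8::53\n' > "$demo_dir/own.conf"
for f in ts.conf own.conf; do
    printf '%s: %s\n' "$f" "$(resolv_classify "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

Run it as root on the host before and after `tailscale up --accept-dns=false` (pointing it at /etc/resolv.conf) to confirm the change actually removed 100.100.100.100 rather than guessing from symptoms.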

Kreeblah commented 3 weeks ago

Hmmm. Do you have documentation on when the 100.100.100.100 DNS server is added to hosts? That'd be good to be able to understand/plan for. Now I'm wondering what other things I'm impacting by refusing to accept that DNS server for my OPNsense host.

And, you're right. I had assumed that it was tied to MagicDNS since disabling MagicDNS caused 100.100.100.100 to disappear from the DNS page as a listed DNS server. So, I'd thought that it was required for resolving ts.net entries, but since I don't need that functionality and using it was preventing lookups to other FQDNs, disabling it wouldn't negatively impact anything.