authorNick Khyl <nickk@tailscale.com>2024-06-10 22:05:15 -0500
committerNick Khyl <1761190+nickkhyl@users.noreply.github.com>2024-06-14 14:41:50 -0500
commitc32efd9118bb8ba63ae5729653d1eaeeaad52149 (patch)
treec4fd7ff691d87fa6a4b54588dc6675192118af7d /control/controlknobs/controlknobs.go
parent7354547bd849352acb2bdb15ea99c5088d635568 (diff)
various: create a catch-all NRPT rule when "Override local DNS" is enabled on Windows
Without this rule, Windows 8.1 and newer devices issue parallel DNS requests to DNS servers associated with all network adapters, even when "Override local DNS" is enabled and/or a Mullvad exit node is being used, resulting in DNS leaks. This also adds "disable-local-dns-override-via-nrpt" nodeAttr that can be used to disable the new behavior if needed. Fixes tailscale/corp#20718 Signed-off-by: Nick Khyl <nickk@tailscale.com>
Diffstat (limited to 'control/controlknobs/controlknobs.go')
-rw-r--r--control/controlknobs/controlknobs.go12
1 files changed, 12 insertions, 0 deletions
diff --git a/control/controlknobs/controlknobs.go b/control/controlknobs/controlknobs.go
index f4cef7b41..9ff12c76f 100644
--- a/control/controlknobs/controlknobs.go
+++ b/control/controlknobs/controlknobs.go
@@ -90,6 +90,15 @@ type Knobs struct {
// This is for now (2024-06-06) an iOS-specific battery life optimization,
// and this knob allows us to disable the optimization remotely if needed.
DisableSplitDNSWhenNoCustomResolvers atomic.Bool
+
+ // DisableLocalDNSOverrideViaNRPT indicates that the node's DNS manager should not
+ // create a default (catch-all) Windows NRPT rule when "Override local DNS" is enabled.
+ // Without this rule, Windows 8.1 and newer devices issue parallel DNS requests to DNS servers
+ // associated with all network adapters, even when "Override local DNS" is enabled and/or
+ // a Mullvad exit node is being used, resulting in DNS leaks.
+ // We began creating this rule on 2024-06-14, and this knob
+ // allows us to disable the new behavior remotely if needed.
+ DisableLocalDNSOverrideViaNRPT atomic.Bool
}
// UpdateFromNodeAttributes updates k (if non-nil) based on the provided self
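Review bot: The doc comment on `DisableLocalDNSOverrideViaNRPT` explains why the catch-all rule exists, but it never states what setting the knob does to the user. Because the zero value of `atomic.Bool` is false, the leak protection is on by default, and setting the knob turns it off. I would add a closing sentence such as `// When set, Windows may again send queries to resolvers on other adapters, so DNS can leak outside the tunnel.` The comment implies the knob is Windows-only; if other platforms ignore it, say so explicitly, for example `// It has no effect on non-Windows platforms.` (inferred from the wording, please confirm). The `Knobs` struct starts outside this hunk.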
@@ -117,6 +126,7 @@ func (k *Knobs) UpdateFromNodeAttributes(capMap tailcfg.NodeCapMap) {
appCStoreRoutes = has(tailcfg.NodeAttrStoreAppCRoutes)
userDialUseRoutes = has(tailcfg.NodeAttrUserDialUseRoutes)
disableSplitDNSWhenNoCustomResolvers = has(tailcfg.NodeAttrDisableSplitDNSWhenNoCustomResolvers)
+ disableLocalDNSOverrideViaNRPT = has(tailcfg.NodeAttrDisableLocalDNSOverrideViaNRPT)
)
if has(tailcfg.NodeAttrOneCGNATEnable) {
@@ -142,6 +152,7 @@ func (k *Knobs) UpdateFromNodeAttributes(capMap tailcfg.NodeCapMap) {
k.AppCStoreRoutes.Store(appCStoreRoutes)
k.UserDialUseRoutes.Store(userDialUseRoutes)
k.DisableSplitDNSWhenNoCustomResolvers.Store(disableSplitDNSWhenNoCustomResolvers)
+ k.DisableLocalDNSOverrideViaNRPT.Store(disableLocalDNSOverrideViaNRPT)
}
// AsDebugJSON returns k as something that can be marshalled with json.Marshal
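Review bot: The unconditional `k.DisableLocalDNSOverrideViaNRPT.Store(disableLocalDNSOverrideViaNRPT)` changes a DNS-leak protection with no record of the transition in the visible lines. The value is derived from the control-supplied `capMap`, so a later leak investigation would want to know when the protection was switched off. Assuming this is `sync/atomic.Bool`, `if old := k.DisableLocalDNSOverrideViaNRPT.Swap(disableLocalDNSOverrideViaNRPT); old != disableLocalDNSOverrideViaNRPT { /* log old -> new */ }` would capture the change. `UpdateFromNodeAttributes` starts outside this hunk, so an existing logging path may already cover it. It is also not visible here whether the DNS manager re-applies its configuration when the knob flips, or only reads it on the next reconfigure.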
@@ -168,5 +179,6 @@ func (k *Knobs) AsDebugJSON() map[string]any {
"AppCStoreRoutes": k.AppCStoreRoutes.Load(),
"UserDialUseRoutes": k.UserDialUseRoutes.Load(),
"DisableSplitDNSWhenNoCustomResolvers": k.DisableSplitDNSWhenNoCustomResolvers.Load(),
+ "DisableLocalDNSOverrideViaNRPT": k.DisableLocalDNSOverrideViaNRPT.Load(),
}
}