authorBrad Fitzpatrick <bradfitz@tailscale.com>2023-10-16 09:16:01 -0700
committerBrad Fitzpatrick <bradfitz@tailscale.com>2023-10-16 09:16:01 -0700
commit9cedc555709268e84489d08ac11b60992c9be9b9 (patch)
tree185d0fa19736089e6875d987508a0c68dc79ad75 /control
parentfeabb34ea0aaab714698de643fef6436f7eee96a (diff)
net/dnsfallback, control/controlknobs: add knob to disable recursive resolverbradfitz/recursive_controlknob
Updates tailscale/corp#15261 Change-Id: I099860c400c82617382723b96fd3a5193c45f0d7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Diffstat (limited to 'control')
-rw-r--r--control/controlclient/direct.go2
-rw-r--r--control/controlhttp/client.go2
-rw-r--r--control/controlknobs/controlknobs.go15
3 files changed, 17 insertions, 2 deletions
diff --git a/control/controlclient/direct.go b/control/controlclient/direct.go
index 80f6e919b..2f4c40c03 100644
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -235,7 +235,7 @@ func NewDirect(opts Options) (*Direct, error) {
dnsCache := &dnscache.Resolver{
Forward: dnscache.Get().Forward, // use default cache's forwarder
UseLastGood: true,
- LookupIPFallback: dnsfallback.MakeLookupFunc(opts.Logf, opts.NetMon),
+ LookupIPFallback: dnsfallback.MakeLookupFunc(opts.Logf, opts.NetMon, opts.ControlKnobs.EnableRecursiveResolver),
Logf: opts.Logf,
NetMon: opts.NetMon,
}
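Review bot: The `LookupIPFallback` line passes `opts.ControlKnobs.EnableRecursiveResolver` as a method value, and nothing at this call site shows what happens when `opts.ControlKnobs` is nil. Assuming the field is a `*controlknobs.Knobs`, binding the method value on a nil pointer does not panic, and the accessor added in controlknobs.go then reports true, so a Direct built without knobs keeps the recursive fallback on and the control-plane switch cannot reach it. A short comment would make that explicit, for example `// ControlKnobs may be nil; EnableRecursiveResolver is nil-safe and then returns true`. NewDirect's body starts and ends outside the hunk.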
diff --git a/control/controlhttp/client.go b/control/controlhttp/client.go
index fb220fd0b..d622aca40 100644
--- a/control/controlhttp/client.go
+++ b/control/controlhttp/client.go
@@ -390,7 +390,7 @@ func (a *Dialer) resolver() *dnscache.Resolver {
return &dnscache.Resolver{
Forward: dnscache.Get().Forward,
- LookupIPFallback: dnsfallback.MakeLookupFunc(a.logf, a.NetMon),
+ LookupIPFallback: dnsfallback.MakeLookupFunc(a.logf, a.NetMon, func() bool { return false }),
UseLastGood: true,
Logf: a.Logf, // not a.logf method; we want to propagate nil-ness
NetMon: a.NetMon,
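Review bot: The `LookupIPFallback` line hard-codes `func() bool { return false }` with no comment explaining why. Judging by the direct.go call, which passes `EnableRecursiveResolver` in the same position, this turns the recursive fallback off unconditionally for the Dialer rather than following the new knob. That looks like a behaviour change for this path beyond what the commit title describes, so the reason should be recorded next to the literal, e.g. `// recursive resolver is never used on this path: <reason>`. If the Dialer is meant to honour the knob, it would need access to a Knobs value, which is not visible here. The resolver() body continues outside the hunk.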
diff --git a/control/controlknobs/controlknobs.go b/control/controlknobs/controlknobs.go
index e64bc8011..2678ba494 100644
--- a/control/controlknobs/controlknobs.go
+++ b/control/controlknobs/controlknobs.go
@@ -52,6 +52,10 @@ type Knobs struct {
// DisableDNSForwarderTCPRetries is whether the DNS forwarder should
// skip retrying truncated queries over TCP.
DisableDNSForwarderTCPRetries atomic.Bool
+
+ // DisableRecursiveResolver is whether the node should disable the
+ // dnsfallback recursive resolver.
+ DisableRecursiveResolver atomic.Bool
}
// UpdateFromNodeAttributes updates k (if non-nil) based on the provided self
@@ -74,6 +78,7 @@ func (k *Knobs) UpdateFromNodeAttributes(selfNodeAttrs []tailcfg.NodeCapability,
forceBackgroundSTUN = has(tailcfg.NodeAttrDebugForceBackgroundSTUN)
peerMTUEnable = has(tailcfg.NodeAttrPeerMTUEnable)
dnsForwarderDisableTCPRetries = has(tailcfg.NodeAttrDNSForwarderDisableTCPRetries)
+ dnsDisableRecursiveResolver = has(tailcfg.NodeAttrDisableRecursiveResolver)
)
if has(tailcfg.NodeAttrOneCGNATEnable) {
@@ -91,6 +96,7 @@ func (k *Knobs) UpdateFromNodeAttributes(selfNodeAttrs []tailcfg.NodeCapability,
k.DisableDeltaUpdates.Store(disableDeltaUpdates)
k.PeerMTUEnable.Store(peerMTUEnable)
k.DisableDNSForwarderTCPRetries.Store(dnsForwarderDisableTCPRetries)
+ k.DisableRecursiveResolver.Store(dnsDisableRecursiveResolver)
}
// AsDebugJSON returns k as something that can be marshalled with json.Marshal
@@ -111,3 +117,12 @@ func (k *Knobs) AsDebugJSON() map[string]any {
"DisableDNSForwarderTCPRetries": k.DisableDNSForwarderTCPRetries.Load(),
}
}
+
+// EnableRecursiveResolver is whether the node should use its DNS recursive resolver
+// as a fallback. It defaults to enabled unless disabled by the control plane.
+func (k *Knobs) EnableRecursiveResolver() bool {
+ if k == nil {
+ return true
+ }
+ return !k.DisableRecursiveResolver.Load()
+}
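Review bot: The new `DisableRecursiveResolver` knob is stored by UpdateFromNodeAttributes, but the AsDebugJSON map visible at the top of this hunk still ends at `"DisableDNSForwarderTCPRetries"`. The debug output therefore cannot show whether the control plane has switched the recursive resolver off on a node, which is the first thing to check when DNS fallback behaves unexpectedly. Consider adding `"DisableRecursiveResolver": k.DisableRecursiveResolver.Load(),` to that map. Only the tail of AsDebugJSON is in the hunk, so the entry may need to be placed to match the ordering of the earlier keys.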