diff options
| author | Andrew Dunham <andrew@du.nham.ca> | 2024-05-14 23:59:50 -0400 |
|---|---|---|
| committer | Andrew Dunham <andrew@du.nham.ca> | 2024-05-15 00:32:10 -0400 |
| commit | 64ff6b0e4342f256cccbcc811a47b10c3ca54004 (patch) | |
| tree | e6a0643b5b79ffc1a1375bdfe7a32ff158ad9410 /ipn | |
| parent | 1f51bb68915eec6ba7e44a4fb184ff68b069d9d2 (diff) | |
| download | tailscale-andrew/dns-fallback.tar.xz tailscale-andrew/dns-fallback.zip | |
various: add resolver fallback for captive portalsandrew/dns-fallback
If enabled via a nodeAttr, we can fall back to querying the system
resolvers instead of any configured MagicDNS resolvers if a captive
portal is detected.
TODO: more docs
Signed-off-by: Andrew Dunham <andrew@du.nham.ca>
Change-Id: I1f0d29d3a066cd4673d794c72d5b69790fb81def
Diffstat (limited to 'ipn')
| -rw-r--r-- | ipn/ipnlocal/local.go | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/ipn/ipnlocal/local.go b/ipn/ipnlocal/local.go index 9fea49870..e9de193c3 100644 --- a/ipn/ipnlocal/local.go +++ b/ipn/ipnlocal/local.go @@ -3627,7 +3627,14 @@ func (b *LocalBackend) authReconfig() { disableSubnetsIfPAC := nm.HasCap(tailcfg.NodeAttrDisableSubnetsIfPAC) userDialUseRoutes := nm.HasCap(tailcfg.NodeAttrUserDialUseRoutes) dohURL, dohURLOK := exitNodeCanProxyDNS(nm, b.peers, prefs.ExitNodeID()) - dcfg := dnsConfigForNetmap(nm, b.peers, prefs, b.logf, version.OS()) + haveCaptivePortal := func() bool { + lastReport := b.MagicConn().GetLastNetcheckReport(b.ctx) + if lastReport == nil { + return false + } + return lastReport.CaptivePortal.EqualBool(true) + } + dcfg := dnsConfigForNetmap(nm, b.peers, prefs, b.logf, version.OS(), haveCaptivePortal) // If the current node is an app connector, ensure the app connector machine is started b.reconfigAppConnectorLocked(nm, prefs) b.mu.Unlock() @@ -3725,12 +3732,14 @@ func shouldUseOneCGNATRoute(logf logger.Logf, controlKnobs *controlknobs.Knobs, return false } +var dnsAllowFallback = envknob.RegisterBool("TS_DNS_ALLOW_FALLBACK") + // dnsConfigForNetmap returns a *dns.Config for the given netmap, // prefs, client OS version, and cloud hosting environment. // // The versionOS is a Tailscale-style version ("iOS", "macOS") and not // a runtime.GOOS. -func dnsConfigForNetmap(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg.NodeView, prefs ipn.PrefsView, logf logger.Logf, versionOS string) *dns.Config { +func dnsConfigForNetmap(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg.NodeView, prefs ipn.PrefsView, logf logger.Logf, versionOS string, haveCaptivePortal func() bool) *dns.Config { if nm == nil { return nil } @@ -3739,6 +3748,17 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg. Hosts: map[dnsname.FQDN][]netip.Addr{}, } + // TODO(andrew-d): this isn't enough; we should probably healthcheck + // the resolver and decide based on that, instead of just using the + // netcheck 'captive portal' bool. + if dnsAllowFallback() { + logf("[v1] dnsConfigForNetmap: allowing system resolver fallback due to envknob") + dcfg.AllowFallback = true + } else if nm.HasCap(tailcfg.NodeAttrDNSFallbackToSystemResolver) && haveCaptivePortal() { + logf("[v1] dnsConfigForNetmap: allowing system resolver fallback due to nodeAttr and captive portal") + dcfg.AllowFallback = true + } + // selfV6Only is whether we only have IPv6 addresses ourselves. selfV6Only := nm.GetAddresses().ContainsFunc(tsaddr.PrefixIs6) && !nm.GetAddresses().ContainsFunc(tsaddr.PrefixIs4) |