4 files changed, 31 insertions, 11 deletions
diff --git a/net/dns/manager.go b/net/dns/manager.go
index 88fe94fac..7040be7e9 100644
--- a/net/dns/manager.go
+++ b/net/dns/manager.go
@@ -147,20 +147,28 @@ func (m *Manager) setLocked(cfg Config) error {
 		ocfg.WriteToBufioWriter(w)
 	}))
 
-	if err := m.resolver.SetConfig(rcfg); err != nil {
-		return err
-	}
+	m.resolver.SetConfig(rcfg)
+
 	if err := m.os.SetDNS(ocfg); err != nil {
-		m.health.SetDNSOSHealth(err)
+		m.health.SetUnhealthy(OSConfigWarnable, health.Args{health.ArgError: err.Error()})
 		return err
 	}
 
-	m.health.SetDNSOSHealth(nil)
+	m.health.SetHealthy(OSConfigWarnable)
 	m.config = &cfg
 
 	return nil
 }
 
+var OSConfigWarnable = health.Register(&health.Warnable{
+	Code:     "dns-failed-osconfig",
+	Severity: health.SeverityMedium,
+	Title:    "System DNS configuration failed",
+	Text: func(args health.Args) string {
+		return "Could not configure this device to use the Tailscale DNS resolver. Error: " + args[health.ArgError]
+	},
+})
+
 // compileHostEntries creates a list of single-label resolutions possible
 // from the configured hosts and search domains.
 // The entries are compiled in the order of the search domains, then the hosts.
@@ -315,9 +323,10 @@ func (m *Manager) compileConfig(cfg Config) (rcfg resolver.Config, ocfg OSConfig
 			// This is currently (2022-10-13) expected on certain iOS and macOS
 			// builds.
 		} else {
-			m.health.SetDNSOSHealth(err)
+			m.health.SetUnhealthy(OSConfigWarnable, health.Args{health.ArgError: err.Error()})
 			return resolver.Config{}, OSConfig{}, err
 		}
+		m.health.SetHealthy(OSConfigWarnable)
 	}
 
 	if baseCfg == nil {
diff --git a/net/dns/manager_linux.go b/net/dns/manager_linux.go
index 3ba3022b6..dcb178179 100644
--- a/net/dns/manager_linux.go
+++ b/net/dns/manager_linux.go
@@ -275,7 +275,7 @@ func dnsMode(logf logger.Logf, health *health.Tracker, env newOSConfigEnv) (ret
 			return "direct", nil
 		}
 
-		health.SetDNSManagerHealth(errors.New("systemd-resolved and NetworkManager are wired together incorrectly; MagicDNS will probably not work. For more info, see https://tailscale.com/s/resolved-nm"))
+		health.SetUnhealthy(resolvedNetworkManagerConflictWarnable, nil)
 		dbg("nm-safe", "no")
 		return "systemd-resolved", nil
 	default:
@@ -284,6 +284,16 @@ func dnsMode(logf logger.Logf, health *health.Tracker, env newOSConfigEnv) (ret
 	}
 }
 
+// resolvedNetworkManagerConflictWarnable reports whether the system is in a
+// state where NetworkManager and systemd-resolved are in conflict, and we should
+// warn the user about it.
+var resolvedNetworkManagerConflictWarnable = health.Register(&health.Warnable{
+	Code:     "resolved-nm-conflict",
+	Title:    "NetworkManager and systemd-resolved conflict",
+	Text:     health.StaticMessage("systemd-resolved and NetworkManager are wired together incorrectly; MagicDNS will probably not work. For more info, see https://tailscale.com/s/resolved-nm"),
+	Severity: health.SeverityMedium,
+})
+
 func nmVersionBetween(first, last string) (bool, error) {
 	conn, err := dbus.SystemBus()
 	if err != nil {
diff --git a/net/dns/resolved.go b/net/dns/resolved.go
index d82d3fc31..fe7345fba 100644
--- a/net/dns/resolved.go
+++ b/net/dns/resolved.go
@@ -165,7 +165,7 @@ func (m *resolvedManager) run(ctx context.Context) {
 
 		// Reset backoff and SetNSOSHealth after successful on reconnect.
 		bo.BackOff(ctx, nil)
-		m.health.SetDNSOSHealth(nil)
+		m.health.SetHealthy(OSConfigWarnable)
 		return nil
 	}
 
@@ -243,9 +243,11 @@ func (m *resolvedManager) run(ctx context.Context) {
 			// Set health while holding the lock, because this will
 			// graciously serialize the resync's health outcome with a
 			// concurrent SetDNS call.
-			m.health.SetDNSOSHealth(err)
 			if err != nil {
 				m.logf("failed to configure systemd-resolved: %v", err)
+				m.health.SetUnhealthy(OSConfigWarnable, health.Args{health.ArgError: err.Error()})
+			} else {
+				m.health.SetHealthy(OSConfigWarnable)
 			}
 		}
 	}
diff --git a/net/dns/resolver/tsdns.go b/net/dns/resolver/tsdns.go
index a140c7e93..6036cf99f 100644
--- a/net/dns/resolver/tsdns.go
+++ b/net/dns/resolver/tsdns.go
@@ -253,7 +253,7 @@ func (r *Resolver) SetMissingUpstreamRecovery(f func()) {
 
 func (r *Resolver) TestOnlySetHook(hook func(Config)) { r.saveConfigForTests = hook }
 
-func (r *Resolver) SetConfig(cfg Config) error {
+func (r *Resolver) SetConfig(cfg Config) {
 	if r.saveConfigForTests != nil {
 		r.saveConfigForTests(cfg)
 	}
@@ -273,7 +273,6 @@ func (r *Resolver) SetConfig(cfg Config) error {
 	r.localDomains = cfg.LocalDomains
 	r.hostToIP = cfg.Hosts
 	r.ipToHost = reverse
-	return nil
 }
 
 // Close shuts down the resolver and ensures poll goroutines have exited.