New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
macOS & iOS doesn't use DNS set in the admin panel #101
Comments
+1 Both on iOS & macOS this behaviour persists |
Same: scutil output:
|
Also on 10.15.4 and 0.97.78 |
It seems like this might be a general wireguard issue, as I've found a couple of reddit posts mentioning similar issue in the MacOS wireguard client (though I haven't tried it). I did come across this: that walks through creating a resolver for a specific domain. In short if I do this
where 1.2.3.4 is part of the subnet my relay advertises and mydomain.com is the domain I want to use that DNS host for. I can then do DNS lookups over the tunnel. I've only tested it for 5 minutes, but it also seems to not break things (in my case where I'm sure there is a way to track it down, but might be worth remembering what you set
Looking at the |
Confirmed on the latest macOS 10.5.4 and iOS 13.4. I set up a dnsmasq server on one of my Linux nodes running Tailscale I have connectivity: If I put the Tailscale DNS IP at the top of the nameserver list in advanced settings on a macOS interface, name resolution works (apart from the search domain). So it seems there’s something not correct with the way Tailscale is handling DNS on macOS and iOS. I couldn’t see the DNS entry when running macOS command |
Thanks for the feedback here, everybody. I left a comment in a now-closed duplicate bug #281 (comment) but we'll keep using this bug for tracking & debugging. @crawshaw, looks like one solution if all else fails is implementing NEDNSProxyProvider |
Hi @bradfitz happy to help test on iOS, macOS once a fix is ready |
@crawshaw fixed this at HEAD in our iOS app and I've just confirmed it's fixed. The iOS app with a version greater than or equal to |
This comment has been minimized.
This comment has been minimized.
I should clarify that the fix should equally apply to macOS (they share the same code). I just only tested it on iOS. |
Does it work with cellular networks too? (If you're just setting system DNS, and not proxying DNS, I think that iOS doesn't allow DNS to be set for cellular networks.) |
@sa1, yes. I tested it on iOS with wifi off. |
0.98.12 for iOS and macOS have been released. May take a few hours to reach everyone's devices. |
Users report that the DNS server IPs are set correctly now, but not the search path. |
We are setting searchDomains (just confirmed with some logging). Preliminary testing with 8.8.8.8 and a search domain shows it isn't working though. I suspect we are running into some limitation of the NetworkExtension: https://forums.developer.apple.com/thread/35027 @bradfitz, next time you're connected to your home domain with your own DNS server, could you try setting a search domain (e.g. ts.tailscale.com) and see if |
|
Well, if the domain doesn't have a DNS search domain (the common case?), we can default to not being the default route. If the Tailscale domain does have a search domain set, then we still could if we detect a simple network config (for some heuristic) on the mac. Otherwise worst case we could make it a client option, which I'm sure @apenwarr loves. |
With version 0.98.12 on OS X we are seeing:
but this fails:
when that From our perspective we would very much like at least the ability to maintain #1 (not be the default route), and gain the ability to disable #3 (use local DNS for domains other than those specified in Tailscale). We are going to run into users in locations that have local domains that will lose access to them with Tailscale running I think. Thinking about it, #3 is probably more important. |
@TheHill, thanks for your feedback. If I were to summarize what you
want to happen, is it this?
1. Tailscale should *not* be your default route for traffic
2. DNS resolution for tailscaledomain.com should go through the
tailscale-provided DNS server
3. DNS resolution for localdomain.com should go through the
DHCP-provided local DNS server
4. DNS resolution for all other domains should go through ???
Is that right? What would you like to happen for #4? I think by
default if we implement #1-3 above, then all other domains will go
through your DHCP-provided local DNS server, which might be fine for
you.
…On Wed, Apr 29, 2020 at 10:14 AM thehilll ***@***.***> wrote:
With version 0.98.12 on OS X we are seeing:
Tailscale is not the default route (traceroute to a non-advertised route does not go through the tunnel)
The default domain set in the Tailscale admin interface is not appended to hostname-only queries (ping www fails when the Tailscale provided DNS host has an entry for www.tailscaledomain.com)
The Tailscale provided DNS servers are used for all queries...when I am on a network with its own local DNS and connected to tailscale this works:
ping host.tailscaledomain.com
but this fails:
ping host.localdomain.com
when that localdomain.com is an internal domain that is hosted only on the local DNS. If I quit tailscale the ping to the localdomain.com host works.
From our perspective we would very much like at least the ability to maintain #1 (not be the default route), and gain the ability to disable #3 (use local DNS for domains other than those specified in Tailscale). We are going to run into users in locations that have local domains that will lose access to them with Tailscale running I think. Thinking about it, #3 is probably more important.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or unsubscribe.
--
Avery Pennarun // CEO @ Tailscale
|
@apenwarr I think for #4 we'd want the DHCP-provided DNS to get the query. For #3 the real issue is when one of our users visits e.g. the office of another company and needs to access services in a domain that is only on their local DNS. If all queries went to our DNS via Tailscale they would be unable to get there. #4 would basically be the same issue in the case where the service had a domain only on the DHCP DNS but was not the search domain provided by the DNS. Thanks. |
Well, good news then, it sounds like the current macOS and iOS releases
already do exactly what you want? Can you confirm?
ᐧ
…On Wed, Apr 29, 2020 at 4:05 PM thehilll ***@***.***> wrote:
@apenwarr <https://github.com/apenwarr> I think for #4
<#4> we'd want the
DHCP-provided DNS to get the query.
For #3 <#3> the real issue
is when one of our users visits e.g. the office of another company and
needs to access services in a domain that is only on their local DNS. If
all queries went to our DNS via Tailscale they would be unable to get there.
#4 <#4> would basically be
the same issue in the case where the service had a domain only on the DHCP
DNS but was not the search domain provided by the DNS.
Thanks.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#101 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAFA4A7SJ5BHHYHFTRWUFDRPCCCBANCNFSM4K3QAQTQ>
.
--
Avery Pennarun // CEO @ Tailscale
|
Not quite, 3 and (presumably) 4 from above don't work. I'm currently on a network like we are discussing here. I have a local DNS handed out by my DHCP server and it is definitive for an internal domain. When I am connected to Tailscale: ping host1.tailscaledomain.com ping host2.dhcp-domain.com Then I quite the Tailscale client: ping host2.dhcp-domain.com This is a non-issue right now when all of our users are home (and no one has this setup), so no one is really noticing it. It would be somewhat of an issue once they get out of the house. Thanks. |
There is an iOS/macOS feature that would let us implement that, |
+1 for having the capability for forcing all DNS queries through the VPN, which is our primary use case |
My biggest concern right now: we can not abbrevate domain names inspite of We have links and code that use names like consul-1, mongo-3, Some of the discussions here has made me curious. Is there Apple |
Someone else just told me that some apps are working with the redirected DNS server, but specifically nslookup, dig, and kubectl do not. kubectl prints an especially interesting error:
A quick googling suggests that Go's resolver is probably doing something suspicious to cause that last part: golang/go#12712 |
@apenwarr This is true. It comes down to whether the app uses the OS X system lookup tools or lower level settings. e.g.: host host.tailscaledomain.com ping host.tailscaledomain.com when connected to Tailscale. |
I read elsewhere that nslookup and dig have their own resolvers and just read /etc/resolv.conf (the synthetic file) on mac and use that, not using Apple's libc. And kubectl if cross-compiled is likewise not using Apple's libc, falling back to /etc/resolv.conf without cgo. And when we're a scoped resolver we don't get put in /etc/resolv.conf. |
@bradfitz I believe all of that is correct. It makes troubleshooting less than obvious, particularly on the iPhone. |
I "read elsewhere" that dns-sd is the perfered tool for CLI name lookups. SD? - service discovery. It's a very frustrating tool, as you'll learn. But it's manual advises " You can also query for a unicast name like www.apple.com and monitor its status. Mostly i use |
Hmm. My conclusion from all this feedback is that our primary mode of
operation should be as the primary resolver, not the "scoped" resolver, or
users will have all kinds of problems. Hopefully that's even possible for a
NetworkExtension to achieve, and hopefully without those routing hacks
Crawshaw mentioned up above.
We could allow a user preference to only act as the scoped resolver,
perhaps, but it seems like it shouldn't be the default since users are
actively confused by it (and if kubectl doesn't even work, we're doomed).
ᐧ
…On Thu, Apr 30, 2020 at 12:44 PM Ben Hyde ***@***.***> wrote:
I "read elsewhere" that dns-sd is the perfered tool for CLI name lookups.
SD? - service discovery. It's a very frustrating tool, as you'll learn. But
it's manual advises " You can also query for a unicast name like
www.apple.com and monitor its status. dns-sd -q www.apple.com"
Mostly i use ping -c 1 consul-1.example.com.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#101 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAFA4HBKREYCGMLGRCZAWTRPGTGNANCNFSM4K3QAQTQ>
.
--
Avery Pennarun // CEO @ Tailscale
|
@apenwarr this seems right to me (even as someone who needs the scoped setting in some cases). Frankly both DNS and default route seem like there isn't a single answer here. Sending everything over Tailscale is best for privacy, but it could cause issues in some cases for some users. |
Default route is something to discuss in a separate issue, but yeah,
we absolutely don't want to always route all traffic over tailscale.
And yet, sometimes we absolutely do :)
…On Thu, Apr 30, 2020 at 1:38 PM thehilll ***@***.***> wrote:
@apenwarr this seems right to me (even as someone who needs the scoped setting in some cases).
Frankly both DNS and default route seem like there isn't a single answer here. Sending everything over Tailscale is best for privacy, but it could cause issues in some cases for some users.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or unsubscribe.
--
Avery Pennarun // CEO @ Tailscale
|
The routing hack is the only way I have found for the network extension to set the primary resolver.
…On Fri, May 1 2020 at 4:27 AM, apenwarr < ***@***.*** > wrote:
Default route is something to discuss in a separate issue, but yeah,
we absolutely don't want to always route all traffic over tailscale.
And yet, sometimes we absolutely do :)
On Thu, Apr 30, 2020 at 1:38 PM thehilll ***@***.***> wrote:
>
> @apenwarr this seems right to me (even as someone who needs the scoped
setting in some cases).
>
> Frankly both DNS and default route seem like there isn't a single answer
here. Sending everything over Tailscale is best for privacy, but it could
cause issues in some cases for some users.
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub, or unsubscribe.
--
Avery Pennarun // CEO @ Tailscale
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub (
#101 (comment) )
, or unsubscribe (
https://github.com/notifications/unsubscribe-auth/AABHMJ5RLMSXZBSKRYRLIYLRPG7H7ANCNFSM4K3QAQTQ
).
|
This comment has been minimized.
This comment has been minimized.
In the meantime, a workaround for the search path setting is to use MDM to
simply override it at the OS level setting. It should be harmless to force
corporate devices to use the corporate domain name in all cases, even when
they're not currently connected to the corporate network or a VPN.
ᐧ
…On Fri, May 8, 2020 at 11:14 AM Ben Hyde ***@***.***> wrote:
Ping. I'm sad that we can't use abbreviated domain names since apparently
the search setting in my admin DNS setting isn't getting any traction. As a
consequence my eager beta users have begun to rework *random* things to
use fully qualified names, and that is making some of us cranky. The phrase
"stop this madness," has been heard.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#101 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAFA4DI2RNAH7Y43SLTM43RQQOWTANCNFSM4K3QAQTQ>
.
--
Avery Pennarun // CEO @ Tailscale
|
Okay, I have a fix that makes search domains work. For reference, the trick was: /etc/resolv.conf is indeed entirely bogus on macOS, and there isn't much we can do about it. Both go's internal resolver and commands like The good news is that, (unlike older macOS releases I remember?), most command line tools do use the proper resolver. So These new settings cause macOS/iOS to always use the configured DNS server, not just for corporate DNS purposes, because there is no way yet for us to make the split-DNS configuration work on our other platforms. However, we've also added an option "Use corporate DNS" to the menu on macOS, to match the one on Windows-staging, which lets you disable Tailscale's DNS configuration entirely so you can use a local DNS server when you prefer to do so. When MagicDNS (#416) is further along, we can consider addressing it there in a cross-platform way. This fix should show up in the next macOS and iOS releases >= v0.99.1-5. |
Running app version on MacOS Set up in the Admin Panel the DNS ➜ scutil --dns 13:12:19
DNS configuration
resolver #1
search domain[0] : skynet.local
nameserver[0] : 172.20.0.2
if_index : 22 (utun4)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 102400
resolver #2
nameserver[0] : 192.168.10.1
if_index : 6 (en0)
flags : Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
order : 200000
resolver #3
domain : local
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #4
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #5
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #6
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #7
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #8
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 301000
resolver #9
domain : test
nameserver[0] : 127.0.0.1
flags : Request A records, Request AAAA records
reach : 0x00030002 (Reachable,Local Address,Directly Reachable Address)
DNS configuration (for scoped queries)
resolver #1
search domain[0] : skynet.local
nameserver[0] : 192.168.10.1
if_index : 6 (en0)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
nameserver[0] : 172.20.0.2
if_index : 22 (utun4)
flags : Scoped, Request A records
reach : 0x00000003 (Reachable,Transient Connection) but only forcing for instance ➜ dig +short ip-172-20-90-205.ec2.internal @172.20.0.2
172.20.90.205 otherwise dig +short ip-172-20-90-205.ec2.internal Of course I ticked the option |
This might be just a characteristic of macOS. We have found that tools like |
yeah but in my case it does not work neither |
Ok, must be something different then. |
@thehilll I confirm that it works. as just a local misconfiguration |
Salvatore, could you tell us what went wrong locally so we can perhaps use
it to help people diagnose their systems in the future?
ᐧ
…On Wed, Aug 5, 2020 at 5:27 PM Salvatore Mazzarino ***@***.***> wrote:
@thehilll <https://github.com/thehilll> I confirm that it works. as just
a local misconfiguration
—
You are receiving this because you modified the open/close state.
Reply to this email directly, view it on GitHub
<#101 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAFA4C63EP77ARNY6HQ5ADR7HFDRANCNFSM4K3QAQTQ>
.
--
Avery Pennarun // CEO @ Tailscale
|
hey @apenwarr it was just a local misconfig of my ssh config file. nothing related to Tailscale. |
Describe the bug
On macOS dns resolution order doesn't get prioritized with the dns in the admin panel which means it's essentially ignored.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
I'd expect the dns set in the admin to take priority with the vpn is connected, or at least an option per client to decide
Version information:
- Device: macbook pro
- OS: macOS
- OS version: 10.14.6
- Tailscale version: App version: 0.95.208
Additional context
I currently have a very specific hardcoded example that works as a work around at
https://github.com/pelotech/tailscale-tools/tree/master/resolver
it listens to the up/down of the interfaces and adds resolvers for specific domains to be used.
┆Issue is synchronized with this Asana task by Unito
The text was updated successfully, but these errors were encountered: