From 2685260ba1e15c9f8802eabc62b21056ff8f12cf Mon Sep 17 00:00:00 2001
From: David Anderson
Date: Thu, 8 Apr 2021 23:26:22 -0700
Subject: [PATCH] net/dns: add temporary fallback to quad-9 resolver for split-DNS testing.
This allows split-DNS configurations to not break clients on OSes that haven't yet been ported to understand split DNS, by falling back to quad-9 as a global resolver when handed an "impossible to implement" split-DNS config. Part of #953. Needs to be removed before shipping 1.8.
Signed-off-by: David Anderson
---
 net/dns/manager.go | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/net/dns/manager.go b/net/dns/manager.go
index cf0b0412b..2207e1582 100644
--- a/net/dns/manager.go
+++ b/net/dns/manager.go
@@ -168,7 +168,28 @@ func (m *Manager) compileConfig(cfg Config) (resolver.Config, OSConfig, error) {
 } else {
 bcfg, err := m.os.GetBaseConfig()
 if err != nil {
- return resolver.Config{}, OSConfig{}, err
+ // Temporary hack to make OSes where split-DNS isn't fully
+ // implemented yet not completely crap out, but instead
+ // fall back to quad-9 as a hardcoded "backup resolver".
+ //
+ // This codepath currently only triggers when opted into
+ // the split-DNS feature server side, and when at least
+ // one search domain is something within tailscale.com, so
+ // we don't accidentally leak unstable user DNS queries to
+ // quad-9 if we accidentally go down this codepath.
+ canUseHack := false
+ for _, dom := range cfg.SearchDomains {
+ if strings.HasSuffix(dom, ".tailscale.com") {
+ canUseHack = true
+ break
+ }
+ }
+ if !canUseHack {
+ return resolver.Config{}, OSConfig{}, err
+ }
+ bcfg = OSConfig{
+ Nameservers: []netaddr.IP{netaddr.IPv4(9, 9, 9, 9)},
+ }
 }
 rcfg.Routes["."] = toIPPorts(bcfg.Nameservers)
 ocfg.SearchDomains = append(ocfg.SearchDomains, bcfg.SearchDomains...)
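Review bot: The fallback inside `if err != nil` runs for every error `m.os.GetBaseConfig()` returns, not only for the unsupported-split-DNS case the comment describes, and the original `err` is dropped without a trace once `canUseHack` is true. On a host that passes the search-domain gate, a transient failure reading the OS configuration would therefore silently point the `.` route at 9.9.9.9, sending the user's non-tailnet queries to a third-party resolver with nothing in the logs to show it happened. Narrow the condition to the specific not-supported error if the package defines one, and record the substitution before assigning `bcfg`, e.g. `// TODO(#953): remove before 1.8; log err and the 9.9.9.9 fallback here so the resolver swap is visible`. The suffix test `strings.HasSuffix(dom, ".tailscale.com")` is case-sensitive and misses a trailing-dot form, but both misses fall through to the old `return ... err`, so the gate fails closed. compileConfig starts and ends outside the hunk.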