From 4baf34cf258ed65697710a2d14b14928036db6c5 Mon Sep 17 00:00:00 2001
From: Aaron Klotz
Date: Thu, 23 Jun 2022 16:15:11 -0600
Subject: [PATCH] net/dns: set appropriate Windows registry values to prevent it from sending DNS changes concerning our interface to AD domain controllers. We do this unconditionally inside SetDNS such that the values are always set before we make any other changes to DNS configurations. It should not be harmful for the settings to remain even when other DNS settings are cleared out (since they only affect our network interface). See https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-dns-dynamic-updates-windows-server-2003 for details about the registry value. Fixes https://github.com/tailscale/tailscale/issues/4829
Signed-off-by: Aaron Klotz
---
 net/dns/manager_windows.go | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/net/dns/manager_windows.go b/net/dns/manager_windows.go
index 0a82b10aa..951e06444 100644
--- a/net/dns/manager_windows.go
+++ b/net/dns/manager_windows.go
@@ -215,6 +215,11 @@ func (m windowsManager) SetDNS(cfg OSConfig) error {
 // configuration only, routing one set of things to the "split"
 // resolver and the rest to the primary.
+ // Unconditionally disable dynamic DNS updates on our interfaces.
+ if err := m.disableDynamicUpdates(); err != nil {
+ m.logf("disableDynamicUpdates error: %v\n", err)
+ }
+
 if len(cfg.MatchDomains) == 0 {
 if err := m.setSplitDNS(nil, nil); err != nil {
 return err
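Review bot: The error from `m.disableDynamicUpdates()` is only logged, so SetDNS goes on to apply the resolver configuration even when the registry value was not written. In that case nothing visible in this hunk stops Windows from sending this interface's DNS changes to the AD domain controllers, which is what the commit sets out to prevent. If best-effort is the intent, say so at the call site, for example `// Best-effort: a failure here must not block DNS configuration, but dynamic updates stay enabled for this interface until a later SetDNS succeeds in writing the value.` The trailing `\n` in the format string is probably redundant if `logf` terminates lines itself. SetDNS starts and ends outside this hunk, so any earlier handling is not visible here.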
@@ -295,6 +300,29 @@ func (m windowsManager) Close() error {
 return m.SetDNS(OSConfig{})
 }
+// disableDynamicUpdates sets the appropriate registry values to prevent the
+// Windows DHCP client from sending dynamic DNS updates for our interface to
+// AD domain controllers.
+func (m windowsManager) disableDynamicUpdates() error {
+ setRegValue := func(regBase string) error {
+ key, err := m.openKey(m.ifPath(regBase))
+ if err != nil {
+ return err
+ }
+ defer key.Close()
+
+ return key.SetDWordValue("DisableDynamicUpdate", 1)
+ }
+
+ for _, regBase := range []string{ipv4RegBase, ipv6RegBase} {
+ if err := setRegValue(regBase); err != nil {
+ return err
+ }
+ }
+
+ return nil
+}
+
 func (m windowsManager) GetBaseConfig() (OSConfig, error) {
 resolvers, err := m.getBasePrimaryResolver()
 if err != nil {
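Review bot: The loop in `disableDynamicUpdates` returns on the first failure, so if the key under `ipv4RegBase` cannot be opened or written, the key under `ipv6RegBase` is never attempted and dynamic updates stay enabled for that address family too. Because the caller only logs the error, it is safer to attempt every base and report the first failure afterwards. The returned error also carries no indication of which registry base failed. Wrapping it with the base name would make the single log line actionable.

```go
	// … unchanged: setRegValue closure …

	// Attempt every base so one failing key does not leave the other unset.
	var firstErr error
	for _, regBase := range []string{ipv4RegBase, ipv6RegBase} {
		if err := setRegValue(regBase); err != nil && firstErr == nil {
			firstErr = err
		}
	}

	return firstErr
```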