From c0c182f48718bc70a1a7ae441316dfe1988544bd Mon Sep 17 00:00:00 2001
From: Kevin Allen
Date: Wed, 26 Apr 2023 15:03:04 -0400
Subject: [PATCH] Add flag to disable bootstrap dns

Adds an optional (default off) boolean environment flag `TS_NO_DNS_FALLBACK` which will simply disable functionality to fallback to using Tailscale DNS servers as indicated in text logs like:
```
trying bootstrapDNS("derp8c.tailscale.com", "2a03:b0c0:1:d0::e1f:4001") for "log.tailscale.io" ...
```
For some user environments, it is desirable to strictly control outbound access to external servers and and leaked data or metadata - and losing this functionality is a desired trade off.

Closes #7981

Signed-off-by: Kevin Allen
---
 net/dnscache/dnscache.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/net/dnscache/dnscache.go b/net/dnscache/dnscache.go
index 0983ae875..0a8b76a99 100644
--- a/net/dnscache/dnscache.go
+++ b/net/dnscache/dnscache.go
@@ -169,6 +169,7 @@ func (r *Resolver) ttl() time.Duration {
 }
 
 var debug = envknob.RegisterBool("TS_DEBUG_DNS_CACHE")
+var noDNSFallback = envknob.RegisterBool("TS_NO_DNS_FALLBACK")
 
 // debugLogging allows enabling debug logging at runtime, via
 // SetDebugLoggingEnabled.
@@ -302,7 +303,7 @@ func (r *Resolver) lookupIP(host string) (ip, ip6 netip.Addr, allIPs []netip.Add
 			ips, err = resolver.LookupNetIP(ctx, "ip", host)
 		}
 	}
-	if (err != nil || len(ips) == 0) && r.LookupIPFallback != nil {
+	if (err != nil || len(ips) == 0) && r.LookupIPFallback != nil && !noDNSFallback() {
 		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 		defer cancel()
 		if err != nil {
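Review bot: The new `noDNSFallback` knob is declared without a comment, so nothing in the file says what it switches off or why an operator would set it; the rationale (never contacting Tailscale's bootstrap resolvers, at the cost of lookups the system resolver cannot answer failing outright) lives only in the commit message. I would add above the declaration: `// noDNSFallback reports whether TS_NO_DNS_FALLBACK is set. When set, the bootstrap-DNS fallback (LookupIPFallback)` / `// is never used: a name the system resolver cannot answer fails instead of being sent to Tailscale's fallback servers.` / `// Intended for deployments that must strictly control outbound connections.` It is worth stating in that comment that this is a user-facing setting rather than a debug knob, since the only other env knob visible here, `TS_DEBUG_DNS_CACHE`, carries the `TS_DEBUG_` prefix and a reader may otherwise assume the same scope.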
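Review bot: With `!noDNSFallback()` folded into the `if` condition, a lookup the system resolver fails on is now dropped silently when the knob is set, whereas the matching check in shouldTryBootstrap logs why the fallback was declined; an operator who enabled TS_NO_DNS_FALLBACK and later sees resolution failures gets no hint from this path. I would record the decision before the `if`, using the resolver's `dlogf` helper (it appears as `d.dnsCache.dlogf` in the other hunk, assuming `dnsCache` is this *Resolver): `if (err != nil || len(ips) == 0) && r.LookupIPFallback != nil && noDNSFallback() { r.dlogf("not using DNS fallback for %q: disabled via TS_NO_DNS_FALLBACK", host) }`. Separately, this is now the second site that must remember the knob; any other code that calls `r.LookupIPFallback` directly would still reach Tailscale's resolvers, so gating once where LookupIPFallback is assigned (leaving it nil when the knob is set) would cover every path — that site is not visible from here. lookupIP starts before this hunk and its body continues past it.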
@@ -451,6 +452,12 @@ func (d *dialer) shouldTryBootstrap(ctx context.Context, err error, dc *dialCall
 		d.dnsCache.dlogf("not using bootstrap DNS: no fallback")
 		return false
 	}
+	if noDNSFallback() {
+		if debug() {
+			log.Printf("dnscache: not using bootstrap DNS: disabled via TS_NO_DNS_FALLBACK")
+		}
+		return false
+	}
 	// We can't retry if the context is canceled, since any further
 	// operations with this context will fail.
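Review bot: The added branch reports its decision with `log.Printf` gated on the `debug()` env knob, while the "no fallback" check immediately above (its condition line is outside the hunk) reports the equivalent decision through `d.dnsCache.dlogf(...)`, which per the comment in the first hunk is presumably also switchable at runtime via SetDebugLoggingEnabled; the new message can therefore only be seen by restarting with TS_DEBUG_DNS_CACHE set and carries a different prefix from its neighbour. I would collapse the three lines to `d.dnsCache.dlogf("not using bootstrap DNS: disabled via TS_NO_DNS_FALLBACK")`. Placing this check ahead of the nil-fallback check would also make the explicit operator override the first thing reported, independent of how the resolver was configured. shouldTryBootstrap starts before this hunk and continues past it.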