tailscale

Commit Graph

Author	SHA1	Message	Date
Claus Lensbøl	8085324449	net/dns: retrample resolve.conf when another process has trampled it When using the resolve.conf file for setting DNS, it is possible that some other services will trample the file and overwrite our set DNS server. Experiments has shown this to be a racy error depending on how quickly processes start. Make an attempt to trample back the file a limited number of times if the file is changed. Updates #16635 Signed-off-by: Claus Lensbøl <claus@tailscale.com>	2 days ago
Brad Fitzpatrick	bcd79b161a	feature/featuretags: add option to turn off DNS Saves 328 KB (2.5%) off the minimal binary. For IoT devices that don't need MagicDNS (e.g. they don't make outbound connections), this provides a knob to disable all the DNS functionality. Rather than a massive refactor today, this uses constant false values as a deadcode sledgehammer, guided by shotizam to find the largest DNS functions which survived deadcode. A future refactor could make it so that the net/dns/resolver and publicdns packages don't even show up in the import graph (along with their imports) but really it's already pretty good looking with just these consts, so it's not at the top of my list to refactor it more soon. Also do the same in a few places with the ACME (cert) functionality, as I saw those while searching for DNS stuff. Updates #12614 Change-Id: I8e459f595c2fde68ca16503ff61c8ab339871f97 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	b3e9a128af	net/dns, feature/featuretags: make NetworkManager, systemd-resolved, and DBus modular Saves 360 KB (19951800 => 19591352 on linux/amd64 --extra-small --box binary) Updates #12614 Updates #17206 Change-Id: Iafd5b2536dd735111b447546cba335a7a64379ed Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 months ago
Brad Fitzpatrick	2b3e533048	util/syspolicy: finish plumbing policyclient, add feature/syspolicy, move global impl This is step 4 of making syspolicy a build-time feature. This adds a policyclient.Get() accessor to return the correct implementation to use: either the real one, or the no-op one. (A third type, a static one for testing, also exists, so in general a policyclient.Client should be plumbed around and not always fetched via policyclient.Get whenever possible, especially if tests need to use alternate syspolicy) Updates #16998 Updates #12614 Change-Id: Iaf19670744a596d5918acfa744f5db4564272978 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 months ago
Brad Fitzpatrick	fbc6a9ec5a	all: detect JetKVM and specialize a handful of things for it Updates #16524 Change-Id: I183428de8c65d7155d82979d2d33f031c22e3331 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	5 months ago
Brad Fitzpatrick	02f68e5d9f	net/dns: don't link dbus, gonotify on Android Android is Linux, but doesn't use Linux DNS managers (or D-Bus). Updates #12614 Change-Id: I487802ac74a259cd5d2480ac26f7faa17ca8d1c3 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	7 months ago
Nick Khyl	c32efd9118	various: create a catch-all NRPT rule when "Override local DNS" is enabled on Windows Without this rule, Windows 8.1 and newer devices issue parallel DNS requests to DNS servers associated with all network adapters, even when "Override local DNS" is enabled and/or a Mullvad exit node is being used, resulting in DNS leaks. This also adds "disable-local-dns-override-via-nrpt" nodeAttr that can be used to disable the new behavior if needed. Fixes tailscale/corp#20718 Signed-off-by: Nick Khyl <nickk@tailscale.com>	1 year ago
Brad Fitzpatrick	745931415c	health, all: remove health.Global, finish plumbing health.Tracker Updates #11874 Updates #4136 Change-Id: I414470f71d90be9889d44c3afd53956d9f26cd61 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	ebc552d2e0	health: add Tracker type, in prep for removing global variables This moves most of the health package global variables to a new `health.Tracker` type. But then rather than plumbing the Tracker in tsd.System everywhere, this only goes halfway and makes one new global Tracker (`health.Global`) that all the existing callers now use. A future change will eliminate that global. Updates #11874 Updates #4136 Change-Id: I6ee27e0b2e35f68cb38fecdb3b2dc4c3f2e09d68 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	b0e96a6c39	net/dns: log more info when openresolv commands fail Updates #11129 Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: Ic594868ba3bc31f6d3b0721ecba4090749a81f7f	2 years ago
Andrew Lytvynov	2716250ee8	all: cleanup unused code, part 2 (#10670 ) And enable U1000 check in staticcheck. Updates #cleanup Signed-off-by: Andrew Lytvynov <awly@tailscale.com>	2 years ago
Denton Gentry	97ee3891f1	net/dns: use direct when NetworkManager has no systemd-resolved Endeavour OS, at least, uses NetworkManager 1.44.2 and does not use systemd-resolved behind the scenes at all. If we find ourselves in that situation, return "direct" not "systemd-resolved" Fixes https://github.com/tailscale/tailscale/issues/9687 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Anton Tolchanov	388b124513	net/dns: detect when libnss_resolve is used Having `127.0.0.53` is not the only way to use `systemd-resolved`. An alternative way is to enable `libnss_resolve` module, which seems to now be used by default on Debian 12 bookworm. Fixes #8549 Signed-off-by: Anton Tolchanov <anton@tailscale.com>	2 years ago
Will Norris	71029cea2d	all: update copyright and license headers This updates all source files to use a new standard header for copyright and license declaration. Notably, copyright no longer includes a date, and we now use the standard SPDX-License-Identifier header. This commit was done almost entirely mechanically with perl, and then some minimal manual fixes. Updates #6865 Signed-off-by: Will Norris <will@tailscale.com>	3 years ago
Maisem Ali	99aa335923	net/dns: [linux] log and add metric for dnsMode I couldn't find any logs that indicated which mode it was running in so adding that. Also added a gauge metric for dnsMode. Signed-off-by: Maisem Ali <maisem@tailscale.com>	3 years ago
Andrew Dunham	e966f024b0	net/dns: print systemd-resolved ResolvConfMode The ResolvConfMode property is documented to return how systemd-resolved is currently managing /etc/resolv.conf. Include that information in the debug line, when available, to assist in debugging DNS issues. Signed-off-by: Andrew Dunham <andrew@du.nham.ca> Change-Id: I1ae3a257df1d318d0193a8c7f135c458ec45093e	3 years ago
nyghtowl	e6e1976c3a	net/dns: remove systemd-resolved ping Ping only needed to ensure system awak otherwise utilizing resolvConf to set dns mode. Signed-off-by: nyghtowl <warrick@tailscale.com>	3 years ago
Brad Fitzpatrick	7eaf5e509f	net/netaddr: start migrating to net/netip via new netaddr adapter package Updates #5162 Change-Id: Id7bdec303b25471f69d542f8ce43805328d56c12 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	3 years ago
Brad Fitzpatrick	2ff481ff10	net/dns: add health check for particular broken-ish Linux DNS config Updates #3937 (need to write docs before closing) Change-Id: I1df7244cfbb0303481e2621ee750d21358bd67c6 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	21358cf2f5	net/dns: slightly optimize dbusPing for non-dbus case [Linux] Avoid some work when D-Bus isn't running. Change-Id: I6f89bb75fdb24c13f61be9b400610772756db1ef Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	15599323a1	net/dns: fix systemd-resolved detection race at boot If systemd-resolved is enabled but not running (or not yet running, such as early boot) and resolv.conf is old/dangling, we weren't detecting systemd-resolved. This moves its ping earlier, which will trigger it to start up and write its file. Updates #3362 (likely fixes) Updates #3531 (likely fixes) Change-Id: I6392944ac59f600571c43b8f7a677df224f2beed Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	6feb8f4c51	net/dns: log why resolved does not look like it's on use [Linux] Updates #3742 Updates #3531 Change-Id: I9fc7fa0f4bcab1cf8001ba92408c660a5b25f105 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
David Anderson	c5d572f371	net/dns: correctly handle NetworkManager-managed DNS that points to resolved. Fixes #3304 Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	a320d70614	net/dns: fall back to copy+delete/truncate if moving to/from /etc/resolv.conf fails. In some containers, /etc/resolv.conf is a bind-mount from outside the container. This prevents renaming to or from /etc/resolv.conf, because it's on a different filesystem from linux's perspective. It also prevents removing /etc/resolv.conf, because doing so would break the bind-mount. If we find ourselves within this environment, fall back to using copy+delete when renaming to /etc/resolv.conf, and copy+truncate when renaming from /etc/resolv.conf. Fixes #3000 Co-authored-by: Denton Gentry <dgentry@tailscale.com> Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	10547d989d	net/dns: exhaustively test DNS selection paths for linux. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
David Anderson	c071bcda33	net/dns: relax systemd-resolved detection. Reported on IRC: a resolv.conf that contained two entries for "nameserver 127.0.0.53", which defeated our "is resolved actually in charge" check. Relax that check to allow any number of nameservers, as long as they're all 127.0.0.53. Signed-off-by: David Anderson <danderson@tailscale.com>	4 years ago
Brad Fitzpatrick	065c4ffc2c	net/dns: add start of Linux newOSConfigurator tests Only one test case so far. Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
Brad Fitzpatrick	09a47ea3f1	net/dns: prep for writing manager_linux tests; pull some stuff out Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	4 years ago
David Crawshaw	9b063b86c3	net/dns: factor directManager out over an FS interface This is preliminary work for using the directManager as part of a wslManager on windows, where in addition to configuring windows we'll use wsl.exe to edit the linux file system and modify the system resolv.conf. The pinholeFS is a little funky, but it's designed to work through simple unix tools via wsl.exe without invoking bash. I would not have thought it would stand on its own like this, but it turns out it's useful for writing a test for the directManager. Signed-off-by: David Crawshaw <crawshaw@tailscale.com>	4 years ago
David Anderson	9337826011	net/dns: fix inverted test for NetworkManager version. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	320cc8fa21	net/dns: verify that systemd-resolved is actually in charge. It's possible to install a configuration that passes our current checks for systemd-resolved, without actually pointing to systemd-resolved. In that case, we end up programming DNS in resolved, but that config never applies to any name resolution requests on the system. This is quite a far-out edge case, but there's a simple additional check we can do: if the header comment names systemd-resolved, there should be a single nameserver in resolv.conf pointing to 127.0.0.53. If not, the configuration should be treated as an unmanaged resolv.conf. Fixes #2136. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	e7164425b3	net/dns: don't use NetworkManager for DNS on very old NetworkManagers. Fixes #1945. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
Dave Anderson	144c68b80b	net/dns: avoid using NetworkManager as much as possible. (#1945 ) Addresses #1699 as best as possible. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	cfde997699	net/dns: don't use interfaces.Tailscale to find the tailscale interface index. interfaces.Tailscale only returns an interface if it has at least one Tailscale IP assigned to it. In the resolved DNS manager, when we're called upon to tear down DNS config, the interface no longer has IPs. Instead, look up the interface index on construction and reuse it throughout the daemon lifecycle. Fixes #1892. Signed-off-by: David Anderson <dave@natulte.net>	5 years ago
David Anderson	f6b7d08aea	net/dns: work around new NetworkManager in other selection paths. Further bits of #1788 Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	25ce9885a2	net/dns: don't use NM+resolved for NM >=1.26.6. NetworkManager fixed the bug that forced us to use NetworkManager if it's programming systemd-resolved, and in the same release also made NetworkManager ignore DNS settings provided for unmanaged interfaces... Which breaks what we used to do. So, with versions 1.26.6 and above, we MUST NOT use NetworkManager to indirectly program systemd-resolved, but thankfully we can talk to resolved directly and get the right outcome. Fixes #1788 Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	bb0710d51d	net/dns: add debugging traces to DNS manager selection on linux. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	4b70c7b717	net/dns: fix inverted test for NetworkManager. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	4849a4d3c8	net/dns: error out on linux if /etc/resolv.conf can't be read. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	1f9b73a531	net/dns: fix freebsd DNS manager selection. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	d6bb11b5bf	net/dns: implement correct manager detection on linux. Part of #953. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	854d5d36a1	net/dns: return error from NewOSManager, use it to initialize NM. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	cca230cc23	net/dns: fix staticcheck errors. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	a7340c2015	net/dns: support split DNS in systemd-resolved. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	84430cdfa1	net/dns: improve NetworkManager detection, using more DBus. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	9a48bac8ad	net/dns: rename resolvconf.go to debian_resolvconf.go. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	58760f7b82	net/dns: split resolvconfManager into a debian and an openresolv manager. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	4c61ebacf4	wgengine: move DNS configuration out of wgengine/router. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	a39d2403bc	net/dns: disable NetworkManager and resolved configurators temporarily. They need some rework to do the right thing, in the meantime the direct and resolvconf managers will work out. The resolved implementation was never selected due to control-side settings. The networkmanager implementation mostly doesn't get selected due to unforeseen interactions with `resolvconf` on many platforms. Both implementations also need rework to support the various routing modes they're capable of. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago
David Anderson	befd8e4e68	net/dns: replace managerImpl with OSConfigurator in code. Signed-off-by: David Anderson <danderson@tailscale.com>	5 years ago

1 2

54 Commits (8085324449c133adf6214f07845df62cac970b30)