tailscale

Commit Graph

Author	SHA1	Message	Date
Brad Fitzpatrick	2aade349fc	net/dns, types/dnstypes: update some comments, tests for DoH Clarify & verify that some DoH URLs can be sent over tailcfg in some limited cases. Updates #2452 Change-Id: Ibb25db77788629c315dc26285a1059a763989e24 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	58abae1f83	net/dns/{publicdns,resolver}: add NextDNS DoH support NextDNS is unique in that users create accounts and then get user-specific DNS IPs & DoH URLs. For DoH, the customer ID is in the URL path. For IPv6, the IP address includes the customer ID in the lower bits. For IPv4, there's a fragile "IP linking" mechanism to associate your public IPv4 with an assigned NextDNS IPv4 and that tuple maps to your customer ID. We don't use the IP linking mechanism. Instead, NextDNS is DoH-only. Which means using NextDNS necessarily shunts all DNS traffic through 100.100.100.100 (programming the OS to use 100.100.100.100 as the global resolver) because operating systems can't usually do DoH themselves. Once it's in Tailscale's DoH client, we then connect out to the known NextDNS IPv4/IPv6 anycast addresses. If the control plane sends the client a NextDNS IPv6 address, we then map it to the corresponding NextDNS DoH with the same client ID, and we dial that DoH server using the combination of v4/v6 anycast IPs. Updates #2452 Change-Id: I3439d798d21d5fc9df5a2701839910f5bef85463 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	f52a659076	net/dnsfallback: allow setting log function (#5550 ) This broke a test in corp that enforces we don't use the log package. Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Andrew Dunham	b8596f2a2f	net/dnsfallback: cache most recent DERP map on disk (#5545 ) This is especially helpful as we launch newer DERPs over time, and older clients have progressively out-of-date static DERP maps baked in. After this, as long as the client has successfully connected once, it'll cache the most recent DERP map it knows about. Resolves an in-code comment from @bradfitz Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Kris Brandow	19008a3023	net/dnscache: use net/netip Removes usage of net.IP and net.IPAddr where possible from net/dnscache. Fixes #5282 Signed-off-by: Kris Brandow <kris.brandow@gmail.com>	2 years ago
Brad Fitzpatrick	9bd9f37d29	go.mod: bump wireguard/windows, which moves to using net/netip Updates #5162 Change-Id: If99a3f0000bce0c01bdf44da1d513f236fd7cdf8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	9f6c8517e0	net/dns: set OS DNS to 100.100.100.100 for route-less ExtraRecords [cap 41] If ExtraRecords (Hosts) are specified without a corresponding split DNS route and global DNS is specified, then program the host OS DNS to use 100.100.100.100 so it can blend in those ExtraRecords. Updates #1543 Change-Id: If49014a5ecc8e38978ff26e54d1f74fe8dbbb9bc Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	68d9d161f4	net/dns: [win] fix regression in disableDynamicUpdate Somehow I accidentally set the wrong registry value here. It should be DisableDynamicUpdate=1 and not EnableDNSUpdate=0. This is a regression from `545639e`. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Nahum Shalman	214242ff62	net/dns/publicdns: Add Mullvad DoH See https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/ The Mullvad DoH servers appear to only speak HTTP/2 and the use of a non-nil DialContext in the http.Transport means that ForceAttemptHTTP2 must be set to true to be able to use them. Signed-off-by: Nahum Shalman <nahamu@gmail.com>	2 years ago
Maisem Ali	9197dd14cc	net/dns: [win] add MagicDNS entries to etc/hosts This works around the 2.3s delay in short name lookups when SNR is enabled. C:\Windows\System32\drivers\etc\hosts file. We only add known hosts that match the search domains, and we populate the list in order of Search Domains so that our matching algorithm mimics what Windows would otherwise do itself if SNR was off. Updates #1659 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Kris Brandow	9ae1161e85	net/dnscache: fix v4addrs to return only v4 addrs Update the v4addrs function to filter out IPv6 addresses. Fixes regression from `8725b14056`. Signed-off-by: Kris Brandow <kris.brandow@gmail.com>	2 years ago
Kris Brandow	8f38afbf8e	net/stun: convert to use net/netip.AddrPort Convert ParseResponse and Response to use netip.AddrPort instead of net.IP and separate port. Fixes #5281 Signed-off-by: Kris Brandow <kris.brandow@gmail.com>	2 years ago
Maisem Ali	25865f81ee	net/dns: disable NetBIOS on Tailscale interfaces Like LLMNR, NetBIOS also adds resolution delays and we don't support it anyway so just disable it on the interface. Updates #1659 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	545639ee44	util/winutil: consolidate interface specific registry keys Code movement to allow reuse in a follow up PR. Updates #1659 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	1cff719015	net/dns: [win] respond with SERVFAIL queries when no resolvers Currently we forward unmatched queries to the default resolver on Windows. This results in duplicate queries being issued to the same resolver which is just wasted. Updates #1659 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Andrew Dunham	d942a2ff56	net/dnscache: try IPv6 addresses first (#5349 ) Signed-off-by: Andrew Dunham <andrew@tailscale.com> Signed-off-by: Andrew Dunham <andrew@tailscale.com>	2 years ago
Maisem Ali	3bb57504af	net/dns/resolver: add comments clarifying nil error returns Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Maisem Ali	4497bb0b81	net/dns/resolver: return SERVFAIL when no upstream resolvers set Otherwise we just keep looping over the same thing again and again. ``` dns udp query: upstream nameservers not set dns udp query: upstream nameservers not set dns udp query: upstream nameservers not set ``` Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	ec9d13bce5	hostinfo, net/netcheck: use CutPrefix Updates #5309 Change-Id: I37e594cfd245784bf810c493de68a66d3ff20677 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	18109c63b0	net/socks5: use new Go 1.19 binary.AppendByteOrder.AppendUintX Updates #4872 Change-Id: I43db63d2ba237324bc1cd87d4261197f14cb1088 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	f0d6f173c9	net/netcheck: try ICMP if UDP is blocked (#5056 ) Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Maisem Ali	a9f6cd41fd	all: use syncs.AtomicValue Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	4950fe60bd	syncs, all: move to using Go's new atomic types instead of ours Fixes #5185 Change-Id: I850dd532559af78c3895e2924f8237ccc328449d Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Maisem Ali	9bb5a038e5	all: use atomic.Pointer Also add some missing docs. Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
Brad Fitzpatrick	5381437664	logtail, net/portmapper, wgengine/magicsock: use fmt.Appendf Fixes #5206 Change-Id: I490bb92e774ce7c044040537e2cd864fcf1dbe5a Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	5f6abcfa6f	all: migrate code from netaddr.FromStdAddr to Go 1.18 With caveat https://github.com/golang/go/issues/53607#issuecomment-1203466984 that then requires a new wrapper. But a simpler one at least. Updates #5162 Change-Id: I0a5265065bfcd7f21e8dd65b2bd74cae90d76090 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	8725b14056	all: migrate more code code to net/netip directly Instead of going through the tailscale.com/net/netaddr transitional wrappers. Updates #5162 Change-Id: I3dafd1c2effa1a6caa9b7151ecf6edd1a3fda3dd Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	116f55ff66	all: gofmt for Go 1.19 Updates #5210 Change-Id: Ib02cd5e43d0a8db60c1f09755a8ac7b140b670be Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Aaron Klotz	4dbdb19c26	net/tshttpproxy: fix incorrect type in Windows implementation, switch to mkwinsyscall, fix memory leak The definition of winHTTPProxyInfo was using the wrong type (uint16 vs uint32) for its first field. I fixed that type. Furthermore, any UTF16 strings returned in that structure must be explicitly freed. I added code to do this. Finally, since this is the second time I've seen type safety errors in this code, I switched the native API calls over to use wrappers generated by mkwinsyscall. I know that would not have helped prevent the previous two problems, but every bit helps IMHO. Updates https://github.com/tailscale/tailscale/issues/4811 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
nyghtowl	e6e1976c3a	net/dns: remove systemd-resolved ping Ping only needed to ensure system awak otherwise utilizing resolvConf to set dns mode. Signed-off-by: nyghtowl <warrick@tailscale.com>	2 years ago
Brad Fitzpatrick	a12aad6b47	all: convert more code to use net/netip directly perl -i -npe 's,netaddr.IPPrefixFrom,netip.PrefixFrom,' $(git grep -l -F netaddr.) perl -i -npe 's,netaddr.IPPortFrom,netip.AddrPortFrom,' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPrefix,netip.Prefix,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPPort,netip.AddrPort,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IP\b,netip.Addr,g' $(git grep -l -F netaddr. ) perl -i -npe 's,netaddr.IPv6Raw\b,netip.AddrFrom16,g' $(git grep -l -F netaddr. ) goimports -w . Then delete some stuff from the net/netaddr shim package which is no longer neeed. Updates #5162 Change-Id: Ia7a86893fe21c7e3ee1ec823e8aba288d4566cd8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	6a396731eb	all: use various net/netip parse funcs directly Mechanical change with perl+goimports. Changed {Must,}Parse{IP,IPPrefix,IPPort} to their netip variants, then goimports -d . Finally, removed the net/netaddr wrappers, to prevent future use. Updates #5162 Change-Id: I59c0e38b5fbca5a935d701645789cddf3d7863ad Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	7eaf5e509f	net/netaddr: start migrating to net/netip via new netaddr adapter package Updates #5162 Change-Id: Id7bdec303b25471f69d542f8ce43805328d56c12 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Aaron Klotz	1cae618b03	net/dns: add Windows group policy notifications to the NRPT rule manager As discussed in previous PRs, we can register for notifications when group policies are updated and act accordingly. This patch changes nrptRuleDatabase to receive notifications that group policy has changed and automatically move our NRPT rules between the local and group policy subkeys as needed. Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Melanie Warrick	f17873e0f4	net/dns: handle D-Bus restarts in resolved manager (#5026 ) When dbus restarts it can cause the tailscaled to crash because the nil signal was not handled in resolved.Fixing so the nil signal leads to a connection reset and tailscaled stays connected to systemd when dbus restarted. Fixes #4645 Co-authored-by: James Tucker <james@tailscale.com> Signed-off-by: nyghtowl <warrick@tailscale.com> Co-authored-by: James Tucker <james@tailscale.com>	2 years ago
Maisem Ali	9514ed33d2	go.mod: bump gvisor.dev/gvisor Pick up https://github.com/google/gvisor/pull/7787 Signed-off-by: Maisem Ali <maisem@tailscale.com>	2 years ago
David Anderson	c1cb3efbba	net/netcheck: test for OS IPv6 support as well as connectivity. This lets us distinguish "no IPv6 because the device's ISP doesn't offer IPv6" from "IPv6 is unavailable/disabled in the OS". Signed-off-by: David Anderson <danderson@tailscale.com>	2 years ago
Brad Fitzpatrick	0d52674a84	net/tstun: diagnose /dev/net/tun fd leak, give better failure message Updates #5029 Change-Id: Ibee5e0c9076fe764eb5d856d5ef8b09f4d0e2921 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Andrew Dunham	c7993d2b88	net/dns/resolver: add fuzz/unit test for #2533 (#5018 ) Signed-off-by: Andrew Dunham <andrew@du.nham.ca>	2 years ago
Tom DNetto	d6817d0f22	net/dns/resolver: respond with SERVFAIL if all upstreams fail Fixes #4722 Signed-off-by: Tom DNetto <tom@tailscale.com>	2 years ago
Mihai Parparita	ec649e707f	ipn/ipnlocal: prefer to use one CGNAT route on the Mac Together with `06aa141632` this minimizes the number of NEPacketTunnelNetworkSettings updates that we have to do, and thus avoids Chrome interrupting outstanding requests due to (perceived) network changes. Updates #3102 Signed-off-by: Mihai Parparita <mihai@tailscale.com>	2 years ago
Brad Fitzpatrick	aa37aece9c	ipn/ipnlocal, net/dns, util/cloudenv: add AWS DNS support And remove the GCP special-casing from ipn/ipnlocal; do it only in the forwarder for .internal. Fixes #4980 Fixes #4981 Change-Id: I5c481e96d91f3d51d274a80fbd37c38f16dfa5cb Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Brad Fitzpatrick	88c2afd1e3	ipn/ipnlocal, net/dns, util/cloudenv: specialize DNS config on Google Cloud This does three things: If you're on GCP, it adds a .internal DNS split route to the metadata server, so we never break GCP DNS names. This lets people have some Tailscale nodes on GCP and some not (e.g. laptops at home) without having to add a Tailnet-wide .internal DNS route. If you already have such a route, though, it won't overwrite it. * If the 100.100.100.100 DNS forwarder has nowhere to forward to, it forwards it to the GCP metadata IP, which forwards to 8.8.8.8. This means there are never errNoUpstreams ("upstream nameservers not set") errors on GCP due to e.g. mangled /etc/resolv.conf (GCP default VMs don't have systemd-resolved, so it's likely a DNS supremacy fight) * makes the DNS fallback mechanism use the GCP metadata IP as a fallback before our hosted HTTP-based fallbacks I created a default GCP VM from their web wizard. It has no systemd-resolved. I then made its /etc/resolv.conf be empty and deleted its GCP hostnames in /etc/hosts. I then logged in to a tailnet with no global DNS settings. With this, tailscaled writes /etc/resolv.conf (direct mode, as no systemd-resolved) and sets it to 100.100.100.100, which then has regular DNS via the metadata IP and .internal DNS via the metadata IP as well. If the tailnet configures explicit DNS servers, those are used instead, except for .internal. This also adds a new util/cloudenv package based on version/distro where the cloud type is only detected once. We'll likely expand it in the future for other clouds, doing variants of this change for other popular cloud environments. Fixes #4911 RELNOTES=Google Cloud DNS improvements Change-Id: I19f3c2075983669b2b2c0f29a548da8de373c7cf Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago
Denton Gentry	d7f452c0a1	net/portmapper: send discovery packet for IGD specifically. There appear to be devices out there which send only their first descriptor in response to a discovery packet for `ssdp:all`, for example the Sagemcom FAST3890V3 only sends urn:schemas-wifialliance-org:device:WFADevice:1 Send both ssdp:all and a discovery frame for InternetGatewayDevice specifically. Updates https://github.com/tailscale/tailscale/issues/3557 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Denton Gentry	09eaba91ad	net/portmap: add a test for Sagemcom FAST3890V3. Updates https://github.com/tailscale/tailscale/issues/3557 Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Denton Gentry	b5553c6ad2	net/portmap: run go fmt Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Denton Gentry	de4c635e54	net/portmapper: make pcpCodeNotAuthorized log more descriptive If PCP is present but disabled, turning it on might help get direct connections. Signed-off-by: Denton Gentry <dgentry@tailscale.com>	2 years ago
Aaron Klotz	4baf34cf25	net/dns: set appropriate Windows registry values to prevent it from sending DNS changes concerning our interface to AD domain controllers. We do this unconditionally inside SetDNS such that the values are always set before we make any other changes to DNS configurations. It should not be harmful for the settings to remain even when other DNS settings are cleared out (since they only affect our network interface). See https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/configure-dns-dynamic-updates-windows-server-2003 for details about the registry value. Fixes https://github.com/tailscale/tailscale/issues/4829 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Aaron Klotz	8cdfd12977	net/dns: update Windows split DNS settings to work alongside other NRPT entries set by group policy. When there are group policy entries for the NRPT that do not belong to Tailscale, we recognize that we need to add ourselves to group policy and use that registry key instead of the local one. We also refresh the group policy settings as necessary to ensure that our changes take effect immediately. Fixes https://github.com/tailscale/tailscale/issues/4607 Signed-off-by: Aaron Klotz <aaron@tailscale.com>	2 years ago
Brad Fitzpatrick	13d0b8e6a4	control/controlclient, net/dnscache: use typed singleflight fork Change-Id: I12be4c5a91ae3a812fe88d9b2d15526fdbb5a921 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2 years ago

1 2 3 4 5 ...

643 Commits (b302742137fb3c6150f28f9c088723085a71f0b6)