ipn/ipnlocal: use fallback default DNS whenever exit nodes are on.

Fixes #1625 Signed-off-by: David Anderson <danderson@tailscale.com>
2025-05-02 21:51:06 +00:00 · 2021-04-22 15:24:18 -07:00 · 2021-04-22 15:24:18 -07:00 · 36d030cc36
commit 36d030cc36
parent 67ba6aa9fd
1 changed files with 13 additions and 7 deletions
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@ -1650,15 +1650,21 @@ func (b *LocalBackend) authReconfig() {
 		switch {
 		case len(dcfg.DefaultResolvers) != 0:
 			// Default resolvers already set.
-		case len(dcfg.Routes) == 0 && len(dcfg.Hosts) == 0 && len(dcfg.AuthoritativeSuffixes) == 0:
+		case !uc.ExitNodeID.IsZero():
-			// No settings requiring split DNS, no problem.
+			// When using exit nodes, it's very likely the LAN
-		case (version.OS() == "iOS" || version.OS() == "macOS") && !uc.ExitNodeID.IsZero():
+			// resolvers will become unreachable. So, force use of the
-			// On Apple OSes, if your NetworkExtension provides a
+			// fallback resolvers until we implement DNS forwarding to
-			// default route, underlying primary resolvers are
+			// exit nodes.
-			// automatically removed, so we MUST provide a set of
+			//
-			// resolvers capable of resolving the entire world.
+			// This is especially important on Apple OSes, where
 			// adding the default route to the tunnel interface makes
 			// it "primary", and we MUST provide VPN-sourced DNS
 			// settings or we break all DNS resolution.
 			//
 			// https://github.com/tailscale/tailscale/issues/1713
 			addDefault(nm.DNS.FallbackResolvers)
 		case len(dcfg.Routes) == 0 && len(dcfg.Hosts) == 0 && len(dcfg.AuthoritativeSuffixes) == 0:
 			// No settings requiring split DNS, no problem.
 		case version.OS() == "android":
 			// We don't support split DNS at all on Android yet.
 			addDefault(nm.DNS.FallbackResolvers)