mirror of
https://github.com/tailscale/tailscale.git
synced 2024-12-11 02:34:43 +00:00
ipn/ipnlocal: allow Split-DNS and default resolvers with WireGuard nodes
The initial implementation directly mirrored the behavior of Tailscale exit nodes, where the WireGuard exit node DNS took precedence over other configuration. This adjusted implementation treats the WireGuard DNS resolvers as a lower precedence default resolver than the tailnet default resolver, and allows split DNS configuration as well. This also adds test coverage to the existing DNS selection behavior with respect to default resolvers and split DNS routes for Tailscale exit nodes above cap 25. There may be some refinement to do in the logic in those cases, as split DNS may not be working as we intend, though that would be a pre-existing and separate issue. Updates #9377 Signed-off-by: James Tucker <james@tailscale.com>
This commit is contained in:
parent
3056a98bbd
commit
c7ce4e07e5
@ -3308,9 +3308,7 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg.
|
|||||||
}
|
}
|
||||||
|
|
||||||
addDefault := func(resolvers []*dnstype.Resolver) {
|
addDefault := func(resolvers []*dnstype.Resolver) {
|
||||||
for _, r := range resolvers {
|
dcfg.DefaultResolvers = append(dcfg.DefaultResolvers, resolvers...)
|
||||||
dcfg.DefaultResolvers = append(dcfg.DefaultResolvers, r)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// If we're using an exit node and that exit node is new enough (1.19.x+)
|
// If we're using an exit node and that exit node is new enough (1.19.x+)
|
||||||
@ -3320,14 +3318,17 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg.
|
|||||||
return dcfg
|
return dcfg
|
||||||
}
|
}
|
||||||
|
|
||||||
// If we're using an exit node and that exit node is IsWireGuardOnly with
|
// If the user has set default resolvers ("override local DNS"), prefer to
|
||||||
// ExitNodeDNSResolver set, then add that as the default.
|
// use those resolvers as the default, otherwise if there are WireGuard exit
|
||||||
|
// node resolvers, use those as the default.
|
||||||
|
if len(nm.DNS.Resolvers) > 0 {
|
||||||
|
addDefault(nm.DNS.Resolvers)
|
||||||
|
} else {
|
||||||
if resolvers, ok := wireguardExitNodeDNSResolvers(nm, peers, prefs.ExitNodeID()); ok {
|
if resolvers, ok := wireguardExitNodeDNSResolvers(nm, peers, prefs.ExitNodeID()); ok {
|
||||||
addDefault(resolvers)
|
addDefault(resolvers)
|
||||||
return dcfg
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
addDefault(nm.DNS.Resolvers)
|
|
||||||
for suffix, resolvers := range nm.DNS.Routes {
|
for suffix, resolvers := range nm.DNS.Routes {
|
||||||
fqdn, err := dnsname.ToFQDN(suffix)
|
fqdn, err := dnsname.ToFQDN(suffix)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -3342,11 +3343,7 @@ func dnsConfigForNetmap(nm *netmap.NetworkMap, peers map[tailcfg.NodeID]tailcfg.
|
|||||||
//
|
//
|
||||||
// While we're already populating it, might as well size the
|
// While we're already populating it, might as well size the
|
||||||
// slice appropriately.
|
// slice appropriately.
|
||||||
dcfg.Routes[fqdn] = make([]*dnstype.Resolver, 0, len(resolvers))
|
dcfg.Routes[fqdn] = append(dcfg.Routes[fqdn], resolvers...)
|
||||||
|
|
||||||
for _, r := range resolvers {
|
|
||||||
dcfg.Routes[fqdn] = append(dcfg.Routes[fqdn], r)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Set FallbackResolvers as the default resolvers in the
|
// Set FallbackResolvers as the default resolvers in the
|
||||||
|
@ -28,6 +28,7 @@
|
|||||||
"tailscale.com/types/logid"
|
"tailscale.com/types/logid"
|
||||||
"tailscale.com/types/netmap"
|
"tailscale.com/types/netmap"
|
||||||
"tailscale.com/types/ptr"
|
"tailscale.com/types/ptr"
|
||||||
|
"tailscale.com/util/dnsname"
|
||||||
"tailscale.com/util/set"
|
"tailscale.com/util/set"
|
||||||
"tailscale.com/wgengine"
|
"tailscale.com/wgengine"
|
||||||
"tailscale.com/wgengine/filter"
|
"tailscale.com/wgengine/filter"
|
||||||
@ -922,41 +923,191 @@ type tc struct {
|
|||||||
nm := &netmap.NetworkMap{}
|
nm := &netmap.NetworkMap{}
|
||||||
gotResolvers, gotOK := wireguardExitNodeDNSResolvers(nm, peers, tc.id)
|
gotResolvers, gotOK := wireguardExitNodeDNSResolvers(nm, peers, tc.id)
|
||||||
|
|
||||||
if gotOK != tc.wantOK || !resolversEqual(gotResolvers, tc.wantResolvers) {
|
if gotOK != tc.wantOK || !resolversEqual(t, gotResolvers, tc.wantResolvers) {
|
||||||
t.Errorf("case: %s: got %v, %v, want %v, %v", tc.name, gotOK, gotResolvers, tc.wantOK, tc.wantResolvers)
|
t.Errorf("case: %s: got %v, %v, want %v, %v", tc.name, gotOK, gotResolvers, tc.wantOK, tc.wantResolvers)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestDNSConfigForNetmapForWireguardExitNode(t *testing.T) {
|
func TestDNSConfigForNetmapForExitNodeConfigs(t *testing.T) {
|
||||||
resolvers := []*dnstype.Resolver{{Addr: "dns.example.com"}}
|
type tc struct {
|
||||||
nm := &netmap.NetworkMap{}
|
name string
|
||||||
peers := map[tailcfg.NodeID]tailcfg.NodeView{
|
exitNode tailcfg.StableNodeID
|
||||||
1: (&tailcfg.Node{
|
peers []tailcfg.NodeView
|
||||||
|
dnsConfig *tailcfg.DNSConfig
|
||||||
|
wantDefaultResolvers []*dnstype.Resolver
|
||||||
|
wantRoutes map[dnsname.FQDN][]*dnstype.Resolver
|
||||||
|
}
|
||||||
|
|
||||||
|
defaultResolvers := []*dnstype.Resolver{{Addr: "default.example.com"}}
|
||||||
|
wgResolvers := []*dnstype.Resolver{{Addr: "wg.example.com"}}
|
||||||
|
peers := []tailcfg.NodeView{
|
||||||
|
(&tailcfg.Node{
|
||||||
ID: 1,
|
ID: 1,
|
||||||
StableID: "1",
|
StableID: "wg",
|
||||||
IsWireGuardOnly: true,
|
IsWireGuardOnly: true,
|
||||||
ExitNodeDNSResolvers: resolvers,
|
ExitNodeDNSResolvers: wgResolvers,
|
||||||
|
Hostinfo: (&tailcfg.Hostinfo{}).View(),
|
||||||
|
}).View(),
|
||||||
|
// regular tailscale exit node with DNS capabilities
|
||||||
|
(&tailcfg.Node{
|
||||||
|
Cap: 26,
|
||||||
|
ID: 2,
|
||||||
|
StableID: "ts",
|
||||||
Hostinfo: (&tailcfg.Hostinfo{}).View(),
|
Hostinfo: (&tailcfg.Hostinfo{}).View(),
|
||||||
}).View(),
|
}).View(),
|
||||||
}
|
}
|
||||||
prefs := &ipn.Prefs{
|
exitDOH := peerAPIBase(&netmap.NetworkMap{Peers: peers}, peers[0]) + "/dns-query"
|
||||||
ExitNodeID: "1",
|
routes := map[dnsname.FQDN][]*dnstype.Resolver{
|
||||||
CorpDNS: true,
|
"route.example.com.": {{Addr: "route.example.com"}},
|
||||||
|
}
|
||||||
|
stringifyRoutes := func(routes map[dnsname.FQDN][]*dnstype.Resolver) map[string][]*dnstype.Resolver {
|
||||||
|
if routes == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
m := make(map[string][]*dnstype.Resolver)
|
||||||
|
for k, v := range routes {
|
||||||
|
m[string(k)] = v
|
||||||
|
}
|
||||||
|
return m
|
||||||
}
|
}
|
||||||
|
|
||||||
got := dnsConfigForNetmap(nm, peers, prefs.View(), t.Logf, "")
|
tests := []tc{
|
||||||
if !resolversEqual(got.DefaultResolvers, resolvers) {
|
{
|
||||||
t.Errorf("got %v, want %v", got.DefaultResolvers, resolvers)
|
name: "noExit/noRoutes/noResolver",
|
||||||
|
exitNode: "",
|
||||||
|
peers: peers,
|
||||||
|
dnsConfig: &tailcfg.DNSConfig{},
|
||||||
|
wantDefaultResolvers: nil,
|
||||||
|
wantRoutes: nil,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "tsExit/noRoutes/noResolver",
|
||||||
|
exitNode: "ts",
|
||||||
|
peers: peers,
|
||||||
|
dnsConfig: &tailcfg.DNSConfig{},
|
||||||
|
wantDefaultResolvers: []*dnstype.Resolver{{Addr: exitDOH}},
|
||||||
|
wantRoutes: nil,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "tsExit/noRoutes/defaultResolver",
|
||||||
|
exitNode: "ts",
|
||||||
|
peers: peers,
|
||||||
|
dnsConfig: &tailcfg.DNSConfig{Resolvers: defaultResolvers},
|
||||||
|
wantDefaultResolvers: []*dnstype.Resolver{{Addr: exitDOH}},
|
||||||
|
wantRoutes: nil,
|
||||||
|
},
|
||||||
|
|
||||||
|
// The following two cases may need to be revisited. For a shared-in
|
||||||
|
// exit node split-DNS may effectively break, furthermore in the future
|
||||||
|
// if different nodes observe different DNS configurations, even a
|
||||||
|
// tailnet local exit node may present a different DNS configuration,
|
||||||
|
// which may not meet expectations in some use cases.
|
||||||
|
// In the case where a default resolver is set, the default resolver
|
||||||
|
// should also perhaps take precedence also.
|
||||||
|
{
|
||||||
|
name: "tsExit/routes/noResolver",
|
||||||
|
exitNode: "ts",
|
||||||
|
peers: peers,
|
||||||
|
dnsConfig: &tailcfg.DNSConfig{Routes: stringifyRoutes(routes)},
|
||||||
|
wantDefaultResolvers: []*dnstype.Resolver{{Addr: exitDOH}},
|
||||||
|
wantRoutes: nil,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "tsExit/routes/defaultResolver",
|
||||||
|
exitNode: "ts",
|
||||||
|
peers: peers,
|
||||||
|
dnsConfig: &tailcfg.DNSConfig{Routes: stringifyRoutes(routes), Resolvers: defaultResolvers},
|
||||||
|
wantDefaultResolvers: []*dnstype.Resolver{{Addr: exitDOH}},
|
||||||
|
wantRoutes: nil,
|
||||||
|
},
|
||||||
|
|
||||||
|
// WireGuard exit nodes with DNS capabilities provide a "fallback" type
|
||||||
|
// behavior, they have a lower precedence than a default resolver, but
|
||||||
|
// otherwise allow split-DNS to operate as normal, and are used when
|
||||||
|
// there is no default resolver.
|
||||||
|
{
|
||||||
|
name: "wgExit/noRoutes/noResolver",
|
||||||
|
exitNode: "wg",
|
||||||
|
peers: peers,
|
||||||
|
dnsConfig: &tailcfg.DNSConfig{},
|
||||||
|
wantDefaultResolvers: wgResolvers,
|
||||||
|
wantRoutes: nil,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "wgExit/noRoutes/defaultResolver",
|
||||||
|
exitNode: "wg",
|
||||||
|
peers: peers,
|
||||||
|
dnsConfig: &tailcfg.DNSConfig{Resolvers: defaultResolvers},
|
||||||
|
wantDefaultResolvers: defaultResolvers,
|
||||||
|
wantRoutes: nil,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "wgExit/routes/defaultResolver",
|
||||||
|
exitNode: "wg",
|
||||||
|
peers: peers,
|
||||||
|
dnsConfig: &tailcfg.DNSConfig{Routes: stringifyRoutes(routes), Resolvers: defaultResolvers},
|
||||||
|
wantDefaultResolvers: defaultResolvers,
|
||||||
|
wantRoutes: routes,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
name: "wgExit/routes/noResolver",
|
||||||
|
exitNode: "wg",
|
||||||
|
peers: peers,
|
||||||
|
dnsConfig: &tailcfg.DNSConfig{Routes: stringifyRoutes(routes)},
|
||||||
|
wantDefaultResolvers: wgResolvers,
|
||||||
|
wantRoutes: routes,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
|
||||||
|
for _, tc := range tests {
|
||||||
|
t.Run(tc.name, func(t *testing.T) {
|
||||||
|
nm := &netmap.NetworkMap{
|
||||||
|
Peers: tc.peers,
|
||||||
|
DNS: *tc.dnsConfig,
|
||||||
|
}
|
||||||
|
|
||||||
|
prefs := &ipn.Prefs{ExitNodeID: tc.exitNode, CorpDNS: true}
|
||||||
|
got := dnsConfigForNetmap(nm, peersMap(tc.peers), prefs.View(), t.Logf, "")
|
||||||
|
if !resolversEqual(t, got.DefaultResolvers, tc.wantDefaultResolvers) {
|
||||||
|
t.Errorf("DefaultResolvers: got %#v, want %#v", got.DefaultResolvers, tc.wantDefaultResolvers)
|
||||||
|
}
|
||||||
|
if !routesEqual(t, got.Routes, tc.wantRoutes) {
|
||||||
|
t.Errorf("Routes: got %#v, want %#v", got.Routes, tc.wantRoutes)
|
||||||
|
}
|
||||||
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func resolversEqual(a, b []*dnstype.Resolver) bool {
|
func resolversEqual(t *testing.T, a, b []*dnstype.Resolver) bool {
|
||||||
|
if a == nil && b == nil {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
if a == nil || b == nil {
|
||||||
|
t.Errorf("resolversEqual: a == nil || b == nil : %#v != %#v", a, b)
|
||||||
|
return false
|
||||||
|
}
|
||||||
if len(a) != len(b) {
|
if len(a) != len(b) {
|
||||||
|
t.Errorf("resolversEqual: len(a) != len(b) : %#v != %#v", a, b)
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
for i := range a {
|
for i := range a {
|
||||||
if !a[i].Equal(b[i]) {
|
if !a[i].Equal(b[i]) {
|
||||||
|
t.Errorf("resolversEqual: a != b [%d]: %v != %v", i, *a[i], *b[i])
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
func routesEqual(t *testing.T, a, b map[dnsname.FQDN][]*dnstype.Resolver) bool {
|
||||||
|
if len(a) != len(b) {
|
||||||
|
t.Logf("routes: len(a) != len(b): %d != %d", len(a), len(b))
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
for name := range a {
|
||||||
|
if !resolversEqual(t, a[name], b[name]) {
|
||||||
|
t.Logf("routes: a != b [%s]: %v != %v", name, a[name], b[name])
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user