net/dns,docs/windows/policy,util/syspolicy: register Tailscale IP addresses in AD DNS if required by policy

In this PR, we make DNS registration behavior configurable via the EnableDNSRegistration policy setting. We keep the default behavior unchanged, but allow admins to either enforce DNS registration and dynamic DNS updates for the Tailscale interface, or prevent Tailscale from modifying the settings configured in the network adapter's properties or by other means. Updates #14917 Signed-off-by: Nick Khyl <nickk@tailscale.com>
2025-08-13 22:47:30 +00:00 · 2025-05-08 18:38:48 -05:00
parent 2c16fcaa06
commit fb188c5b53
5 changed files with 121 additions and 12 deletions
--- a/docs/windows/policy/en-US/tailscale.adml
+++ b/docs/windows/policy/en-US/tailscale.adml
@@ -17,6 +17,7 @@
            <string id="SINCE_V1_74">Tailscale version 1.74.0 and later</string>
            <string id="SINCE_V1_78">Tailscale version 1.78.0 and later</string>
            <string id="SINCE_V1_82">Tailscale version 1.82.0 and later</string>
+            <string id="SINCE_V1_84">Tailscale version 1.84.0 and later</string>
            <string id="Tailscale_Category">Tailscale</string>
            <string id="UI_Category">UI customization</string>
            <string id="Settings_Category">Settings</string>
@@ -147,6 +148,14 @@ If you disable this policy, then Use Tailscale Subnets is always disabled and th
 If you do not configure this policy, then Use Tailscale Subnets depends on what is selected in the Preferences submenu.

 See https://tailscale.com/kb/1315/mdm-keys#set-whether-the-device-accepts-tailscale-subnets or https://tailscale.com/kb/1019/subnets for more details.]]></string>
+            <string id="AlwaysRegister">Always register</string>
+            <string id="UseAdapterProperties">Use adapter properties</string>
+            <string id="DNSRegistration">Register Tailscale IP addresses in DNS</string>
+            <string id="DNSRegistration_Help"><![CDATA[This policy setting controls whether Tailscale IP addresses are registered in DNS and whether dynamic DNS updates are enabled for the Tailscale interface.
+
+If you enable this policy, you can specify whether Tailscale IP addresses should always be registered in DNS or allow the settings to be changed in the network adapter's properties (admin rights required). The "Always" option is recommended in Active Directory domain environments where all devices, including Domain Controllers, have Tailscale installed and are reachable via their Tailscale IP addresses.
+
+If you disable or do not configure this policy, Tailscale IP addresses will not be registered in DNS, and dynamic DNS updates will be disabled for the Tailscale interface. It can be used on non-domain-joined devices or in environments that primarily rely on subnet routers.]]></string>
            <string id="InstallUpdates">Automatically install updates</string>
            <string id="InstallUpdates_Help"><![CDATA[This policy can be used to require that Automatically Install Updates is configured a certain way.

@@ -299,6 +308,9 @@ See https://tailscale.com/kb/1315/mdm-keys#set-your-organization-name for more d
                    <label>Exit Node:</label>
                </textBox>
            </presentation>
+            <presentation id="DNSRegistration">
+                <dropdownList refId="DNSRegistration_Mode" noSort="true" defaultItem="0">Registration mode:</dropdownList>
+            </presentation>
            <presentation id="AllowedSuggestedExitNodes">
                <listBox refId="AllowedSuggestedExitNodesList">Target IDs:</listBox>
            </presentation>
--- a/docs/windows/policy/tailscale.admx
+++ b/docs/windows/policy/tailscale.admx
@@ -58,6 +58,10 @@
                  displayName="$(string.SINCE_V1_82)">
        <and><reference ref="TAILSCALE_PRODUCT"/></and>
      </definition>
+      <definition name="SINCE_V1_84"
+                  displayName="$(string.SINCE_V1_84)">
+        <and><reference ref="TAILSCALE_PRODUCT"/></and>
+      </definition>
    </definitions>
  </supportedOn>
  <categories>
@@ -193,6 +197,24 @@
        <string>never</string>
      </disabledValue>
    </policy>
+    <policy name="DNSRegistration" class="Machine" displayName="$(string.DNSRegistration)" explainText="$(string.DNSRegistration_Help)" presentation="$(presentation.DNSRegistration)" key="Software\Policies\Tailscale" valueName="EnableDNSRegistration">
+      <parentCategory ref="Settings_Category" />
+      <supportedOn ref="SINCE_V1_84" />
+      <elements>
+        <enum id="DNSRegistration_Mode" valueName="EnableDNSRegistration">
+          <item displayName="$(string.AlwaysRegister)">
+            <value>
+              <string>always</string>
+            </value>
+          </item>
+          <item displayName="$(string.UseAdapterProperties)">
+            <value>
+              <string>user-decides</string>
+            </value>
+          </item>
+        </enum>
+      </elements>
+    </policy>
    <policy name="InstallUpdates" class="Machine" displayName="$(string.InstallUpdates)" explainText="$(string.InstallUpdates_Help)" key="Software\Policies\Tailscale" valueName="InstallUpdates">
      <parentCategory ref="Settings_Category" />
      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />