[HN Gopher] MagicDNS is generally available
___________________________________________________________________
Author : mfiguiere
Score  : 255 points
Date   : 2022-10-20 15:55 UTC (7 hours ago)
Link   : tailscale.com

natpunk wrote:

  rrix2 wrote:
  | A cool thing you can do with MagicDNS: set your "global
  | nameserver" to a host within your tailnet and run your own
  | resolver accessible "anywhere".
  |
  | It's easy enough to set up pi-hole.net on a machine on your LAN
  | and configure your home router to hand out DHCP records that will
  | instruct LAN machines to use it, but if I wanted to have DNS-based
  | ad-blocking at the coffee shop or library or elsewhere, I
  | previously had my pi-hole listening on a public IPv4's port 53
  | and dealt with resolve.conf etc... and boy howdy does running an
  | internet-accessible DNS resolver suck! My server would receive
  | millions of requests, weird reflection attacks like [1], probes,
  | the whole nine; it made the dashboarding useless for personal
  | tracking.
  |
  | But now my pi-hole only listens on my LAN network and its tailnet
  | address, and any machine connected to the tailnet, including my
  | phone, will use the pi-hole without configuration on any network
  | via MagicDNS.
  |
  | [1]: https://www.linuxquestions.org/questions/linux-newbie-8/ther...

    moontear wrote:
    | Great setup! But you didn't say anything about MagicDNS, did
    | you? You just set your global nameserver to something on your
    | tailnet and could disable MagicDNS for this use case?

      rrix2 wrote:
      | I set my global nameserver _within the MagicDNS
      | configuration_ to use the pihole IP. If I didn't use magic
      | DNS I would have to do this for each device, and on devices
      | like Android etc. on each network I connect to. This requires
      | no thought for each device, just `tailscale up`.

  kinduff wrote:
  | I have a similar setup but deployed my PiHole in Fly.io using a
  | custom Docker image behind Tailscale.
  | This way I can just connect to Tailscale and I have ad blocking
  | automatically using their custom DNS servers.
  |
  | Very useful, and I use it all the time on my mobile devices,
  | including my laptop when I'm using guest wifis.

    O_H_E wrote:
    | WOW, that is brilliant.

    asymmetric wrote:
    | Just as a side note, I used to do this with plain WireGuard on
    | a Hetzner node. I switched to NextDNS because of latency
    | issues, but if this is not a concern, then it was a great
    | setup, and Tailscale makes it even easier!

  Melatonic wrote:
  | This is cool but... don't tons of DNS software already do this,
  | and for many many years?

    erdaniels wrote:
    | It is! But the usual thing with Tailscale is that this just
    | works out of the box. Any new person starting where I work has
    | Tailscale installed by default. Once they log in, they can
    | access any of our pis/servers that are set up with names like
    | rpi1.
    |
    | Furthermore, you've got ACLs + Tailscale SSH. That means you
    | can start day 1 and do ssh root@rpi1 and it just works. It's
    | amazing and worth so much money.
    |
    | Edit: I just really wish they would allow more than being tied
    | to Google SSO. I want to invite people outside of my domain
    | easily :o)

    xena wrote:
    | I wrote a giant diatribe about this here:
    | https://tailscale.com/blog/magicdns-why-name/
    |
    | It's not just a DNS server, it's everything _around_ the DNS
    | server.

    VTimofeenko wrote:
    | Yeah, it's totally possible to configure a stack like that. I
    | roll my own stack of unbound+nsd as ad-blocking split-horizon
    | DNS for LAN, roaming and management WG networks.
    |
    | Tailscale's value prop, as I understand it: they can manage
    | this whole thing for you.

    S0und wrote:
    | PSA: Zerotier can do the same thing, just set a hostname for a
    | client in the control center.
tosh wrote:
| rite of passage
|
| https://en.m.wikipedia.org/wiki/Right_of_passage
|
| edit: fixed

SergeAx wrote:
| While this looks fun, I still prefer to register a short domain
| (used free *.net.ru before the war) and auto-populate DNS with
| Terraform/Ansible at the provisioning stage.

  asim wrote:
  | Most people do not want to use Terraform...

    SergeAx wrote:
    | Well, you need to automate your infra anyway, so just use
    | anything that converts a bunch of YAMLs into API calls, even a
    | bash script.

pshirshov wrote:
| It breaks things and you have little control over it.
|
| It replaces the default search domain with its own.
|
| Also it doesn't keep your DNS servers in your resolv.conf, nor
| does it try to forward your query to them when it fails to
| resolve it.
|
| So, you may experience a loss of connectivity for short hostnames
| w/o tailscale (host instead of host.my.domain) or get unnecessary
| overhead for TS-enabled hosts within your local network.

  api wrote:
  | Any attempt to touch DNS always breaks things.

    pshirshov wrote:
    | Not necessarily, and in this particular case they had many
    | options to implement that better.

syats wrote:
| What is tailscale?
|
| I don't like the world where every time someone launches a
| feature on their product they get to the top of HN by calling it
| "generally available".

  simonw wrote:
  | In this particular case I think Tailscale has been discussed
  | thoroughly enough on Hacker News in the past that it's OK that
  | they didn't include the "what is Tailscale" bit
  | (https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...)
  | - but I agree, it's always better to start a blog entry with a
  | reminder. Fly.io are great at this, e.g.
  | https://fly.io/blog/introducing-litefs/

tinalumfoil wrote:
| While this is cool, I've had luck just purchasing a domain (not
| that expensive) and manually setting up DNS through that.
|
| Some advantages that it doesn't look like this would replicate:
| (1) I can have multiple domains for the same device, say
| gitea.mytsnetwork.com and netxcloud.mytsnetwork.com can go to the
| same device; (2) I can get real HTTPS certificates for those
| domains, which I consider necessary nowadays if only just to
| prevent errors; (3) it's "real" DNS, so when my browser decides to
| ignore my system settings and use DNS-over-HTTPS instead,
| everything still works.
|
| EDIT: It looks like (2) is solved by the tailscale cert command.
| I'd replace that point by saying owning the domain is important
| to controlling the certificate for me. All that said, the more I
| read into this, this looks like a really well thought-out
| feature.

  mynameisvlad wrote:
  | Tailscale has supported real certificates via LE for over a
  | year now:
  |
  | https://tailscale.com/blog/tls-certs/

    zacwest wrote:
    | Tailscale's certs are 1-per-machine, so if you want to do any
    | kind of SNI-based certificate handling, you're out of luck and
    | need to drop back to real public certificates anyway.

      mholt wrote:
      | Just wait'll you see what's possible with Caddy+Tailscale
      | (currently, and coming soon)!

        moontear wrote:
        | Do tease!

  michael_j_ward wrote:
  | > (1) I can have multiple domains for the same device, say
  | > gitea.mytsnetwork.com and netxcloud.mytsnetwork.com can go to
  | > the same device
  |
  | I tried setting up caddy on a machine and then using caddy to
  | reverse-proxy requests to each service, i.e.
  | `grafana.my-machine.tail-hex.ts.net` and
  | `controller.my-machine.tail-hex.ts`
  |
  | Obviously, `caddy` has no problem with the reverse proxy bit,
  | but I did fail at being able to point multiple routes or
  | subnet routes at the same machine via tailscale / magic-dns.
  |
  | I'm sharing because it feels like something I _should_ be
  | able to do, and I feel dumb not being able to figure it out.

    xena wrote:
    | This is exactly what we've been working on. Stay tuned ^^

      danrochman wrote:
      | Stoked!!
  maxmouchet wrote:
  | One downside of using tailscale cert, or LE for "private"
  | records, is that it writes the domain name in a public
  | Certificate Transparency log [1]. So make sure that the name
  | doesn't contain any sensitive information.
  |
  | An alternative is to issue wildcard certificates with LE, so
  | that the subdomain names are kept private.
  |
  | [1] https://crt.sh/

    xena wrote:
    | Yes, that's why we came up with the random-hex.ts.net domains
    | and the tails-scales.ts.net domains. This makes less publicly
    | recognizable things like `shark-harmonic.ts.net` get put into
    | the certificate transparency log instead of something like
    | "mycorporationname".

      ehPReth wrote:
      | On a side note, is there a story behind acquiring ts.net or
      | how much it cost to do so?

    therein wrote:
    | > An alternative is to issue wildcard certificates with LE,
    | > so that the subdomain names are kept private.
    |
    | They'll still show up on crt.sh, though, won't they? All my
    | LE subdomains are visible (non-wildcard), but my non-LE
    | paid-for 1-year wildcard ones are also showing up with all
    | the subdomains.
    |
    | Edit: Actually, never mind, those are Cloudflare. My paid-for
    | wildcard doesn't show up. Well, that's a good reason to pay
    | up I guess.

      psYchotic wrote:
      | If a certificate has been issued for a domain, and that
      | domain doesn't show up in the certificate transparency
      | logs, that's not something I'd cheer for: that issuer could
      | just as well hand out certificates for your domain to
      | others without you ever knowing about it.
      |
      | Conversely, if a domain shows up in the CT logs, then there
      | have been certificates issued for those domains, even if
      | there exists a wildcard certificate that is valid for that
      | domain. If that happens, check your settings, because
      | there's probably something requesting certificates you're
      | not aware of.
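The check psYchotic describes above (a name in the CT log that you never requested, or a certificate from a CA you do not use, means something else is issuing for your domain) can be automated. The following is an added example, not code from this thread or from Tailscale: it parses a constructed sample in the JSON shape returned by crt.sh's `output=json` endpoint (the field names `issuer_name`, `common_name`, `name_value`, `not_before` are my assumption about that format), then reports every logged name or issuer the operator did not account for. `example.test` is a placeholder domain, and the wildcard entry shows maxmouchet's point: only `*.example.test` reaches the log, not the individual hosts behind it.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// CTEntry holds the fields this check uses from one crt.sh JSON record.
// Assumption: crt.sh's field names; name_value lists the SANs one per line.
type CTEntry struct {
	IssuerName string `json:"issuer_name"`
	CommonName string `json:"common_name"`
	NameValue  string `json:"name_value"`
	NotBefore  string `json:"not_before"`
}

// Finding is one (name, issuer) pair in the log that was not expected.
type Finding struct {
	Name   string
	Issuer string
	Reason string
}

// sampleCT is a constructed sample, not real log data: one wildcard cert
// we asked for, one per-host cert nobody remembers requesting, and one cert
// from a CA we do not use. example.test is a placeholder domain.
const sampleCT = `[
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "*.example.test",
   "name_value": "*.example.test\nexample.test",
   "not_before": "2022-09-01T00:00:00"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
   "common_name": "gitea.example.test",
   "name_value": "gitea.example.test",
   "not_before": "2022-10-02T00:00:00"},
  {"issuer_name": "C=XX, O=Some Other CA, CN=Other CA Intermediate",
   "common_name": "vpn.example.test",
   "name_value": "vpn.example.test\nadmin-panel.example.test",
   "not_before": "2022-10-15T00:00:00"}
]`

// ParseCT decodes a crt.sh-style JSON array.
func ParseCT(data string) ([]CTEntry, error) {
	var entries []CTEntry
	if err := json.Unmarshal([]byte(data), &entries); err != nil {
		return nil, err
	}
	return entries, nil
}

// names returns the distinct, lower-cased DNS names one certificate covers.
func names(e CTEntry) []string {
	seen := map[string]bool{}
	var out []string
	for _, n := range append(strings.Split(e.NameValue, "\n"), e.CommonName) {
		n = strings.ToLower(strings.TrimSpace(n))
		if n != "" && !seen[n] {
			seen[n] = true
			out = append(out, n)
		}
	}
	return out
}

// Audit reports every logged name that is either issued by a CA other than
// the one you use (matched as a substring of the issuer DN) or that you never
// requested. A wildcard in expectedNames matches only the literal "*.domain"
// string, so a bare host name in the log means a per-host certificate exists.
func Audit(entries []CTEntry, expectedNames []string, expectedIssuer string) []Finding {
	want := map[string]bool{}
	for _, n := range expectedNames {
		want[strings.ToLower(n)] = true
	}
	seen := map[string]bool{}
	var findings []Finding
	for _, e := range entries {
		for _, n := range names(e) {
			var reason string
			switch {
			case !strings.Contains(e.IssuerName, expectedIssuer):
				reason = "issuer is not the CA we use"
			case !want[n]:
				reason = "name never requested"
			default:
				continue // expected name from the expected CA
			}
			key := n + "|" + e.IssuerName
			if seen[key] {
				continue // same name re-issued by the same CA: report once
			}
			seen[key] = true
			findings = append(findings, Finding{Name: n, Issuer: e.IssuerName, Reason: reason})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Name < findings[j].Name })
	return findings
}

func main() {
	entries, err := ParseCT(sampleCT)
	if err != nil {
		panic(err)
	}
	for _, f := range Audit(entries, []string{"*.example.test", "example.test"}, "Let's Encrypt") {
		fmt.Printf("%-26s %-28s %s\n", f.Name, f.Reason, f.Issuer)
	}
}
```

Run against a real export, the three findings in the sample are the two situations worth acting on: `gitea.example.test` is a per-host certificate from the right CA that nobody planned (psYchotic's "check your settings" case), and the two names under the other CA point at issuance you did not perform at all.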
kosikond wrote:
| Out of curiosity, would any Tailscaler please answer why the
| existing $tailnet.beta.tailscale.net weren't just shortened to
| $tailnet.ts.net?
|
| (Some of us have had luck on beautiful DNS notations early)

  bradfitz wrote:
  | Couple of reasons.
  |
  | 1. We want you to be able to get HTTPS certs for these too
  | without having to manage multiple names, but HTTPS cert names
  | go on the CT log. See https://tailscale.com/blog/tls-certs/ and
  | https://tailscale.com/kb/1153/enabling-https/ . So having your
  | email address in your DNS name (and thus the CT log) from the
  | old beta.tailscale.net forms isn't great.
  |
  | 2. We want you to be able to have multiple separate tailnets
  | per org/account in the future.

diegs wrote:
| Is this still incompatible with split-horizon DNS? Whenever I'm
| connected to my corporate tailnet I can no longer resolve
| hostnames that are registered on my personal, DHCP-assigned DNS
| server, breaking access to my home network. This also leads me to
| believe that all my DNS requests are being routed through the
| MagicDNS server, which is not cool IMO.

  dave_universetf wrote:
  | It sounds like your corporate tailnet checked the "override
  | local DNS" setting and provided their own default nameservers,
  | so those are the ones that get used. They could also not do
  | that, at which point your LAN resolver would get consulted, but
  | I presume there's a policy reason in play?
  |
  | You say "the MagicDNS server" like it's a quad-8 thing out on
  | the internet. That server lives in the tailscale process on
  | localhost. In some configurations on some OSes, we do have to
  | route requests through that in order to polyfill missing OS
  | features (usually, implementing split-DNS policies that the OS
  | cannot represent natively, or transparently upgrading to DoH
  | for upstreams that support it).
  | You can inspect the logic that decides how to implement DNS
  | policy depending on the policy and OS in
  | https://github.com/tailscale/tailscale/tree/main/net/dns, as
  | well as inspect what the in-process DNS forwarder does
  | (extremely boring: match query suffix in configuration, forward
  | packet to appropriate upstreams).

    diegs wrote:
    | Weird, I asked our TS admin to disable "override local DNS"
    | and he claimed the option was disabled, seemingly due to
    | magic DNS being enabled or something. I'll see if I can get
    | access myself to try and change it. Thank you for the reply!

      dave_universetf wrote:
      | If things still aren't behaving, write in to
      | support@tailscale.com and we'll sort you out. It sounds
      | like the corporate setup wants to just push some custom DNS
      | routes for specific suffixes and leave everything else
      | alone, which is definitely a supported configuration.

  bradfitz wrote:
  | Most of the split DNS issues should be fixed now.
  |
  | If you're on Linux, you want systemd-resolved, as it's the only
  | Linux DNS resolver that's really any good, regardless of your
  | opinions on systemd overall (see
  | https://tailscale.com/blog/sisyphean-dns-client-linux/).
  |
  | In any case, file a bug with details and we'll fix it up if
  | there are still issues.

    trashburger wrote:
    | You're right for most setups, but when Docker also comes into
    | play, systemd-resolved+Tailscale+Docker interacts really
    | badly and containers cannot resolve anything anymore. This
    | caused some serious hair-pulling at work a few months ago.

      sally_glance wrote:
      | How did you solve it?
      |
      | I want to be prepared if it happens; spent too much time
      | figuring out weird Docker - DNS/network interactions on
      | hotel wifis and the like...

rs_rs_rs_rs_rs wrote:
| You already know the comments on this posts, but that's for a
| reason, Tailscale is that good people won't shut up about it.
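The split-DNS exchange between diegs and dave_universetf above comes down to one routing decision per query: match the query name against the configured suffixes and forward to that suffix's upstreams, otherwise fall through to either the tailnet's default nameservers or the resolver the OS got from DHCP, depending on the "override local DNS" setting. The block below is an added example of that decision logic written for this page; it is my own simplified model, not Tailscale's net/dns package or its data types, and every address and suffix in it is constructed (100.100.100.100 is used as the MagicDNS resolver address). It only decides where a query would go; it sends no packets.

```go
package main

import (
	"fmt"
	"strings"
)

// SplitDNSConfig is a simplified model (an assumption, not Tailscale's own
// types) of the DNS policy a tailnet pushes to a node.
type SplitDNSConfig struct {
	Routes        map[string][]string // query suffix -> upstreams for it
	Default       []string            // global nameservers set by the admin
	OverrideLocal bool                // the "override local DNS" setting
	Local         []string            // resolvers the OS learned from DHCP
}

// Decision records which upstreams a query goes to and which rule chose them.
type Decision struct {
	Upstreams []string
	Rule      string
}

// normalize lower-cases a name and drops a trailing dot so
// "Host.Example.TS.net." and "host.example.ts.net" compare equal.
func normalize(name string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(name)), ".")
}

// underSuffix is true for the suffix itself and for names below it, but not
// for "notcorp.example" when the suffix is "corp.example".
func underSuffix(name, suffix string) bool {
	return name == suffix || strings.HasSuffix(name, "."+suffix)
}

// Route picks upstreams for one query: the longest configured suffix wins;
// otherwise the tailnet default applies only when the admin chose to
// override local DNS; otherwise the OS resolver, so LAN names keep working.
func (c SplitDNSConfig) Route(qname string) Decision {
	name := normalize(qname)
	best, bestLen := Decision{}, -1
	for suffix, ups := range c.Routes {
		s := normalize(suffix)
		if underSuffix(name, s) && len(s) > bestLen {
			best, bestLen = Decision{Upstreams: ups, Rule: "suffix " + s}, len(s)
		}
	}
	if bestLen >= 0 {
		return best
	}
	if c.OverrideLocal && len(c.Default) > 0 {
		return Decision{Upstreams: c.Default, Rule: "tailnet default"}
	}
	return Decision{Upstreams: c.Local, Rule: "local resolver"}
}

// sampleConfig is constructed: a MagicDNS suffix, a corporate split-DNS
// route with a more specific lab route beneath it, and a DHCP resolver.
func sampleConfig(override bool) SplitDNSConfig {
	return SplitDNSConfig{
		Routes: map[string][]string{
			"example.ts.net":   {"100.100.100.100"}, // MagicDNS resolver address
			"corp.example":     {"10.0.0.53"},
			"lab.corp.example": {"10.1.0.53"},
		},
		Default:       []string{"9.9.9.9"},
		OverrideLocal: override,
		Local:         []string{"192.168.1.1"},
	}
}

func main() {
	queries := []string{"nas.example.ts.net", "wiki.corp.example",
		"db.lab.corp.example", "notcorp.example", "printer.lan"}
	for _, override := range []bool{false, true} {
		cfg := sampleConfig(override)
		fmt.Printf("override local DNS = %v\n", override)
		for _, q := range queries {
			d := cfg.Route(q)
			fmt.Printf("  %-22s -> %-18v (%s)\n", q, d.Upstreams, d.Rule)
		}
	}
}
```

The last query in the sample is diegs's situation: `printer.lan` matches no suffix, so with `OverrideLocal` set it goes to the tailnet default and the home network stops resolving, while with it unset it stays with the DHCP resolver and the corporate suffix routes still work. The `notcorp.example` case is the label-boundary check that a naive `HasSuffix` would get wrong.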
  naikrovek wrote:
  | > You already know the comments on this posts, but that's for a
  | > reason, Tailscale is that good people won't shut up about it.
  |
  | what? that looks like English and uses English words, and I
  | can't make sense of it.

    afturner wrote:
    | Really?
    |
    | > You already know the comments on this posts
    |
    | Without looking at the comments, you will already know what
    | they say.
    |
    | > but that's for a reason, Tailscale is that good people
    | > won't shut up about it.
    |
    | Because this person is suggesting that Tailscale is so good,
    | people will rave about it whenever it's mentioned.
    |
    | Pretty easy to understand.

      remram wrote:
      | All the comments here are about drawbacks and limitations.
      | The upvotes on the submission might be explained by the
      | quality of the product, but the comments not so much.

      naikrovek wrote:
      | > Pretty easy to understand.
      |
      | Due to the grammatical errors, there are about a dozen ways
      | to interpret the comment I replied to, as written. All of
      | which require adding or changing words, or adding
      | punctuation in a certain place.
      |
      | Very hard to know what is intended when there is ambiguity
      | of that magnitude.
      |
      | Grammar is important. Punctuation is important. The point
      | of writing a comment at all is to communicate what you want
      | to say to others. If one cannot be clear enough about the
      | idea they want to communicate, then there is no point
      | trying to communicate that point.
      |
      | Your explanation of what that person commented is a fine
      | and normal thing to comment about. Your explanation is only
      | one of a few ways I had to choose from when I read it.
      |
      | To maybe better understand what I am trying to explain:
      | there are seven ways to interpret this sentence, which is
      | the same number of words the sentence has:
      |
      | "I didn't say she murdered her boyfriend."
      |
      | With emphasis added, here are the seven ways to interpret
      | that sentence, as written:
      |
      | _I_ didn't say she murdered her boyfriend.
      |
      | I _didn't_ say she murdered her boyfriend.
      |
      | I didn't _say_ she murdered her boyfriend.
      |
      | I didn't say _she_ murdered her boyfriend.
      |
      | I didn't say she _murdered_ her boyfriend.
      |
      | I didn't say she murdered _her_ boyfriend.
      |
      | I didn't say she murdered her _boyfriend_.
      |
      | Now, from the one without emphasis, can you tell which of
      | these seven was intended? I can't, and I wrote it.

        tiagod wrote:
        | Meaning can also be inferred from context. Even in your
        | example, the conversation context and follow-up
        | statements could home in on the context.
        |
        | Sure, maybe it would be better if everyone just wrote in
        | a non-ambiguous way, but you're on an international forum
        | where many people don't have a native understanding of
        | the language (me included).
        |
        | I understood what he meant immediately. I also don't
        | agree with the comment, but that's another subject.

artdigital wrote:
| Love tailscale! Set it up a couple of weeks ago and it's very fun
| to use. MagicDNS is great! I can go http://macmini anywhere and it
| just works.
|
| Just wish they offered more subnet routers. I'm as much hobby as
| hobby can be, and already hit the limit (one on my mini k8s
| cluster, one at home, that's it. They don't allow you to have
| more). Been stuffing the sidecar awkwardly into everything to get
| around it.
|
| If someone from tailscale is reading this - please consider
| upping the limit of subnet routers. I'll have to switch to
| ZeroTier once I want another one, which doesn't have those
| restrictions.
|
| Even paying for the hobby pro plan is just upping it from 1 -> 2.

  chipsa wrote:
  | The GitHub team org plan (for connecting friends and family)
  | had a subnet router limit of 5, if you want to legitly get a
  | higher limit rather than just ignoring the limit that they
  | don't check.

    artdigital wrote:
    | Oh what, is the limit not being enforced?
    | I didn't even bother trying to spin up another one because
    | everything goes through that admin console, so I was sure
    | there'd be a "you hit your limit" message.
    |
    | Dang, now I know what I'll be doing tonight.

  dfcarney wrote:
  | (co-founder here)
  |
  | We're definitely considering it. We introduced the limits a
  | while back as an experiment. In most cases, I believe the
  | current limits don't make a lot of sense. Fundamentally, we
  | were hoping to encourage the deployment of Tailscale to end
  | devices (partially to increase users' security, partially to
  | get a better idea of how widely Tailscale is actually being
  | used). Unfortunately, the limits introduce the kinds of
  | headaches that you're describing (and for IoT it can be a
  | showstopper). The net effect across all users could be to
  | actually discourage people from having fun and tinkering with
  | Tailscale, which is the last thing we want.
  |
  | Would you mind describing some of the other use cases you have
  | for subnet routers? Do you have other mini k8s clusters you
  | want to use them for? Other things? I'd love to learn more.

  xena wrote:
  | Tailscalar here. For what it's worth, there's no hard limit on
  | subnet routers at this time. My personal tailnet is using 8 of
  | them.

    dfcarney wrote:
    | (co-founder here)
    |
    | To xena's point, we're not currently enforcing the limits :)
    | We've been very cautious about that since, as I mentioned in
    | a comment elsewhere, the limits have always been an
    | experiment.

ethanpil wrote:
| As a long time ZeroTier user I want to point out that they have
| some interesting DNS solutions as well. [1]
|
| (Personally, I have not felt the need to change something that has
| a great free tier, self-hosting controllers, etc., and has been
| working reliably for years...
| Tailscale looks cool though.)
|
| [1] https://www.zerotier.com/2022/04/11/the-zerotier-dns-story/

mdeeks wrote:
| MagicDNS is really cool, but it seems like it is only useful
| for ssh-ing into hosts or for tiny home networks where you run a
| service on a single box. And maybe that is totally fine! I just
| don't see how to use it in a larger environment beyond `ssh
| <hostname>`.
|
| In larger environments we never have any kind of internal web
| site or service running on one host, so we can't really have
| MagicDNS short names for things. It would be nice for users to
| just be able to type `https://deploy` to get to our deployment
| tool, for example. But that web interface runs across many nodes
| behind a load balancer, so there is no way to use MagicDNS here.
|
| I wonder if some day we can register duplicate hostnames and have
| it do DNS load balancing? I'm not sure how that would work with
| the tailscale cert command either. Each node would need the
| private key.
|
| Anyway, we'll probably start using it, but the only real use cases
| I see right now are for ssh and for users accessing their remote
| dev boxes.

  cschmatzler wrote:
  | The way I have it set up is my Tailscale pod redirecting all
  | requests to an ingress controller, and then all subdomains
  | CNAMEd to the Tailscale DNS. That way, all requests are going
  | Tailscale pod -> nginx ingress controller -> service, no matter
  | which node everything is running on.

techsupporter wrote:
| Completely off-topic, but a continuously-looping very large GIF
| smack in the middle of the feature post is really distracting. I
| appreciate that GIFs are supposed to be animated loops; this one
| is just too large and moves around too much.
|
| (Side note: setting image.animation_mode = none in Firefox stops
| the animation.)

jadbox wrote:
| Could this be used for DDNS for exposing a public web server?

donatj wrote:
| Very exciting news.
|
| I have been using Tailscale for about two weeks now and I am SOO
| happy with it. It's genuinely joyful software like I haven't used
| in years. A modern version of the old Hamachi.

  atonse wrote:
  | Glad to see someone else remembers Hamachi :)
  |
  | Tailscale feels as magical as Hamachi did.

imagine99 wrote:
| I really want to like and recommend Tailscale more (and MagicDNS
| is another bonus), but with the forced use of Google auth and
| still no support for fast user switching and connections to
| multiple networks, it just has too many dealbreakers for me and
| many colleagues.
|
| Zerotier has had all of that figured out for years; in the
| meantime Tailscale just locked the thread requesting multiple
| connection support as "too heated" (after >2 years of no
| progress).
|
| And putting access to our corporate networks in the hands of
| Google & Co. and their trigger-happy account-blocking algos means
| that TS gets an automatic thumbs down from compliance officers at
| several of our clients. We can read stories on HN every week why
| such authentication systems are a bad idea, and steadfastly
| refusing to roll your own account system (all the while
| justifying it with handwavy security concerns) just seems lazy to
| me.
|
| I can follow their arguments to some extent, I just don't
| understand why the TS people insist on exclusionary features
| rather than letting the user choose. You believe multiple
| simultaneous connections are somewhat insecure and that's why you
| won't implement it? Okay, slap a warning sign on it if you want,
| by all means, but who cares about this if all I want is to
| connect to 5 branch offices at the same time.
|
| You believe forcing users to use their private, everyday Google
| or Github accounts for authentication is safer than using a
| special account registered on TS with safe, unique credentials
| not used for any other purpose to minimize collateral damage (if
| the Google or Github credentials get compromised you'd get their
| emails or a bit of source code, but not access to the WHOLE
| corporate network)? How about letting the user choose and showing
| some flexibility to use cases that exist even if you can't
| imagine them?
|
| Sorry for the rant; again, I want to love TS, its UX is pretty
| neat, but something about the supercilious attitude with which
| they justify their (non-)features just rubs me the wrong way, I
| guess.
|
| At the risk of downvotes (because I know TS has - rightfully -
| many fans), if anyone from TS is reading this, I do implore you
| to be more open-minded and give your users a choice rather than
| patronising them on multiple fronts when using your product. Feel
| free to recommend a "best practice", but understand that many
| users who might love your product will want and have to use it in
| a slightly different way than you intended - and that should be
| okay.

  tssva wrote:
  | Microsoft, GitHub, Okta, OneLogin and custom solutions for
  | enterprise customers are also available for authorization.

  [deleted]

  aaomidi wrote:
  | It also really feels like tailscale is holding iOS hostage to
  | reduce the users of headscale.

  BrightOne wrote:
  | My tailnet is set up using a GitHub organization, without using
  | Google at all. I have sufficient security (2FA with security
  | keys, etc.) enforced for it. I think that hand-rolling their
  | own auth would not be a great idea just yet, while they are
  | still ironing out other features.

    ev1 wrote:
    | The only choices being MS or Google for auth, both with
    | trigger-happy defence mechanisms, is kind of annoying though.

      dijit wrote:
      | There are more options than that, and I see your point.
      |
      | To take the contrarian stance though: SSO not being paid is
      | kinda nice, and not having yet another password for
      | something is nice. --- double and: then not being able to
      | leak a password or handle 2FA, instead focusing on their
      | actual product.

        ev1 wrote:
        | For free users, it's pretty much just G, MS, and GH
        | (which is currently the only "tolerable" one, but there's
        | no reason why it won't turn into an MS account in the
        | future, just like how they killed Minecraft).

  nalllar wrote:
  | > but with the forced use of Google auth
  |
  | There are two other options - MS and GitHub (does that only
  | count as one?) - for free users.

  jonpurdy wrote:
  | It took me six months to actually set up TS because of the lack
  | of email/password auth. So this is definitely a pain point.
  | It's such a good product that it's annoying that they don't
  | roll their own simple auth.
  |
  | I eventually gave up and used Github, and it's definitely been
  | worth it for my personal use (a personal laptop accessing a Mac
  | Mini in SF while on vacation, as well as setting up exit nodes
  | on VPSs for getting around geo-restrictions).

  andrelaszlo wrote:
  | They don't support SAML? It's not the nicest standard, sure...

___________________________________________________________________
(page generated 2022-10-20 23:00 UTC)