[HN Gopher] MagicDNS is generally available
___________________________________________________________________
MagicDNS is generally available
Author : mfiguiere
Score : 255 points
Date : 2022-10-20 15:55 UTC (7 hours ago)
(HTM) web link (tailscale.com)
(TXT) w3m dump (tailscale.com)
| natpunk wrote:
| rrix2 wrote:
| a cool thing you can do with MagicDNS: Set your "global
| nameserver" to a host within your tailnet and run your own
| resolver accessible "anywhere".
|
| It's easy enough to set up pi-hole.net on a machine on your LAN
| and configure your home router to hand out DHCP records that will
| instruct LAN machines to use it, but if I wanted to have DNS-
| based ad-blocking at the coffee shop or library or elsewhere I
| previously had my pi-hole listening on a public IPv4's port 53
| and deal with resolv.conf etc... and boy howdy does running an
| internet-accessible DNS resolver suck! My server would receive
| millions of requests, weird reflection attacks like [1], probes,
| the whole nine, it made the dashboarding useless for personal
| tracking.
|
| But now my pi-hole only listens on my LAN network and its tailnet
| address, and any machine connected to the tailnet including my
| phone will use the pi-hole without configuration on any network
| via MagicDNS.
|
| [1]: https://www.linuxquestions.org/questions/linux-newbie-8/ther...
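An added example (not code from the thread or from Pi-hole) of the check the post above implies: once the resolver is supposed to listen only on the LAN and its tailnet address, its query log should show no external sources. The script parses dnsmasq-style query lines, labels each source as LAN, tailnet or external, and flags external sources and repeated ANY queries, the pattern an open resolver sees when abused for reflection. All addresses, names and log lines are constructed; the LAN range is an assumption, and 100.64.0.0/10 is the CGNAT range Tailscale assigns tailnet addresses from.

```python
"""Triage a resolver's query log to confirm it only serves the networks it should."""
import ipaddress
import re
from collections import Counter

TRUSTED_NETWORKS = {
    "lan": ipaddress.ip_network("192.168.1.0/24"),    # assumed home LAN
    "tailnet": ipaddress.ip_network("100.64.0.0/10"),  # Tailscale address range
}

# dnsmasq (which Pi-hole builds on) logs each query as "query[TYPE] name from ip".
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<src>\S+)")

# Constructed sample log lines in dnsmasq style.
SAMPLE_LOG = [
    "Oct 20 15:55:01 dnsmasq[1234]: query[A] example.com from 192.168.1.10",
    "Oct 20 15:55:02 dnsmasq[1234]: query[AAAA] example.com from 100.101.102.103",
    "Oct 20 15:55:03 dnsmasq[1234]: query[ANY] example.net from 203.0.113.7",
    "Oct 20 15:55:03 dnsmasq[1234]: query[ANY] example.net from 203.0.113.7",
    "Oct 20 15:55:03 dnsmasq[1234]: query[ANY] example.net from 203.0.113.7",
    "Oct 20 15:55:04 dnsmasq[1234]: forwarded example.com to 1.1.1.1",
    "Oct 20 15:55:05 dnsmasq[1234]: query[A] pi.hole from 100.101.102.103",
]


def classify_source(src):
    """Label a source address by the trusted network it belongs to."""
    addr = ipaddress.ip_address(src)
    for label, net in TRUSTED_NETWORKS.items():
        if addr in net:
            return label
    return "external"


def parse_query(line):
    """Return (qtype, name, source) for a query line, None for other log lines."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    return m.group("qtype"), m.group("name"), m.group("src")


def triage(lines, any_threshold=3):
    """Count queries per (label, source) and return findings worth acting on."""
    by_source = Counter()
    any_by_source = Counter()
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            continue
        qtype, _name, src = parsed
        by_source[(classify_source(src), src)] += 1
        if qtype == "ANY":
            any_by_source[src] += 1

    findings = []
    for (label, src), n in by_source.items():
        if label == "external":
            findings.append(f"{src} (external) sent {n} queries: resolver is reachable from outside")
    for src, n in any_by_source.items():
        if n >= any_threshold:
            findings.append(f"{src} sent {n} ANY queries: reflection/amplification probe pattern")
    return by_source, findings


if __name__ == "__main__":
    counts, found = triage(SAMPLE_LOG)
    for (label, src), n in sorted(counts.items()):
        print(f"{label:8} {src:16} {n}")
    for f in found:
        print("FINDING:", f)
```

Run it against a real `/var/log/pihole.log` by replacing `SAMPLE_LOG` with the file's lines; a clean tailnet-only setup yields an empty findings list.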
| moontear wrote:
| Great setup! But you didn't say anything about MagicDNS, did
| you? You just set your global Nameserver to something on your
| tailnet and could disable MagicDNS for this use case?
| rrix2 wrote:
| I set my global nameserver _within the MagicDNS
| configuration_ to use the pihole IP. If I didn't use magic
| DNS I would have to do this for each device, and on devices
| like Android etc. each network I connect to. This requires no
| thought for each device, just `tailscale up`
| kinduff wrote:
| I have a similar setup but deployed my PiHole in Fly.io using a
| custom Docker image behind Tailscale. This way I can just
| connect to Tailscale and I have ad blocking automatically using
| their custom DNS servers.
|
| Very useful and I use it all the time on my mobile devices
| including my laptop when I'm using guest wifis.
| O_H_E wrote:
| WOW, that is brilliant.
| asymmetric wrote:
| Just as a side note, I used to do this with plain WireGuard on
| a Hetzner node. I switched to NextDNS because of latency
| issues, but if this is not a concern, then it was a great
| setup, and Tailscale makes it even easier!
| Melatonic wrote:
| This is cool but.....don't tons of DNS software already do this
| and for many many years?
| erdaniels wrote:
| It is! But the usual thing with Tailscale is that this just
| works out of the box. Any new person starting where I work has
| Tailscale installed by default. Once they log in, they can
| access any of our pis/servers that are setup with names like
| rpi1.
|
| Furthermore, you've got ACLs + Tailscale SSH. That means you
| can start day 1 and do ssh root@rpi1 and it just works. It's
| amazing and worth so much money.
|
| Edit: I just really wish they would allow more than being tied
| to Google SSO. I want to invite people outside of my domain
| easily :o)
| xena wrote:
| I wrote a giant diatribe about this here:
| https://tailscale.com/blog/magicdns-why-name/
|
| It's not just a DNS server, it's everything _around_ the DNS
| server.
| VTimofeenko wrote:
| Yeah, it's totally possible to configure a stack like that. I
| roll my own stack of unbound+nsd as adblocking split-horizon
| DNS for LAN, roaming and management WG network.
|
| Tailscale value prop as I understand it - they can manage this
| whole thing for you.
| S0und wrote:
| PSA: Zerotier can do the same thing, just set a hostname for a
| client in the control center.
| tosh wrote:
| rite of passage
|
| https://en.m.wikipedia.org/wiki/Right_of_passage
|
| edit: fixed
| SergeAx wrote:
| While this looks fun, I still prefer to register a short domain
| (used free *.net.ru before war) and auto-populate DNS with
| Terraform/Ansible on a provision stage.
| asim wrote:
| Most people do not want to use terraform...
| SergeAx wrote:
| Well, you need to automate your infra anyway, so just use
| anything that converts a bunch of yamls into API calls, even
| bash script.
| pshirshov wrote:
| It breaks things and you have little control over it.
|
| It replaces default search domain with its own.
|
| Also it doesn't keep your DNS servers in your resolv.conf nor
| tries to forward your query to them when it fails to resolve it.
|
| So, you may experience a loss of connectivity for short hostnames
| w/o tailscale (host instead of host.my.domain) or get unnecessary
| overhead for TS-enabled hosts within your local network.
| api wrote:
| Any attempt to touch DNS always breaks things.
| pshirshov wrote:
| Not necessarily and in this particular case they had many
| options to implement that better.
| syats wrote:
| What is tailscale?
|
| I don't like the world where every time someone launches a
| feature on their product they get to top of HN by calling it
| "generally available".
| simonw wrote:
| In this particular case I think Tailscale has been discussed
| thoroughly enough on Hacker News in the past that it's OK that
| they didn't include the "what is Tailscale" bit
| (https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...) - but I
| agree, it's always better to start a blog entry with a
| reminder. Fly.io are great at this, e.g.
| https://fly.io/blog/introducing-litefs/
| tinalumfoil wrote:
| While this is cool I've had luck just purchasing a domain (not
| that expensive), and manually setting up DNS through that.
|
| Some advantages that this doesn't look like this would replicate,
| (1) I can have multiple domains for the same device, say
| gitea.mytsnetwork.com and netxcloud.mytsnetwork.com can go to the
| same device (2) I can get real HTTPS certificates for those
| domains which I consider necessary nowadays if only just to
| prevent errors (3) it's "real" DNS so when my browser decides to
| ignore my system settings and use DNS-over-HTTPS instead
| everything still works.
|
| EDIT: It looks like (2) is solved by the tailscale cert command.
| I'd replace that point by saying owning the domain is important
| to controlling the certificate for me. All that said, the more I
| read into this, this looks like a really well thought-out
| feature.
| mynameisvlad wrote:
| Tailscale has supported real certificates via LE for over a
| year now:
|
| https://tailscale.com/blog/tls-certs/
| zacwest wrote:
| Tailscale's certs are 1-per-machine so if you want to do any
| kind of SNI-based certificate handling, you're out of luck and
| need to drop back to real public certificates anyway.
| mholt wrote:
| Just wait'll you see what's possible with Caddy+Tailscale
| (currently, and coming soon)!
| moontear wrote:
| Do tease!
| michael_j_ward wrote:
| > (1) I can have multiple domains for the same device, say
| gitea.mytsnetwork.com and netxcloud.mytsnetwork.com can go to
| the same device
|
| I tried setting up caddy on a machine and then using caddy to
| reverse-proxy requests to each service i.e.
| `grafana.my-machine.tail-hex.ts.net` and
| `controller.my-machine.tail-hex.ts`
|
| Obviously, `caddy` has no problem with the reverse proxy bit,
| but I did fail at being able to point multiple routes or
| subnet routes at the same machine via tailscale / magic-dns.
|
| I'm sharing because it feels like something I _should_ be
| able to do, and feel dumb not being able to figure it out.
| xena wrote:
| This is exactly what we've been working on. Stay tuned ^^
| danrochman wrote:
| Stoked!!
| maxmouchet wrote:
| One downside of using tailscale cert, or LE for "private"
| records is that it writes the domain name in a public
| Certificate Transparency Log [1]. So make sure that the name
| doesn't contain any sensitive information.
|
| An alternative is to issue wildcard certificates with LE, so
| that the subdomains names are kept private.
|
| [1] https://crt.sh/
| xena wrote:
| Yes, that's why we came up with the random-hex.ts.net domains
| and the tails-scales.ts.net domains. This makes less publicly
| recognizable things like `shark-harmonic.ts.net` get put into
| the certificate transparency log instead of something like
| "mycorporationname".
| ehPReth wrote:
| On a side note, is there a story behind acquiring ts.net or
| how much it cost to do so?
| therein wrote:
| > An alternative is to issue wildcard certificates with LE,
| so that the subdomains names are kept private.
|
| They'll still show up on crt.sh, though, won't they? All my
| LE subdomains are visible (non-wildcard) but also my non-LE
| paid-for 1-year wildcard ones are also showing up with all
| the subdomains.
|
| Edit: Actually, nevermind, those are Cloudflare. My paid-for
| wildcard doesn't show up. Well, that's a good reason to pay
| up I guess.
| psYchotic wrote:
| If a certificate has been issued for a domain, and that
| domain doesn't show up in the certificate transparency
| logs, that's not something I'd cheer for: that issuer could
| just as well hand out certificates for your domain to
| others without you ever knowing about it.
|
| Conversely, if a domain shows up in the CT logs, then there
| have been certificates issued for those domains, even if
| there exists a wildcard certificate that is valid for that
| domain. If that happens, check your settings, because
| there's probably something requesting certificates you're
| not aware of.
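An added example, not code from the thread, covering both points raised above: maxmouchet's (every name you get a certificate for becomes public in CT, so check what you are exposing) and psYchotic's (a CT entry you never requested is the signal to investigate). `CT_ENTRIES` is constructed data shaped like crt.sh's JSON output, where `name_value` carries newline-separated SANs; `KNOWN_SERIALS` stands in for whatever record your own ACME client keeps of the certificates it requested. Domain names, issuers and serials are made up.

```python
"""Audit Certificate Transparency entries for a domain against your own issuance records."""

# Constructed CT entries in the shape crt.sh returns (one object per logged certificate).
CT_ENTRIES = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "gitea.example.net", "name_value": "gitea.example.net",
     "serial_number": "0A1B", "not_before": "2022-09-01T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.net", "name_value": "*.example.net\nexample.net",
     "serial_number": "0C2D", "not_before": "2022-09-15T00:00:00"},
    {"id": 3, "issuer_name": "C=XX, O=Some Other CA, CN=Unknown Issuer",
     "common_name": "vpn.example.net", "name_value": "vpn.example.net",
     "serial_number": "FF99", "not_before": "2022-10-01T00:00:00"},
]

# Constructed: serials of the certificates your own ACME client actually requested.
KNOWN_SERIALS = {"0a1b", "0c2d"}


def exposed_names(entries):
    """Every name the CT log now makes public. A wildcard entry lists only the parent."""
    names = set()
    for entry in entries:
        names.update(n.strip().lower() for n in entry["name_value"].split("\n") if n.strip())
    return names


def unexpected_issuances(entries, known_serials):
    """Entries whose serial you never requested: these need investigating."""
    known = {s.lower() for s in known_serials}
    return [e for e in entries if e["serial_number"].lower() not in known]


def sensitive_names(entries, markers):
    """Exposed names containing a marker you consider sensitive (a customer, a product, a site)."""
    return sorted(n for n in exposed_names(entries) if any(m in n for m in markers))


if __name__ == "__main__":
    print("public via CT:", sorted(exposed_names(CT_ENTRIES)))
    for e in unexpected_issuances(CT_ENTRIES, KNOWN_SERIALS):
        print(f"UNEXPECTED: id={e['id']} {e['common_name']} issued by {e['issuer_name']}")
    print("sensitive:", sensitive_names(CT_ENTRIES, ["vpn"]))
```

Note that `git.example.net`, covered by the wildcard, never appears in `exposed_names`: that is the privacy benefit of the wildcard, while the serial comparison is what catches the third entry regardless of which names it carries.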
| kosikond wrote:
| Out of curiosity, would any Tailscaler please answer why the
| existing $tailnet.beta.tailscale.net weren't just shortened to
| $tailnet.ts.net ?
|
| (Some of us have had luck on beautiful DNS notations early)
| bradfitz wrote:
| Couple reasons.
|
| 1. We want you to be able to get HTTPS certs for these too
| without having to manage multiple names, but HTTPS cert names
| go on the CT log. See https://tailscale.com/blog/tls-certs/ and
| https://tailscale.com/kb/1153/enabling-https/ . So having your
| email address in your DNS name (and thus the CT log) from the
| old beta.tailscale.net forms isn't great.
|
| 2. We want you to be able to have multiple separate tailnets
| per org/account in the future.
| diegs wrote:
| Is this still incompatible with split horizon DNS? Whenever I'm
| connected to my corporate tailnet I can no longer resolve
| hostnames that are registered on my personal, DHCP-assigned DNS
| server, breaking access to my home network. This also leads me to
| believe that all my DNS requests are being routed through the
| magic DNS server which is not cool IMO.
| dave_universetf wrote:
| It sounds like your corporate tailnet checked the "override
| local DNS" setting and provided their own default nameservers,
| so those are the ones that get used. They could also not do
| that, at which point your LAN resolver would get consulted, but
| I presume there's a policy reason in play?
|
| You say "the MagicDNS server" like it's a quad-8 thing out on
| the internet. That server lives in the tailscale process on
| localhost. In some configurations on some OSes, we do have to
| route requests through that in order to polyfill missing OS
| features (usually, implementing split-DNS policies that the OS
| cannot represent natively, or transparently upgrading to DoH
| for upstreams that support it). You can inspect the logic that
| decides how to implement DNS policy depending on the policy and
| OS in https://github.com/tailscale/tailscale/tree/main/net/dns,
| as well as inspect what the in-process DNS forwarder does
| (extremely boring: match query suffix in configuration, forward
| packet to appropriate upstreams).
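An added example, not Tailscale's code, that models the policy the comment above describes: match the query's suffix against configured routes, forward to that route's upstreams, and otherwise fall through to either the tailnet's global nameservers (when "override local DNS" is checked) or the OS's own resolvers (when it is not). The suffixes, addresses and policy objects are constructed; 100.100.100.100 is the address Tailscale's MagicDNS resolver answers on. Treating the unchecked case as "consult the local resolvers" is a simplification of the real client's behaviour, chosen to show why the home NAS stops resolving under the override and not otherwise.

```python
"""Model of a split-DNS policy: pick upstreams for a query by longest suffix match."""
from dataclasses import dataclass


@dataclass
class DnsPolicy:
    routes: dict              # suffix -> upstream resolvers for that suffix (split DNS)
    global_nameservers: list  # tailnet-wide default resolvers, may be empty
    override_local_dns: bool  # True: global_nameservers replace the OS's resolvers


def normalize(name):
    """Drop a trailing dot and case so suffix comparison is exact."""
    return name.rstrip(".").lower()


def select_upstreams(qname, policy, local_resolvers):
    """Return the resolvers a query for qname is forwarded to under policy."""
    q = normalize(qname)
    best_suffix, best_upstreams = None, None
    for suffix, upstreams in policy.routes.items():
        s = normalize(suffix)
        # A route covers the suffix itself and names below it, not mere substrings.
        if q == s or q.endswith("." + s):
            if best_suffix is None or len(s) > len(best_suffix):
                best_suffix, best_upstreams = s, upstreams
    if best_upstreams is not None:
        return list(best_upstreams)
    if policy.override_local_dns and policy.global_nameservers:
        return list(policy.global_nameservers)
    return list(local_resolvers)


# Constructed scenario: a corporate tailnet with a MagicDNS route and a route for
# corp.example, seen from a laptop whose home DHCP handed out 192.168.1.1.
ROUTES = {"tail-hex.ts.net": ["100.100.100.100"], "corp.example": ["10.0.0.53"]}
HOME_RESOLVERS = ["192.168.1.1"]

OVERRIDING = DnsPolicy(ROUTES, ["10.0.0.53"], override_local_dns=True)
SPLIT_ONLY = DnsPolicy(ROUTES, [], override_local_dns=False)


if __name__ == "__main__":
    for name in ["rpi1.tail-hex.ts.net", "wiki.corp.example", "nas.home.lan"]:
        print(f"{name:22} override -> {select_upstreams(name, OVERRIDING, HOME_RESOLVERS)}"
              f"  split-only -> {select_upstreams(name, SPLIT_ONLY, HOME_RESOLVERS)}")
```

The `SPLIT_ONLY` policy is the "push custom DNS routes for specific suffixes and leave everything else alone" configuration: corporate and tailnet names still go to their own resolvers, and everything else keeps using whatever the current network handed out.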
| diegs wrote:
| Weird, I asked our TS admin to disable "override local DNS"
| and he claimed the option was disabled out, seemingly due to
| magic DNS being enabled or something. I'll see if I can get
| access myself to try and change it. Thank you for the reply!
| dave_universetf wrote:
| If things still aren't behaving, write in to
| support@tailscale.com and we'll sort you out. It sounds
| like the corporate setup wants to just push some custom DNS
| routes for specific suffixes and leave everything else
| alone, which is definitely a supported configuration.
| bradfitz wrote:
| Most of the Split DNS issues should be fixed now.
|
| If you're on Linux, you want systemd-resolved, as it's the only
| Linux DNS resolver that's really any good, regardless of your
| opinions on systemd overall (See
| https://tailscale.com/blog/sisyphean-dns-client-linux/)
|
| In any case, file a bug with details and we'll fix it up if
| there are still issues.
| trashburger wrote:
| You're right for most setups, but when Docker also comes into
| play, systemd-resolved+Tailscale+Docker interacts really
| badly and containers cannot resolve anything anymore. This
| caused some serious hair-pulling at work a few months ago.
| sally_glance wrote:
| How did you solve it?
|
| I want to be prepared if it happens, spent too much time
| figuring out weird Docker - DNS/network interactions on
| hotel wifis and the like...
| rs_rs_rs_rs_rs wrote:
| You already know the comments on this posts, but that's for a
| reason, Tailscale is that good people won't shut up about it.
| naikrovek wrote:
| > You already know the comments on this posts, but that's for a
| reason, Tailscale is that good people won't shut up about it.
|
| what? that looks like English and uses English words, and I
| can't make sense of it.
| afturner wrote:
| Really?
|
| > You already know the comments on this posts
|
| Without looking at the comments, you will already know what
| they say.
|
| > but that's for a reason, Tailscale is that good people
| won't shut up about it.
|
| Because this person is suggesting that Tailscale is so good,
| people will rave about it whenever it's mentioned.
|
| Pretty easy to understand.
| remram wrote:
| All the comments here are about drawbacks and limitations.
| The upvotes on the submission might be explained by quality
| of the product, but the comments not so much.
| naikrovek wrote:
| > Pretty easy to understand.
|
| Due to the grammatical errors, there are about a dozen ways
| to interpret the comment I replied to, as-written. All of
| which require adding or changing words, or adding
| punctuation in a certain place.
|
| Very hard to know what is intended when there is ambiguity
| of that magnitude.
|
| Grammar is important. Punctuation is important. The point
| of writing a comment at all is to communicate what you want
| to say to others. If one can not be clear enough about the
| idea they want to communicate, then there is no point
| trying to communicate that point.
|
| Your explanation of what that person commented is a fine
| and normal thing to comment about. Your explanation is only
| one of a few ways I had to choose from when I read it.
|
| To maybe better understand what I am trying to explain;
| there are seven ways to interpret this sentence, which is
| the same number of words the sentence has:
|
| "I didn't say she murdered her boyfriend."
|
| with emphasis added, here are the seven ways to interpret
| that sentence, as written:
|
| _I_ didn't say she murdered her boyfriend.
|
| I _didn't_ say she murdered her boyfriend.
|
| I didn't _say_ she murdered her boyfriend.
|
| I didn't say _she_ murdered her boyfriend.
|
| I didn't say she _murdered_ her boyfriend.
|
| I didn't say she murdered _her_ boyfriend.
|
| I didn't say she murdered her _boyfriend_.
|
| now, from the one without emphasis, can you tell which of
| these seven was intended? I can't, and I wrote it.
| tiagod wrote:
| Meaning can be also inferred from context. Even in your
| example, the conversation context and follow-up
| statements could home in on the context.
|
| Sure, maybe it would be better if everyone just wrote in
| a non-ambiguous way, but you're on an international forum
| where many people don't have a native understanding of
| the language (me included).
|
| I understood what he meant immediately. I also don't
| agree with the comment, but that's another subject.
| artdigital wrote:
| Love tailscale! Set it up a couple weeks ago and it's very fun to
| use. MagicDns is great! I can go http://macmini anywhere and it
| just works
|
| Just wish they offered more subnet routers. I'm as much hobby as
| hobby can be, and already hit the limit (one on my mini k8s
| cluster, one at home, that's it. They don't allow you to have
| more). Been stuffing the sidecar awkwardly into everything to get
| around it
|
| If someone from tailscale is reading this - please consider
| upping the limit of subnet routers. I'll have to switch to
| ZeroTier once I want another one which doesn't have those
| restrictions.
|
| Even paying for the hobby pro plan is just upping it from 1 -> 2
| chipsa wrote:
| The Github team org plan (for connecting friends and family)
| had a subnet router limit of 5, if you want to legitly get a
| higher limit rather than just ignoring the limit that they
| don't check.
| artdigital wrote:
| Oh what, is the limit not being enforced? I didn't even
| bother trying to spin up another one because everything goes
| through that admin console, so I was sure there'd be a "you
| hit your limit" message
|
| Dang now I know what I'll be doing tonight
| dfcarney wrote:
| (co-founder here)
|
| We're definitely considering it. We introduced the limits a
| while back as an experiment. In most cases, I believe the
| current limits don't make a lot of sense. Fundamentally, we
| were hoping to encourage the deployment of Tailscale to end
| devices (partially to increase users' security, partially to
| get a better idea of how widely Tailscale is actually being
| used). Unfortunately, the limits introduce the kinds of
| headaches that you're describing (and for IoT it can be a
| showstopper). The net effect across all users could be to
| actually discourage people from having fun and tinkering with
| Tailscale, which is the last thing we want.
|
| Would you mind describing some of the other use cases you have
| for subnet routers? Do you have other mini k8s clusters you
| want to use them for? Other things? I'd love to learn more.
| xena wrote:
| Tailscalar here. For what it's worth there's no hard limit on
| subnet routers at this time. My personal tailnet is using 8 of
| them.
| dfcarney wrote:
| (co-founder here)
|
| To xena's point, we're not currently enforcing the limits :)
| We've been very cautious about that since, as I mentioned in
| a comment elsewhere, the limits have always been an
| experiment.
| ethanpil wrote:
| As a long time ZeroTier user I want to point out that they have
| some interesting DNS solutions as well.[1]
|
| (Personally, have not felt the need to change something that has
| a great free tier, self hosting controllers, etc, and has been
| working reliably for years... Tailscale looks cool though)
|
| [1] https://www.zerotier.com/2022/04/11/the-zerotier-dns-story/
| mdeeks wrote:
| MagicDNS is really cool, but it seems like it is only a useful
| for ssh-ing into hosts or for tiny home networks where you run a
| service on a single box. And maybe that is totally fine! I just
| don't see how to use it in a larger environment beyond `ssh
| <hostname>`.
|
| In larger environments we never have any kind of internal web
| site or service running on one host so we can't really have
| MagicDNS short names for things. It would be nice for users to
| just be able to type `https://deploy` to get to our deployment
| tool for example. But that web interface runs across many nodes
| behind a load balancer so there is no way to use MagicDNS here.
|
| I wonder if some day we can register duplicate hostnames and have
| it do DNS load balancing? I'm not sure how that would work with
| the tailscale cert command either. Each node would need the
| private key.
|
| Anyway, we'll probably start using it but the only real use cases
| I see right now are for ssh and for users accessing their remote
| dev boxes.
| cschmatzler wrote:
| The way I have it set up is my Tailscale pod redirecting all
| requests to an ingress controller, and then all subdomains
| CNAMEd to the Tailscale DNS. That way, all requests are going
| Tailscale pod -> nginx ingress controller -> service, no matter
| which node everything is running on.
| techsupporter wrote:
| Completely off-topic but a continuously-looping very large GIF
| smack in the middle of the feature post is really distracting. I
| appreciate that GIFs are supposed to be animated loops, this one
| is just too large and moves around too much.
|
| (Side note: setting image.animation_mode = none in Firefox stops
| the animation.)
| jadbox wrote:
| Could this be used for DDNS for exposing a public web server?
| donatj wrote:
| Very exciting news.
|
| I have been using Tailscale for about two weeks now and I am SOO
| happy with it. It's genuinely joyful software like I haven't used
| in years. A modern version of the old Hamachi.
| atonse wrote:
| Glad to see someone else remembers Hamachi :)
|
| Tailscale feels as magical as Hamachi did.
| imagine99 wrote:
| I really want to like and recommend Tailscale more (and MagicDNS
| is another bonus) but with the forced use of Google auth and
| still no support for fast user switching and connections to
| multiple networks, it just has too many dealbreakers for me and
| many colleagues.
|
| Zerotier has had all of that figured out for years, in the
| meantime Tailscale just locked the thread requesting multiple
| connection support as "too heated" (after >2 years of no
| progress).
|
| And putting access to our corporate networks in the hands of
| Google & Co. and their trigger-happy account-blocking algos means
| that TS gets an automatic thumbs down from compliance officers at
| several of our clients. We can read stories on HN every week why
| such authentication systems are a bad idea, and steadfastly
| refusing to roll your own account system (all the while
| justifying it with handwavy security concerns) just seems lazy to
| me.
|
| I can follow their arguments to some extent, I just don't
| understand why the TS people insist on exclusionary features
| rather than letting the user choose. You believe multiple
| simultaneous connections are somewhat insecure and that's why you
| won't implement it? Okay, slap a warning sign on it if you want,
| by all means, but who cares about this if all I want is to
| connect to 5 branch offices at the same time.
|
| You believe forcing users to use their private, everyday Google
| or Github accounts for authentication is safer than using a
| special account registered on TS with safe, unique credentials
| not used for any other purpose to minimize collateral damage (if
| the Google or Github credentials get compromised you'd get their
| emails or a bit of source code, but not access to the WHOLE
| corporate network)? How about letting the user choose and show
| some flexibility to use-cases that exist even if you can't
| imagine them?
|
| Sorry for the rant, again, I want to love TS, its UX is pretty
| neat, but something about their supercilious attitude with which
| they justify their (non-)features just rubs me the wrong way, I
| guess.
|
| At the risk of downvotes (because I know TS has - rightfully -
| many fans), if anyone from TS is reading this, I do implore you
| to be more open-minded and give your users a choice rather than
| patronising them on multiple fronts when using your product. Feel
| free to recommend a "best practice" but understand that many
| users who might love your product will want and have to use it in
| a slightly different way than you intended - and that should be
| okay.
| tssva wrote:
| Microsoft, GitHub, Okta, OneLogin and custom solutions for
| enterprise customers are also available for authorization.
| [deleted]
| aaomidi wrote:
| It also really feels like tailscale is holding iOS hostage to
| reduce the users of headscale.
| BrightOne wrote:
| My tailnet is set up using a GitHub organization, without using
| Google at all. I have sufficient security (2FA with security
| keys, etc.) enforced for it. I think that hand-rolling their
| own auth would not be a great idea just yet, while they are
| still ironing out other features.
| ev1 wrote:
| The only choices being MS or Google for auth, both with
| trigger happy defence mechanisms, is kind of annoying though.
| dijit wrote:
| There are more options than that, and I see your point.
|
| To take the contrarian stance though: SSO not being paid is
| kinda nice, and not having yet another password for
| something is nice. --- double and: then not being able to
| leak a password or handle 2FA, instead focusing on their
| actual product.
| ev1 wrote:
| For free users, it's pretty much just G, MS, and GH
| (which is currently the only "tolerable" one, but there's
| no reason why it won't turn into a MS account in the
| future just like how they killed Minecraft)
| nalllar wrote:
| > but with the forced use of Google auth
|
| There are two other options - MS and GitHub (does that only
| count as one?) - for free users.
| jonpurdy wrote:
| It took me six months to actually set up TS because of the lack
| of email/password auth. So this is definitely a pain point.
| It's such a good product that it's annoying that they don't
| roll their own simple auth.
|
| I eventually gave up and used Github and it's definitely been
| worth it for my personal use (a personal laptop accessing a Mac
| Mini in SF while on vacation, as well as setting up exit nodes
| on VPSs for getting around geo-restrictions).
| andrelaszlo wrote:
| They don't support SAML? It's not the nicest standard, sure...
___________________________________________________________________
(page generated 2022-10-20 23:00 UTC)