Split DNS only works sporadically #388

New Issue

adam · 2025-12-29T01:28:10+01:00

adam commented

2025-12-29 01:28:10 +01:00

Originally created by @thorstenweber83 on GitHub (Dec 8, 2022).

Headscale version: 0.17.1
Platforms: Linux x86-64, aarch64 (some clients)
Tailscale versions: 1.32.2, 1.30.0
Kernel versions: 5.15.81 (hs server), 5.15.32, 5.19.5, 5.15.79 (ts clients)

So i have a headscale instance with the following config (generated via the headscale nixos module):

acl_policy_path: null
db_host: null
db_name: null
db_password_file: null
db_path: /var/lib/headscale/db.sqlite
db_port: null
db_type: sqlite3
db_user: null
derp:
  auto_update_enable: true
  paths: []
  update_frequency: 24h
  urls:
  - https://controlplane.tailscale.com/derpmap/default
disable_check_updates: true
dns_config:
  base_domain: ''
  domains: []
  magic_dns: true
  nameservers:
  - 1.1.1.1
  override_local_dns: true
  restricted_nameservers:
    my-domain.tld:
    - 100.64.0.5
ephemeral_node_inactivity_timeout: 30m
ip_prefixes:
- 100.64.0.0/10
listen_addr: 0.0.0.0:8081
log:
  format: text
  level: info
metrics_listen_addr: 0.0.0.0:9090
noise:
  private_key_path: /var/lib/headscale/noise_private.key
oidc:
  client_id: ''
  client_secret_file: null
  domain_map: {}
  issuer: ''
private_key_path: /var/lib/headscale/private.key
server_url: https://my-server.other-domain.tld
tls_cert_path: null
tls_key_path: null
tls_letsencrypt_cache_dir: /var/lib/headscale/.cache
tls_letsencrypt_challenge_type: HTTP-01
tls_letsencrypt_hostname: ''
tls_letsencrypt_listen: :http
unix_socket: /run/headscale/headscale.sock

It is served on https://my-server.other-domain.tld via a nginx reverse proxy.
My nameserver for split dns is reachable at 100.64.0.5:53 inside the tailnet and works when i do

dig @100.64.0.5 subdomain.my-domain.tld

The problem is that resolving my-domain.tld domains via 100.100.100.100 like this:

dig @100.100.100.100 subdomain.my-domain.tld

only works sometimes.
Often the tailscale resolver gives NXDOMAIN.

Looking at the tailscale client's logs i discovered, that when reconfiguring, it does not always include my dns server in Resolvercfg:

- - - - 8< - - - - - - - - - - - - - - - - -
wgengine: Reconfig: configuring router
Dez 06 23:56:45 client1 tailscaled[864]: wgengine: Reconfig: configuring DNS
Dez 06 23:56:45 client1 tailscaled[864]: dns: Set: {DefaultResolvers:[1.1.1.1] Routes:{my-domain.tld.:[100.64.0.5]}+65arpa SearchDomains:[my-domain.tld.] Hosts:5}
Dez 06 23:56:45 client1 tailscaled[864]: dns: Resolvercfg: {Routes:{.:[1.1.1.1] my-domain.tld.:[100.64.0.5]} Hosts:5 LocalDomains:[]+65arpa}
Dez 06 23:56:45 client1 tailscaled[864]: dns: OScfg: {Hosts:[] Nameservers:[100.100.100.100] SearchDomains:[my-domain.tld.] MatchDomains:[]}o
- - - - 8< - - now it's working  - - - - - -
[...]
- - - - 8< - - - - - - - - - - - - - - - - - 
Dez 06 23:57:35 client1 tailscaled[864]: wgengine: Reconfig: configuring router
Dez 06 23:57:35 client1 tailscaled[864]: wgengine: Reconfig: configuring DNS
Dez 06 23:57:35 client1 tailscaled[864]: dns: Set: {DefaultResolvers:[1.1.1.1] Routes:{my-domain.tld.:[]}+65arpa SearchDomains:[my-domain.tld.] Hosts:5}
Dez 06 23:57:35 client1 tailscaled[864]: dns: Resolvercfg: {Routes:{.:[1.1.1.1]} Hosts:5 LocalDomains:[my-domain.tld.]+65arpa}
Dez 06 23:57:35 client1 tailscaled[864]: dns: OScfg: {Hosts:[] Nameservers:[100.100.100.100] SearchDomains:[my-domain.tld.] MatchDomains:[]}
- - - - 8< - - now it's broken - - - - - - -

When looking at my headscale logs, i couldn't find any suspicious log messages. The only log lines during the time in question were:

Dez 06 23:56:19 server1 headscale-start[43971]: 2022-12-06T23:56:19+01:00 INF Client sent endpoint update and is ok with a response without peer list handler=PollNetMap machine=client1 noise=true
Dez 06 23:56:42 server1 headscale-start[43971]: 2022-12-06T23:56:42+01:00 INF Client sent endpoint update and is ok with a response without peer list handler=PollNetMap machine=client1 noise=true
Dez 06 23:57:30 server1 headscale-start[43971]: 2022-12-06T23:57:30+01:00 INF Client sent endpoint update and is ok with a response without peer list handler=PollNetMap machine=client1 noise=true

I'm not sure if this is an issue with headscale or the tailscale client, but i would like to rule out headscale before opening an issue with tailscale.

Any help is greatly appreciated.
Thank you very much!

Originally created by @thorstenweber83 on GitHub (Dec 8, 2022). Headscale version: 0.17.1 Platforms: Linux x86-64, aarch64 (some clients) Tailscale versions: 1.32.2, 1.30.0 Kernel versions: 5.15.81 (hs server), 5.15.32, 5.19.5, 5.15.79 (ts clients) So i have a headscale instance with the following config (generated via the headscale nixos module): ``` acl_policy_path: null db_host: null db_name: null db_password_file: null db_path: /var/lib/headscale/db.sqlite db_port: null db_type: sqlite3 db_user: null derp: auto_update_enable: true paths: [] update_frequency: 24h urls: - https://controlplane.tailscale.com/derpmap/default disable_check_updates: true dns_config: base_domain: '' domains: [] magic_dns: true nameservers: - 1.1.1.1 override_local_dns: true restricted_nameservers: my-domain.tld: - 100.64.0.5 ephemeral_node_inactivity_timeout: 30m ip_prefixes: - 100.64.0.0/10 listen_addr: 0.0.0.0:8081 log: format: text level: info metrics_listen_addr: 0.0.0.0:9090 noise: private_key_path: /var/lib/headscale/noise_private.key oidc: client_id: '' client_secret_file: null domain_map: {} issuer: '' private_key_path: /var/lib/headscale/private.key server_url: https://my-server.other-domain.tld tls_cert_path: null tls_key_path: null tls_letsencrypt_cache_dir: /var/lib/headscale/.cache tls_letsencrypt_challenge_type: HTTP-01 tls_letsencrypt_hostname: '' tls_letsencrypt_listen: :http unix_socket: /run/headscale/headscale.sock ``` It is served on https://my-server.other-domain.tld via a nginx reverse proxy.\ My nameserver for split dns is reachable at 100.64.0.5:53 inside the tailnet and works when i do ``` dig @100.64.0.5 subdomain.my-domain.tld ``` The problem is that resolving `my-domain.tld` domains via 100.100.100.100 like this: ``` dig @100.100.100.100 subdomain.my-domain.tld ``` only works sometimes.\ Often the tailscale resolver gives `NXDOMAIN`. Looking at the tailscale client's logs i discovered, that when reconfiguring, it does not always include my dns server in `Resolvercfg`: ``` - - - - 8< - - - - - - - - - - - - - - - - - wgengine: Reconfig: configuring router Dez 06 23:56:45 client1 tailscaled[864]: wgengine: Reconfig: configuring DNS Dez 06 23:56:45 client1 tailscaled[864]: dns: Set: {DefaultResolvers:[1.1.1.1] Routes:{my-domain.tld.:[100.64.0.5]}+65arpa SearchDomains:[my-domain.tld.] Hosts:5} Dez 06 23:56:45 client1 tailscaled[864]: dns: Resolvercfg: {Routes:{.:[1.1.1.1] my-domain.tld.:[100.64.0.5]} Hosts:5 LocalDomains:[]+65arpa} Dez 06 23:56:45 client1 tailscaled[864]: dns: OScfg: {Hosts:[] Nameservers:[100.100.100.100] SearchDomains:[my-domain.tld.] MatchDomains:[]}o - - - - 8< - - now it's working - - - - - - [...] - - - - 8< - - - - - - - - - - - - - - - - - Dez 06 23:57:35 client1 tailscaled[864]: wgengine: Reconfig: configuring router Dez 06 23:57:35 client1 tailscaled[864]: wgengine: Reconfig: configuring DNS Dez 06 23:57:35 client1 tailscaled[864]: dns: Set: {DefaultResolvers:[1.1.1.1] Routes:{my-domain.tld.:[]}+65arpa SearchDomains:[my-domain.tld.] Hosts:5} Dez 06 23:57:35 client1 tailscaled[864]: dns: Resolvercfg: {Routes:{.:[1.1.1.1]} Hosts:5 LocalDomains:[my-domain.tld.]+65arpa} Dez 06 23:57:35 client1 tailscaled[864]: dns: OScfg: {Hosts:[] Nameservers:[100.100.100.100] SearchDomains:[my-domain.tld.] MatchDomains:[]} - - - - 8< - - now it's broken - - - - - - - ``` When looking at my headscale logs, i couldn't find any suspicious log messages. The only log lines during the time in question were: ``` Dez 06 23:56:19 server1 headscale-start[43971]: 2022-12-06T23:56:19+01:00 INF Client sent endpoint update and is ok with a response without peer list handler=PollNetMap machine=client1 noise=true Dez 06 23:56:42 server1 headscale-start[43971]: 2022-12-06T23:56:42+01:00 INF Client sent endpoint update and is ok with a response without peer list handler=PollNetMap machine=client1 noise=true Dez 06 23:57:30 server1 headscale-start[43971]: 2022-12-06T23:57:30+01:00 INF Client sent endpoint update and is ok with a response without peer list handler=PollNetMap machine=client1 noise=true ``` I'm not sure if this is an issue with headscale or the tailscale client, but i would like to rule out headscale before opening an issue with tailscale. Any help is greatly appreciated. Thank you very much!

adam added the bug label 2025-12-29 01:28:10 +01:00

adam closed this issue

2025-12-29 01:28:10 +01:00

adam commented

2025-12-29 01:28:10 +01:00

@thorstenweber83 commented on GitHub (Dec 12, 2022):

I found the cause of my problems:

My user account/namespace was named "my-domain.tld" which would have been nice with magic dns.

After choosing another name for my user account, the problems with DNS resolution went away.

@thorstenweber83 commented on GitHub (Dec 12, 2022): I found the cause of my problems: My user account/namespace was named "my-domain.tld" which would have been nice with magic dns. After choosing another name for my user account, the problems with DNS resolution went away.

adam referenced this issue

2025-12-29 01:29:54 +01:00

What specific services does 'embedded DERP (and STUN) server' provide #467

adam referenced this issue

2025-12-29 02:30:00 +01:00

[PR #388] [MERGED] Add an embedded DERP server to Headscale #1421

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#388