restricted_nameservers resolution fails when --accept-routes is false #530

New Issue

adam · 2025-12-29T02:19:35+01:00

adam commented

2025-12-29 02:19:35 +01:00

Originally created by @RUzOfuz5m on GitHub (Jul 11, 2023).

Why

This request is for when --accept-routes is false the restricted_nameservers: should not be used.

To me, it's reasonable that restricted_nameservers are DNS servers that are hosted on a private network. When using --accept-routes it makes sense that you can expect that you're on the private network and should have access to the restricted DNS hosts.

If --accept-routes is false, you want to be on the "raw" Internet, either from an exit node or from your current connection. using restricted_nameservers here doesn't make sense as it fails in my example below.

Description

I have Split DNS setup:

dns_config:
  nameservers:
    - 208.67.222.222
    - 208.67.220.220
  restricted_nameservers:
    example.ca:
      - 192.168.0.1

Internal to the 192.168.0.0/24 network, example.ca will resolve to 192.168.0.200
external to the 192.168.0.0/24 network, example.ca will resolve to $Public_IP

When I connect to an exit node and I'm away from the 192.168.0.0/24 network, I use tailscale up --login-server=https://headscale.example.ca --exit-node=100.64.0.1 --reset This does not include a route to 192.168.0.1 so any DNS resolution for example.ca will fail. I'm looking for a solution that will allow me to continue to resolve example.ca. My suggestion is above but anything that works would be fine.

Originally created by @RUzOfuz5m on GitHub (Jul 11, 2023). ## Why This request is for when `--accept-routes is false` the `restricted_nameservers:` should not be used. To me, it's reasonable that restricted_nameservers are DNS servers that are hosted on a private network. When using --accept-routes it makes sense that you can expect that you're on the private network and should have access to the restricted DNS hosts. If --accept-routes is false, you want to be on the "raw" Internet, either from an exit node or from your current connection. using restricted_nameservers here doesn't make sense as it fails in my example below. ## Description I have Split DNS setup: ``` dns_config: nameservers: - 208.67.222.222 - 208.67.220.220 restricted_nameservers: example.ca: - 192.168.0.1 ``` Internal to the 192.168.0.0/24 network, example.ca will resolve to 192.168.0.200 external to the 192.168.0.0/24 network, example.ca will resolve to $Public_IP When I connect to an exit node and I'm away from the 192.168.0.0/24 network, I use `tailscale up --login-server=https://headscale.example.ca --exit-node=100.64.0.1 --reset` This does not include a route to 192.168.0.1 so any DNS resolution for example.ca will fail. I'm looking for a solution that will allow me to continue to resolve example.ca. My suggestion is above but anything that works would be fine.

adam added the enhancement stale labels 2025-12-29 02:19:35 +01:00

adam closed this issue

2025-12-29 02:19:35 +01:00

adam commented

2025-12-29 02:19:35 +01:00

@sjansen1 commented on GitHub (Jul 18, 2023):

I am not so sure if this is good idea, what if you never use subnet gateways but want another tailscale node to be your nameserver?

@sjansen1 commented on GitHub (Jul 18, 2023): I am not so sure if this is good idea, what if you never use subnet gateways but want another tailscale node to be your nameserver?

adam commented

2025-12-29 02:19:36 +01:00

@RUzOfuz5m commented on GitHub (Jul 19, 2023):

Why not put the tailscale node as a nameserver instead of a restricted_nameserver in that case @sjansen1?

When you connect to the tailscale network all of the tailscale nodes will be available (assuming no ACLs) so putting one as the nameserver shouldn't be a problem as far as I understand it.

Do you have any suggestions for the problem I'm having? if --accept-routes is false DNS fails for my restricted_nameservers because they're on a private IP and reslove private addresses. I'd like the option to resolve the public IPs.

@RUzOfuz5m commented on GitHub (Jul 19, 2023): Why not put the tailscale node as a nameserver instead of a restricted_nameserver in that case @sjansen1? When you connect to the tailscale network all of the tailscale nodes will be available (assuming no ACLs) so putting one as the nameserver shouldn't be a problem as far as I understand it. Do you have any suggestions for the problem I'm having? if `--accept-routes` is false DNS fails for my restricted_nameservers because they're on a private IP and reslove private addresses. I'd like the option to resolve the public IPs.

adam commented

2025-12-29 02:19:36 +01:00

@sjansen1 commented on GitHub (Jul 19, 2023):

Sorry i have no idea for a solution because i use subnet routers for reaching out to our nameservers. I have different problems like tailscale is unable to bootstrap (start) if required nameserver are in a network that is provided over tailscale and the person is present at the location where the subnets are, but thats something different i am struggle with.

@sjansen1 commented on GitHub (Jul 19, 2023): Sorry i have no idea for a solution because i use subnet routers for reaching out to our nameservers. I have different problems like tailscale is unable to bootstrap (start) if required nameserver are in a network that is provided over tailscale and the person is present at the location where the subnets are, but thats something different i am struggle with.

adam commented

2025-12-29 02:19:36 +01:00

@github-actions[bot] commented on GitHub (Dec 12, 2023):

This issue is stale because it has been open for 90 days with no activity.

@github-actions[bot] commented on GitHub (Dec 12, 2023): This issue is stale because it has been open for 90 days with no activity.

adam commented

2025-12-29 02:19:36 +01:00

@github-actions[bot] commented on GitHub (Dec 20, 2023):

This issue was closed because it has been inactive for 14 days since being marked as stale.

@github-actions[bot] commented on GitHub (Dec 20, 2023): This issue was closed because it has been inactive for 14 days since being marked as stale.

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#530