MagicDNS base domain clobbers valid records #54

New Issue

adam · 2025-12-29T01:21:13+01:00

adam commented

2025-12-29 01:21:13 +01:00

Originally created by @nicka101 on GitHub (Oct 14, 2021).

The Domain used for MagicDNS' base domain must not match an actual domain, as any valid records within such domain are completely clobbered by MagicDNS and return NXDOMAIN.

In my own testing I use my domain (anstee.dev) as the base, knowing full well that MagicDNS will include the namespace ("nicka101" for my testing) in the produced records , and thus there should be no conflict with actual records visible to upstream DNS.

However checking DNS responses after making these changes reveals the following:

Relevant section of headscale config:

"dns_config": {
       "nameservers": ["8.8.4.4", "8.8.8.8"],
       "domains": [],
       "magic_dns": true,
       "base_domain": "anstee.dev"
   }

DNS query for the base domain against 8.8.8.8:

❯ dig @8.8.8.8 anstee.dev

; <<>> DiG 9.16.21 <<>> @8.8.8.8 anstee.dev
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11423
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;anstee.dev.                    IN      A

;; ANSWER SECTION:
anstee.dev.             3600    IN      A       51.195.219.36

;; Query time: 116 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Oct 14 01:13:26 CEST 2021
;; MSG SIZE  rcvd: 55

DNS query for base domain against 100.100.100.100:

❯ dig @100.100.100.100 anstee.dev

; <<>> DiG 9.16.21 <<>> @100.100.100.100 anstee.dev
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6569
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;anstee.dev.                    IN      A

;; Query time: 0 msec
;; SERVER: 100.100.100.100#53(100.100.100.100)
;; WHEN: Thu Oct 14 01:14:34 CEST 2021
;; MSG SIZE  rcvd: 28

Note that its not just the base domain that gets clobbered, any valid subdomains are also clobbered:

~ 
❯ dig @8.8.8.8 +noall +answer anstee.dev
anstee.dev.             2876    IN      A       51.195.219.36

~ 
❯ dig @8.8.8.8 +noall +answer git.anstee.dev
git.anstee.dev.         3600    IN      CNAME   anstee.dev.
anstee.dev.             3600    IN      A       51.195.219.36

~ 
❯ dig @100.100.100.100 +noall +answer git.anstee.dev

~ 
❯ dig @8.8.8.8 +noall +answer ldn1.anstee.dev
ldn1.anstee.dev.        3600    IN      A       51.195.219.36

~ 
❯ dig @100.100.100.100 +noall +answer ldn1.anstee.dev

~ 
❯

MagicDNS entries themselves are working as expected however:

❯ dig @100.100.100.100 +noall +answer pi4.nicka101.anstee.dev
pi4.nicka101.anstee.dev. 600    IN      A       100.99.123.231

Originally created by @nicka101 on GitHub (Oct 14, 2021). The Domain used for MagicDNS' base domain must not match an actual domain, as any valid records within such domain are completely clobbered by MagicDNS and return NXDOMAIN. In my own testing I use my domain (anstee.dev) as the base, knowing full well that MagicDNS will include the namespace ("nicka101" for my testing) in the produced records , and thus there should be no conflict with actual records visible to upstream DNS. However checking DNS responses after making these changes reveals the following: Relevant section of headscale config: ``` "dns_config": { "nameservers": ["8.8.4.4", "8.8.8.8"], "domains": [], "magic_dns": true, "base_domain": "anstee.dev" } ``` DNS query for the base domain against 8.8.8.8: ``` ❯ dig @8.8.8.8 anstee.dev ; <<>> DiG 9.16.21 <<>> @8.8.8.8 anstee.dev ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11423 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;anstee.dev. IN A ;; ANSWER SECTION: anstee.dev. 3600 IN A 51.195.219.36 ;; Query time: 116 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Thu Oct 14 01:13:26 CEST 2021 ;; MSG SIZE rcvd: 55 ``` DNS query for base domain against 100.100.100.100: ``` ❯ dig @100.100.100.100 anstee.dev ; <<>> DiG 9.16.21 <<>> @100.100.100.100 anstee.dev ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6569 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;anstee.dev. IN A ;; Query time: 0 msec ;; SERVER: 100.100.100.100#53(100.100.100.100) ;; WHEN: Thu Oct 14 01:14:34 CEST 2021 ;; MSG SIZE rcvd: 28 ``` Note that its not just the base domain that gets clobbered, any valid subdomains are also clobbered: ``` ~ ❯ dig @8.8.8.8 +noall +answer anstee.dev anstee.dev. 2876 IN A 51.195.219.36 ~ ❯ dig @8.8.8.8 +noall +answer git.anstee.dev git.anstee.dev. 3600 IN CNAME anstee.dev. anstee.dev. 3600 IN A 51.195.219.36 ~ ❯ dig @100.100.100.100 +noall +answer git.anstee.dev ~ ❯ dig @8.8.8.8 +noall +answer ldn1.anstee.dev ldn1.anstee.dev. 3600 IN A 51.195.219.36 ~ ❯ dig @100.100.100.100 +noall +answer ldn1.anstee.dev ~ ❯ ``` MagicDNS entries themselves are working as expected however: ``` ❯ dig @100.100.100.100 +noall +answer pi4.nicka101.anstee.dev pi4.nicka101.anstee.dev. 600 IN A 100.99.123.231 ```

adam added the bug label 2025-12-29 01:21:13 +01:00

adam closed this issue

2025-12-29 01:21:13 +01:00

adam commented

2025-12-29 01:21:14 +01:00

@kradalby commented on GitHub (Oct 14, 2021):

Good observation, from what i understand, this is on the tailscale side and we can't really do anything else than warning/recommending people.

Would you be able to pr a doc change to inform the users?

Let me know if I misunderstood.

@kradalby commented on GitHub (Oct 14, 2021): Good observation, from what i understand, this is on the tailscale side and we can't really do anything else than warning/recommending people. Would you be able to pr a doc change to inform the users? Let me know if I misunderstood.

adam commented

2025-12-29 01:21:15 +01:00

@juanfont commented on GitHub (Oct 14, 2021):

I think this is a valid issue. Need to investigate a bit. I reckon we should only capture $NAMESPACE.$BASE_DOMAIN not the whole base domain.

@juanfont commented on GitHub (Oct 14, 2021): I think this is a valid issue. Need to investigate a bit. I reckon we should only capture $NAMESPACE.$BASE_DOMAIN not the whole base domain.

adam commented

2025-12-29 01:21:15 +01:00

@nicka101 commented on GitHub (Oct 15, 2021):

I would tend to agree with Juan that the expected behavior would be for headscale/tailscale to only capture $NAMESPACE.$BASE_DOMAIN (along with any additional namespaces visible to the current user), rather than clobbering the entire base domain.

I understand that the actual DNS responses are controlled by the tailscale client, which is running the DNS server, however it seems like modification of generateMagicDNSRootDomains within dns.go could resolve the issue if it were to actually specify the individual relevant subdomains, instead of the base domain itself like it currently does on dns.go#40

@nicka101 commented on GitHub (Oct 15, 2021): I would tend to agree with Juan that the expected behavior would be for headscale/tailscale to only capture $NAMESPACE.$BASE_DOMAIN (along with any additional namespaces visible to the current user), rather than clobbering the entire base domain. I understand that the actual DNS responses are controlled by the tailscale client, which is running the DNS server, however it seems like modification of `generateMagicDNSRootDomains` within dns.go could resolve the issue if it were to actually specify the individual relevant subdomains, instead of the base domain itself like it currently does on [dns.go#40](https://github.com/juanfont/headscale/blob/main/dns.go#L40)

adam commented

2025-12-29 01:21:15 +01:00

@juanfont commented on GitHub (Oct 15, 2021):

Yep, I am working on a patch that fixes that already. Will probably launch
a PR today.

On Fri, Oct 15, 2021, 13:48 Nick Anstee @.***> wrote:

I would tend to agree with Juan that the expected behavior would be for
headscale/tailscale to only capture $NAMESPACE.$BASE_DOMAIN (along with any
additional namespaces visible to the current user), rather than clobbering
the entire base domain.

I understand that the actual DNS responses are controlled by the tailscale
client, which is running the DNS server, however it seems like modification
of generateMagicDNSRootDomains within dns.go could resolve the issue if
it were to actually specify the individual relevant subdomains, instead of
the base domain itself like it currently does on dns.go#40
https://github.com/juanfont/headscale/blob/main/dns.go#L40

—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
https://github.com/juanfont/headscale/issues/160#issuecomment-944234123,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AABMGQ6VJEHPUOHVHAHZ3DTUHAIKDANCNFSM5F6KPQKQ
.

@juanfont commented on GitHub (Oct 15, 2021): Yep, I am working on a patch that fixes that already. Will probably launch a PR today. On Fri, Oct 15, 2021, 13:48 Nick Anstee ***@***.***> wrote: > I would tend to agree with Juan that the expected behavior would be for > headscale/tailscale to only capture $NAMESPACE.$BASE_DOMAIN (along with any > additional namespaces visible to the current user), rather than clobbering > the entire base domain. > > I understand that the actual DNS responses are controlled by the tailscale > client, which is running the DNS server, however it seems like modification > of generateMagicDNSRootDomains within dns.go could resolve the issue if > it were to actually specify the individual relevant subdomains, instead of > the base domain itself like it currently does on dns.go#40 > <https://github.com/juanfont/headscale/blob/main/dns.go#L40> > > — > You are receiving this because you commented. > Reply to this email directly, view it on GitHub > <https://github.com/juanfont/headscale/issues/160#issuecomment-944234123>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AABMGQ6VJEHPUOHVHAHZ3DTUHAIKDANCNFSM5F6KPQKQ> > . >

adam referenced this issue

2025-12-29 02:29:17 +01:00

[PR #54] [MERGED] Implement node deletion #1227

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#54