[Feature] Wildcard support for split DNS configuration #905

New Issue

adam · 2025-12-29T02:25:45+01:00

adam commented

2025-12-29 02:25:45 +01:00

Originally created by @lgrn on GitHub (Jan 10, 2025).

Use case

There is a split attribute in config-example.yaml that allows you to configure "a map of domains and which DNS server to use for each". In cases of a split VPN scenario, where Headscale is only used to access "internal" resources but not the rest of the Internet, it seems likely that one would want to configure entire domains or subdomains rather than explicit domain names to be passed to a separate DNS.

Description

Functionality today:

  nameservers:
    global:
      - 1.1.1.1
      - 1.0.0.1

    split:
      foo.internal.domain:
        - 10.10.10.10
      bar.internal.domain:
        - 10.10.10.10

Feature request:

  nameservers:
    global:
      - 1.1.1.1
      - 1.0.0.1

    split:
      *.internal.domain:
        - 10.10.10.10

If starting an attribute with * causes yaml or other syntax issues, perhaps the syntax .internal.domain or similar could be considered instead.

Contribution

I can write the design doc for this feature
I can contribute this feature

How can it be implemented?

No response

Originally created by @lgrn on GitHub (Jan 10, 2025). ### Use case There is a [split attribute](https://github.com/juanfont/headscale/blob/10a72e8d542af68c0c280f2a6ccc84849719b24c/config-example.yaml#L287) in `config-example.yaml` that allows you to configure "_a map of domains and which DNS server to use for each_". In cases of a split VPN scenario, where Headscale is only used to access "internal" resources but not the rest of the Internet, it seems likely that one would want to configure entire domains or subdomains rather than explicit domain names to be passed to a separate DNS. ### Description Functionality today: ```yaml nameservers: global: - 1.1.1.1 - 1.0.0.1 split: foo.internal.domain: - 10.10.10.10 bar.internal.domain: - 10.10.10.10 ``` Feature request: ```yaml nameservers: global: - 1.1.1.1 - 1.0.0.1 split: *.internal.domain: - 10.10.10.10 ``` If starting an attribute with `*` causes yaml or other syntax issues, perhaps the syntax `.internal.domain` or similar could be considered instead. ### Contribution - [ ] I can write the design doc for this feature - [ ] I can contribute this feature ### How can it be implemented? _No response_

adam added the enhancement label 2025-12-29 02:25:45 +01:00

adam closed this issue

2025-12-29 02:25:45 +01:00

adam commented

2025-12-29 02:25:46 +01:00

@Nathanael-Mtd commented on GitHub (Jan 10, 2025):

You can just set internal.domain to your specified DNS server, every request to that domain or subdomain will be handeled by the specified server.

For example:

  nameservers:
    global:
      - 1.1.1.1
      - 1.0.0.1

    split:
      internal.domain:
        - 10.10.10.10

@Nathanael-Mtd commented on GitHub (Jan 10, 2025): You can just set ``internal.domain`` to your specified DNS server, every request to that domain or subdomain will be handeled by the specified server. For example: ``` nameservers: global: - 1.1.1.1 - 1.0.0.1 split: internal.domain: - 10.10.10.10 ```

adam commented

2025-12-29 02:25:46 +01:00

@lgrn commented on GitHub (Jan 10, 2025):

That's great, if that already works then I'll just suggest that it's maybe clarified in the comments in config-example.yamland/or the docs (most of the attribute documentation seems to be in the config example itself).

If I understand the behavior correctly then adding foo.bar.com would also mean that sub.foo.bar.com triggers the same DNS rule which may be unexpected, so maybe that should be documented as well.

@lgrn commented on GitHub (Jan 10, 2025): That's great, if that already works then I'll just suggest that it's maybe clarified in the comments in `config-example.yaml`and/or [the docs](https://headscale.net/stable/ref/configuration/) (most of the attribute documentation seems to be in the config example itself). If I understand the behavior correctly then adding `foo.bar.com` would also mean that `sub.foo.bar.com` triggers the same DNS rule which may be unexpected, so maybe that should be documented as well.

adam commented

2025-12-29 02:25:46 +01:00

@Nathanael-Mtd commented on GitHub (Jan 10, 2025):

Yeah, DNS docs seems outdated.

It's not really unexpected, that's how DNS servers works.

Every requests you send with a specified suffix (zone is the right word) will be sent to the specified DNS server.
If the specified DNS server got the entry in his zone, it will return the answer, if not (depends of the DNS server config) it will check recursively the authoritative DNS server for the zone and get DNS entry and return that to you.

@Nathanael-Mtd commented on GitHub (Jan 10, 2025): Yeah, DNS docs seems outdated. It's not really unexpected, that's how DNS servers works. Every requests you send with a specified suffix (zone is the right word) will be sent to the specified DNS server. If the specified DNS server got the entry in his zone, it will return the answer, if not (depends of the DNS server config) it will check recursively the authoritative DNS server for the zone and get DNS entry and return that to you.

adam commented

2025-12-29 02:25:46 +01:00

@lgrn commented on GitHub (Jan 10, 2025):

Yeah, I guess the comment does kind of already explain it since it says that it's a "map of domains" and not a map of hostnames. Anyway, thanks for the quick feedback.

@lgrn commented on GitHub (Jan 10, 2025): Yeah, I guess the comment does kind of already explain it since it says that it's a "_map of domains_" and not a map of hostnames. Anyway, thanks for the quick feedback.

adam referenced this issue

2025-12-29 02:31:27 +01:00

[PR #905] [MERGED] Add support for "override local DNS" #1726

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#905