Description
What is the issue?
AFAIU all my DNS traffic should be direct between machines (using Exit Nodes and configured with Tailscale DNS settings) and the configured resolvers (100.X.X.X and 100.Y.Y.Y) in MagicDNS.
However, I am seeing an unexpected volume of DNS queries transiting through my Exit Nodes.
Steps to reproduce
On the Exit Node:
# tcpdump -i tailscale0 port 53 | grep pwet.com
Then on my machine configured with the Exit Node:
- https://thisisatestfromfirefox.pwet.com (From Firefox)
- https://thisisatestfrombrave.pwet.com (From Brave)
- host thisisatestfromclihost.pwet.com (from terminal)
- doggo thisisatestfromclidoggo.pwet.com (from terminal with doggo)
tcpdump output
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tailscale0, link-type RAW (Raw IP), capture size 262144 bytes
17:08:45.524647 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.41264 > 100.100.100.100.domain: 43223+ AAAA? thisisatestfromfirefox.pwet.com. (49)
17:08:45.525156 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.45975 > 100.100.100.100.domain: 47571+ A? thisisatestfromfirefox.pwet.com. (49)
17:08:45.525408 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.54917 > dns-euc1b-infra-02.company.com.beta.tailscale.net.domain: 43223+ AAAA? thisisatestfromfirefox.pwet.com. (49)
17:08:45.525475 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.36297 > dns-euc1b-infra-02.company.com.beta.tailscale.net.domain: 47571+ A? thisisatestfromfirefox.pwet.com. (49)
17:08:45.525554 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.38827 > dns-euc1a-infra-01.company.com.beta.tailscale.net.domain: 43223+ AAAA? thisisatestfromfirefox.pwet.com. (49)
17:08:45.525836 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.36497 > dns-euc1a-infra-01.company.com.beta.tailscale.net.domain: 47571+ A? thisisatestfromfirefox.pwet.com. (49)
17:08:59.378228 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.36736 > 100.100.100.100.domain: 60315+ A? thisisatestfrombrave.pwet.com. (47)
17:08:59.378439 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.52490 > dns-euc1b-infra-02.company.com.beta.tailscale.net.domain: 60315+ A? thisisatestfrombrave.pwet.com. (47)
17:08:59.378517 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.39328 > dns-euc1a-infra-01.company.com.beta.tailscale.net.domain: 60315+ A? thisisatestfrombrave.pwet.com. (47)
17:08:59.378866 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.39841 > 100.100.100.100.domain: 21670+ AAAA? thisisatestfrombrave.pwet.com. (47)
17:08:59.379038 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.58586 > dns-euc1b-infra-02.company.com.beta.tailscale.net.domain: 21670+ AAAA? thisisatestfrombrave.pwet.com. (47)
17:08:59.379436 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.52197 > dns-euc1a-infra-01.company.com.beta.tailscale.net.domain: 21670+ AAAA? thisisatestfrombrave.pwet.com. (47)
17:09:37.317700 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.48574 > 100.100.100.100.domain: 41354+ A? thisisatestfromclihost.pwet.com. (49)
17:09:37.317856 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.48980 > dns-euc1b-infra-02.company.com.beta.tailscale.net.domain: 41354+ A? thisisatestfromclihost.pwet.com. (49)
17:09:37.317939 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.38877 > dns-euc1a-infra-01.company.com.beta.tailscale.net.domain: 41354+ A? thisisatestfromclihost.pwet.com. (49)
17:09:37.440755 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.37163 > 100.100.100.100.domain: 48641+ AAAA? thisisatestfromclihost.pwet.com. (49)
17:09:37.440957 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.42811 > dns-euc1b-infra-02.company.com.beta.tailscale.net.domain: 48641+ AAAA? thisisatestfromclihost.pwet.com. (49)
17:09:37.441059 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.56174 > dns-euc1a-infra-01.company.com.beta.tailscale.net.domain: 48641+ AAAA? thisisatestfromclihost.pwet.com. (49)
17:09:37.652010 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.58013 > 100.100.100.100.domain: 43816+ MX? thisisatestfromclihost.pwet.com. (49)
17:09:37.652220 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.44638 > dns-euc1b-infra-02.company.com.beta.tailscale.net.domain: 43816+ MX? thisisatestfromclihost.pwet.com. (49)
17:09:37.652277 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.38792 > dns-euc1a-infra-01.company.com.beta.tailscale.net.domain: 43816+ MX? thisisatestfromclihost.pwet.com. (49)
Only the resolution made with doggo is not routed through the exit node (as expected?).
My /etc/resolv.conf
#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
# scutil --dns
#
# SEE ALSO
# dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
search company.com.beta.tailscale.net
nameserver 100.100.100.100
$ scutil --dns
resolver #1
search domain[0] : company.com.beta.tailscale.net
nameserver[0] : 100.100.100.100
if_index : 25 (utun3)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 102400
resolver #2
nameserver[0] : 100.100.100.100
if_index : 25 (utun3)
flags : Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 200000
resolver #3
domain : company.com.beta.tailscale.net.
nameserver[0] : 100.100.100.100
if_index : 25 (utun3)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 102401
resolver #4
domain : local
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #5
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #6
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #7
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #8
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #9
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 301000
DNS configuration (for scoped queries)
resolver #1
nameserver[0] : 10.10.40.11
nameserver[1] : 10.10.40.1
if_index : 15 (en6)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
nameserver[0] : 10.10.40.11
nameserver[1] : 10.10.198.1
if_index : 14 (en0)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
resolver #3
search domain[0] : company.com.beta.tailscale.net
nameserver[0] : 100.100.100.100
if_index : 25 (utun3)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
Are there any recent changes that introduced the issue?
No response
OS
macOS
OS version
12.3 (21E230)
Tailscale version
1.22.1
Bug report
No response
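As an added example (not code from the issue or from Tailscale), the following Python parses tcpdump DNS query lines like the capture above and reports, per query ID, which resolvers the exit node forwarded it to, plus a check for any lookup sent to a resolver outside an allowed set. The embedded sample lines are copied from the capture above; the exit node hostname and the allowed resolver set are taken from that capture and are assumptions for the check.

```python
import re
from collections import defaultdict

# Constructed sample: the tcpdump banner plus four lines copied from the capture in the issue.
SAMPLE_CAPTURE = """\
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
17:08:45.524647 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.41264 > 100.100.100.100.domain: 43223+ AAAA? thisisatestfromfirefox.pwet.com. (49)
17:08:45.525408 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.54917 > dns-euc1b-infra-02.company.com.beta.tailscale.net.domain: 43223+ AAAA? thisisatestfromfirefox.pwet.com. (49)
17:08:45.525554 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.38827 > dns-euc1a-infra-01.company.com.beta.tailscale.net.domain: 43223+ AAAA? thisisatestfromfirefox.pwet.com. (49)
17:09:37.652010 IP tailscale-euc1c-infra-03.company.com.beta.tailscale.net.58013 > 100.100.100.100.domain: 43816+ MX? thisisatestfromclihost.pwet.com. (49)
"""

# One tcpdump DNS query line: "<ts> IP <src>.<port> > <dst>.domain: <id>+ <TYPE>? <name>. (<len>)"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.domain: (?P<qid>\d+)\+ (?P<qtype>[A-Z]+)\? (?P<qname>\S+)\. \(\d+\)$"
)


def parse_capture(text):
    """Return one dict per DNS query line; the banner and non-DNS lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def destinations_by_query(queries):
    """Map (qid, qtype, qname) -> ordered list of resolvers that query was sent to.

    In the issue's capture each ID first hits 100.100.100.100 and is then forwarded
    to both configured tailnet resolvers, which this makes visible at a glance."""
    dests = defaultdict(list)
    for q in queries:
        dests[(q["qid"], q["qtype"], q["qname"])].append(q["dst"])
    return dict(dests)


def off_tailnet_queries(queries, allowed):
    """Queries sent to a resolver not in `allowed`: the leak check a defender wants."""
    return [q for q in queries if q["dst"] not in allowed]


def names_seen_on_exit_node(queries, exit_node):
    """Distinct names the exit node itself resolved (the 'what left via the exit node'
    question from the issue); `exit_node` is the hostname as tcpdump prints it."""
    return sorted({q["qname"] for q in queries if q["src"] == exit_node})
```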