chore: use coder DNS service address
ethanndickson committed Nov 12, 2024
1 parent 02286e5 commit 26868cc
Showing 5 changed files with 69 additions and 45 deletions.
5 changes: 1 addition & 4 deletions net/dns/config.go
Expand Up @@ -47,10 +47,7 @@ type Config struct {
}

func (c *Config) serviceIP() netip.Addr {
if c.OnlyIPv6 {
return tsaddr.TailscaleServiceIPv6()
}
return tsaddr.TailscaleServiceIP()
return tsaddr.CoderServiceIPv6()
}

// WriteToBufioWriter write a debug version of c for logs to w, omitting
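Review bot: serviceIP now returns tsaddr.CoderServiceIPv6() unconditionally, so Config.OnlyIPv6 is no longer consulted here even though the new "coder" case in net/dns/manager_test.go still sets it; a Config with OnlyIPv6 false silently gets an IPv6-only nameserver, which an IPv4-only host stack cannot reach. Either document that the Coder DNS service is reachable over IPv6 only or retire the field so it does not read as a live switch. The method also has no doc comment; I'd add `// serviceIP returns the address the OS resolver is pointed at. The Coder DNS service is IPv6-only, so Config.OnlyIPv6 does not affect the result.` The Config struct itself begins outside the hunk.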
54 changes: 39 additions & 15 deletions net/dns/manager_test.go
Expand Up @@ -211,7 +211,7 @@ func TestManager(t *testing.T) {
"bar.tld.", "2.3.4.5"),
},
os: OSConfig{
Nameservers: mustIPs("100.100.100.100"),
Nameservers: mustIPs("fd60:627a:a42b::53"),
},
rs: resolver.Config{
Hosts: hosts(
Expand Down Expand Up @@ -297,7 +297,7 @@ func TestManager(t *testing.T) {
"bradfitz.ts.com.", "2.3.4.5"),
},
os: OSConfig{
Nameservers: mustIPs("100.100.100.100"),
Nameservers: mustIPs("fd60:627a:a42b::53"),
SearchDomains: fqdns("tailscale.com", "universe.tf"),
},
rs: resolver.Config{
Expand All @@ -320,7 +320,7 @@ func TestManager(t *testing.T) {
},
split: true,
os: OSConfig{
Nameservers: mustIPs("100.100.100.100"),
Nameservers: mustIPs("fd60:627a:a42b::53"),
SearchDomains: fqdns("tailscale.com", "universe.tf"),
},
rs: resolver.Config{
Expand All @@ -339,7 +339,7 @@ func TestManager(t *testing.T) {
SearchDomains: fqdns("tailscale.com", "universe.tf"),
},
os: OSConfig{
Nameservers: mustIPs("100.100.100.100"),
Nameservers: mustIPs("fd60:627a:a42b::53"),
SearchDomains: fqdns("tailscale.com", "universe.tf"),
},
rs: resolver.Config{
Expand All @@ -357,7 +357,7 @@ func TestManager(t *testing.T) {
},
split: true,
os: OSConfig{
Nameservers: mustIPs("100.100.100.100"),
Nameservers: mustIPs("fd60:627a:a42b::53"),
SearchDomains: fqdns("tailscale.com", "universe.tf"),
},
rs: resolver.Config{
Expand All @@ -377,7 +377,7 @@ func TestManager(t *testing.T) {
SearchDomains: fqdns("coffee.shop"),
},
os: OSConfig{
Nameservers: mustIPs("100.100.100.100"),
Nameservers: mustIPs("fd60:627a:a42b::53"),
SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"),
},
rs: resolver.Config{
Expand Down Expand Up @@ -412,7 +412,7 @@ func TestManager(t *testing.T) {
SearchDomains: fqdns("coffee.shop"),
},
os: OSConfig{
Nameservers: mustIPs("100.100.100.100"),
Nameservers: mustIPs("fd60:627a:a42b::53"),
SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"),
},
rs: resolver.Config{
Expand All @@ -432,7 +432,7 @@ func TestManager(t *testing.T) {
},
split: true,
os: OSConfig{
Nameservers: mustIPs("100.100.100.100"),
Nameservers: mustIPs("fd60:627a:a42b::53"),
SearchDomains: fqdns("tailscale.com", "universe.tf"),
MatchDomains: fqdns("bigco.net", "corp.com"),
},
Expand All @@ -456,7 +456,7 @@ func TestManager(t *testing.T) {
SearchDomains: fqdns("coffee.shop"),
},
os: OSConfig{
Nameservers: mustIPs("100.100.100.100"),
Nameservers: mustIPs("fd60:627a:a42b::53"),
SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"),
},
rs: resolver.Config{
Expand All @@ -478,7 +478,7 @@ func TestManager(t *testing.T) {
},
split: true,
os: OSConfig{
Nameservers: mustIPs("100.100.100.100"),
Nameservers: mustIPs("fd60:627a:a42b::53"),
SearchDomains: fqdns("tailscale.com", "universe.tf"),
MatchDomains: fqdns("ts.com"),
},
Expand All @@ -503,7 +503,7 @@ func TestManager(t *testing.T) {
SearchDomains: fqdns("coffee.shop"),
},
os: OSConfig{
Nameservers: mustIPs("100.100.100.100"),
Nameservers: mustIPs("fd60:627a:a42b::53"),
SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"),
},
rs: resolver.Config{
Expand All @@ -529,7 +529,7 @@ func TestManager(t *testing.T) {
},
split: true,
os: OSConfig{
Nameservers: mustIPs("100.100.100.100"),
Nameservers: mustIPs("fd60:627a:a42b::53"),
SearchDomains: fqdns("tailscale.com", "universe.tf"),
MatchDomains: fqdns("corp.com", "ts.com"),
},
Expand All @@ -551,7 +551,7 @@ func TestManager(t *testing.T) {
SearchDomains: fqdns("tailscale.com", "universe.tf"),
},
os: OSConfig{
Nameservers: mustIPs("100.100.100.100"),
Nameservers: mustIPs("fd60:627a:a42b::53"),
SearchDomains: fqdns("tailscale.com", "universe.tf"),
},
rs: resolver.Config{
Expand Down Expand Up @@ -579,7 +579,7 @@ func TestManager(t *testing.T) {
DefaultResolvers: mustRes("2a07:a8c0::c3:a884"),
},
os: OSConfig{
Nameservers: mustIPs("100.100.100.100"),
Nameservers: mustIPs("fd60:627a:a42b::53"),
},
rs: resolver.Config{
Routes: upstreams(".", "2a07:a8c0::c3:a884"),
Expand All @@ -591,12 +591,36 @@ func TestManager(t *testing.T) {
DefaultResolvers: mustRes("https://dns.nextdns.io/c3a884"),
},
os: OSConfig{
Nameservers: mustIPs("100.100.100.100"),
Nameservers: mustIPs("fd60:627a:a42b::53"),
},
rs: resolver.Config{
Routes: upstreams(".", "https://dns.nextdns.io/c3a884"),
},
},
{
name: "coder",
in: Config{
OnlyIPv6: true,
Routes: map[dnsname.FQDN][]*dnstype.Resolver{
"coder.": nil,
},
Hosts: hosts(
"agent.myws.me.coder.", "fd60:627a:a42c::53",
),
},
os: OSConfig{
Nameservers: mustIPs("fd60:627a:a42b::53"),
},
rs: resolver.Config{
Routes: upstreams(
".", "",
),
Hosts: hosts(
"agent.myws.me.coder.", "fd60:627a:a42c::53",
),
LocalDomains: fqdns("coder."),
},
},
}

trIP := cmp.Transformer("ipStr", func(ip netip.Addr) string { return ip.String() })
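Review bot: The new "coder" case sets OnlyIPv6: true, but since serviceIP in the net/dns/config.go hunk now returns CoderServiceIPv6 regardless of that field, the case cannot tell the new behaviour apart from the old IPv6 branch. A sibling case with OnlyIPv6 omitted and the same expected Nameservers would actually pin the change, and the updated expectations in the earlier cases would then be exercised from both sides. `Routes: upstreams(".", "")` deserves a one-line comment saying what an empty upstream for the root is meant to represent here (presumably "no forwarder", but that is not visible in the hunk). TestManager starts outside the hunk.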
21 changes: 14 additions & 7 deletions net/tsaddr/tsaddr.go
Expand Up @@ -35,13 +35,14 @@ func CGNATRange() netip.Prefix {
}

var (
cgnatRange oncePrefix
ulaRange oncePrefix
tsUlaRange oncePrefix
tsViaRange oncePrefix
ula4To6Range oncePrefix
ulaEph6Range oncePrefix
serviceIPv6 oncePrefix
cgnatRange oncePrefix
ulaRange oncePrefix
tsUlaRange oncePrefix
tsViaRange oncePrefix
ula4To6Range oncePrefix
ulaEph6Range oncePrefix
serviceIPv6 oncePrefix
coderServiceIPv6 oncePrefix
)

// TailscaleServiceIP returns the IPv4 listen address of services
Expand All @@ -61,9 +62,15 @@ func TailscaleServiceIPv6() netip.Addr {
return serviceIPv6.v.Addr()
}

func CoderServiceIPv6() netip.Addr {
coderServiceIPv6.Do(func() { mustPrefix(&coderServiceIPv6.v, CoderServiceIPv6String+"/128") })
return coderServiceIPv6.v.Addr()
}

const (
TailscaleServiceIPString = "100.100.100.100"
TailscaleServiceIPv6String = "fd7a:115c:a1e0::53"
CoderServiceIPv6String = "fd60:627a:a42b::53"
)

// IsTailscaleIP reports whether ip is an IP address in a range that
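Review bot: CoderServiceIPv6 and CoderServiceIPv6String are exported without doc comments, unlike TailscaleServiceIP directly above them. I'd add `// CoderServiceIPv6 returns the IPv6 listen address of the Coder DNS service, CoderServiceIPv6String.` on the function and `// CoderServiceIPv6String is the IPv6 address the Coder DNS service listens on.` on the constant. The new address sits in a different ULA /48 from the Tailscale service address; IsTailscaleIP begins at the end of this hunk with its body outside, so it is worth confirming whether it (and any filter rule that relies on it) recognizes the fd60:627a:a42b::/48 prefix, otherwise traffic to the Coder DNS address may be classified differently from traffic to the Tailscale one.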
8 changes: 8 additions & 0 deletions net/tsaddr/tsaddr_test.go
Expand Up @@ -53,6 +53,14 @@ func TestTailscaleServiceIPv6(t *testing.T) {
}
}

func TestCoderServiceIPv6(t *testing.T) {
got := CoderServiceIPv6().String()
want := "fd60:627a:a42b::53"
if got != want {
t.Errorf("got %q; want %q", got, want)
}
}

func TestChromeOSVMRange(t *testing.T) {
if got, want := ChromeOSVMRange().String(), "100.115.92.0/23"; got != want {
t.Errorf("got %q; want %q", got, want)
26 changes: 7 additions & 19 deletions wgengine/netstack/netstack.go
Expand Up @@ -56,10 +56,7 @@ const debugPackets = false

var debugNetstack = envknob.RegisterBool("TS_DEBUG_NETSTACK")

var (
magicDNSIP = tsaddr.TailscaleServiceIP()
magicDNSIPv6 = tsaddr.TailscaleServiceIPv6()
)
var coderDNSIPv6 = tsaddr.CoderServiceIPv6()

func init() {
mode := envknob.String("TS_DEBUG_NETSTACK_LEAK_MODE")
Expand Down Expand Up @@ -464,7 +461,7 @@ func (ns *Impl) handleLocalPackets(p *packet.Parsed, t *tstun.Wrapper) filter.Re

// If it's not traffic to the service IP (i.e. magicDNS) we don't
// care; resume processing.
if dst := p.Dst.Addr(); dst != magicDNSIP && dst != magicDNSIPv6 {
if dst := p.Dst.Addr(); dst != coderDNSIPv6 {
return filter.Accept
}
// Of traffic to the service IP, we only care about UDP 53, and TCP
Expand Down Expand Up @@ -565,18 +562,9 @@ func (ns *Impl) inject() {
// TODO(tom): Figure out if its safe to modify packet.Parsed to fill in
// the IP src/dest even if its missing the rest of the pkt.
// That way we dont have to do this twitchy-af byte-yeeting.
if b := pkt.NetworkHeader().Slice(); len(b) >= 20 { // min ipv4 header
switch b[0] >> 4 { // ip proto field
case 4:
if srcIP := netaddr.IPv4(b[12], b[13], b[14], b[15]); magicDNSIP == srcIP {
sendToHost = true
}
case 6:
if len(b) >= 40 { // min ipv6 header
if srcIP, ok := netip.AddrFromSlice(net.IP(b[8:24])); ok && magicDNSIPv6 == srcIP {
sendToHost = true
}
}
if b := pkt.NetworkHeader().Slice(); len(b) >= 40 && (b[0]>>4) == 6 { // min ipv6 header && ip proto field
if srcIP, ok := netip.AddrFromSlice(net.IP(b[8:24])); ok && coderDNSIPv6 == srcIP {
sendToHost = true
}
}

Expand Down Expand Up @@ -939,7 +927,7 @@ func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) {
}

// DNS
if reqDetails.LocalPort == 53 && (dialIP == magicDNSIP || dialIP == magicDNSIPv6) {
if reqDetails.LocalPort == 53 && dialIP == coderDNSIPv6 {
c := getConnOrReset()
if c == nil {
return
Expand Down Expand Up @@ -1094,7 +1082,7 @@ func (ns *Impl) acceptUDP(r *udp.ForwarderRequest) {
}

// Handle magicDNS traffic (via UDP) here.
if dst := dstAddr.Addr(); dst == magicDNSIP || dst == magicDNSIPv6 {
if dst := dstAddr.Addr(); dst == coderDNSIPv6 {
if dstAddr.Port() != 53 {
ep.Close()
return // Only MagicDNS traffic runs on the service IPs for now.
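Review bot: In the inject hunk the IPv4 branch is dropped entirely, and handleLocalPackets, acceptTCP and acceptUDP likewise now match only coderDNSIPv6, so DNS traffic still addressed to the former Tailscale service IPs (both constants remain exported in net/tsaddr) is no longer answered locally but forwarded through the tunnel as ordinary packets; if a client or OS resolver configuration from an earlier version still points there, its queries leave the host rather than failing closed. Worth confirming that is intended, or keeping an explicit drop for the old addresses at the handleLocalPackets check. The trailing comment on the rewritten condition is terse; `// IPv6 only: version nibble 6 and at least the 40-byte fixed header` says why both tests are there. All four enclosing functions start outside their hunks.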

0 comments on commit 26868cc
