From 6c21cc690280e974105b7b835556e471ff472002 Mon Sep 17 00:00:00 2001 From: Ethan Dickson Date: Fri, 8 Nov 2024 04:12:04 +0000 Subject: [PATCH] chore: use coder DNS service address --- net/dns/config.go | 5 +--- net/dns/manager_test.go | 54 +++++++++++++++++++++++++---------- net/tsaddr/tsaddr.go | 21 +++++++++----- net/tsaddr/tsaddr_test.go | 8 ++++++ wgengine/netstack/netstack.go | 26 +++++------------ 5 files changed, 69 insertions(+), 45 deletions(-) diff --git a/net/dns/config.go b/net/dns/config.go index 9c55f6d736e1b..9f81f752ecfc8 100644 --- a/net/dns/config.go +++ b/net/dns/config.go @@ -47,10 +47,7 @@ type Config struct { } func (c *Config) serviceIP() netip.Addr { - if c.OnlyIPv6 { - return tsaddr.TailscaleServiceIPv6() - } - return tsaddr.TailscaleServiceIP() + return tsaddr.CoderServiceIPv6() } // WriteToBufioWriter write a debug version of c for logs to w, omitting diff --git a/net/dns/manager_test.go b/net/dns/manager_test.go index 7997c4317e78a..334dfcb030f2b 100644 --- a/net/dns/manager_test.go +++ b/net/dns/manager_test.go @@ -211,7 +211,7 @@ func TestManager(t *testing.T) { "bar.tld.", "2.3.4.5"), }, os: OSConfig{ - Nameservers: mustIPs("100.100.100.100"), + Nameservers: mustIPs("fd60:627a:a42b::53"), }, rs: resolver.Config{ Hosts: hosts( @@ -297,7 +297,7 @@ func TestManager(t *testing.T) { "bradfitz.ts.com.", "2.3.4.5"), }, os: OSConfig{ - Nameservers: mustIPs("100.100.100.100"), + Nameservers: mustIPs("fd60:627a:a42b::53"), SearchDomains: fqdns("tailscale.com", "universe.tf"), }, rs: resolver.Config{ @@ -320,7 +320,7 @@ func TestManager(t *testing.T) { }, split: true, os: OSConfig{ - Nameservers: mustIPs("100.100.100.100"), + Nameservers: mustIPs("fd60:627a:a42b::53"), SearchDomains: fqdns("tailscale.com", "universe.tf"), }, rs: resolver.Config{ @@ -339,7 +339,7 @@ func TestManager(t *testing.T) { SearchDomains: fqdns("tailscale.com", "universe.tf"), }, os: OSConfig{ - Nameservers: mustIPs("100.100.100.100"), + Nameservers: mustIPs("fd60:627a:a42b::53"), SearchDomains: fqdns("tailscale.com", "universe.tf"), }, rs: resolver.Config{ @@ -357,7 +357,7 @@ func TestManager(t *testing.T) { }, split: true, os: OSConfig{ - Nameservers: mustIPs("100.100.100.100"), + Nameservers: mustIPs("fd60:627a:a42b::53"), SearchDomains: fqdns("tailscale.com", "universe.tf"), }, rs: resolver.Config{ @@ -377,7 +377,7 @@ func TestManager(t *testing.T) { SearchDomains: fqdns("coffee.shop"), }, os: OSConfig{ - Nameservers: mustIPs("100.100.100.100"), + Nameservers: mustIPs("fd60:627a:a42b::53"), SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"), }, rs: resolver.Config{ @@ -412,7 +412,7 @@ func TestManager(t *testing.T) { SearchDomains: fqdns("coffee.shop"), }, os: OSConfig{ - Nameservers: mustIPs("100.100.100.100"), + Nameservers: mustIPs("fd60:627a:a42b::53"), SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"), }, rs: resolver.Config{ @@ -432,7 +432,7 @@ func TestManager(t *testing.T) { }, split: true, os: OSConfig{ - Nameservers: mustIPs("100.100.100.100"), + Nameservers: mustIPs("fd60:627a:a42b::53"), SearchDomains: fqdns("tailscale.com", "universe.tf"), MatchDomains: fqdns("bigco.net", "corp.com"), }, @@ -456,7 +456,7 @@ func TestManager(t *testing.T) { SearchDomains: fqdns("coffee.shop"), }, os: OSConfig{ - Nameservers: mustIPs("100.100.100.100"), + Nameservers: mustIPs("fd60:627a:a42b::53"), SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"), }, rs: resolver.Config{ @@ -478,7 +478,7 @@ func TestManager(t *testing.T) { }, split: true, os: OSConfig{ - Nameservers: mustIPs("100.100.100.100"), + Nameservers: mustIPs("fd60:627a:a42b::53"), SearchDomains: fqdns("tailscale.com", "universe.tf"), MatchDomains: fqdns("ts.com"), }, @@ -503,7 +503,7 @@ func TestManager(t *testing.T) { SearchDomains: fqdns("coffee.shop"), }, os: OSConfig{ - Nameservers: mustIPs("100.100.100.100"), + Nameservers: mustIPs("fd60:627a:a42b::53"), SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"), }, rs: resolver.Config{ @@ -529,7 +529,7 @@ func TestManager(t *testing.T) { }, split: true, os: OSConfig{ - Nameservers: mustIPs("100.100.100.100"), + Nameservers: mustIPs("fd60:627a:a42b::53"), SearchDomains: fqdns("tailscale.com", "universe.tf"), MatchDomains: fqdns("corp.com", "ts.com"), }, @@ -551,7 +551,7 @@ func TestManager(t *testing.T) { SearchDomains: fqdns("tailscale.com", "universe.tf"), }, os: OSConfig{ - Nameservers: mustIPs("100.100.100.100"), + Nameservers: mustIPs("fd60:627a:a42b::53"), SearchDomains: fqdns("tailscale.com", "universe.tf"), }, rs: resolver.Config{ @@ -579,7 +579,7 @@ func TestManager(t *testing.T) { DefaultResolvers: mustRes("2a07:a8c0::c3:a884"), }, os: OSConfig{ - Nameservers: mustIPs("100.100.100.100"), + Nameservers: mustIPs("fd60:627a:a42b::53"), }, rs: resolver.Config{ Routes: upstreams(".", "2a07:a8c0::c3:a884"), @@ -591,12 +591,36 @@ func TestManager(t *testing.T) { DefaultResolvers: mustRes("https://dns.nextdns.io/c3a884"), }, os: OSConfig{ - Nameservers: mustIPs("100.100.100.100"), + Nameservers: mustIPs("fd60:627a:a42b::53"), }, rs: resolver.Config{ Routes: upstreams(".", "https://dns.nextdns.io/c3a884"), }, }, + { + name: "coder", + in: Config{ + OnlyIPv6: true, + Routes: map[dnsname.FQDN][]*dnstype.Resolver{ + "coder.": mustRes("fd60:627a:a42b::53"), + }, + Hosts: hosts( + "agent.myws.me.coder.", "fd60:627a:a42c::53", + ), + }, + os: OSConfig{ + Nameservers: mustIPs("fd60:627a:a42b::53"), + }, + rs: resolver.Config{ + Routes: upstreams( + ".", "", + "coder.", "fd60:627a:a42b::53", + ), + Hosts: hosts( + "agent.myws.me.coder.", "fd60:627a:a42c::53", + ), + }, + }, } trIP := cmp.Transformer("ipStr", func(ip netip.Addr) string { return ip.String() }) diff --git a/net/tsaddr/tsaddr.go b/net/tsaddr/tsaddr.go index 566e9716c177c..d35fce09994c3 100644 --- a/net/tsaddr/tsaddr.go +++ b/net/tsaddr/tsaddr.go @@ -35,13 +35,14 @@ func CGNATRange() netip.Prefix { } var ( - cgnatRange oncePrefix - ulaRange oncePrefix - tsUlaRange oncePrefix - tsViaRange oncePrefix - ula4To6Range oncePrefix - ulaEph6Range oncePrefix - serviceIPv6 oncePrefix + cgnatRange oncePrefix + ulaRange oncePrefix + tsUlaRange oncePrefix + tsViaRange oncePrefix + ula4To6Range oncePrefix + ulaEph6Range oncePrefix + serviceIPv6 oncePrefix + coderServiceIPv6 oncePrefix ) // TailscaleServiceIP returns the IPv4 listen address of services @@ -61,9 +62,15 @@ func TailscaleServiceIPv6() netip.Addr { return serviceIPv6.v.Addr() } +func CoderServiceIPv6() netip.Addr { + coderServiceIPv6.Do(func() { mustPrefix(&coderServiceIPv6.v, CoderServiceIPv6String+"/128") }) + return coderServiceIPv6.v.Addr() +} + const ( TailscaleServiceIPString = "100.100.100.100" TailscaleServiceIPv6String = "fd7a:115c:a1e0::53" + CoderServiceIPv6String = "fd60:627a:a42b::53" ) // IsTailscaleIP reports whether ip is an IP address in a range that diff --git a/net/tsaddr/tsaddr_test.go b/net/tsaddr/tsaddr_test.go index e745020059fdc..6f3b9026562df 100644 --- a/net/tsaddr/tsaddr_test.go +++ b/net/tsaddr/tsaddr_test.go @@ -53,6 +53,14 @@ func TestTailscaleServiceIPv6(t *testing.T) { } } +func TestCoderServiceIPv6(t *testing.T) { + got := CoderServiceIPv6().String() + want := "fd60:627a:a42b::53" + if got != want { + t.Errorf("got %q; want %q", got, want) + } +} + func TestChromeOSVMRange(t *testing.T) { if got, want := ChromeOSVMRange().String(), "100.115.92.0/23"; got != want { t.Errorf("got %q; want %q", got, want) diff --git a/wgengine/netstack/netstack.go b/wgengine/netstack/netstack.go index 80f1e2ea581b0..db060cc0ea4ba 100644 --- a/wgengine/netstack/netstack.go +++ b/wgengine/netstack/netstack.go @@ -56,10 +56,7 @@ const debugPackets = false var debugNetstack = envknob.RegisterBool("TS_DEBUG_NETSTACK") -var ( - magicDNSIP = tsaddr.TailscaleServiceIP() - magicDNSIPv6 = tsaddr.TailscaleServiceIPv6() -) +var coderDNSIPv6 = tsaddr.CoderServiceIPv6() func init() { mode := envknob.String("TS_DEBUG_NETSTACK_LEAK_MODE") @@ -464,7 +461,7 @@ func (ns *Impl) handleLocalPackets(p *packet.Parsed, t *tstun.Wrapper) filter.Re // If it's not traffic to the service IP (i.e. magicDNS) we don't // care; resume processing. - if dst := p.Dst.Addr(); dst != magicDNSIP && dst != magicDNSIPv6 { + if dst := p.Dst.Addr(); dst != coderDNSIPv6 { return filter.Accept } // Of traffic to the service IP, we only care about UDP 53, and TCP @@ -565,18 +562,9 @@ func (ns *Impl) inject() { // TODO(tom): Figure out if its safe to modify packet.Parsed to fill in // the IP src/dest even if its missing the rest of the pkt. // That way we dont have to do this twitchy-af byte-yeeting. - if b := pkt.NetworkHeader().Slice(); len(b) >= 20 { // min ipv4 header - switch b[0] >> 4 { // ip proto field - case 4: - if srcIP := netaddr.IPv4(b[12], b[13], b[14], b[15]); magicDNSIP == srcIP { - sendToHost = true - } - case 6: - if len(b) >= 40 { // min ipv6 header - if srcIP, ok := netip.AddrFromSlice(net.IP(b[8:24])); ok && magicDNSIPv6 == srcIP { - sendToHost = true - } - } + if b := pkt.NetworkHeader().Slice(); len(b) >= 40 && (b[0]>>4) == 6 { // min ipv6 header && ip proto field + if srcIP, ok := netip.AddrFromSlice(net.IP(b[8:24])); ok && coderDNSIPv6 == srcIP { + sendToHost = true } } @@ -939,7 +927,7 @@ func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) { } // DNS - if reqDetails.LocalPort == 53 && (dialIP == magicDNSIP || dialIP == magicDNSIPv6) { + if reqDetails.LocalPort == 53 && dialIP == coderDNSIPv6 { c := getConnOrReset() if c == nil { return @@ -1094,7 +1082,7 @@ func (ns *Impl) acceptUDP(r *udp.ForwarderRequest) { } // Handle magicDNS traffic (via UDP) here. - if dst := dstAddr.Addr(); dst == magicDNSIP || dst == magicDNSIPv6 { + if dst := dstAddr.Addr(); dst == coderDNSIPv6 { if dstAddr.Port() != 53 { ep.Close() return // Only MagicDNS traffic runs on the service IPs for now.