Add flag to disable bootstrap dns
Adds an optional (default off) boolean environment flag `TS_NO_DNS_FALLBACK` which disables the fallback to Tailscale-operated bootstrap DNS servers, seen in text logs as: ``` trying bootstrapDNS("derp8c.tailscale.com", "2a03:b0c0:1:d0::e1f:4001") for "log.tailscale.io" ... ``` For some user environments it is desirable to strictly control outbound access to external servers and to limit leaked data or metadata; losing this functionality is an acceptable trade-off there. Closes #7981 Signed-off-by: Kevin Allen <kallen@bostondynamics.com>
parent
c5bf868940
commit
c0c182f487
|
@ -169,6 +169,7 @@ func (r *Resolver) ttl() time.Duration {
|
|||
}
|
||||
|
||||
var debug = envknob.RegisterBool("TS_DEBUG_DNS_CACHE")
|
||||
var noDNSFallback = envknob.RegisterBool("TS_NO_DNS_FALLBACK")
|
||||
|
||||
// debugLogging allows enabling debug logging at runtime, via
|
||||
// SetDebugLoggingEnabled.
|
||||
|
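Review bot: The new package-level knob `noDNSFallback` has no doc comment, and since it is an egress/privacy control an operator will look for, the declaration should say what it turns off and what happens instead. Suggested: `// noDNSFallback reports whether TS_NO_DNS_FALLBACK is set; when it is, the resolver never falls back to Tailscale-operated bootstrap DNS and name resolution simply fails rather than contacting those external servers.` The neighbouring `debug` knob is equally undocumented, but that is pre-existing.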
@ -302,7 +303,7 @@ func (r *Resolver) lookupIP(host string) (ip, ip6 netip.Addr, allIPs []netip.Add
|
|||
ips, err = resolver.LookupNetIP(ctx, "ip", host)
|
||||
}
|
||||
}
|
||||
if (err != nil || len(ips) == 0) && r.LookupIPFallback != nil {
|
||||
if (err != nil || len(ips) == 0) && r.LookupIPFallback != nil && !noDNSFallback() {
|
||||
ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
|
||||
defer cancel()
|
||||
if err != nil {
|
||||
|
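Review bot: With the knob set, the fallback branch in lookupIP is skipped silently, whereas the matching check in shouldTryBootstrap logs why it declined; an operator who enabled TS_NO_DNS_FALLBACK and then sees a resolution failure gets no hint from this path. Consider a debug-gated line ahead of the guard, e.g. `if debug() && noDNSFallback() && (err != nil || len(ips) == 0) { log.Printf("dnscache: not using fallback resolver for %q: disabled via TS_NO_DNS_FALLBACK", host) }`, which uses the same `log`/`debug` pair the other hunk already relies on. Whether `err` (or an empty result with nil err) is what the caller then receives is decided outside this hunk, so I can't confirm the failure surfaces with a useful error; lookupIP begins and ends outside the hunk.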
@ -451,6 +452,12 @@ func (d *dialer) shouldTryBootstrap(ctx context.Context, err error, dc *dialCall
|
|||
d.dnsCache.dlogf("not using bootstrap DNS: no fallback")
|
||||
return false
|
||||
}
|
||||
if noDNSFallback() {
|
||||
if debug() {
|
||||
log.Printf("dnscache: not using bootstrap DNS: disabled via TS_NO_DNS_FALLBACK")
|
||||
}
|
||||
return false
|
||||
}
|
||||
|
||||
// We can't retry if the context is canceled, since any further
|
||||
// operations with this context will fail.
|
||||
|
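Review bot: The new block in shouldTryBootstrap wraps its message in `if debug() { log.Printf(...) }`, while the line directly above emits the same kind of "not using bootstrap DNS" message through `d.dnsCache.dlogf(...)`; if dlogf is the debug-gated logger its use on the adjacent line suggests, the three lines collapse to `d.dnsCache.dlogf("not using bootstrap DNS: disabled via TS_NO_DNS_FALLBACK")` and the messages share one format. It may also be worth checking the knob before the `no fallback` check, so that when both hold the log states the deliberate operator policy rather than the incidental reason. The enclosing shouldTryBootstrap starts and ends outside this hunk.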
|