Fix MagicDNS incompatibility with Home Assistant's DNS

tailscale/DOCS.md

@@ -86,15 +86,14 @@ userspace_networking: true
 
 ### Option: `accept_dns`
 
-If you are experiencing trouble with MagicDNS on this device and wish to
-disable, you can do so using this option.
+This option allows you to accept the DNS settings of your tailnet that are
+configured on the [DNS page][tailscale_dns] of the admin console. When disabled,
+Tailscale's DNS resolves only tailnet addresses, no global nameservers from the
+admin console are applied.
 
-When not set, this option is enabled by default.
+For more information, see the "DNS" section of this documentation.
 
-MagicDNS may cause issues if you run things like Pi-hole or AdGuard Home
-on the same machine as this add-on. In such cases disabling `accept_dns`
-will help. You can still leverage MagicDNS on other devices on your network,
-by adding `100.100.100.100` as a DNS server in your Pi-hole or AdGuard Home.
+When not set, this option is enabled by default.
 
 ### Option: `accept_routes`
 
@@ -339,9 +338,10 @@ When not set, this option is enabled by default.
 
 If you need to access other clients on your tailnet from your Home Assistant
 instance, disable userspace networking mode, which will create a `tailscale0`
-network interface on your host. To be able to address those clients not only
-with their tailnet IP, but with their tailnet name, you have to configure Home
-Assistant's DNS options also.
+network interface on your host.
+
+To be able to address other clients on your tailnet not only by their tailnet IP
+but also by their tailnet name, see the "DNS" section of this documentation.
 
 If you want to access other clients on your tailnet even from your local subnet,
 follow steps in the [Site-to-site networking][tailscale_info_site_to_site] guide
@@ -377,6 +377,46 @@ CGNAT networks). You can test connections with `tailscale ping
 
 When not set, an automatically selected port is used by default.
 
+## DNS
+
+When the `userspace_networking` option is disabled, Tailscale provides a DNS (at
+100.100.100.100 and fd7a:115c:a1e0::53) to be able to address other clients on
+your tailnet not only by their tailnet IP but also by their tailnet name.
+
+More information: [What is 100.100.100.100][tailscale_info_quad100],
+[DNS in Tailscale][tailscale_info_dns], [MagicDNS][tailscale_info_magicdns],
+[Access a Pi-hole from anywhere][tailscale_info_pi_hole].
+
+1. Check that the `userspace_networking` option is disabled.
+
+1. Check that under **Settings** -> **System** -> **Network** Tailscale's DNS is
+   **_not_** configured as a DNS server.
+
+1. In the command line, execute `ha dns options --servers dns://100.100.100.100`.
+
+   **Note:** _This command replaces the existing DNS server list in Home
+   Assistant and restarts the internal DNS server. To specify an empty DNS list
+   (i.e. to remove `dns://100.100.100.100` from the list), you must use
+   `ha dns reset` and `ha dns restart` commands both. This server list is
+   additional and queried before the DNS servers specified in Network settings
+   above._
+
+**Note:** The only difference compared to the general Tailscale experience, is
+that you always have to use the fully qualified domain name instead of only the
+device name, i.e. `ping some-tailnet-device.tail1234.ts.net` works, but `ping
+some-tailnet-device` does not work.
+
+**Note:** If you are running your own DNS (like AdGuard) on this Home Assistant
+device also, and this device is configured as global nameserver on the [DNS
+page][tailscale_dns] of the admin console, then:
+
+1. Disable the `accept_dns` option to prevent the Tailscale DNS from redirecting
+   queries from your device back to itself, which would cause a loop.
+
+1. Configure your DNS for Home Assistant, and in your DNS configure Tailscale
+   DNS for your tailnet domain as upstream DNS server (e.g. in case of AdGuard
+   `[/tail1234.ts.net/]100.100.100.100`).
+
 ## Changelog & Releases
 
 This repository keeps a change log using [GitHub's releases][releases]
@@ -451,12 +491,16 @@ SOFTWARE.
 [semver]: https://semver.org/spec/v2.0.0.html
 [tailscale_acls]: https://login.tailscale.com/admin/acls
 [tailscale_dns]: https://login.tailscale.com/admin/dns
+[tailscale_info_dns]: https://tailscale.com/kb/1054/dns
 [tailscale_info_exit_nodes]: https://tailscale.com/kb/1103/exit-nodes
 [tailscale_info_app_connectors]: https://tailscale.com/kb/1281/app-connectors
 [tailscale_info_funnel]: https://tailscale.com/kb/1223/funnel
 [tailscale_info_funnel_policy_requirement]: https://tailscale.com/kb/1223/funnel#requirements-and-limitations
 [tailscale_info_https]: https://tailscale.com/kb/1153/enabling-https
 [tailscale_info_key_expiry]: https://tailscale.com/kb/1028/key-expiry
+[tailscale_info_magicdns]: https://tailscale.com/kb/1081/magicdns
+[tailscale_info_pi_hole]: https://tailscale.com/kb/1114/pi-hole
+[tailscale_info_quad100]: https://tailscale.com/kb/1381/what-is-quad100
 [tailscale_info_serve]: https://tailscale.com/kb/1312/serve
 [tailscale_info_site_to_site]: https://tailscale.com/kb/1214/site-to-site
 [tailscale_info_subnets]: https://tailscale.com/kb/1019/subnets

tailscale/Dockerfile

@@ -10,6 +10,8 @@ ARG BUILD_ARCH=amd64
 ARG TAILSCALE_VERSION="v1.90.2"
 RUN \
     apk add --no-cache \
+        bind-tools=9.20.15-r0 \
+        dnsmasq=2.91-r0 \
         ethtool=6.14.1-r0 \
         ipcalc=1.0.3-r0 \
         iproute2=6.15.0-r0 \

tailscale/apparmor.txt

@@ -0,0 +1,47 @@
+#include <tunables/global>
+
+profile tailscale flags=(attach_disconnected,mediate_deleted) {
+  #include <abstractions/base>
+
+  # Capabilities
+  file,
+  signal (send) set=(kill,term,int,hup,cont),
+
+  # S6-Overlay
+  /init ix,
+  /bin/** ix,
+  /usr/bin/** ix,
+  /run/{s6,s6-rc*,service}/** ix,
+  /package/** ix,
+  /command/** ix,
+  /etc/services.d/** rwix,
+  /etc/cont-init.d/** rwix,
+  /etc/cont-finish.d/** rwix,
+  /run/{,**} rwk,
+  /dev/tty rw,
+
+  # Bashio
+  /usr/lib/bashio/** ix,
+  /tmp/** rwk,
+
+  # Access to options.json and other files within your addon
+  /data/** rw,
+
+  # General - based on complain
+  capability net_bind_service,
+  capability dac_override,
+  capability fsetid,
+  capability setgid,
+  capability setuid,
+  capability chown,
+  capability kill,
+
+  # General - based on Config.yaml
+  capability net_admin,
+  capability net_raw,
+
+  # Mount for MagicDNS fix
+  capability sys_admin,
+  mount options=(rw, rprivate) -> /, # unshare -m
+  mount options=(rw, bind) /etc/resolv.for-tailscaled.conf -> /etc/resolv.conf, # mount --bind
+}

tailscale/config.yaml

@@ -21,6 +21,7 @@ host_dbus: true
 privileged:
   - NET_ADMIN
   - NET_RAW
+  - SYS_ADMIN
 devices:
   - /dev/net/tun
 map:

tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies/down

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-magicdns-proxies/finish

tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies/finish

@@ -0,0 +1,8 @@
+#!/command/with-contenv bashio
+# shellcheck shell=bash
+# ==============================================================================
+# Home Assistant Community Add-on: Tailscale
+# Remove forwarding
+# ==============================================================================
+
+magicdns-ingress-proxy-forwarding remove drop

tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies/run

@@ -0,0 +1,74 @@
+#!/command/with-contenv bashio
+# shellcheck shell=bash
+# ==============================================================================
+# Home Assistant Community Add-on: Tailscale
+# Runs the dnsmasq proxies initialization
+# ==============================================================================
+
+readonly MAGIC_DNS_IPV4="100.100.100.100"
+readonly MAGIC_DNS_IPV6="fd7a:115c:a1e0::53"
+
+readonly DEFAULT_LOGIN_SERVER="controlplane.tailscale.com"
+readonly LOG_SERVER="log.tailscale.com"
+readonly LETSENCRYPT_API="acme-v02.api.letsencrypt.org"
+readonly DNSMASQ_BLACK_WHITE_LIST_LOCATION="/etc/dnsmasq-black-white-list"
+
+declare dns
+declare invalid_dns_config
+
+declare login_server="${DEFAULT_LOGIN_SERVER}"
+declare -a black_white_list=()
+
+# Check DNS configuration
+invalid_dns_config="true"
+for dns in $(bashio::dns.servers); do
+  if bashio::var.equals "${dns}" "dns://${MAGIC_DNS_IPV4}" || \
+    bashio::var.equals "${dns}" "dns://${MAGIC_DNS_IPV6}"
+  then
+    invalid_dns_config="false"
+    break
+  fi
+done
+if bashio::var.true "${invalid_dns_config}"; then
+  bashio::log.notice \
+    "To use MagicDNS in Home Assistant, configure MagicDNS's IP address as DNS server with cli," \
+    "eg. 'ha dns options --servers dns://${MAGIC_DNS_IPV4}'"
+  bashio::log.notice \
+    "Please check your configuration based on the add-on's documentation under the \"DNS\" section"
+fi
+invalid_dns_config="false"
+for dns in $(bashio::dns.locals); do
+  if bashio::var.equals "${dns}" "dns://${MAGIC_DNS_IPV4}" || \
+    bashio::var.equals "${dns}" "dns://${MAGIC_DNS_IPV6}"
+  then
+    bashio::log.fatal "Do not configure MagicDNS's IP address (${dns:6}) as DNS server under Settings -> System -> Network"
+    invalid_dns_config="true"
+  fi
+done
+if bashio::var.true "${invalid_dns_config}"; then
+  bashio::exit.nok
+fi
+
+# We have to be able to determine login_server from this address
+if ! login_server=$(awk -F[/:] '{print $4}' <<<$(bashio::config "login_server")) || \
+  ! bashio::var.has_value "${login_server}"
+then
+  bashio::exit.nok "Determining host name from '$(bashio::config "login_server")' has failed"
+fi
+black_white_list+=(${login_server})
+
+# When log upload is enabled, resolve log server also
+if bashio::debug; then
+  black_white_list+=(${LOG_SERVER})
+fi
+
+# If serve or funnel is used, resolve letsencrypt's api also
+if ! bashio::config.equals 'share_homeassistant' 'disabled'; then
+  black_white_list+=(${LETSENCRYPT_API})
+fi
+
+printf "%s" "${black_white_list[@]/%/$'\n'}" > "${DNSMASQ_BLACK_WHITE_LIST_LOCATION}"
+
+# This is necessary to prevent accessing MagicDNS before the ingress proxy starts up
+# The ingress proxy will remove these entries on startup
+magicdns-ingress-proxy-forwarding setup drop

tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies/type

@@ -0,0 +1 @@
+oneshot

tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies/up

@@ -0,0 +1 @@
+/etc/s6-overlay/s6-rc.d/init-magicdns-proxies/run

tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-egress-proxy/finish

@@ -0,0 +1,25 @@
+#!/command/with-contenv bashio
+# ==============================================================================
+# Home Assistant Community Add-on: Tailscale
+# Take down the S6 supervision tree when MagicDNS egress proxy fails
+# ==============================================================================
+readonly exit_code_container=$(</run/s6-linux-init-container-results/exitcode)
+readonly exit_code_service="${1}"
+readonly exit_code_signal="${2}"
+readonly service="magicdns-egress-proxy"
+
+bashio::log.info \
+  "Service ${service} exited with code ${exit_code_service}" \
+  "(by signal ${exit_code_signal})"
+
+if [[ "${exit_code_service}" -eq 256 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo $((128 + $exit_code_signal)) > /run/s6-linux-init-container-results/exitcode
+  fi
+  [[ "${exit_code_signal}" -eq 15 ]] && exec /run/s6/basedir/bin/halt
+elif [[ "${exit_code_service}" -ne 0 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo "${exit_code_service}" > /run/s6-linux-init-container-results/exitcode
+  fi
+  exec /run/s6/basedir/bin/halt
+fi

tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-egress-proxy/notification-fd

@@ -0,0 +1 @@
+3

tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-egress-proxy/run

@@ -0,0 +1,74 @@
+#!/command/with-contenv bashio
+# shellcheck shell=bash
+# ==============================================================================
+# Home Assistant Community Add-on: Tailscale
+# Runs the MagicDNS egress proxy
+# ==============================================================================
+
+# Note: This script assumes that internal hassio network is available in IPv4.
+# Sets up IPv4 upstream DNS for tailscaled, and redirects the white_list to IPv4 hassio DNS.
+# In case of an IPv6-only hassio network this IPv4 solution won't work.
+# But running an egress DNS proxy on ::1 IPv6 localhost is impossible, because DNS add-ons can bind to this address also,
+# but we can specify only port 53 DNS in resolv.conf for tailscaled.
+# So in case of IPv6-only hassio, we can't use [::1]:53 for the egress DNS proxy, but we can't use anything else in resolv.conf for tailscaled.
+# For the status of IPv6 support see https://github.com/home-assistant/supervisor/issues/2133
+
+source /usr/lib/trace.sh
+
+readonly DNSMASQ_EGRESS_ADDRESS_IPV4="127.100.100.100"
+readonly DNSMASQ_EGRESS_PORT=53
+readonly DNSMASQ_BLACK_WHITE_LIST_LOCATION="/etc/dnsmasq-black-white-list"
+
+declare hassio_dns_ipv4
+declare -a white_list
+declare domain
+declare -a options
+
+bashio::log.info "Starting MagicDNS egress proxy..."
+
+function dig_hassio_dns() {
+  local type="${1}"
+  dig dns.local.hass.io "${type}" +short \
+    | { grep -Ev '^;|\.$|^$' || true ;} \
+    | head -n 1
+}
+
+options+=(--no-hosts)
+options+=(--no-resolv)
+options+=(--conf-file=/dev/null)
+options+=(--keep-in-foreground)
+options+=(--log-facility='-')
+options+=(--cache-size=0)
+
+options+=(--listen-address=${DNSMASQ_EGRESS_ADDRESS_IPV4})
+options+=(--bind-dynamic)
+options+=(--port=${DNSMASQ_EGRESS_PORT})
+
+# Hassio DNS's IP addresses
+if ! hassio_dns_ipv4=$(dig_hassio_dns A) || \
+  bashio::var.is_empty "${hassio_dns_ipv4}"
+then
+  bashio::exit.nok "Failed to resolve Home Assistant's IPv4 DNS address"
+fi
+
+# White-list
+readarray -t white_list < "${DNSMASQ_BLACK_WHITE_LIST_LOCATION}"
+
+# Return NXDOMAIN for everything, except the white_list
+options+=(--address=/#/)
+for domain in "${white_list[@]}"; do
+  options+=(--server=/${domain}/${hassio_dns_ipv4})
+done
+
+if bashio_custom::trace; then
+  options+=(--log-queries)
+  options+=(--log-debug)
+fi
+
+# We need to delay the starting of the dependent services until the conf file is written
+echo "nameserver ${DNSMASQ_EGRESS_ADDRESS_IPV4}" > /etc/resolv.dnsmasq.conf
+echo "" >&3
+
+# This DNS forwards the white_list to HA's DNS, otherwise replies NXDOMAIN for everything
+# It must run on port 53 to be able to specify it in a resolv.conf
+exec dnsmasq "${options[@]}"

tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-egress-proxy/type

@@ -0,0 +1 @@
+longrun

tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-ingress-proxy/finish

@@ -0,0 +1,28 @@
+#!/command/with-contenv bashio
+# ==============================================================================
+# Home Assistant Community Add-on: Tailscale
+# Take down the S6 supervision tree when MagicDNS ingress proxy fails
+# ==============================================================================
+readonly exit_code_container=$(</run/s6-linux-init-container-results/exitcode)
+readonly exit_code_service="${1}"
+readonly exit_code_signal="${2}"
+readonly service="magicdns-ingress-proxy"
+
+magicdns-ingress-proxy-forwarding setup drop
+magicdns-ingress-proxy-forwarding remove forwarding
+
+bashio::log.info \
+  "Service ${service} exited with code ${exit_code_service}" \
+  "(by signal ${exit_code_signal})"
+
+if [[ "${exit_code_service}" -eq 256 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo $((128 + $exit_code_signal)) > /run/s6-linux-init-container-results/exitcode
+  fi
+  [[ "${exit_code_signal}" -eq 15 ]] && exec /run/s6/basedir/bin/halt
+elif [[ "${exit_code_service}" -ne 0 ]]; then
+  if [[ "${exit_code_container}" -eq 0 ]]; then
+    echo "${exit_code_service}" > /run/s6-linux-init-container-results/exitcode
+  fi
+  exec /run/s6/basedir/bin/halt
+fi

tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-ingress-proxy/notification-fd

@@ -0,0 +1 @@
+3