# Cloud DNS

tailscale + headscale are deployed on a public server. In some cloud-server scenarios, running tailscaled overwrites the default /etc/resolv.conf, so that after `sudo tailscale up --login-server https://hs.magong.site --accept-dns=true --authkey 90e2d5089997c0ef0929eaa8475ac441de0fe9acae43cfbd --hostname dy1` the cloud server can no longer ping mirrors.ivolces.com:

```shell
ping mirrors.ivolces.com
ping: mirrors.ivolces.com: Name or service not known

(base) root@iv-ydiskxo4xsqc6il525qi:~# dig mirrors.ivolces.com

; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> mirrors.ivolces.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51173
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;mirrors.ivolces.com.		IN	A

;; AUTHORITY SECTION:
ivolces.com.		255	IN	SOA	ns1.bytedns.com. dnsadmin.bytedance.com. 2022092021 3600 1200 86400 300

;; Query time: 908 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Mar 07 00:34:49 CST 2025
;; MSG SIZE  rcvd: 115

resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.96.0.2
       DNS Servers: 100.96.0.2 100.96.0.3

Link 7 (docker0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 8 (br-2cec65ee2526)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 62 (br-690d297c183d)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 71 (br-c893393fd0f9)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 73 (vethb0dd2c1)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 84 (vethbb1f31e)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 85 (br-c1e71b5657db)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 101 (veth0f10628)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 102 (br-eaaee9b7dfcc)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 165 (tailscale0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.100.100.100
       DNS Servers: 100.100.100.100
        DNS Domain: h.l ~.
```

Later I found the following solution in the official docs:

```markdown
Configuring Linux DNS

There are an incredible number of ways to configure DNS on Linux. Tailscale attempts to interoperate with any Linux DNS configuration it finds already present. Unfortunately, some are not entirely amenable to cooperatively managing the host's DNS configuration.

Common problems

NetworkManager + systemd-resolved

If you're using both NetworkManager and systemd-resolved (as is common in many distros), you'll want to make sure that /etc/resolv.conf is a symlink to /run/systemd/resolve/stub-resolv.conf. That should be the default. If not,

    $ sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

When NetworkManager sees that symlink is present, its default behavior is to use systemd-resolved and not take over the resolv.conf file.

After fixing, restart everything:

    $ sudo systemctl restart systemd-resolved
    $ sudo systemctl restart NetworkManager
    $ sudo systemctl restart tailscaled

DHCP dhclient overwriting /etc/resolv.conf

Without any DNS management system installed, DHCP clients like dhclient and programs like tailscaled have no other options than rewriting the /etc/resolv.conf file themselves, which results in them sometimes fighting with each other. (For instance, a DHCP renewal rewriting the resolv.conf resulting in loss of MagicDNS functionality.)

Possible workarounds are to use resolvconf or systemd-resolved.

Issue 2334 tracks making Tailscale react to other programs updating resolv.conf so Tailscale can add itself back.

Last updated Jan 10, 2025
```

Before following the docs, I first looked at the cloud server's internal DNS configuration:

```shell
sudo tcpdump -i eth0 udp port 53 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:50:12.903647 IP 192.168.0.2.48543 > 100.96.0.3.53: 49478+ A? ntp2.ivolces.com. (34)
20:50:12.903690 IP 192.168.0.2.50660 > 100.96.0.2.53: 7537+ [1au] AAAA? ntp3.ivolces.com. (45)
20:50:12.903710 IP 192.168.0.2.58075 > 100.96.0.2.53: 59569+ [1au] AAAA? ntp3.ivolces.com.ivolces.com. (57)
20:50:12.903728 IP 192.168.0.2.54169 > 100.96.0.2.53: 28381+ [1au] A? ntp3.ivolces.com.ivolces.com. (57)
20:50:12.903747 IP 192.168.0.2.47311 > 100.96.0.2.53: 2338+ [1au] A? ntp3.ivolces.com. (45)
20:50:12.903790 IP 192.168.0.2.50133 > 100.96.0.2.53: 4483+ [1au] AAAA? ntp2.ivolces.com. (45)
20:50:12.904171 IP 100.96.0.2.53 > 192.168.0.2.47311: 2338* 1/0/1 A 100.96.0.13 (77)
20:50:12.904601 IP 100.96.0.2.53 > 192.168.0.2.50660: 7537* 0/1/1 (131)
20:50:12.904628 IP 100.96.0.2.53 > 192.168.0.2.54169: 28381 NXDomain* 0/1/1 (143)
20:50:12.905040 IP 100.96.0.2.53 > 192.168.0.2.50133: 4483* 0/1/1 (131)
20:50:12.905181 IP 100.96.0.2.53 > 192.168.0.2.58075: 59569 NXDomain* 0/1/1 (143)
20:50:12.906542 IP 100.96.0.3.53 > 192.168.0.2.48543: 49478* 1/0/0 A 100.96.0.12 (66)
20:50:15.241190 IP 192.168.0.2.52317 > 100.96.0.2.53: 17060+ [1au] A? mirrors.ivolces.com. (48)
20:50:15.241237 IP 192.168.0.2.43487 > 100.96.0.2.53: 50457+ [1au] AAAA? mirrors.ivolces.com. (48)
...

resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.96.0.3
       DNS Servers: 100.96.0.2 100.96.0.3
...
Link 155 (tailscale0)
    Current Scopes: none
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
```

So the 100.x addresses are the cloud server's DNS servers, and they have quite a few domains configured, not limited to the ones shown above.

After I bring tailscale up:

```shell
sudo tailscale up --login-server http://127.0.0.1:27896 --accept-dns=true --authkey 90e2d5089997c0ef0929eaa8475ac441de0fe9acae43cfbd --hostname dy1

resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.96.0.3
       DNS Servers: 100.96.0.2 100.96.0.3
...
Link 155 (tailscale0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.100.100.100
       DNS Servers: 100.100.100.100
        DNS Domain: h.l ~.

sudo tcpdump -i eth0 udp port 53 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:26:46.661078 IP 192.168.0.2.44635 > 100.96.0.3.53: 34904+ [1au] AAAA? open.volcengineapi.com.h.l. (55)
21:26:46.661133 IP 192.168.0.2.38527 > 100.96.0.3.53: 31188+ [1au] A? open.volcengineapi.com.h.l. (55)
21:26:46.662072 IP 100.96.0.3.53 > 192.168.0.2.38527: 31188 NXDomain 0/1/1 (130)
21:26:46.662508 IP 100.96.0.3.53 > 192.168.0.2.44635: 34904 NXDomain 0/1/1 (130)
21:26:51.661835 IP 192.168.0.2.39804 > 100.96.0.3.53: 29966+ [1au] A? open.volcengineapi.com.h.l. (55)
21:26:51.661863 IP 192.168.0.2.48489 > 100.96.0.3.53: 48309+ [1au] AAAA? open.volcengineapi.com.h.l. (55)
...
```

- I want to use MagicDNS. If I pass `--accept-dns=false`, that feature becomes unusable, right? I don't want that.
- A custom rule so that `*.ivolces.com` uses the internal DNS (`sudo resolvectl domain eth0 ~ivolces.com` and `sudo resolvectl dns eth0 100.96.0.2 100.96.0.3`) would hardcode the base domain, right? The cloud server's domains are not just ivolces.com; there may be others, and I don't know whether I should key on the IP addresses 100.96.0.2 100.96.0.3 instead.
- Modifying the Headscale server's configuration file (e.g. config.yaml) to specify the cloud server's DNS 100.96.0.2 100.96.0.3 would create coupling, right? These DNS addresses only apply to this server; I don't want to hardcode this one server's DNS into Headscale.
- I have already turned off the firewall.

Based on the above suggestions, I found a solution:

```shell
# Give the tailscale0 interface its own DNS server and routing domain
sudo resolvectl dns tailscale0 100.100.100.100
sudo resolvectl domain tailscale0 ~h.l

# Set the default DNS for eth0 (takes priority over the global setting)
sudo resolvectl dns eth0 100.96.0.2 100.96.0.3
sudo resolvectl default-route eth0 yes

# Restart the services
sudo systemctl restart systemd-resolved tailscaled
```

Then, with tailscale already up, check the status:

```shell
resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.96.0.2
       DNS Servers: 100.96.0.2 100.96.0.3
...
Link 156 (tailscale0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.100.100.100
       DNS Servers: 100.100.100.100
        DNS Domain: h.l ~.
```

The cloud DNS still does not work:

```shell
dig @100.96.0.2

; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> @100.96.0.2
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

(base) root@iv-ydiskxo4xsqc6il525qi:~/program# sudo tailscale down
(base) root@iv-ydiskxo4xsqc6il525qi:~/program# dig @100.96.0.2

; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> @100.96.0.2
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29167
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 4589434174d8d4dc (echoed)
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			539	IN	NS	i.root-servers.net.
.			539	IN	NS	d.root-servers.net.
.			539	IN	NS	b.root-servers.net.
.			539	IN	NS	e.root-servers.net.
.			539	IN	NS	l.root-servers.net.
.			539	IN	NS	j.root-servers.net.
.			539	IN	NS	k.root-servers.net.
.			539	IN	NS	a.root-servers.net.
.			539	IN	NS	m.root-servers.net.
.			539	IN	NS	f.root-servers.net.
.			539	IN	NS	g.root-servers.net.
.			539	IN	NS	h.root-servers.net.
.			539	IN	NS	c.root-servers.net.

;; Query time: 0 msec
;; SERVER: 100.96.0.2#53(100.96.0.2) (UDP)
;; WHEN: Thu Mar 06 21:53:52 CST 2025
;; MSG SIZE  rcvd: 443
```

Only while tailscale is up does dig against the cloud resolver fail. What exactly is misconfigured, such that starting tailscale affects the cloud server's default DNS configuration?

# fuck

tailscale + headscale are deployed on a public server. In some cloud-server scenarios, running tailscaled overwrites the default /etc/resolv.conf, so that after `sudo tailscale up --login-server https://hs.magong.site --accept-dns=true --authkey 90e2d5089997c0ef0929eaa8475ac441de0fe9acae43cfbd --hostname dy1` the cloud server can no longer ping mirrors.ivolces.com. Later I found the solution in the official docs (the "Configuring Linux DNS" section quoted above).

I configured it following the docs and found it still does not work.

```shell
ls -al /etc/resolv.conf
lrwxrwxrwx 1 root root 37 Mar  6 18:21 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf

sudo systemctl status systemd-resolved
● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/lib/systemd/system/systemd-resolved.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2025-03-06 18:28:57 CST; 8s ago

sudo systemctl status tailscaled
● tailscaled.service - Tailscale node agent
     Loaded: loaded (/lib/systemd/system/tailscaled.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2025-03-06 18:21:42 CST; 5min ago

sudo systemctl status NetworkManager
● NetworkManager.service - Network Manager
     Loaded: loaded (/lib/systemd/system/NetworkManager.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2025-03-06 18:21:36 CST; 6min ago
```

```shell
# before starting tailscale:
cat /etc/resolv.conf
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search .

ping mirrors.ivolces.com
PING mirrors.ivolces.com (100.96.0.22) 56(84) bytes of data.
64 bytes from 100.96.0.22 (100.96.0.22): icmp_seq=1 ttl=64 time=0.108 ms
64 bytes from 100.96.0.22 (100.96.0.22): icmp_seq=2 ttl=64 time=0.130 ms
```

```shell
# after starting tailscale:
sudo tailscale up --login-server https://hs.magong.site --accept-dns=true --authkey 90e2d5089997c0ef0929eaa8475ac441de0fe9acae43cfbd --hostname dy1

cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search h.l

ping mirrors.ivolces.com
ping: mirrors.ivolces.com: Name or service not known
```

Even when I set the parameter to not accept DNS, it still does not work. (And I do want to use MagicDNS, because it is convenient for me.)

```shell
sudo tailscale up --login-server https://hs.magong.site --accept-dns=false --authkey 90e2d5089997c0ef0929eaa8475ac441de0fe9acae43cfbd --hostname dy1

cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search .

ping mirrors.ivolces.com
ping: mirrors.ivolces.com: Temporary failure in name resolution
```

To look further at the DNS management state:

```shell
sudo tailscale up --login-server https://hs.magong.site --accept-dns=true --authkey 90e2d5089997c0ef0929eaa8475ac441de0fe9acae43cfbd --hostname dy1
(base) root@iv-ydiskxo4xsqc6il525qi:~/program/headscale# resolvectl dns tailscale0
Link 149 (tailscale0): 100.100.100.100

sudo tailscale down

# when set to false, resolvectl dns shows no address
sudo tailscale up --login-server https://hs.magong.site --accept-dns=false --authkey 90e2d5089997c0ef0929eaa8475ac441de0fe9acae43cfbd --hostname dy1
resolvectl dns tailscale0
Link 149 (tailscale0):
```

Checking resolvectl status further:

```shell
sudo tailscale down

# after tailscale down, ping works
ping mirrors.ivolces.com
PING mirrors.ivolces.com (100.96.0.22) 56(84) bytes of data.
64 bytes from 100.96.0.22 (100.96.0.22): icmp_seq=1 ttl=64 time=0.117 ms

resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.96.0.2
       DNS Servers: 100.96.0.2 100.96.0.3
...
Link 141 (veth928f8d8)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 149 (tailscale0)
    Current Scopes: none
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
```

After setting tailscale to accept DNS, check again:

```shell
sudo tailscale up --login-server https://hs.magong.site --accept-dns=true --authkey 90e2d5089997c0ef0929eaa8475ac441de0fe9acae43cfbd --hostname dy1

resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.96.0.2
       DNS Servers: 100.96.0.2 100.96.0.3

Link 7 (docker0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
...
Link 141 (veth928f8d8)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 149 (tailscale0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.100.100.100
       DNS Servers: 100.100.100.100
        DNS Domain: h.l ~.
```

The cloud's default configuration still does not work:

```shell
ping mirrors.ivolces.com
ping: mirrors.ivolces.com: Name or service not known
```

What is causing my configuration to fail? I clearly followed the official docs. Why does it interfere with the cloud's default configuration? I need MagicDNS and, at the same time, need it not to interfere with the default system configuration.
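Added diagnostic, not from the original post and not Tailscale's or Headscale's code: the cloud resolvers 100.96.0.2 / 100.96.0.3 and the mirror host 100.96.0.22 all lie inside 100.64.0.0/10, the CGNAT block that Tailscale uses for node addresses and routes into tailscale0 on Linux, which matches `dig @100.96.0.2` timing out only while tailscale is up and regardless of `--accept-dns`. The script flags any resolver on a link that falls inside that block and, when run on the host, shows which interface the kernel would route it through right now; the `--run` flag, the link-name argument and the `resolvectl dns` output form are assumptions.

```shell
#!/bin/sh
# Added diagnostic for the post above; not Tailscale's or Headscale's code.
# Tailscale hands every node an address from the CGNAT block 100.64.0.0/10
# and, on Linux, routes that whole block into tailscale0 (policy table 52).
# A cloud that also uses 100.64.0.0/10 for its own services, as here with
# the resolvers 100.96.0.2/.3 and mirrors at 100.96.0.22, loses them while
# tailscaled is up: packets are steered into the tunnel instead of eth0.

# Dotted IPv4 -> 32-bit integer on stdout; non-zero exit on malformed input.
ip4_to_int() {
    case "$1" in ''|.*|*.) return 1 ;; esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|0?*) return 1 ;; esac   # digits only, no leading zero
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Exit 0 when ADDR lies inside PREFIX/LEN, e.g. in_prefix 100.96.0.2 100.64.0.0/10
in_prefix() {
    case "$2" in */*) ;; *) return 2 ;; esac
    addr=$(ip4_to_int "$1") || return 2
    net=$(ip4_to_int "${2%/*}") || return 2
    len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# "cgnat" if Tailscale will claim the address once it is up, otherwise "ok".
classify_resolver() {
    if in_prefix "$1" 100.64.0.0/10; then echo cgnat; else echo ok; fi
}

# Live check: the interface the kernel would use for ADDR now ("?" if unknown).
route_dev() {
    dev=$(ip route get "$1" 2>/dev/null | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1)
    echo "${dev:-?}"
}

# Walk the resolvers systemd-resolved has on LINK (assumed output form:
# "Link 2 (eth0): 100.96.0.2 100.96.0.3", as in the post) and report each one.
check_link() {
    link=${1:-eth0}
    for r in $(resolvectl dns "$link" | sed 's/^[^:]*: *//'); do
        printf '%-16s %-6s routed via %s\n' "$r" "$(classify_resolver "$r")" "$(route_dev "$r")"
    done
}

# Usage on the host (assumed flag): sh dns-cgnat-check.sh --run eth0
if [ "${1:-}" = "--run" ]; then check_link "${2:-eth0}"; fi
```

A resolver reported as `cgnat` is reachable only while tailscale is down, so the fix belongs on the routing side rather than in systemd-resolved's per-link DNS settings.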