Cloud DNS

tailscale + headscale are deployed on a public server. In some cloud-server environments, running tailscaled overwrites the default /etc/resolv.conf, so that after sudo tailscale up --login-server https://hs.magong.site --accept-dns=true --authkey 90e2d5089997c0ef0929eaa8475ac441de0fe9acae43cfbd --hostname dy1 the cloud server can no longer ping mirrors.ivolces.com.

ping mirrors.ivolces.com
ping: mirrors.ivolces.com: Name or service not known
(base) root@iv-ydiskxo4xsqc6il525qi:~# dig mirrors.ivolces.com

; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> mirrors.ivolces.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51173
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;mirrors.ivolces.com.           IN      A

;; AUTHORITY SECTION:
ivolces.com.            255     IN      SOA     ns1.bytedns.com. dnsadmin.bytedance.com. 2022092021 3600 1200 86400 300

;; Query time: 908 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Fri Mar 07 00:34:49 CST 2025
;; MSG SIZE  rcvd: 115

resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.96.0.2
       DNS Servers: 100.96.0.2 100.96.0.3

Link 7 (docker0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 8 (br-2cec65ee25)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 62 (br-690d297c18)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 71 (br-c893393fd0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 73 (vethb0dd2c1)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 84 (vethbb1f31e)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 85 (br-c1e71b5657)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 101 (veth0f10628)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 102 (br-eaaee9b7df)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 165 (tailscale0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.100.100.100
       DNS Servers: 100.100.100.100
        DNS Domain: h.l ~.

Later I found the following solution in the official documentation:

Configuring Linux DNS
There are an incredible number of ways to configure DNS on Linux.

Tailscale attempts to interoperate with any Linux DNS configuration it finds already present. Unfortunately, some are not entirely amenable to cooperatively managing the host's DNS configuration.

Common problems
NetworkManager + systemd-resolved
If you're using both NetworkManager and systemd-resolved (as is common in many distros), you'll want to make sure that /etc/resolv.conf is a symlink to /run/systemd/resolve/stub-resolv.conf. That should be the default. If not,


$ sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
When NetworkManager sees that symlink is present, its default behavior is to use systemd-resolved and not take over the resolv.conf file.

After fixing, restart everything:


$ sudo systemctl restart systemd-resolved
$ sudo systemctl restart NetworkManager
$ sudo systemctl restart tailscaled
DHCP dhclient overwriting /etc/resolv.conf
Without any DNS management system installed, DHCP clients like dhclient and programs like tailscaled have no other options than rewriting the /etc/resolv.conf file themselves, which results in them sometimes fighting with each other. (For instance, a DHCP renewal rewriting the resolv.conf resulting in loss of MagicDNS functionality.)

Possible workarounds are to use resolvconf or systemd-resolved. Issue 2334 tracks making Tailscale react to other programs updating resolv.conf so Tailscale can add itself back.

Last updated Jan 10, 2025

Before following the documentation, I first looked at the DNS configuration on the cloud server's internal network:

sudo tcpdump -i eth0 udp port 53 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:50:12.903647 IP 192.168.0.2.48543 > 100.96.0.3.53: 49478+ A? ntp2.ivolces.com. (34)
20:50:12.903690 IP 192.168.0.2.50660 > 100.96.0.2.53: 7537+ [1au] AAAA? ntp3.ivolces.com. (45)
20:50:12.903710 IP 192.168.0.2.58075 > 100.96.0.2.53: 59569+ [1au] AAAA? ntp3.ivolces.com.ivolces.com. (57)
20:50:12.903728 IP 192.168.0.2.54169 > 100.96.0.2.53: 28381+ [1au] A? ntp3.ivolces.com.ivolces.com. (57)
20:50:12.903747 IP 192.168.0.2.47311 > 100.96.0.2.53: 2338+ [1au] A? ntp3.ivolces.com. (45)
20:50:12.903790 IP 192.168.0.2.50133 > 100.96.0.2.53: 4483+ [1au] AAAA? ntp2.ivolces.com. (45)
20:50:12.904171 IP 100.96.0.2.53 > 192.168.0.2.47311: 2338* 1/0/1 A 100.96.0.13 (77)
20:50:12.904601 IP 100.96.0.2.53 > 192.168.0.2.50660: 7537* 0/1/1 (131)
20:50:12.904628 IP 100.96.0.2.53 > 192.168.0.2.54169: 28381 NXDomain* 0/1/1 (143)
20:50:12.905040 IP 100.96.0.2.53 > 192.168.0.2.50133: 4483* 0/1/1 (131)
20:50:12.905181 IP 100.96.0.2.53 > 192.168.0.2.58075: 59569 NXDomain* 0/1/1 (143)
20:50:12.906542 IP 100.96.0.3.53 > 192.168.0.2.48543: 49478* 1/0/0 A 100.96.0.12 (66)
20:50:15.241190 IP 192.168.0.2.52317 > 100.96.0.2.53: 17060+ [1au] A? mirrors.ivolces.com. (48)
20:50:15.241237 IP 192.168.0.2.43487 > 100.96.0.2.53: 50457+ [1au] AAAA? mirrors.ivolces.com. (48)
...
resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.96.0.3
       DNS Servers: 100.96.0.2 100.96.0.3
...
Link 155 (tailscale0)
    Current Scopes: none
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

So the 100.x addresses are the cloud server's DNS servers, and they carry a good number of internal domains, not only the ones shown above.

After I start tailscale:

sudo tailscale up --login-server http://127.0.0.1:27896  --accept-dns=true --authkey 90e2d5089997c0ef0929eaa8475ac441de0fe9acae43cfbd --hostname dy1
resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.96.0.3
       DNS Servers: 100.96.0.2 100.96.0.3

...
Link 155 (tailscale0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.100.100.100
       DNS Servers: 100.100.100.100
        DNS Domain: h.l ~.


sudo tcpdump -i eth0 udp port 53 -n
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:26:46.661078 IP 192.168.0.2.44635 > 100.96.0.3.53: 34904+ [1au] AAAA? open.volcengineapi.com.h.l. (55)
21:26:46.661133 IP 192.168.0.2.38527 > 100.96.0.3.53: 31188+ [1au] A? open.volcengineapi.com.h.l. (55)
21:26:46.662072 IP 100.96.0.3.53 > 192.168.0.2.38527: 31188 NXDomain 0/1/1 (130)
21:26:46.662508 IP 100.96.0.3.53 > 192.168.0.2.44635: 34904 NXDomain 0/1/1 (130)
21:26:51.661835 IP 192.168.0.2.39804 > 100.96.0.3.53: 29966+ [1au] A? open.volcengineapi.com.h.l. (55)
21:26:51.661863 IP 192.168.0.2.48489 > 100.96.0.3.53: 48309+ [1au] AAAA? open.volcengineapi.com.h.l. (55)
...
  • I want to use MagicDNS. If I pass --accept-dns=false, that feature stops working, right? I don't want that.
  • A custom rule that sends *.ivolces.com to the internal DNS (sudo resolvectl domain eth0 ~ivolces.com; sudo resolvectl dns eth0 100.96.0.2 100.96.0.3) would hard-code the base domain, right? The cloud server's domains are not just ivolces.com; there may be others, and I don't know whether I should key on the IPs 100.96.0.2 100.96.0.3 instead.
  • Changing the Headscale server's configuration file (e.g. config.yaml) to specify the cloud server's DNS 100.96.0.2 100.96.0.3 would create coupling, right? These DNS addresses only apply to this server; I don't want to hard-code this one server's DNS into Headscale.
  • I have already disabled the firewall.

Based on the suggestions above, I found one solution:

# give the tailscale0 interface its own DNS server and routing domain
sudo resolvectl dns tailscale0 100.100.100.100
sudo resolvectl domain tailscale0 ~h.l

# set the default DNS for eth0 (takes priority over global)
sudo resolvectl dns eth0 100.96.0.2 100.96.0.3
sudo resolvectl default-route eth0 yes

# restart services
sudo systemctl restart systemd-resolved tailscaled

Then, with tailscale already up, check the status:

resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.96.0.2
       DNS Servers: 100.96.0.2 100.96.0.3
...
Link 156 (tailscale0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.100.100.100
       DNS Servers: 100.100.100.100
        DNS Domain: h.l ~.

The cloud DNS still does not work:

dig @100.96.0.2

; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> @100.96.0.2
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

(base) root@iv-ydiskxo4xsqc6il525qi:~/program# sudo tailscale down
(base) root@iv-ydiskxo4xsqc6il525qi:~/program# dig @100.96.0.2

; <<>> DiG 9.18.1-1ubuntu1.1-Ubuntu <<>> @100.96.0.2
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29167
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 4589434174d8d4dc (echoed)
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       539     IN      NS      i.root-servers.net.
.                       539     IN      NS      d.root-servers.net.
.                       539     IN      NS      b.root-servers.net.
.                       539     IN      NS      e.root-servers.net.
.                       539     IN      NS      l.root-servers.net.
.                       539     IN      NS      j.root-servers.net.
.                       539     IN      NS      k.root-servers.net.
.                       539     IN      NS      a.root-servers.net.
.                       539     IN      NS      m.root-servers.net.
.                       539     IN      NS      f.root-servers.net.
.                       539     IN      NS      g.root-servers.net.
.                       539     IN      NS      h.root-servers.net.
.                       539     IN      NS      c.root-servers.net.

;; Query time: 0 msec
;; SERVER: 100.96.0.2#53(100.96.0.2) (UDP)
;; WHEN: Thu Mar 06 21:53:52 CST 2025
;; MSG SIZE  rcvd: 443

Only while tailscale is running does dig against the cloud server's DNS fail. What exactly is misconfigured, so that starting tailscale disturbs the cloud server's default DNS configuration?

fuck

I configured things as the documentation says, and it still does not work.

ls -al /etc/resolv.conf
lrwxrwxrwx 1 root root 37 Mar  6 18:21 /etc/resolv.conf -> /run/systemd/resolve/stub-resolv.conf
sudo systemctl status systemd-resolved
● systemd-resolved.service - Network Name Resolution
     Loaded: loaded (/lib/systemd/system/systemd-resolved.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2025-03-06 18:28:57 CST; 8s ago
 sudo systemctl status tailscaled
● tailscaled.service - Tailscale node agent
     Loaded: loaded (/lib/systemd/system/tailscaled.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2025-03-06 18:21:42 CST; 5min ago
sudo systemctl status NetworkManager
● NetworkManager.service - Network Manager
     Loaded: loaded (/lib/systemd/system/NetworkManager.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2025-03-06 18:21:36 CST; 6min ago
# before tailscale starts:
cat /etc/resolv.conf
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
#
# This file might be symlinked as /etc/resolv.conf. If you're looking at
# /etc/resolv.conf and seeing this text, you have followed the symlink.
#
# This is a dynamic resolv.conf file for connecting local clients to the
# internal DNS stub resolver of systemd-resolved. This file lists all
# configured search domains.
#
# Run "resolvectl status" to see details about the uplink DNS servers
# currently in use.
#
# Third party programs should typically not access this file directly, but only
# through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
# different way, replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 127.0.0.53
options edns0 trust-ad
search .
ping mirrors.ivolces.com
PING mirrors.ivolces.com (100.96.0.22) 56(84) bytes of data.
64 bytes from 100.96.0.22 (100.96.0.22): icmp_seq=1 ttl=64 time=0.108 ms
64 bytes from 100.96.0.22 (100.96.0.22): icmp_seq=2 ttl=64 time=0.130 ms
# starting tailscale:
sudo tailscale up --login-server https://hs.magong.site  --accept-dns=true --authkey 90e2d5089997c0ef0929eaa8475ac441de0fe9acae43cfbd --hostname dy1
# after tailscale starts:
cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search h.l
ping mirrors.ivolces.com
ping: mirrors.ivolces.com: Name or service not known

Even when I set the parameter to not accept DNS, it still does not work. And I do want to use MagicDNS, because it is convenient for me.

sudo tailscale up --login-server https://hs.magong.site  --accept-dns=false --authkey 90e2d5089997c0ef0929eaa8475ac441de0fe9acae43cfbd --hostname dy1
cat /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
search .
ping mirrors.ivolces.com
ping: mirrors.ivolces.com: Temporary failure in name resolution

To look further into the DNS management state:

sudo tailscale up --login-server https://hs.magong.site  --accept-dns=true --authkey 90e2d5089997c0ef0929eaa8475ac441de0fe9acae43cfbd --hostname dy1
(base) root@iv-ydiskxo4xsqc6il525qi:~/program/headscale# resolvectl dns tailscale0
Link 149 (tailscale0): 100.100.100.100


sudo tailscale down
# with --accept-dns=false, resolvectl dns shows no address
sudo tailscale up --login-server https://hs.magong.site  --accept-dns=false --authkey 90e2d5089997c0ef0929eaa8475ac441de0fe9acae43cfbd --hostname dy1
resolvectl dns tailscale0
Link 149 (tailscale0):

Checking resolvectl status further:

sudo tailscale down
# after tailscale is shut down, ping works
ping mirrors.ivolces.com
PING mirrors.ivolces.com (100.96.0.22) 56(84) bytes of data.
64 bytes from 100.96.0.22 (100.96.0.22): icmp_seq=1 ttl=64 time=0.117 ms

resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.96.0.2
       DNS Servers: 100.96.0.2 100.96.0.3
...
Link 141 (veth928f8d8)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 149 (tailscale0)
Current Scopes: none
     Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Check again after setting tailscale to accept DNS:

sudo tailscale up --login-server https://hs.magong.site  --accept-dns=true --authkey 90e2d5089997c0ef0929eaa8475ac441de0fe9acae43cfbd --hostname dy1
resolvectl status
Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (eth0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.96.0.2
       DNS Servers: 100.96.0.2 100.96.0.3

Link 7 (docker0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
...
Link 141 (veth928f8d8)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 149 (tailscale0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.100.100.100
       DNS Servers: 100.100.100.100
        DNS Domain: h.l ~.

The cloud server's default DNS configuration still does not take effect:

ping mirrors.ivolces.com
ping: mirrors.ivolces.com: Name or service not known

What is causing my configuration to fail? I clearly followed the official documentation. Why does it interfere with the cloud service's default configuration? I need MagicDNS, and at the same time it must not interfere with the default system DNS configuration.
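As an added illustration, not part of the original notes, here is a simplified model of how systemd-resolved chooses the per-link DNS servers for a query, fed with the link states transcribed from the resolvectl status output above; it reproduces the switch from the eth0 resolvers to 100.100.100.100 for mirrors.ivolces.com once tailscale0 advertises the catch-all routing domain ~. The routing rules follow man:systemd-resolved(8); the MagicDNS name dy1.h.l and the 100.64.0.0/10 check are my assumptions.

```python
from dataclasses import dataclass, field
import ipaddress

@dataclass
class Link:
    name: str
    servers: list
    routing_domains: list = field(default_factory=list)  # "h.l", "." (shown as "~.")
    default_route: bool = False

def _match_len(name: str, domain: str) -> int:
    """Length of routing domain `domain` if it is a suffix of `name`, else -1.
    The catch-all routing domain "~." matches every name with the lowest priority (0)."""
    name, domain = name.rstrip(".").lower(), domain.rstrip(".").lower()
    if domain == "":
        return 0
    if name == domain or name.endswith("." + domain):
        return len(domain)
    return -1

def route_query(name: str, links: list) -> list:
    """Names of the links whose servers receive the query, per man:systemd-resolved(8):
    the longest matching routing domain wins (ties are queried in parallel); only when
    no routing domain at all matches do links flagged +DefaultRoute get the query."""
    best, chosen = -1, []
    for link in links:
        for domain in link.routing_domains:
            n = _match_len(name, domain)
            if n > best:
                best, chosen = n, [link.name]
            elif n == best and n >= 0 and link.name not in chosen:
                chosen.append(link.name)
    return chosen or [l.name for l in links if l.default_route]

def servers_for(name: str, links: list) -> list:
    chosen = route_query(name, links)
    return [s for l in links if l.name in chosen for s in l.servers]

def inside_tailscale_range(server: str) -> bool:
    """True if a resolver address lies in 100.64.0.0/10, the CGNAT block Tailscale
    routes into tailscale0 (assumption: explains dig @100.96.0.2 timing out while up)."""
    return ipaddress.ip_address(server) in ipaddress.ip_network("100.64.0.0/10")

# Link states transcribed from the `resolvectl status` output in the notes.
ETH0 = Link("eth0", ["100.96.0.2", "100.96.0.3"], default_route=True)
TS0 = Link("tailscale0", ["100.100.100.100"], ["h.l", "."], default_route=True)
BEFORE_UP = [ETH0]
AFTER_UP = [ETH0, TS0]
# The attempted workaround: pin *.ivolces.com to eth0 (resolvectl domain eth0 ~ivolces.com).
WITH_PIN = [Link("eth0", ETH0.servers, ["ivolces.com"], True), TS0]

if __name__ == "__main__":
    for label, state in (("before", BEFORE_UP), ("after", AFTER_UP), ("pinned", WITH_PIN)):
        for q in ("mirrors.ivolces.com", "dy1.h.l", "open.volcengineapi.com"):  # dy1.h.l assumed
            print(f"{label:7} {q:24} -> {servers_for(q, state)}")
```

The pinned state shows why the ~ivolces.com workaround is only partial: any other cloud-internal domain still falls through to tailscale0. The inside_tailscale_range check covers the separate symptom that dig @100.96.0.2 times out only while tailscale is up, since 100.96.0.2 lies in the 100.64.0.0/10 block Tailscale routes into tailscale0.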