Fix MagicDNS incompatibility with Home Assistant's DNS

[lmagyar]

Proposed Changes

This was a permanent returning issue.

Problem:

• MagicDNS (TS DNS on 100.100.100.100 + magical modification of any system's DNS settings) when can't resolve something, doesn't return REFUSED, SERVFAIL or NXDOMAIN, but calls the original DNS server (based on the DNS config existed before TS started, in our case /etc/resolv.conf)
• on HA, this is hassio_dns, where we configure to first call 100.100.100.100
• loop, crash...

Not solutions:

• there is no way, to modify this TS DNS behavior
• permanent accept_dns=false disables the DNS config's magical modification, but also disables accepting configured global nameservers by 100.100.100.100 from TS admin page, they won't be called, it would break things
  • though Tailscale's docker image has accept_dns=false by default, but that doesn't solve the issue, when users enable it

Solution:

• mount an empty resolv.conf for tailscaled (for any other process, there is the default add-on resolv.conf pointing to hassio_dns)
  • if a resolution is requested by any process (in the TS add-on or in any other container), it first goes to hassio_dns, then hassio_dns calls 100.100.100.100 (if configured), if 100.100.100.100 returns an error, hassio_dns calls the next server, this is the normal HA way to do DNS queries
  • but TS fills the log with warnings for every non-resolved DNS request: dns: resolver: forward: no upstream resolvers set, returning SERVFAIL
• start a dummy dnsmasq, that answers REFUSED for everything, and use it in the fake resolv.conf for tailscaled
  • it runs on 127.52.52.52:53, only port 53 is allowed in resolv.conf (52 is TS's "magic number", also used in iptables, etc.)
  • I've tried to hide it with a network namespace, but my Linux (apparmor?) experience wasn't enough to achieve this

Positive side effects:

• name resolution works the same in the TS add-on as in any other container in HA
• if TS add-on (and DNS) is down, HA will work normally, though will resolve funnel-ed devices with their external public address, but even this is correct

Negative side effects:

• we must configure 100.100.100.100 in HA net settings, tailnet resolution even inside the TS add-on won't work without this, a bit strange for TS users (who should not cli into the TS container on the firs place), but correct for HA, so I think it is fine
• ping tailnet-device-name doesn't work, only ping tailnet-device-name.tailxxxx.ts.net, so without domain, only local.hass.io domain works, but this is the default HA behavior, so I think it is fine

Related Issues

Summary by CodeRabbit

• Documentation

  • Updated DNS section with detailed explanations of configuration options
  • Clarified accept_dns option behavior and its role in DNS settings

• New Features

  • Added dnsmasq package to improve DNS handling
  • Introduced new AppArmor profile for enhanced security

• Configuration

  • Added SYS_ADMIN privilege to expand service capabilities
  • Updated DNS configuration management

• Bug Fixes

  • Improved DNS configuration to prevent potential conflicts
  • Enhanced logging and error handling for DNS services

[coderabbitai]

Warning

Rate limit exceeded

@lmagyar has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 29 minutes and 33 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between e7bfcaf and a7e5131.

📒 Files selected for processing (1)

• tailscale/DOCS.md (4 hunks)

Walkthrough

This pull request introduces comprehensive changes to the Tailscale Home Assistant Community Add-on, focusing on DNS configuration and documentation improvements. The modifications include updating the documentation with clearer explanations of DNS settings, adding a new AppArmor profile, installing dnsmasq, and enhancing the S6 overlay scripts to manage DNS-related services more effectively. The changes aim to provide better control and understanding of DNS configuration within the Tailscale add-on.

Changes

File	Change Summary
DOCS.md	Added new DNS section, updated accept_dns option description, improved documentation clarity
Dockerfile	Added dnsmasq=2.90-r3 package installation
apparmor.txt	New AppArmor profile for Tailscale with enhanced permissions
config.yaml	Added SYS_ADMIN privilege
rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/*	New scripts for managing dnsmasq service (run, finish, type)
rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run	Updated script with new log level variables and DNS configuration handling
rootfs/etc/s6-overlay/scripts/stage2_hook.sh	Added conditional logic to manage dnsmasq service
translations/en.yaml	Updated accept_dns configuration description

Sequence Diagram

sequenceDiagram
    participant User
    participant Addon
    participant Tailscale
    participant DNSService

    User->>Addon: Configure DNS settings
    Addon->>Tailscale: Apply DNS configuration
    Tailscale->>DNSService: Initialize DNS handling
    DNSService-->>Tailscale: Confirm DNS settings
    Tailscale-->>Addon: DNS configuration complete

Loading

Possibly related PRs

• Make UDP port configurable #390: Updates documentation with UDP port configuration
• Update add-on docs to match updated Tailscale docs #416: Improves Tailscale documentation clarity
• Update docs with DNS settings #428: Updates documentation with DNS settings
• Update links to Tailscale documentation #444: Updates documentation links

Suggested labels

bugfix, documentation

Suggested reviewers

• frenck

Poem

🐰 A Tailscale Tail of DNS Delight

In the realm of networks, a rabbit's might,
Dnsmasq dances, configs shine bright,
AppArmor guards with permissions tight,
Resolving queries with magical sight,
Our addon's journey reaches new height! 🌐

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

tailscale/DOCS.md (1)

438-469: Fix minor formatting and grammar issues in advanced DNS configuration.

The advanced DNS configuration section has some minor issues:

Apply these corrections:

• Line 444: Remove comma before "because"
• Line 450: Remove duplicate "the"
• Line 458: Change "eg." to "e.g."
• Line 465: Remove comma before "because"

🧰 Tools

🪛 LanguageTool

[uncategorized] ~438-~438: Use a comma before ‘and’ if it connects two independent clauses (unless they are closely connected and short).
Context: ...sing Tailscale DNS to resolve everything and you have your own DNS (like AdGuard) _o...

(COMMA_COMPOUND_SENTENCE)

---

[formatting] ~444-~444: If the ‘because’ clause is essential to the meaning, do not use a comma before the clause.
Context: ...s global nameserver on the admin console, because you want to redirect all DNS queries wi...

(COMMA_BEFORE_BECAUSE)

---

[duplication] ~450-~450: Possible typo: you repeated a word.
Context: ...f your tailnet that are configured on the the admin console above. This will preven...

(ENGLISH_WORD_REPEAT_RULE)

---

[uncategorized] ~455-~455: The abbreviation “e.g.” (= for example) requires two periods.
Context: ...gure your DNS as the only DNS server (eg. IPv4: 127.0.0.1, IPv6: ::1). - In your...

(E_G)

---

[uncategorized] ~457-~457: Possible missing comma found.
Context: ...IPv4: 127.0.0.1, IPv6: ::1). - In your DNS configure Tailscale DNS for your tailne...

(AI_HYDRA_LEO_MISSING_COMMA)

---

[uncategorized] ~458-~458: The abbreviation “e.g.” (= for example) requires two periods.
Context: ...ailnet domain as upstream DNS server (eg. in case of AdGuard `[/tail1234.ts.net/]...

(E_G)

---

[uncategorized] ~461-~461: The abbreviation “e.g.” (= for example) requires two periods.
Context: ... can configure your normal DNS servers (eg. 192.168.1.1 or 1.1.1.1) at the second o...

(E_G)

---

[formatting] ~465-~465: If the ‘because’ clause is essential to the meaning, do not use a comma before the clause.
Context: ...n Home Assistant's network configuration, because when accept_dns option is disabled, T...

(COMMA_BEFORE_BECAUSE)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7438621 and e7bfcaf.

📒 Files selected for processing (10)

• tailscale/DOCS.md (4 hunks)
• tailscale/Dockerfile (1 hunks)
• tailscale/apparmor.txt (1 hunks)
• tailscale/config.yaml (1 hunks)
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/finish (1 hunks)
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/run (1 hunks)
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/type (1 hunks)
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run (2 hunks)
• tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh (1 hunks)
• tailscale/translations/en.yaml (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/type

🧰 Additional context used

🪛 LanguageTool

tailscale/DOCS.md

[uncategorized] ~91-~91: Possible missing comma found.
Context: ...le_dns] of the admin console. For more information see the "DNS" section of this documenta...

(AI_HYDRA_LEO_MISSING_COMMA)

---

[uncategorized] ~368-~368: The abbreviation “i.e.” (= that is) requires two periods.
Context: ...n name instead of only the device name, ie. `ping some-tailnet-device.tail1234.ts.n...

(I_E)

---

[grammar] ~385-~385: It appears that a pronoun is missing.
Context: ... in the add-on, is that Tailscale's DNS when can't resolve a query, instead of retur...

(WHERE_MD_VB)

---

[uncategorized] ~404-~404: The abbreviation “e.g.” (= for example) requires two periods.
Context: ...0::53). Move your normal DNS servers (eg. 192.168.1.1 or 1.1.1.1) to lower positi...

(E_G)

---

[uncategorized] ~429-~429: The abbreviation “e.g.” (= for example) requires two periods.
Context: ... can configure your normal DNS servers (eg. 192.168.1.1 or 1.1.1.1) at the second o...

(E_G)

---

[style] ~434-~434: The adverb ‘also’ is commonly used to connect clauses and isn’t usually used at the end of a phrase or before a conjunction. Consider replacing it with a more formal alternative.
Context: ... DNS will resolve non-tailnet addresses also. Whether you have your own DNS (like Ad...

(ALSO_AS_WELL)

---

[uncategorized] ~438-~438: Use a comma before ‘and’ if it connects two independent clauses (unless they are closely connected and short).
Context: ...sing Tailscale DNS to resolve everything and you have your own DNS (like AdGuard) _o...

(COMMA_COMPOUND_SENTENCE)

---

[formatting] ~444-~444: If the ‘because’ clause is essential to the meaning, do not use a comma before the clause.
Context: ...s global nameserver on the admin console, because you want to redirect all DNS queries wi...

(COMMA_BEFORE_BECAUSE)

---

[duplication] ~450-~450: Possible typo: you repeated a word.
Context: ...f your tailnet that are configured on the the admin console above. This will preven...

(ENGLISH_WORD_REPEAT_RULE)

---

[uncategorized] ~455-~455: The abbreviation “e.g.” (= for example) requires two periods.
Context: ...gure your DNS as the only DNS server (eg. IPv4: 127.0.0.1, IPv6: ::1). - In your...

(E_G)

---

[uncategorized] ~457-~457: Possible missing comma found.
Context: ...IPv4: 127.0.0.1, IPv6: ::1). - In your DNS configure Tailscale DNS for your tailne...

(AI_HYDRA_LEO_MISSING_COMMA)

---

[uncategorized] ~458-~458: The abbreviation “e.g.” (= for example) requires two periods.
Context: ...ailnet domain as upstream DNS server (eg. in case of AdGuard `[/tail1234.ts.net/]...

(E_G)

---

[uncategorized] ~461-~461: The abbreviation “e.g.” (= for example) requires two periods.
Context: ... can configure your normal DNS servers (eg. 192.168.1.1 or 1.1.1.1) at the second o...

(E_G)

---

[formatting] ~465-~465: If the ‘because’ clause is essential to the meaning, do not use a comma before the clause.
Context: ...n Home Assistant's network configuration, because when accept_dns option is disabled, T...

(COMMA_BEFORE_BECAUSE)

🔇 Additional comments (13)

tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/run (2)

8-8: LGTM! Good choice of IP address.

The chosen IP address (127.52.52.52) is within the loopback range but uses an uncommon subnet to avoid conflicts with other services.

---

12-16: LGTM! Well-configured dummy DNS setup.

The dnsmasq configuration is secure and properly isolated:

• Binds only to specific interface
• Runs in foreground for proper supervision
• Refuses all queries as intended
• Uses port 53 as required for resolv.conf

tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/finish (1)

15-25: LGTM! Robust exit handling implementation.

The script properly manages service shutdown with appropriate exit code handling:

• Preserves signal-based exits (code 256)
• Special handling for SIGTERM (signal 15)
• Maintains container exit codes

tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run (2)

38-40: LGTM! Good DNS loop prevention strategy.

The implementation correctly prevents DNS loops by isolating tailscaled's DNS configuration from the system.

---

52-62: Verify mount namespace isolation.

While the mount namespace isolation is a good approach, ensure that:

1. The mount namespace is properly cleaned up on service restart
2. The file permissions are preserved during the move operation

tailscale/config.yaml (1)

24-24: Verify the necessity of SYS_ADMIN privilege.

While SYS_ADMIN is required for mount namespace operations, it's a powerful capability. Consider if a more limited capability like CAP_SYS_CHROOT would suffice for the mount --bind operation.

✅ Verification successful

SYS_ADMIN capability is required for Tailscale's core functionality

The capability is necessary for network namespace operations and interface management, which are essential for Tailscale's VPN functionality. CAP_SYS_CHROOT would not be sufficient as Tailscale requires full network namespace management capabilities.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if the mount operation works with CAP_SYS_CHROOT
# Note: This is a theoretical check as the actual test would require runtime capabilities
capsh --print | grep cap_sys_admin

Length of output: 132

---

Script:

#!/bin/bash
# Search for mount-related operations and SYS_ADMIN references
echo "=== Searching for mount operations ==="
rg -i "mount" --type yaml --type go -C 2

echo -e "\n=== Searching for SYS_ADMIN references ==="
rg -i "sys_admin" --type yaml --type go -C 2

echo -e "\n=== Checking README and docs ==="
fd "README|\.md$" -t f -X cat

Length of output: 30735

tailscale/apparmor.txt (2)

3-9: LGTM! AppArmor profile correctly configured with necessary flags and base abstractions.

The profile is properly set up with:

• attach_disconnected flag for handling disconnected paths
• mediate_deleted flag for mediating deleted files
• Required signal capabilities for process management

---

43-47: Verify mount capabilities for DNS fix.

The mount capabilities and rules look correct for the MagicDNS fix:

• sys_admin capability for mount operations
• Root filesystem mount with rprivate for proper isolation
• Bind mount for tailscaled resolver configuration

tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh (1)

8-15: LGTM! Correct service management logic for dnsmasq.

The conditional block properly handles dnsmasq service based on configuration:

• Disables when userspace networking is enabled
• Disables when DNS acceptance is disabled
• Correctly removes both service and dependency files

tailscale/Dockerfile (1)

13-13: Verify dnsmasq package version for security vulnerabilities.

The dnsmasq package version 2.90-r3 is added as a dependency.

tailscale/translations/en.yaml (1)

6-7: LGTM! Clear and accurate description of accept_dns option.

The updated description correctly explains:

• Purpose of accepting DNS settings from tailnet
• Configuration location in admin console

tailscale/DOCS.md (2)

348-394: LGTM! Comprehensive explanation of DNS functionality.

Excellent documentation of:

• DNS server functionality at 100.100.100.100
• MagicDNS components and limitations
• DNS resolution behavior
• Loop prevention mechanism

🧰 Tools

🪛 LanguageTool

[uncategorized] ~368-~368: The abbreviation “i.e.” (= that is) requires two periods.
Context: ...n name instead of only the device name, ie. `ping some-tailnet-device.tail1234.ts.n...

(I_E)

---

[grammar] ~385-~385: It appears that a pronoun is missing.
Context: ... in the add-on, is that Tailscale's DNS when can't resolve a query, instead of retur...

(WHERE_MD_VB)

---

397-415: LGTM! Clear instructions for basic DNS configuration.

Well-documented scenario for resolving only tailnet devices:

• Correct DNS server configuration
• Proper order of DNS servers
• Fallback behavior

🧰 Tools

🪛 LanguageTool

[uncategorized] ~404-~404: The abbreviation “e.g.” (= for example) requires two periods.
Context: ...0::53). Move your normal DNS servers (eg. 192.168.1.1 or 1.1.1.1) to lower positi...

(E_G)