headscale/hscontrol/dns.go

152 lines
4.6 KiB
Go
Raw Normal View History

package hscontrol
import (
"fmt"
2022-09-02 03:15:05 -04:00
"net/netip"
"strings"
2022-09-02 03:15:05 -04:00
"go4.org/netipx"
"tailscale.com/util/dnsname"
)
const (
ByteSize = 8
)
2022-01-15 10:18:49 -05:00
const (
ipv4AddressLength = 32
ipv6AddressLength = 128
)
// generateMagicDNSRootDomains generates a list of DNS entries to be included in `Routes` in `MapResponse`.
// This list of reverse DNS entries instructs the OS on what subnets and domains the Tailscale embedded DNS
// server (listening in 100.100.100.100 udp/53) should be used for.
//
// Tailscale.com includes in the list:
// - the `BaseDomain` of the user
// - the reverse DNS entry for IPv6 (0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa., see below more on IPv6)
// - the reverse DNS entries for the IPv4 subnets covered by the user's `IPPrefix`.
// In the public SaaS this is [64-127].100.in-addr.arpa.
//
// The main purpose of this function is then generating the list of IPv4 entries. For the 100.64.0.0/10, this
// is clear, and could be hardcoded. But we are allowing any range as `IPPrefix`, so we need to find out the
// subnets when we have 172.16.0.0/16 (i.e., [0-255].16.172.in-addr.arpa.), or any other subnet.
//
// How IN-ADDR.ARPA domains work is defined in RFC1035 (section 3.5). Tailscale.com seems to adhere to this,
// and do not make use of RFC2317 ("Classless IN-ADDR.ARPA delegation") - hence generating the entries for the next
// class block only.
// From the netmask we can find out the wildcard bits (the bits that are not set in the netmask).
// This allows us to then calculate the subnets included in the subsequent class block and generate the entries.
2022-09-02 03:15:05 -04:00
func generateMagicDNSRootDomains(ipPrefixes []netip.Prefix) []dnsname.FQDN {
2022-01-16 08:16:59 -05:00
fqdns := make([]dnsname.FQDN, 0, len(ipPrefixes))
for _, ipPrefix := range ipPrefixes {
2022-09-02 03:15:05 -04:00
var generateDNSRoot func(netip.Prefix) []dnsname.FQDN
switch ipPrefix.Addr().BitLen() {
2022-01-15 10:18:49 -05:00
case ipv4AddressLength:
generateDNSRoot = generateIPv4DNSRootDomain
case ipv6AddressLength:
generateDNSRoot = generateIPv6DNSRootDomain
2022-01-16 08:16:59 -05:00
default:
2022-01-25 17:11:15 -05:00
panic(
fmt.Sprintf(
"unsupported IP version with address length %d",
2022-09-02 03:15:05 -04:00
ipPrefix.Addr().BitLen(),
2022-01-25 17:11:15 -05:00
),
)
2022-01-16 08:16:59 -05:00
}
2022-01-15 10:18:49 -05:00
fqdns = append(fqdns, generateDNSRoot(ipPrefix)...)
2022-01-16 08:16:59 -05:00
}
return fqdns
}
2022-09-02 03:15:05 -04:00
func generateIPv4DNSRootDomain(ipPrefix netip.Prefix) []dnsname.FQDN {
2021-10-09 18:40:25 -04:00
// Conversion to the std lib net.IPnet, a bit easier to operate
2022-09-02 03:15:05 -04:00
netRange := netipx.PrefixIPNet(ipPrefix)
maskBits, _ := netRange.Mask.Size()
// lastOctet is the last IP byte covered by the mask
lastOctet := maskBits / ByteSize
2021-10-09 18:40:25 -04:00
// wildcardBits is the number of bits not under the mask in the lastOctet
wildcardBits := ByteSize - maskBits%ByteSize
2021-10-09 18:40:25 -04:00
// min is the value in the lastOctet byte of the IP
// max is basically 2^wildcardBits - i.e., the value when all the wildcardBits are set to 1
min := uint(netRange.IP[lastOctet])
2021-11-14 11:49:54 -05:00
max := (min + 1<<uint(wildcardBits)) - 1
2021-10-09 18:40:25 -04:00
// here we generate the base domain (e.g., 100.in-addr.arpa., 16.172.in-addr.arpa., etc.)
rdnsSlice := []string{}
for i := lastOctet - 1; i >= 0; i-- {
rdnsSlice = append(rdnsSlice, fmt.Sprintf("%d", netRange.IP[i]))
}
rdnsSlice = append(rdnsSlice, "in-addr.arpa.")
rdnsBase := strings.Join(rdnsSlice, ".")
2022-01-15 10:18:49 -05:00
fqdns := make([]dnsname.FQDN, 0, max-min+1)
for i := min; i <= max; i++ {
fqdn, err := dnsname.ToFQDN(fmt.Sprintf("%d.%s", i, rdnsBase))
if err != nil {
continue
}
fqdns = append(fqdns, fqdn)
}
2021-11-14 10:46:09 -05:00
2022-01-15 10:18:49 -05:00
return fqdns
}
2022-09-02 03:15:05 -04:00
func generateIPv6DNSRootDomain(ipPrefix netip.Prefix) []dnsname.FQDN {
2022-01-15 10:18:49 -05:00
const nibbleLen = 4
2022-09-02 03:15:05 -04:00
maskBits, _ := netipx.PrefixIPNet(ipPrefix).Mask.Size()
expanded := ipPrefix.Addr().StringExpanded()
2022-01-15 10:18:49 -05:00
nibbleStr := strings.Map(func(r rune) rune {
if r == ':' {
return -1
}
return r
}, expanded)
// TODO?: that does not look the most efficient implementation,
// but the inputs are not so long as to cause problems,
// and from what I can see, the generateMagicDNSRootDomains
// function is called only once over the lifetime of a server process.
prefixConstantParts := []string{}
for i := 0; i < maskBits/nibbleLen; i++ {
2022-01-25 17:11:15 -05:00
prefixConstantParts = append(
[]string{string(nibbleStr[i])},
prefixConstantParts...)
2022-01-15 10:18:49 -05:00
}
makeDomain := func(variablePrefix ...string) (dnsname.FQDN, error) {
prefix := strings.Join(append(variablePrefix, prefixConstantParts...), ".")
return dnsname.ToFQDN(fmt.Sprintf("%s.ip6.arpa", prefix))
}
var fqdns []dnsname.FQDN
if maskBits%4 == 0 {
dom, _ := makeDomain()
fqdns = append(fqdns, dom)
} else {
domCount := 1 << (maskBits % nibbleLen)
fqdns = make([]dnsname.FQDN, 0, domCount)
for i := 0; i < domCount; i++ {
varNibble := fmt.Sprintf("%x", i)
dom, err := makeDomain(varNibble)
if err != nil {
continue
}
fqdns = append(fqdns, dom)
}
}
return fqdns
}