net/dnsfallback, control/controlknobs: add knob to disable recursive resolver

Updates tailscale/corp#15261 Change-Id: I099860c400c82617382723b96fd3a5193c45f0d7 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2026-05-08 05:36:38 +02:00 · 2023-10-16 09:16:01 -07:00 · 2023-10-16 09:16:01 -07:00 · 9cedc55570
commit 9cedc55570
parent feabb34ea0
6 changed files with 23 additions and 5 deletions
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@ -235,7 +235,7 @@ func NewDirect(opts Options) (*Direct, error) {
 	dnsCache := &dnscache.Resolver{
 		Forward:          dnscache.Get().Forward, // use default cache's forwarder
 		UseLastGood:      true,
-		LookupIPFallback: dnsfallback.MakeLookupFunc(opts.Logf, opts.NetMon),
+		LookupIPFallback: dnsfallback.MakeLookupFunc(opts.Logf, opts.NetMon, opts.ControlKnobs.EnableRecursiveResolver),
 		Logf:             opts.Logf,
 		NetMon:           opts.NetMon,
 	}
--- a/control/controlhttp/client.go
+++ b/control/controlhttp/client.go
@ -390,7 +390,7 @@ func (a *Dialer) resolver() *dnscache.Resolver {

 	return &dnscache.Resolver{
 		Forward:          dnscache.Get().Forward,
-		LookupIPFallback: dnsfallback.MakeLookupFunc(a.logf, a.NetMon),
+		LookupIPFallback: dnsfallback.MakeLookupFunc(a.logf, a.NetMon, func() bool { return false }),
 		UseLastGood:      true,
 		Logf:             a.Logf, // not a.logf method; we want to propagate nil-ness
 		NetMon:           a.NetMon,
--- a/control/controlknobs/controlknobs.go
+++ b/control/controlknobs/controlknobs.go
@ -52,6 +52,10 @@ type Knobs struct {
 	// DisableDNSForwarderTCPRetries is whether the DNS forwarder should
 	// skip retrying truncated queries over TCP.
 	DisableDNSForwarderTCPRetries atomic.Bool
+
+	// DisableRecursiveResolver is whether the node should disable the
+	// dnsfallback recursive resolver.
+	DisableRecursiveResolver atomic.Bool
 }

 // UpdateFromNodeAttributes updates k (if non-nil) based on the provided self
@ -74,6 +78,7 @@ func (k *Knobs) UpdateFromNodeAttributes(selfNodeAttrs []tailcfg.NodeCapability,
 		forceBackgroundSTUN           = has(tailcfg.NodeAttrDebugForceBackgroundSTUN)
 		peerMTUEnable                 = has(tailcfg.NodeAttrPeerMTUEnable)
 		dnsForwarderDisableTCPRetries = has(tailcfg.NodeAttrDNSForwarderDisableTCPRetries)
+		dnsDisableRecursiveResolver   = has(tailcfg.NodeAttrDisableRecursiveResolver)
 	)

 	if has(tailcfg.NodeAttrOneCGNATEnable) {
@ -91,6 +96,7 @@ func (k *Knobs) UpdateFromNodeAttributes(selfNodeAttrs []tailcfg.NodeCapability,
 	k.DisableDeltaUpdates.Store(disableDeltaUpdates)
 	k.PeerMTUEnable.Store(peerMTUEnable)
 	k.DisableDNSForwarderTCPRetries.Store(dnsForwarderDisableTCPRetries)
+	k.DisableRecursiveResolver.Store(dnsDisableRecursiveResolver)
 }

 // AsDebugJSON returns k as something that can be marshalled with json.Marshal
@ -111,3 +117,12 @@ func (k *Knobs) AsDebugJSON() map[string]any {
 		"DisableDNSForwarderTCPRetries": k.DisableDNSForwarderTCPRetries.Load(),
 	}
 }
+
+// EnableRecursiveResolver is whether the node should use its DNS recursive resolver
+// as a fallback. It defaults to enabled unless disabled by the control plane.
+func (k *Knobs) EnableRecursiveResolver() bool {
+	if k == nil {
+		return true
+	}
+	return !k.DisableRecursiveResolver.Load()
+}
--- a/logpolicy/logpolicy.go
+++ b/logpolicy/logpolicy.go
@ -736,7 +736,7 @@ func dialContext(ctx context.Context, netw, addr string, netMon *netmon.Monitor,
 	dnsCache := &dnscache.Resolver{
 		Forward:          dnscache.Get().Forward, // use default cache's forwarder
 		UseLastGood:      true,
-		LookupIPFallback: dnsfallback.MakeLookupFunc(logf, netMon),
+		LookupIPFallback: dnsfallback.MakeLookupFunc(logf, netMon, func() bool { return false }),
 		NetMon:           netMon,
 	}
 	dialer := dnscache.Dialer(nd.DialContext, dnsCache)
--- a/net/dnsfallback/dnsfallback.go
+++ b/net/dnsfallback/dnsfallback.go
@ -44,9 +44,9 @@ var disableRecursiveResolver = envknob.RegisterBool("TS_DNSFALLBACK_DISABLE_RECU
 // MakeLookupFunc creates a function that can be used to resolve hostnames
 // (e.g. as a LookupIPFallback from dnscache.Resolver).
 // The netMon parameter is optional; if non-nil it's used to do faster interface lookups.
-func MakeLookupFunc(logf logger.Logf, netMon *netmon.Monitor) func(ctx context.Context, host string) ([]netip.Addr, error) {
+func MakeLookupFunc(logf logger.Logf, netMon *netmon.Monitor, enableRecursive func() bool) func(ctx context.Context, host string) ([]netip.Addr, error) {
 	return func(ctx context.Context, host string) ([]netip.Addr, error) {
-		if disableRecursiveResolver() {
+		if disableRecursiveResolver() || !enableRecursive() {
 			return lookup(ctx, host, logf, netMon)
 		}

--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@ -2096,6 +2096,9 @@ const (
 	// See Issue 150.
 	NodeAttrDebugDisableDRPO NodeCapability = "debug-disable-drpo"

+	// NodeAttrDisableRecursiveResolver disables the recursive resolver.
+	NodeAttrDisableRecursiveResolver NodeCapability = "disable-recursive-resolver"
+
 	// NodeAttrDisableSubnetsIfPAC controls whether subnet routers should be
 	// disabled if WPAD is present on the network.
 	NodeAttrDisableSubnetsIfPAC NodeCapability = "debug-disable-subnets-if-pac"