Clients can't reach 100.100.100.100 when using exit node and ACL

I have two exit nodes in my tailnet that work completely fine, including MagicDNS and DNS resolution, when using them.

As soon as I remove {"action": "accept", "src": ["*"], "dst": ["*:*"]} from my ACL, none of my devices can resolve DNS names via 100.100.100.100 anymore when using one of the exit nodes. The DNS requests always time out. When not using the exit nodes, DNS resolution via 100.100.100.100 works fine. I can also ping the internet and other tailnet nodes while using the exit nodes; only reaching 100.100.100.100 breaks.

Do I need some specific ACL to allow access to 100.100.100.100 through exit nodes?

I tested this with version 1.38.4 on macOS and 1.39.146 on iOS. The exit nodes (both Linux) are on 1.32.3-1 and 1.40.0.

My ACL (slightly redacted):

{
	"tagOwners": {
		"tag:someserver": ["autogroup:admin"],
		"tag:somerouter":  ["autogroup:admin"],
	},
	"acls": [
		{
			"action": "accept",
			"proto":  "udp",
			"src":    ["*"],
			"dst":    ["internalIPofDNS1:53", "internalIPofDNS2:53"],
		},
		{
			"action": "accept",
			"src":    ["myuser@authprovider"],
			"dst":    ["CIDRofinternalnetwork:*"],
		},
		{"action": "accept", "src": ["myuser@authprovider"], "dst": ["100.0.0.0/8:*"]},
		{"action": "accept", "src": ["tag:somerouter"], "dst": ["100.0.0.0/8:*"]},
	],
	"tests": [],
}

This ACL works as long as I don’t use exit nodes. When I use an exit node (e.g. somerouter), the clients can’t reach 100.100.100.100 anymore.