I am heavily using funnels, and so far they worked without problems.
I recently ran into the issue that 2 of my approx 20 nodes (both Ubuntu 22.04, tailscale 1.40), claim to serve my funnels correctly, like:
root@bear:~# sudo tailscale serve status
# Funnel on: # - https://bear.XXX.ts.net # - https://bear.XXX.ts.net:8443 https://bear.XXX.ts.net (Funnel on) |-- / proxy http://127.0.0.1:10000 https://bear.XXX.ts.net:8443 (Funnel on) |-- / proxy http://127.0.0.1:32400
However, bear.XXX.ts.net is only accessible from the tailnet, and the public DNS does not resolve the machine. Note, that other machine on the tailnet work fine, as seen here from an nslookup from a machine not in the tailnet:
[user@machine ~]$ nslookup moose.XXX.ts.net Server: 126.96.36.199 Address: 188.8.131.52#53 Non-authoritative answer: Name: moose.XXX.ts.net Address: 184.108.40.206 Name: moose.XXX.ts.net Address: 2a00:dd80:20::e3d [user@machine ~]$ nslookup bear.XXX.ts.net Server: 220.127.116.11 Address: 18.104.22.168#53 ** server can't find bear.XXXX.ts.net: NXDOMAIN
I waited more than 2 days, and restarted all servers / funnels several times.
My ISP became quite restrictive, and DNS lookups for tailscale machines are modified / intercepted. The funnels do not work on the nodes, where the ISP intercepts DNS lookups - I have no idea if even more “security” measures are implemented. To circumvent DNS interception, I use
dnscrypt-proxy to ensure this can’t be an issue.
How does tailscale make public DNS entries? Is there a connection from the tailscale node to tailscale server necessary, which could be blocked by the ISP? A
tcpdump didn’t help me (on a first glimpse). I don’t get the above behaviour, as also the tailscale management webpage looks exactly how it should look like, and all nodes work as expected, - only, since a few days, the public DNS entries disappeared and do not appear again for these two nodes.
Can someone help, or at least explain how this could happen?