Internal DNS lookups go via relay

Linux
1

Hi,

Fairly new to tailscale, have scanned the forums and cannot see anything similar so hoping someone can advise if the behavior I am seeing is considered normal.

I am running TS in a k8s container, setup as a subnet router with appropriate (I believe!) forwarding and firewall rules set. I have split DNS in play and route everything destined for my domain to my own DNS servers. Other requests are sent via local DNS I am not using override.

It works perfectly.

Except… I note that when I am in the same local network on a device (iphone in this case) as the subnet router, if I make a DNS lookup for an internal host, the subnet router fires up a link to a relay to route the request back to the DNS servers that reside on the same network I am connected to, once the lookup has been done the connection proceeds as expected over the local network, I have confirmed this using tcpdump, additionally tailscale status shows the device as idle once the initial lookup has been completed.

This perplexes me a little as I would not expect there to be any need to connect to a relay when the DNS servers are one hop away on the same network as the client.

I realise k8s adds some complexity to networking and can provide many more details if there is any interest, just dipping my toe in the water here.

Much thanks!

2

It is common for tailscale to use a relay to negotiate a direct connection with another node - the nodes tell the relays where they are, and how to connect. Once a direct connection is established, it would be kept alive for several minutes so that it won’t need to negotiate that connection again. So if the connections are sporadic, they will usually start with a relay call.

3

Hi, thank you for taking a look, I have done some reading around tailscale and believe what you say to be true, however it does not seem to explain the issue I am seeing, I will try to apply some colour -

All this is whilst connected to an internal network 192.168.50.0/24

split dns *.mydomain.com → 192.168.50.10
everything else → local nameserver (also 192.168.50.10) in this scenario

TS connected iphone 192.168.50.1
k8s subnet container connect to TS and advertising 192.168.50.0/24
DNS server 192.168.50.10
webserver 192.168.50.20 (www.mydomain.com)

If at this point I fire up a browser on the iphone and use the IP 192.168.50.20 to hit the webserver, I see a connection come in from 192.168.50.1 in the nginx logs TS is not used and all is well. TS status show ‘idle’ or ‘-’ depending on when the client was last seen. There is no activity in the TS logs.

However if I attempt the same connection but use the FQDN in the browser (http://www.mydomain.com) I see

2022/04/26 07:44:03 Accept: UDP{100.64.xxx.xxx:52956 > 192.168.50.10:53} 77 ok
2022/04/26 07:44:03 Accept: UDP{192.168.50.10:53 > 100.64.xxx.xxx:52956} 164 ok out

in the TS logs, and status shows the client it has spun up a link to the local relay

100.110.xxx.xxx scoth-iphone xxx.xxx@ iOS active; relay “sin”, tx 1420 rx 996

looking at the logs on the webserver, I still see the hit come direct from 192.168.50.1 and have confirmed via tcpdump that the trafffic does not traverse TS.

So the question is when I am using DNS why does the iphone fire up a link to the relay, I see no good reason for this, given it can clearly route to the network and therefore the DNS server without it.

Have I misunderstood something or is my config a little wonky? :slight_smile: