Using names instead of ports to access hosted applications?

So, I got tailscale set up in docker on my synology.

I like it a lot… Except for the need to specify ports to access other hosted applications. For example, with a more traditional dns/rp setup, I could specify plex as a subdomain, route to port 32400 with nginx, and ultimately access it through a url: plex.nas.net

With tailscale, I need to specify nas:32400 if I wanted to access a service that way.

Is there a way of routing names to ports so it’s a bit more human-friendly?

(I’m aware plex doesn’t really need this. It was just an example for any number of different applications)

There are actually two ways, both using DNS: SRV records and SVCB records.


SRV records are quite simple:

_serviceName._transportName.domainName priorityNumber weightNumber portNumber targetName

A fair number of applications and protocols will automatically use these, but I recommend configuring it even for ones that don’t. It’s very helpful for keeping track of what things are doing and where. In your case, assuming a single endpoint of <yourdevice.yourtailnet.ts.net>:

_plex._tcp.plex.nas.net 0 0 32400 yourdevice.yourtailnet.ts.net

That translates to “the Plex server at <plex.nas.net> is accessible on TCP port 32400 of <yourdevice.yourtailnet.ts.net>”.


SVCB records are an Internet Draft right now, but they’re nearly finalized. I won’t go into too much detail here, but they’re basically SRV records with the ability to include far more information. Right now they are mainly for HTTPS servers and DNS resolvers, but any protocol could specify their use in the future.


MagicDNS won’t let you add records like this directly, unfortunately. If Tailscale supports SRP once that is finalized, that’d be ideal: it allows devices to set these records automatically without overly-chatty multicast DNS.

Appreciate the info

I don’t know if it’s a lack of experience on my side, or a config thing. But try as I may, I can’t seem to get that working.

Is there anything else I should be doing or setting up or have ready to get that to work? I’m using cloudflare, for what it’s worth.

The way I’m doing it is via an internal DNS server and a reverse proxy.
But the following only works because I’m not using domains that are resolvable via the internet.
More on that later.

My DNS server resolves plex.nas to the IP where the reverse proxy is running.
The reverse proxy redirects all requests for plex.nas to the server where Plex is running.
Since the reverse proxy and Plex are running on the same server, the redirect simply goes to localhost:32400

Then I need to make Tailscale able to route requests for plex.nas:
In the DNS settings of the tailscale admin console, I add my DNS server as a (custom) nameserver.
I make sure to enable the “Split DNS” setting and enter “nas”, because I only want tailscale to defer DNS requests to my DNS server for all *.nas domains.

Done!
So now, if I’m away from home and (while connected to my tailnet) enter “https://plex.nas” into my laptop’s browser, this happens:

  1. The local DNS settings of the laptop can’t resolve “plex.nas”, so now tailscale gets a shot.
  2. Tailscale sees that requests for *.nas are to be forwarded to my DNS server.
  3. My DNS server finds the entry for “plex.nas” and responds with the IP.
  4. My browser sends the web-request to that IP, which is the server Plex is running on.
  5. The reverse proxy on that server sees an incoming request for “plex.nas” and redirects it to localhost:32400.
  6. Finally Plex receives the request.

BUT: If you want to use a domain that is resolvable on the internet, this will fail at the first step, because - by default - tailscale will let your device try to resolve domains with its local settings first. For example, had I used plex.nas.net instead of plex.nas, then my laptop would’ve tried to find plex.nas.net on the internet.

I currently know of two ways to work around that:

  • A) You could set a host entry on your laptop, that maps plex.nas.net to the tailnet IP where Plex is running.
  • B) You don’t use split DNS for your DNS server and enable the setting “Override local DNS” (also in the DNS settings of tailscale).

The caveat with B) is that all your tailnet devices will ignore their local DNS settings and only resolve via tailscale.
But since you can also add external DNS servers to tailscale (e.g. Google, Cloudflare, your ISP’s DNS, etc.) that shouldn’t pose too much of a problem.
But if you had specific DNS settings that are on your laptop only and shouldn’t be used for the whole tailnet, then you either have to temporarily disconnect from your tailnet or use solution A).

I had no such need yet, but your mileage may vary. ¯\_(ツ)_/¯
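An nginx server block implementing the reverse-proxy hop from the setup above (plex.nas on the proxy, Plex on localhost:32400), added here as an example rather than the poster's own config. The tailnet IP 100.64.0.10 and the 127.0.0.1:32400 backend are assumed values.

```nginx
# Added example (not from the thread). Assumptions, constructed for
# illustration: this host's tailnet IP is 100.64.0.10 and Plex listens on
# 127.0.0.1:32400 on the same machine. Drop this file into conf.d/.

# Pass the WebSocket upgrade through only when the client asked for one;
# Plex's web UI relies on it.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # Bind to the tailnet address only, so the proxy is reachable from the
    # tailnet and not from the LAN or any other interface.
    listen 100.64.0.10:80;
    server_name plex.nas;

    location / {
        proxy_pass http://127.0.0.1:32400;

        # Preserve the original Host and client address for the backend.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

# Catch-all: a *.nas name that has no block of its own is dropped instead
# of silently landing on the first server block (here, Plex).
server {
    listen 100.64.0.10:80 default_server;
    server_name _;
    return 444;
}
```

The DNS side is a single A record on the internal server, e.g. the dnsmasq line `address=/plex.nas/100.64.0.10` (same assumed IP); with Split DNS for `nas` in the Tailscale admin console, tailnet devices then reach this block by name.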