Tailscale with pfsense exit node, no DNS
-
1.82.0 is released with some MagicDNS fixes.
I manually updated my NAS docker container.
tailscale update reboot
Give it a few days for a FreeBSD package to be available.
-
@elvisimprsntr I'll give it another try once that version makes it to Google Play, but at first glance this appears to be an unrelated bugfix. I have been experiencing this issue using a v1.82.0 client on Linux, which should include the patch you mention. My pfSense box is currently running 1.80.3, so maybe it's worth testing 1.80.3_1 in case that makes a difference.
I agree with @Soloam above that this is likely an issue only experienced by headscale users. Regardless, I think it's the pfSense package that requires fixing as my other exit nodes running Linux have not had any issues. I don't have the time right now to delve into the Tailscale, FreeBSD, and pfSense codebases at the moment, but I hope to support this bugfix however I can.
I am hopeful someone on this forum can help contextualize this issue in terms of pfSense's DNS system and point us (me) in the right direction for contributing a fix.
-
I upgraded 2.7.2 CE to TS 1.82.0
No issues so far.
-
I was on the stock version (pfSense community 2.7.2) of tailscale connecting to headscale.
I upgraded tailscale client on pfsense to 1.82.5 while leaving headscale unchanged. I was able to reproduce the problem -- my android tailscale client cannot resolve dns when using the tailscale client on pfsense as an exit node. If I disable "Use tailscale DNS" on my android client, internet connectivity works.
I am going to leave it broken for now, if anyone wants me to try different things. Thanks.
-
@jacobhall @Defiling2063
I think it has something to do with DNS over HTTPS (DoH). I have all the same issues. For me it worked after setup until I rebooted.
It seems that the clients are pushed a faulty DNS config and think they can do DNS over HTTPS:
sudo tailscale dns status
Resolvers (in preference order):
- 1.1.1.1
- 9.9.9.9
I can use dig to check that the dns resolves using these servers just fine.
When the system uses tailscale's DNS servers, the issue arises:
% tailscale dns query apple.com
DNS query for "apple.com" (A) using internal resolver: failed to query DNS: 500 Internal Server Error: resolving using "/dns-query": unrecognized resolver type "/dns-query" unrecognized resolver type "/dns-query"
My guess is that headscale is pushing a faulty dns config?
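The diagnosis in the post above (list the resolvers from `tailscale dns status`, check each one directly, then see whether `tailscale dns query` returns the `"/dns-query"` resolver-type error) can be scripted so it is repeatable after a pfSense reboot. This is an added example, not code from the thread or from Tailscale; it assumes the `tailscale` CLI (a version with the `dns status` / `dns query` subcommands) and `dig` are installed, and the offline checks use constructed copies of the output shown in the post.

```shell
#!/bin/sh
# Added example: reproduce the DNS diagnosis from the thread in a repeatable way.
# Assumptions: `tailscale` and `dig` are on PATH; nothing here changes configuration.

# Extract resolver addresses from `tailscale dns status` text (stdin), one per line.
# Resolver lines in that output look like "- 1.1.1.1" under a "Resolvers" header.
parse_resolvers() {
  awk '/^Resolvers/ { inres = 1; next }
       inres && /^- / { print $2; next }
       inres && !/^- / { inres = 0 }'
}

# Classify the text returned by `tailscale dns query`:
#   doh-path-bug  - the 'unrecognized resolver type "/dns-query"' error from the post
#   fail          - any other "failed to query DNS" error
#   ok            - anything else (an answer was returned)
classify_query() {
  case "$1" in
    *'unrecognized resolver type "/dns-query"'*) echo doh-path-bug ;;
    *'failed to query DNS'*)                      echo fail ;;
    *)                                            echo ok ;;
  esac
}

# Live check: resolve a name directly through each pushed resolver with dig,
# then through Tailscale's internal resolver, and report both.
check_live() {
  name="${1:-apple.com}"
  status="$(tailscale dns status 2>&1)" || { echo "tailscale dns status failed"; return 1; }
  for r in $(printf '%s\n' "$status" | parse_resolvers); do
    if dig +short +time=2 @"$r" "$name" A >/dev/null 2>&1; then
      echo "direct via $r: ok"
    else
      echo "direct via $r: fail"
    fi
  done
  q="$(tailscale dns query "$name" 2>&1)"
  echo "tailscale internal resolver: $(classify_query "$q")"
}

# Usage on a client that uses the pfSense exit node:  check_live example.com
# "direct ... ok" together with "internal resolver: doh-path-bug" is the pattern
# described in the post (resolvers reachable, MagicDNS path broken).
```

Run `check_live` once while the exit node works and again after rebooting pfSense; a change from `ok` to `doh-path-bug` on the internal resolver while the direct checks stay `ok` isolates the problem to the pushed DNS config rather than the resolvers themselves.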
-
I would like to note here that Headscale recently released version v0.26.0, which included some significant changes. I intend to test if the DNS issues persist using this new version soon.
@mathiashedberg, would you be willing to share the software versions you tried in your testing, for our reference? Many thanks.
Additionally, I have been dealing with this unrelated issue with Tailscale (w/ Headscale) on Android, in case you fellow Headscale users are experiencing something similar... I'm trying to iron out the usability of this VPN system :)
-
Quick update: I upgraded my Headscale control server to version 0.26.0, and this issue persists. I continue to use the pfSense-pkg-Tailscale 0.1.4 and tailscale 1.80.3 in pfSense.
-
@jacobhall Hi.
For me the issue was prevalent pre-0.26. I set up a new fresh headscale instance with v0.26.0 (upgrade did not work) and everything worked until I rebooted pfSense.
I mitigate this by adding --accept-dns=False to my clients when using exit nodes, and then set that dns manually in the system.
Regarding issues, I'm dealing with this also: https://github.com/juanfont/headscale/issues/2634
-
@mathiashedberg to clarify, even using your fresh 0.26.0 instance, your clients had to disable the accept-dns option when using the pfSense exit node? This aligns with my experience (with both 0.26.0 and previous versions).
Setting the DNS manually is possible, but a headache. I don't want to make all of my users do so, especially on mobile.
Regarding issues, I'm dealing with this also: https://github.com/juanfont/headscale/issues/2634
Concerning indeed!
-
@jacobhall With my fresh instance on 0.26.0, and pfsense added to the net, my clients could use pfsense as an exit node without disabling accept-dns. It was only after rebooting that it stopped working.
-
Any luck getting this fixed? I am running into the exact same issue with my setup. Latest Headscale (0.26.1), pfSense 2.7.2, and Tailscale package 1.84.2 installed on pfSense.