Fix MagicDNS incompatibility with Home Assistant's DNS #455

Open
wants to merge 18 commits into
base: main

lmagyar
Contributor

@lmagyar lmagyar commented Jan 20, 2025

Proposed Changes

This was a permanent returning issue.

Problem:

  • MagicDNS (TS DNS on 100.100.100.100 + magical modification of any system's DNS settings), when it can't resolve something, doesn't return REFUSED, SERVFAIL or NXDOMAIN, but calls the original DNS server (based on the DNS config that existed before TS started, in our case /etc/resolv.conf)
  • on HA, this is hassio_dns, where we configure to first call 100.100.100.100
  • loop, crash...

Not solutions:

  • there is no way to modify this TS DNS behavior
  • permanent accept_dns=false disables the DNS config's magical modification, but also disables accepting configured global nameservers by 100.100.100.100 from TS admin page, they won't be called, it would break things
    • Tailscale's docker image has accept_dns=false by default, but that doesn't solve the issue when users enable it

Solution:

  • mount an empty resolv.conf for tailscaled (for any other process, there is the default add-on resolv.conf pointing to hassio_dns)
    • if a resolution is requested by any process (in the TS add-on or in any other container), it first goes to hassio_dns, then hassio_dns calls 100.100.100.100 (if configured), if 100.100.100.100 returns an error, hassio_dns calls the next server, this is the normal HA way to do DNS queries
    • but TS fills the log with warnings for every non-resolved DNS request: dns: resolver: forward: no upstream resolvers set, returning SERVFAIL
  • start a dummy dnsmasq, that answers REFUSED for everything, and use it in the fake resolv.conf for tailscaled
    • it runs on 127.52.52.52:53, only port 53 is allowed in resolv.conf (52 is TS's "magic number", also used in iptables, etc.)
    • I've tried to hide it with a network namespace, but my Linux (apparmor?) experience wasn't enough to achieve this
  • UPDATE: the dummy dnsmasq also provides bootstrap DNS resolution for the login_server option, to support headscale users

Positive side effects:

  • name resolution works the same in the TS add-on as in any other container in HA
  • if TS add-on (and DNS) is down, HA will work normally, though it will resolve funnel-ed devices with their external public address, but even this is correct

Negative side effects:

  • we must configure 100.100.100.100 in HA net settings, tailnet resolution even inside the TS add-on won't work without this, a bit strange for TS users (who should not cli into the TS container in the first place), but correct for HA, so I think it is fine
  • ping tailnet-device-name doesn't work, only ping tailnet-device-name.tailxxxx.ts.net, so without domain, only local.hass.io domain works, but this is the default HA behavior, so I think it is fine

Related Issues

Summary by CodeRabbit

  • Documentation

    • Revised DNS section for improved clarity and detail on configuration options.
    • Updated description of accept_dns option to reflect its role in accepting DNS settings.
  • New Features

    • Included dnsmasq and bind-tools packages to enhance DNS functionality.
    • Introduced new AppArmor profile for improved security.
    • Added scripts for managing dnsmasq service operations effectively.
    • Added new operational mode for dnsmasq service.
  • Configuration

    • Added SYS_ADMIN privilege to expand service capabilities.
    • Enhanced DNS configuration management for better flexibility.
  • Bug Fixes

    • Improved DNS configuration to mitigate potential conflicts.
    • Enhanced logging and error handling for DNS services.
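
The forwarding chain from the PR description, modelled as an added example (not code from the add-on): a toy resolver graph that shows why the default resolv.conf loops for non-tailnet names, and how an empty resolv.conf or the REFUSED dummy on 127.52.52.52 breaks the cycle. The upstream resolver 192.0.2.53, the record values and the name device.tailxxxx.ts.net are constructed, and relaying the last upstream error code is a simplifying assumption.

```python
"""Toy model of the DNS forwarding chain from the PR description (added example)."""
from dataclasses import dataclass, field

HASSIO = "hassio_dns"        # Home Assistant's DNS container, as named in the PR
QUAD100 = "100.100.100.100"  # Tailscale's MagicDNS resolver
DUMMY = "127.52.52.52"       # the PR's dummy dnsmasq that refuses everything
PUBLIC = "192.0.2.53"        # constructed stand-in for a normal upstream resolver


class ForwardingLoop(Exception):
    """A query was forwarded back to a resolver that is still waiting on it."""


@dataclass
class Resolver:
    records: dict = field(default_factory=dict)    # names answered locally
    upstreams: list = field(default_factory=list)  # forwarders, tried in order
    empty_rcode: str = "SERVFAIL"                  # rcode when there is nobody to ask


def build_net(tailscaled_upstreams):
    """tailscaled_upstreams: the nameservers tailscaled read from *its* resolv.conf."""
    return {
        # HA is configured to ask 100.100.100.100 first, then the normal DNS server.
        HASSIO: Resolver(upstreams=[QUAD100, PUBLIC]),
        # MagicDNS answers tailnet names and forwards the rest to what it found
        # in resolv.conf; with no upstream it returns SERVFAIL (the log warning).
        QUAD100: Resolver(records={"device.tailxxxx.ts.net": "100.64.0.7"},
                          upstreams=list(tailscaled_upstreams)),
        DUMMY: Resolver(empty_rcode="REFUSED"),
        PUBLIC: Resolver(records={"example.com": "192.0.2.10"},
                         empty_rcode="NXDOMAIN"),
    }


def resolve(net, server, qname, trace, waiting=()):
    """Depth-first forwarding; 'waiting' holds resolvers with a query in flight."""
    trace.append(server)
    if server in waiting:
        raise ForwardingLoop(server)
    node = net[server]
    if qname in node.records:
        return "NOERROR", node.records[qname]
    rcode = node.empty_rcode
    for upstream in node.upstreams:
        rcode, answer = resolve(net, upstream, qname, trace, waiting + (server,))
        if rcode == "NOERROR":
            return rcode, answer
    return rcode, None  # relay the last error (assumption of this model)


def lookup(tailscaled_upstreams, qname, start=HASSIO):
    """Return (rcode or 'LOOP', answer, ordered list of resolvers queried)."""
    trace = []
    try:
        rcode, answer = resolve(build_net(tailscaled_upstreams), start, qname, trace)
    except ForwardingLoop:
        return "LOOP", None, trace
    return rcode, answer, trace


if __name__ == "__main__":
    scenarios = [
        ("default resolv.conf (before the fix)", [HASSIO]),
        ("empty resolv.conf for tailscaled", []),
        ("fake resolv.conf -> dummy REFUSED resolver", [DUMMY]),
    ]
    for label, upstreams in scenarios:
        print(label)
        for qname in ("device.tailxxxx.ts.net", "example.com"):
            rcode, answer, trace = lookup(upstreams, qname)
            print(f"  {qname}: {rcode} {answer} via {' -> '.join(trace)}")
```
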


coderabbitai bot commented Jan 20, 2025

Warning

Rate limit exceeded

@lmagyar has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 5 minutes and 41 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between a085117 and 4953ad0.

📒 Files selected for processing (1)
  • tailscale/DOCS.md (4 hunks)

Walkthrough

This pull request introduces comprehensive changes to the Tailscale Home Assistant Community Add-on, focusing on DNS configuration and documentation improvements. The modifications include updating the documentation with clearer explanations of DNS settings, adding a new AppArmor profile, installing dnsmasq, and enhancing the S6 overlay scripts to manage DNS-related services more effectively. The changes aim to provide better control and understanding of DNS configuration within the Tailscale add-on.

Changes

File Change Summary
tailscale/DOCS.md Added new DNS section, updated accept_dns option description, improved documentation clarity
tailscale/Dockerfile Added bind-tools=9.18.33-r0 and dnsmasq=2.90-r3 package installations
tailscale/apparmor.txt New AppArmor profile for Tailscale with enhanced permissions
tailscale/config.yaml Added SYS_ADMIN privilege
tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/* New scripts for managing dnsmasq service (run, finish, type)
tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run Updated script with new log level variables and DNS configuration handling
tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh Added conditional logic to manage dnsmasq service
tailscale/translations/en.yaml Updated accept_dns configuration description

Possibly related PRs

  • Update docs with DNS settings #428: The changes in the main PR regarding the accept_dns option and DNS configuration in the documentation are directly related to the updates in the retrieved PR, which also focuses on enhancing clarity around DNS settings and their implications for users.
  • Update add-on docs to match updated Tailscale docs #416: The changes in the main PR regarding the accept_dns option and DNS configuration updates in the documentation are related to the modifications in the retrieved PR, which also focuses on enhancing the clarity of the Tailscale add-on documentation, including sections relevant to networking and configuration.

Suggested labels

bugfix, documentation

Suggested reviewers

  • frenck

Poem

🐰 A Tailscale Tail of DNS Delight
In the realm of networks, a rabbit's might,
Dnsmasq dances, configs shine bright,
AppArmor guards with permissions tight,
Resolving queries with magical sight,
Our addon's journey reaches new height! 🌐


@lmagyar lmagyar marked this pull request as ready for review January 26, 2025 21:25

coderabbitai bot commented Jan 26, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
tailscale/DOCS.md (1)

438-469: Fix minor formatting and grammar issues in advanced DNS configuration.

The advanced DNS configuration section has some minor issues:

Apply these corrections:

  • Line 444: Remove comma before "because"
  • Line 450: Remove duplicate "the"
  • Line 458: Change "eg." to "e.g."
  • Line 465: Remove comma before "because"
🧰 Tools
🪛 LanguageTool

[uncategorized] ~438-~438: Use a comma before ‘and’ if it connects two independent clauses (unless they are closely connected and short).
Context: ...sing Tailscale DNS to resolve everything and you have your own DNS (like AdGuard) _o...

(COMMA_COMPOUND_SENTENCE)


[formatting] ~444-~444: If the ‘because’ clause is essential to the meaning, do not use a comma before the clause.
Context: ...s global nameserver on the admin console, because you want to redirect all DNS queries wi...

(COMMA_BEFORE_BECAUSE)


[duplication] ~450-~450: Possible typo: you repeated a word.
Context: ...f your tailnet that are configured on the the admin console above. This will preven...

(ENGLISH_WORD_REPEAT_RULE)


[uncategorized] ~455-~455: The abbreviation “e.g.” (= for example) requires two periods.
Context: ...gure your DNS as the only DNS server (eg. IPv4: 127.0.0.1, IPv6: ::1). - In your...

(E_G)


[uncategorized] ~457-~457: Possible missing comma found.
Context: ...IPv4: 127.0.0.1, IPv6: ::1). - In your DNS configure Tailscale DNS for your tailne...

(AI_HYDRA_LEO_MISSING_COMMA)


[uncategorized] ~458-~458: The abbreviation “e.g.” (= for example) requires two periods.
Context: ...ailnet domain as upstream DNS server (eg. in case of AdGuard `[/tail1234.ts.net/]...

(E_G)


[uncategorized] ~461-~461: The abbreviation “e.g.” (= for example) requires two periods.
Context: ... can configure your normal DNS servers (eg. 192.168.1.1 or 1.1.1.1) at the second o...

(E_G)


[formatting] ~465-~465: If the ‘because’ clause is essential to the meaning, do not use a comma before the clause.
Context: ...n Home Assistant's network configuration, because when accept_dns option is disabled, T...

(COMMA_BEFORE_BECAUSE)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7438621 and e7bfcaf.

📒 Files selected for processing (10)
  • tailscale/DOCS.md (4 hunks)
  • tailscale/Dockerfile (1 hunks)
  • tailscale/apparmor.txt (1 hunks)
  • tailscale/config.yaml (1 hunks)
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/finish (1 hunks)
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/run (1 hunks)
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/type (1 hunks)
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run (2 hunks)
  • tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh (1 hunks)
  • tailscale/translations/en.yaml (1 hunks)
✅ Files skipped from review due to trivial changes (1)
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/type
🧰 Additional context used
🪛 LanguageTool
tailscale/DOCS.md

[uncategorized] ~91-~91: Possible missing comma found.
Context: ...le_dns] of the admin console. For more information see the "DNS" section of this documenta...

(AI_HYDRA_LEO_MISSING_COMMA)


[uncategorized] ~368-~368: The abbreviation “i.e.” (= that is) requires two periods.
Context: ...n name instead of only the device name, ie. `ping some-tailnet-device.tail1234.ts.n...

(I_E)


[grammar] ~385-~385: It appears that a pronoun is missing.
Context: ... in the add-on, is that Tailscale's DNS when can't resolve a query, instead of retur...

(WHERE_MD_VB)


[uncategorized] ~404-~404: The abbreviation “e.g.” (= for example) requires two periods.
Context: ...0::53). Move your normal DNS servers (eg. 192.168.1.1 or 1.1.1.1) to lower positi...

(E_G)


[uncategorized] ~429-~429: The abbreviation “e.g.” (= for example) requires two periods.
Context: ... can configure your normal DNS servers (eg. 192.168.1.1 or 1.1.1.1) at the second o...

(E_G)


[style] ~434-~434: The adverb ‘also’ is commonly used to connect clauses and isn’t usually used at the end of a phrase or before a conjunction. Consider replacing it with a more formal alternative.
Context: ... DNS will resolve non-tailnet addresses also. Whether you have your own DNS (like Ad...

(ALSO_AS_WELL)


🔇 Additional comments (13)
tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/run (2)

8-8: LGTM! Good choice of IP address.

The chosen IP address (127.52.52.52) is within the loopback range but uses an uncommon subnet to avoid conflicts with other services.


12-16: LGTM! Well-configured dummy DNS setup.

The dnsmasq configuration is secure and properly isolated:

  • Binds only to specific interface
  • Runs in foreground for proper supervision
  • Refuses all queries as intended
  • Uses port 53 as required for resolv.conf
tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/finish (1)

15-25: LGTM! Robust exit handling implementation.

The script properly manages service shutdown with appropriate exit code handling:

  • Preserves signal-based exits (code 256)
  • Special handling for SIGTERM (signal 15)
  • Maintains container exit codes
tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run (2)

38-40: LGTM! Good DNS loop prevention strategy.

The implementation correctly prevents DNS loops by isolating tailscaled's DNS configuration from the system.


52-62: Verify mount namespace isolation.

While the mount namespace isolation is a good approach, ensure that:

  1. The mount namespace is properly cleaned up on service restart
  2. The file permissions are preserved during the move operation
tailscale/config.yaml (1)

24-24: Verify the necessity of SYS_ADMIN privilege.

While SYS_ADMIN is required for mount namespace operations, it's a powerful capability. Consider if a more limited capability like CAP_SYS_CHROOT would suffice for the mount --bind operation.

✅ Verification successful

SYS_ADMIN capability is required for Tailscale's core functionality

The capability is necessary for network namespace operations and interface management, which are essential for Tailscale's VPN functionality. CAP_SYS_CHROOT would not be sufficient as Tailscale requires full network namespace management capabilities.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check if the mount operation works with CAP_SYS_CHROOT
# Note: This is a theoretical check as the actual test would require runtime capabilities
capsh --print | grep cap_sys_admin

Length of output: 132


Script:

#!/bin/bash
# Search for mount-related operations and SYS_ADMIN references
echo "=== Searching for mount operations ==="
rg -i "mount" --type yaml --type go -C 2

echo -e "\n=== Searching for SYS_ADMIN references ==="
rg -i "sys_admin" --type yaml --type go -C 2

echo -e "\n=== Checking README and docs ==="
fd "README|\.md$" -t f -X cat

Length of output: 30735

tailscale/apparmor.txt (2)

3-9: LGTM! AppArmor profile correctly configured with necessary flags and base abstractions.

The profile is properly set up with:

  • attach_disconnected flag for handling disconnected paths
  • mediate_deleted flag for mediating deleted files
  • Required signal capabilities for process management

43-47: Verify mount capabilities for DNS fix.

The mount capabilities and rules look correct for the MagicDNS fix:

  • sys_admin capability for mount operations
  • Root filesystem mount with rprivate for proper isolation
  • Bind mount for tailscaled resolver configuration
tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh (1)

8-15: LGTM! Correct service management logic for dnsmasq.

The conditional block properly handles dnsmasq service based on configuration:

  • Disables when userspace networking is enabled
  • Disables when DNS acceptance is disabled
  • Correctly removes both service and dependency files
tailscale/Dockerfile (1)

13-13: Verify dnsmasq package version for security vulnerabilities.

The dnsmasq package version 2.90-r3 is added as a dependency.

tailscale/translations/en.yaml (1)

6-7: LGTM! Clear and accurate description of accept_dns option.

The updated description correctly explains:

  • Purpose of accepting DNS settings from tailnet
  • Configuration location in admin console
tailscale/DOCS.md (2)

348-394: LGTM! Comprehensive explanation of DNS functionality.

Excellent documentation of:

  • DNS server functionality at 100.100.100.100
  • MagicDNS components and limitations
  • DNS resolution behavior
  • Loop prevention mechanism

397-415: LGTM! Clear instructions for basic DNS configuration.

Well-documented scenario for resolving only tailnet devices:

  • Correct DNS server configuration
  • Proper order of DNS servers
  • Fallback behavior

coderabbitai bot commented Jan 27, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
tailscale/DOCS.md (2)

88-93: Add a comma for better readability.

Add a comma after "console" to improve readability.

-This option allows you to accept DNS settings of your tailnet that are
-configured on the [DNS page][tailscale_dns] of the admin console.
+This option allows you to accept DNS settings of your tailnet that are
+configured on the [DNS page][tailscale_dns] of the admin console,
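
Review bot: The `+` line ends "of the admin console," with a comma where the `-` line had a period, but the LanguageTool context quoted below shows the next sentence begins "For more information see ...", so this change would run two sentences together. The flagged comma belongs after "For more information"; keep the period after "console" and add the comma there instead.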
🧰 Tools
🪛 LanguageTool

[uncategorized] ~91-~91: Possible missing comma found.
Context: ...le_dns] of the admin console. For more information see the "DNS" section of this documenta...

(AI_HYDRA_LEO_MISSING_COMMA)


348-469: Excellent documentation of DNS configuration!

The new DNS section comprehensively addresses the MagicDNS incompatibility issue and provides clear guidance for different scenarios. The explanation of why MagicDNS's local DNS configuration manipulation is disabled (lines 384-390) is particularly valuable.

However, there are a few minor grammatical improvements needed:

  1. Line 385: "is that Tailscale's DNS when can't resolve" should be "is that when Tailscale's DNS can't resolve"
  2. Line 434: Move "also" before "resolve": "will also resolve non-tailnet addresses"
  3. Lines 418, 421, 440, 443: Add commas after "console" and before "your"
-The reason that Tailscale's "magical" local DNS configuration manipulation is
-permanently disabled in the add-on, is that Tailscale's DNS when can't resolve
+The reason that Tailscale's "magical" local DNS configuration manipulation is
+permanently disabled in the add-on, is that when Tailscale's DNS can't resolve

-Tailscale's DNS will resolve non-tailnet addresses also.
+Tailscale's DNS will also resolve non-tailnet addresses.

-On the [DNS page][tailscale_dns] of the admin console you already enabled
+"On the [DNS page][tailscale_dns] of the admin console, you already enabled

-In this scenario your Home Assistant device's tailnet IP
+In this scenario, your Home Assistant device's tailnet IP
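
Review bot: The third replacement's `+` line opens with a stray double quote (`+"On the [DNS page][tailscale_dns] ...`) that is not in the `-` line and is never closed; drop it before applying. The first replacement also keeps the comma in "disabled in the add-on, is that", which still separates the subject from its verb, so remove that comma in the same change.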
🧰 Tools
🪛 LanguageTool

[grammar] ~385-~385: It appears that a pronoun is missing.
Context: ... in the add-on, is that Tailscale's DNS when can't resolve a query, instead of retur...

(WHERE_MD_VB)


[uncategorized] ~418-~418: Possible missing comma found.
Context: ... [DNS page][tailscale_dns] of the admin console you already enabled "Override local DNS...

(AI_HYDRA_LEO_MISSING_COMMA)


[uncategorized] ~421-~421: Possible missing comma found.
Context: ...l nameservers". Important: In this scenario your Home Assistant device's tailnet IP...

(AI_HYDRA_LEO_MISSING_COMMA)


[style] ~434-~434: The adverb ‘also’ is commonly used to connect clauses and isn’t usually used at the end of a phrase or before a conjunction. Consider replacing it with a more formal alternative.
Context: ... DNS will resolve non-tailnet addresses also. Whether you have your own DNS (like Ad...

(ALSO_AS_WELL)


[uncategorized] ~438-~438: Use a comma before ‘and’ if it connects two independent clauses (unless they are closely connected and short).
Context: ...sing Tailscale DNS to resolve everything and you have your own DNS (like AdGuard) _o...

(COMMA_COMPOUND_SENTENCE)


[uncategorized] ~440-~440: Possible missing comma found.
Context: ... [DNS page][tailscale_dns] of the admin console you already enabled "Override local DNS...

(AI_HYDRA_LEO_MISSING_COMMA)


[uncategorized] ~443-~443: Possible missing comma found.
Context: ...l nameservers". Important: In this scenario your Home Assistant device's tailnet IP...

(AI_HYDRA_LEO_MISSING_COMMA)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e7bfcaf and a7e5131.

📒 Files selected for processing (1)
  • tailscale/DOCS.md (4 hunks)
🔇 Additional comments (1)
tailscale/DOCS.md (1)

320-323: LGTM! Good cross-referencing.

The addition provides helpful context about DNS resolution and appropriately directs users to the detailed DNS configuration section.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
tailscale/DOCS.md (1)

394-394: Add a comma for better readability.

-More information: [What is 100.100.100.100][tailscale_info_quad100], [DNS in Tailscale][tailscale_info_dns], [MagicDNS][tailscale_info_magicdns], [Access a Pi-hole from anywhere][tailscale_info_pi_hole]
+More information: [What is 100.100.100.100][tailscale_info_quad100], [DNS in Tailscale][tailscale_info_dns], [MagicDNS][tailscale_info_magicdns], [Access a Pi-hole from anywhere][tailscale_info_pi_hole],
 
 Below we describe some typical scenarios for DNS configuration.
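
Review bot: The `+` line appends a comma after the last link (`[tailscale_info_pi_hole],`), but the context lines show a blank line and then "Below we describe ..." starting a new paragraph, so the link list would end in a dangling comma. The LanguageTool hint appears to come from joining the two lines; leave the original line unchanged.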
🧰 Tools
🪛 LanguageTool

[uncategorized] ~394-~394: Possible missing comma found.
Context: ...from anywhere][tailscale_info_pi_hole] Below we describe some typical scenarios for ...

(AI_HYDRA_LEO_MISSING_COMMA)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a7e5131 and 7a2beaa.

📒 Files selected for processing (1)
  • tailscale/DOCS.md (4 hunks)
🧰 Additional context used
🪛 LanguageTool
tailscale/DOCS.md

[uncategorized] ~413-~413: Possible missing comma found.
Context: ...values remain in the DNS cache for some time even after the add-on is started and Ta...

(AI_HYDRA_LEO_MISSING_COMMA)


[uncategorized] ~432-~432: Possible missing comma found.
Context: ...the second or lower positions. In this configuration Home Assistant (as any other general de...

(AI_HYDRA_LEO_MISSING_COMMA)


[uncategorized] ~438-~438: Use a comma before ‘and’ if it connects two independent clauses (unless they are closely connected and short).
Context: ...sing Tailscale DNS to resolve everything and you have your own DNS (like AdGuard) _o...

(COMMA_COMPOUND_SENTENCE)

🔇 Additional comments (4)
tailscale/DOCS.md (4)

88-93: LGTM! Clear and accurate description of the accept_dns option.

The updated description precisely explains the option's purpose and provides helpful references to both the DNS configuration page and the detailed DNS section.


320-323: LGTM! Good addition about DNS resolution capabilities.

The new text effectively explains the relationship between userspace networking and DNS resolution, with a helpful reference to the detailed DNS section.


348-394: LGTM! Excellent explanation of DNS functionality and configuration.

The new section thoroughly explains the DNS configuration requirements and limitations, particularly addressing the MagicDNS incompatibility issue with Home Assistant's DNS. The root cause of the DNS loop issue is well-documented, helping users understand why certain configurations are necessary.


397-469: LGTM! Well-structured DNS configuration scenarios.

The documentation provides clear, practical examples for common DNS configuration scenarios:

  1. Using Tailscale DNS for tailnet devices only
  2. Using Tailscale DNS for all resolution
  3. Using Tailscale DNS with local DNS services

Each scenario includes proper configuration steps and important notes about potential issues.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
tailscale/DOCS.md (1)

91-91: Consider adding commas for improved readability.

Minor formatting suggestions to improve readability:

  • Line 91: Add comma after "console"
  • Line 394: Add comma after "pi-hole]"
  • Line 432: Add comma after "positions"
  • Line 438: Add comma before "and"
  • Line 457: Add comma after "::1)"

Also applies to: 394-394, 432-432, 438-438, 457-457

🧰 Tools
🪛 LanguageTool

[uncategorized] ~91-~91: Possible missing comma found.
Context: ...le_dns] of the admin console. For more information see the "DNS" section of this documenta...

(AI_HYDRA_LEO_MISSING_COMMA)

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 7be97d4 and f218500.

📒 Files selected for processing (10)
  • tailscale/DOCS.md (4 hunks)
  • tailscale/Dockerfile (1 hunks)
  • tailscale/apparmor.txt (1 hunks)
  • tailscale/config.yaml (1 hunks)
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/finish (1 hunks)
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/run (1 hunks)
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/type (1 hunks)
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run (2 hunks)
  • tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh (1 hunks)
  • tailscale/translations/en.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (8)
  • tailscale/config.yaml
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/type
  • tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh
  • tailscale/apparmor.txt
  • tailscale/Dockerfile
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/finish
  • tailscale/translations/en.yaml
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/run
🧰 Additional context used
🪛 LanguageTool
tailscale/DOCS.md

[uncategorized] ~457-~457: Possible missing comma found.
Context: ...IPv4: 127.0.0.1, IPv6: ::1). - In your DNS configure Tailscale DNS for your tailne...

(AI_HYDRA_LEO_MISSING_COMMA)

🔇 Additional comments (5)
tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run (3)

8-9: LGTM! Well-structured log level variables.

The readonly variables provide clear and informative messages about log suppression behavior.


40-50: LGTM! Clean implementation of the regular execution path.

The code properly handles both debug and non-debug modes while maintaining consistent log suppression behavior.


52-62: Verify mount namespace isolation.

The implementation uses unshare -m to isolate the mount changes, which is crucial for preventing DNS loops. The mount binding of the fake resolv.conf appears correct.

Let's verify the mount namespace isolation:

tailscale/DOCS.md (2)

348-394: LGTM! Excellent documentation of DNS behavior and limitations.

The documentation clearly explains:

  • The components of MagicDNS
  • Why automatic DNS configuration is disabled
  • The DNS loop issue and its solution


397-469: LGTM! Comprehensive coverage of DNS configuration scenarios.

The documentation provides clear instructions for common scenarios:

  • Using Tailscale DNS for tailnet devices only
  • Using Tailscale DNS for all resolution
  • Integration with local DNS services

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
tailscale/DOCS.md (1)

91-91: Consider adding commas for improved readability.

Add commas in the following places:

  • Line 91: "For more information, see the "DNS" section"
  • Line 394: "Tailscale_info_pi_hole], Below we describe"
  • Line 438: "resolve everything, and you have your own DNS"
  • Line 448: "configuration, disable accept_dns"
  • Line 457: "In your DNS, configure Tailscale DNS"

Also applies to: 394-394, 438-438, 448-448, 457-457

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between f218500 and b5ca06f.

📒 Files selected for processing (10)
  • tailscale/DOCS.md (4 hunks)
  • tailscale/Dockerfile (1 hunks)
  • tailscale/apparmor.txt (1 hunks)
  • tailscale/config.yaml (1 hunks)
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/finish (1 hunks)
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/run (1 hunks)
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/type (1 hunks)
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run (2 hunks)
  • tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh (1 hunks)
  • tailscale/translations/en.yaml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (8)
  • tailscale/config.yaml
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/type
  • tailscale/Dockerfile
  • tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/finish
  • tailscale/translations/en.yaml
  • tailscale/apparmor.txt
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/dnsmasq/run
🧰 Additional context used
🪛 LanguageTool
tailscale/DOCS.md

[uncategorized] ~448-~448: Possible missing comma found.
Context: ...ning on this device. - In the add-on's configuration disable accept_dns option and restart...

(AI_HYDRA_LEO_MISSING_COMMA)


🔇 Additional comments (6)
tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run (4)

8-9: LGTM! Well-structured logging configuration.

The readonly variables improve maintainability by centralizing log suppression messages.


38-40: LGTM! Effective DNS loop prevention.

The implementation elegantly prevents DNS loops by mounting a separate resolv.conf only for tailscaled using namespace isolation.


41-50: LGTM! Clean execution path implementation.

The code maintains a clear separation between debug and non-debug modes while implementing consistent log suppression.


52-62: LGTM! Safe namespace isolation implementation.

The code safely isolates DNS configuration changes using mount namespace separation while maintaining consistent logging behavior.

tailscale/DOCS.md (2)

348-394: LGTM! Comprehensive DNS documentation.

The new DNS section effectively explains:

  • The DNS resolution mechanism
  • Special considerations for the add-on
  • The rationale behind disabling MagicDNS's local DNS configuration manipulation


397-469: LGTM! Well-documented DNS configuration scenarios.

The documentation effectively covers:

  • Using Tailscale DNS for tailnet devices only
  • Using Tailscale DNS for all resolution
  • Complex scenarios with local DNS services

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (2)
tailscale/DOCS.md (2)

88-93: Clarify the accept_dns Option Description

The updated description now clearly states that enabling accept_dns causes the add-on to accept DNS settings as configured on the Tailnet’s DNS page. This improves the clarity over the previous version. Consider, however, whether mentioning consequences of disabling the option or linking to further configuration examples might be beneficial for less experienced users.


348-395: Comprehensive New DNS Section Added

The new DNS section is a significant improvement. It thoroughly explains how Tailscale’s DNS operates in relation to the userspace_networking mode and details the pitfalls of the "magical" local DNS configuration manipulation that has been disabled in this add-on. The explanation about the dual components of MagicDNS is informative. A few minor grammatical tweaks (for example, ensuring sentences like “and completely disabled in this add-on” read as “and is completely disabled in this add-on”) and a potential use of bullet points to break down the key points could further enhance readability.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between b5ca06f and a085117.

📒 Files selected for processing (1)
  • tailscale/DOCS.md (4 hunks)
🔇 Additional comments (2)
tailscale/DOCS.md (2)

320-323: Detail on Userspace Networking Configuration

The additional lines clearly explain that disabling userspace networking results in the creation of a tailscale0 network interface and points users to the "DNS" section for further guidance on hostname resolution within the tailnet. This extra context is valuable for troubleshooting name resolution issues in Home Assistant.


548-557: Updated Reference Links Verification

Several reference links (e.g., [tailscale_info_dns], [tailscale_info_magicdns], [tailscale_info_pi_hole], and [tailscale_info_quad100]) have been updated. Please double-check that all URLs are correct and reflect the latest documentation on Tailscale’s website.
