Automatic hostname resolving

[mmachatschek]

Is it somehow possible to get automatic resolving of the internal hostnames of render to its internal ip address?

It would be great to configure a secondary DNS or something.

Maybe someone that already has a workaround for this could share it, how to configure this (probably something in the tailscale ui too)

@anurag maybe you can help.

[anurag]

We'll need to look into this. cc @crcastle for state.

[crcastle]

Hey @mmachatschek - Interesting idea. I have some questions to better understand what you want.

• You are looking to resolve a Render service's 10.0.0.0 IP address, not a Tailscale 100.64.0.0/10 address, right?
• Do you want to resolve that IP address from a DNS client inside your Render private network or a client in your Tailnet outside of Render or both?
• Do you have a more specific use case or cases you can share?

Thanks!

[mmachatschek]

@crcastle thanks for reaching out

You are looking to resolve a Render service's 10.0.0.0 IP address, not a Tailscale 100.64.0.0/10 address, right?

correct. I want my machine (that is connected to my tailscale network that has a subnetrouter to render) to automatically resolve the render service hostname visible in the UI, to the render service IP address 10.x.x.x

Do you want to resolve that IP address from a DNS client inside your Render private network or a client in your Tailnet outside of Render or both?

To get the 10.x.x.x IP address of the render service (even private services or background workers), I would need a DNS from inside my render private network.

Do you have a more specific use case or cases you can share?

• We have multiple team members of which not everyone has access to the render UI, but we want them to be able to connect e.g. to testing services (without opening the services to the whole internet 0.0.0.0/0) where they can test stuff. Managing IP addresses in a shared file that needs to be maintained everytime a service is recreated via a blueprint is tedious and error prone. Instead, just working with hostnames is very easy (can be fetched e.g. via the Render API getting the slugs of all services)
• IP addresses can be easily mixed up with staging/production services (if you copy the wrong IP from a shared file) which can lead to unwanted side effects. when you type staging-someservice-suffix you can immediately see you connect to a staging service, whereas if you type e.g. psql -h 10.x.x.x -d database_name ... you would need to verify that that IP-address is the correct service I want to connect to
• Copying the hostname from the render UI and just connect to the service, instead of going to the webshell and needing to get the correct IP-address is annoying
• Some managed services like redis or postgres don't even support the webshell, therefore you would need to copy the internal address, go to another service that has a shell, and get the IP address via dig of the redis/psql database

[anurag]

Hi @mmachatschek, this makes sense and we'll figure out how to make this possible in Tailscale. Until then, would SSH tunneling be an option? Here's an example: https://render.com/blog/ssh-vscode-remote-debugging. You can get the SSH URL for any service (not just web services) from the dashboard.

[CharlieMc0]

Agreed. DNS support would be super helpful. For us the goal is simply giving the developers a similar experience but over the VPN instead of public internet. This would allow us to protect certain admin pages and DBs connections behind the VPN. Currently they tend publicly expose services that should be kept private or have to whitelist their own IPs.

[CharlieMc0]

I spoke too soon. It looks like this is working now but took a little digging. I was able to lookup the IP of the DNS server in the private network and add it as a DNS server in Tailscale. Then I had to find the FQDN and add the domain as a Search Domain in Tailscale.

[Sytten]

Alright I spent way too many hours on this setup so I figured it would be nice to share.
We use two teams, one for production and one for staging because projects in render don't have network isolation nor access control to different team members (but let me stop my rant here, they know I am pissed at their team pricing).

Render network

• Each service gets a 10.204.X.0/24 subnet and each instance of that service gets a /32 IP in that subnet
• Each service gets an address like srv-<SERVICE ID>.own-<TEAM ID>.svc.cluster.local
• Each database gets a 10.205.Y.0/24 subnet and each instance (read replica) of that database gets a /32 IP in that subnet
• Each database gets an address like dpg-<DATABASE ID>.own-<TEAM ID>.svc.cluster.local
• The DNS server is always at IP 10.205.0.10 and it can resolve DNS names of ALL render services even if it is in a different team
• To get an address you can shell into a service and do getent hosts <SERVICE SHORT NAME>

Tailscale setup

• We deploy one router per team (see files below)
• We advertise /24 subnets, we were lucky since we had no overlap between production and staging but that is not guaranteed. If that happens you have to re-create your service.
• Make sure one router advertises the 10.205.0.0/24 subnet, it doesn't matter which
• In DNS, we added a split DNS nameserver for svc.cluster.local with the IP 10.205.0.10
• Disabled key expiration for the routers

Files

• render.yaml

services:
  - type: worker
    plan: Starter
    region: oregon
    name: tailscale-router
    env: docker
    dockerfilePath: ./applications/tailscale/Dockerfile
    dockerContext: ./applications/tailscale
    numInstances: 1
    autoDeploy: false
    envVars:
      - key: ADVERTISE_ROUTES
        value: '10.205.195.0/24,10.205.98.0/24,10.204.123.0/24,10.204.69.0/24'
      - key: TAILSCALE_AUTHKEY
        sync: false
    disk:
      name: tailscale-state
      mountPath: /var/lib/tailscale
      sizeGB: 1

• endpoint.sh

#!/bin/sh

tailscaled --tun=userspace-networking --socks5-server=localhost:1055 &
PID=$!

ADVERTISE_ROUTES=${ADVERTISE_ROUTES:-10.0.0.0/8}
until tailscale up --authkey="${TAILSCALE_AUTHKEY}" --hostname="${RENDER_SERVICE_NAME}" --advertise-routes="$ADVERTISE_ROUTES"; do
  sleep 0.1
done
export ALL_PROXY=socks5://localhost:1055/
tailscale_ip=$(tailscale ip)
echo "Tailscale is up at IP ${tailscale_ip}"

wait ${PID}

• Dockerfile

FROM tailscale/tailscale:v1.50.1

COPY "entrypoint.sh" .

ENTRYPOINT ["sh"]
CMD ["entrypoint.sh"]

[anurag]

cc @iandouglas

[Sytten]

@anurag I posted in community forum https://community.render.com/t/render-internals/17888
Maybe @iandouglas could engage there :)
I saw that the 10.204.X.0/24 are not as fixed as I thought so any precision on that would be nice, I had to change my tailscale config a few times.