Tailscale DNS - Search domain "*.ts.net" is dangerously high up the hierarchy

[P-a-d-r-a-i-g]

What happened:

I got this error message when trying to add a search domain for a DNS entry:

failed to parse DNS server "dns://100.100.100.100?name=TailscaleDNS&search=*.ts.net&search-only" (#1): failed to validate search domain #1: search domain "*.ts.net" is dangerously high up the hierarchy, stay at or below "*.ts.net"

What did you expect to happen?:

The DNS to be added and any DNS requests for all Tailnets to get processed by 100.100.100.100
e.g.
DNS request for my-gaming-pc.alpha-beta.ts.net get resolved
DNS request for my-raspberry-pi.alpha-beta.ts.net get resolved
DNS request for my-office-pc.charlie-delta.ts.net get resolved
DNS request for my-dads-pc.some-other.ts.net get resolved

If I specifically set like search=alpha-beta.ts.net,charlie-delta.ts.net then those Tailnets will resolve

How did you reproduce it?:

Just add the following line like above:

dns://100.100.100.100?name=TailscaleDNS&search=*.ts.net&search-only

[github-actions]

Greetings and welcome to our community! As this is the first issue you opened here, we wanted to share some useful infos with you:

• 🗣️ Our community on Discord is super helpful and active. We also have an AI-enabled support bot that knows Portmaster well and can give you immediate help.
• 📖 The Wiki answers all common questions and has many important details. If you can't find an answer there, let us know, so we can add anything that's missing.

[github-actions]

This issue has been automatically marked as inactive because it has not had activity in the past two months.

If no further activity occurs, this issue will be automatically closed in one week in order to increase our focus on active topics.

[P-a-d-r-a-i-g]

Bumping this, as it's still an active issue that hasn't been fixed.

[github-actions]

This issue has been automatically marked as inactive because it has not had activity in the past two months.

If no further activity occurs, this issue will be automatically closed in one week in order to increase our focus on active topics.

[P-a-d-r-a-i-g]

Bump again, as it's still not fixed.

[dhaavi]

Hey @P-a-d-r-a-i-g,

ts.net is defined as a public suffix, this is why just using ts.net is not allowed, as this easily allows configuration to scope creep and attackers to easily redirect loads of domains by mangling with the system settings or DHCP options.

Is your issue that you would like to use ts.net or do you believe the error message should be clarified?
As *.ts.net is meant to mean that you set your own value in there, such as alpha-beta.ts.net, not using *.ts.net literally.

[P-a-d-r-a-i-g]

Hi @dhaavi

I'd like to add *.ts.net as a wildcard (asterix always represents wildcard) so that any Tailnet I join will be automatically available.

I can add each Tailnet manually of course, like below, and they will work but I would rather not have to add them manually:

dns://100.100.100.100?name=TailscaleDNS&search=alpha-beta.ts.net,charlie-delta.ts.net,some-other.ts.net&search-only

Thanks.

[github-actions]

This issue has been automatically marked as inactive because it has not had activity in the past two months.

If no further activity occurs, this issue will be automatically closed in one week in order to increase our focus on active topics.

[github-actions]

This issue has been automatically closed because it has not had recent activity. Thank you for your contributions.

If the issue has not been resolved, you can find more information in our Wiki or continue the conversation on our Discord.