Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

We’re using Tailscale for our internal network, and it’s amazing. We’re a team distributed across multiple countries, and with Tailscale, it’s like we’re sitting in a single office, connected to the same router. And on top of that, we get centrally managed ACLs for everyone, TLS certificates, and SSO with Microsoft accounts. Amazing stuff!

My main gripe, though, is DNS. It’s great to be able to reach prod-db-1, prod-db-2, and prod-db-3, tag them as „db“ and create a rule to allow TCP on db:5432. however, it’s annoying that all of this is supported, but not the obvious extension - DNS records for the tags, so I can point apps to a group of servers belonging to the same tag.



I don't get it. `db` should resolve to all host ips? Wouldnt a load balancer make more sense in that scenario?


Consider `db` resolves to multiple A records:

  db.   IN   A    100.64.123.1   # prod-db-1.
  db.   IN   A    100.64.123.2   # prod-db-2.
  db.   IN   A    100.64.123.3   # prod-db-3.
This is good for service discovery—e.g., you can configure something like RabbitMQ to discover cluster members from an A record—and it's nice for browsers, which will pick one host at random when connecting, which effectively is load balancing.

In a usual setup, the problem is that if a host goes down, clients will still try to reach it because it's still in the DNS record; but with Tailscale, the "DNS" is generated by the local Tailscale daemon on the fly, so you get a live view, and if this was implemented, it would be possible to only return available servers for tag queries.


Nit: the host is not picked at random, but according to the RFC3484 algorithm.

Since people typically don’t believe me about this, here it is from someone who has done a lot of networking programming:

https://daniel.haxx.se/blog/2012/01/03/getaddrinfo-with-roun...


Arghh. I want to love IPv6, but they really work hard against it, don't they.

Thanks, I didn't know this!


Even better: although the reason for the algorithm is IPv6, all mainstream implementations do it on IPv4 also.


I noticed that limitation quickly too. My solution was to just point A records on my domain to the tailscale internal ip and use the let's encrypt wildcard certificate my registrar (porkbun) provides out of the box.


Similar to how you would use keepalived to get a virtual IP and broker between addresses under it?


Yes, but with all the benefits of Tailscale nodes—automatic DNS resolution, ACLs, and TLS certificates out of the box, and so on. The building blocks are all there, it’s just that nobody has built the feature yet.


yup, I ended up implementing that myself via a coredns extension that does DNS for both tags and hosts. obviously not zero effort, but it ended up being quite straightforward, and has been working flawlessly since then.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: