coder · ethanndickson · Jan 29, 2025 · Nov 8, 2024
@@ -47,10 +47,7 @@ type Config struct {
 }
 
 func (c *Config) serviceIP() netip.Addr {
-	if c.OnlyIPv6 {
-		return tsaddr.TailscaleServiceIPv6()
-	}
-	return tsaddr.TailscaleServiceIP()
+	return tsaddr.CoderServiceIPv6()
 }
 
 // WriteToBufioWriter write a debug version of c for logs to w, omitting

@@ -211,7 +211,7 @@ func TestManager(t *testing.T) {
 					"bar.tld.", "2.3.4.5"),
 			},
 			os: OSConfig{
-				Nameservers: mustIPs("100.100.100.100"),
+				Nameservers: mustIPs("fd60:627a:a42b::53"),
 			},
 			rs: resolver.Config{
 				Hosts: hosts(
@@ -297,7 +297,7 @@ func TestManager(t *testing.T) {
 					"bradfitz.ts.com.", "2.3.4.5"),
 			},
 			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
+				Nameservers:   mustIPs("fd60:627a:a42b::53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			rs: resolver.Config{
@@ -320,7 +320,7 @@ func TestManager(t *testing.T) {
 			},
 			split: true,
 			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
+				Nameservers:   mustIPs("fd60:627a:a42b::53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			rs: resolver.Config{
@@ -339,7 +339,7 @@ func TestManager(t *testing.T) {
 				SearchDomains:    fqdns("tailscale.com", "universe.tf"),
 			},
 			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
+				Nameservers:   mustIPs("fd60:627a:a42b::53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			rs: resolver.Config{
@@ -357,7 +357,7 @@ func TestManager(t *testing.T) {
 			},
 			split: true,
 			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
+				Nameservers:   mustIPs("fd60:627a:a42b::53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			rs: resolver.Config{
@@ -377,7 +377,7 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("coffee.shop"),
 			},
 			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
+				Nameservers:   mustIPs("fd60:627a:a42b::53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"),
 			},
 			rs: resolver.Config{
@@ -412,7 +412,7 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("coffee.shop"),
 			},
 			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
+				Nameservers:   mustIPs("fd60:627a:a42b::53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"),
 			},
 			rs: resolver.Config{
@@ -432,7 +432,7 @@ func TestManager(t *testing.T) {
 			},
 			split: true,
 			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
+				Nameservers:   mustIPs("fd60:627a:a42b::53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 				MatchDomains:  fqdns("bigco.net", "corp.com"),
 			},
@@ -456,7 +456,7 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("coffee.shop"),
 			},
 			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
+				Nameservers:   mustIPs("fd60:627a:a42b::53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"),
 			},
 			rs: resolver.Config{
@@ -478,7 +478,7 @@ func TestManager(t *testing.T) {
 			},
 			split: true,
 			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
+				Nameservers:   mustIPs("fd60:627a:a42b::53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 				MatchDomains:  fqdns("ts.com"),
 			},
@@ -503,7 +503,7 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("coffee.shop"),
 			},
 			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
+				Nameservers:   mustIPs("fd60:627a:a42b::53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf", "coffee.shop"),
 			},
 			rs: resolver.Config{
@@ -529,7 +529,7 @@ func TestManager(t *testing.T) {
 			},
 			split: true,
 			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
+				Nameservers:   mustIPs("fd60:627a:a42b::53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 				MatchDomains:  fqdns("corp.com", "ts.com"),
 			},
@@ -551,7 +551,7 @@ func TestManager(t *testing.T) {
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			os: OSConfig{
-				Nameservers:   mustIPs("100.100.100.100"),
+				Nameservers:   mustIPs("fd60:627a:a42b::53"),
 				SearchDomains: fqdns("tailscale.com", "universe.tf"),
 			},
 			rs: resolver.Config{
@@ -579,7 +579,7 @@ func TestManager(t *testing.T) {
 				DefaultResolvers: mustRes("2a07:a8c0::c3:a884"),
 			},
 			os: OSConfig{
-				Nameservers: mustIPs("100.100.100.100"),
+				Nameservers: mustIPs("fd60:627a:a42b::53"),
 			},
 			rs: resolver.Config{
 				Routes: upstreams(".", "2a07:a8c0::c3:a884"),
@@ -591,12 +591,36 @@ func TestManager(t *testing.T) {
 				DefaultResolvers: mustRes("https://dns.nextdns.io/c3a884"),
 			},
 			os: OSConfig{
-				Nameservers: mustIPs("100.100.100.100"),
+				Nameservers: mustIPs("fd60:627a:a42b::53"),
 			},
 			rs: resolver.Config{
 				Routes: upstreams(".", "https://dns.nextdns.io/c3a884"),
 			},
 		},
+		{
+			name: "coder",
+			in: Config{
+				OnlyIPv6: true,
+				Routes: map[dnsname.FQDN][]*dnstype.Resolver{
+					"coder.": nil,
+				},
+				Hosts: hosts(
+					"agent.myws.me.coder.", "fd60:627a:a42c::53",
+				),
+			},
+			os: OSConfig{
+				Nameservers: mustIPs("fd60:627a:a42b::53"),
+			},
+			rs: resolver.Config{
+				Routes: upstreams(
+					".", "",
+				),
+				Hosts: hosts(
+					"agent.myws.me.coder.", "fd60:627a:a42c::53",
+				),
+				LocalDomains: fqdns("coder."),
+			},
+		},
 	}
 
 	trIP := cmp.Transformer("ipStr", func(ip netip.Addr) string { return ip.String() })

@@ -35,13 +35,14 @@ func CGNATRange() netip.Prefix {
 }
 
 var (
-	cgnatRange   oncePrefix
-	ulaRange     oncePrefix
-	tsUlaRange   oncePrefix
-	tsViaRange   oncePrefix
-	ula4To6Range oncePrefix
-	ulaEph6Range oncePrefix
-	serviceIPv6  oncePrefix
+	cgnatRange       oncePrefix
+	ulaRange         oncePrefix
+	tsUlaRange       oncePrefix
+	tsViaRange       oncePrefix
+	ula4To6Range     oncePrefix
+	ulaEph6Range     oncePrefix
+	serviceIPv6      oncePrefix
+	coderServiceIPv6 oncePrefix
 )
 
 // TailscaleServiceIP returns the IPv4 listen address of services
@@ -61,9 +62,15 @@ func TailscaleServiceIPv6() netip.Addr {
 	return serviceIPv6.v.Addr()
 }
 
+func CoderServiceIPv6() netip.Addr {
+	coderServiceIPv6.Do(func() { mustPrefix(&coderServiceIPv6.v, CoderServiceIPv6String+"/128") })
+	return coderServiceIPv6.v.Addr()
+}
+
 const (
 	TailscaleServiceIPString   = "100.100.100.100"
 	TailscaleServiceIPv6String = "fd7a:115c:a1e0::53"
+	CoderServiceIPv6String     = "fd60:627a:a42b::53"
 )
 
 // IsTailscaleIP reports whether ip is an IP address in a range that

@@ -53,6 +53,14 @@ func TestTailscaleServiceIPv6(t *testing.T) {
 	}
 }
 
+func TestCoderServiceIPv6(t *testing.T) {
+	got := CoderServiceIPv6().String()
+	want := "fd60:627a:a42b::53"
+	if got != want {
+		t.Errorf("got %q; want %q", got, want)
+	}
+}
+
 func TestChromeOSVMRange(t *testing.T) {
 	if got, want := ChromeOSVMRange().String(), "100.115.92.0/23"; got != want {
 		t.Errorf("got %q; want %q", got, want)

@@ -56,10 +56,7 @@ const debugPackets = false
 
 var debugNetstack = envknob.RegisterBool("TS_DEBUG_NETSTACK")
 
-var (
-	magicDNSIP   = tsaddr.TailscaleServiceIP()
-	magicDNSIPv6 = tsaddr.TailscaleServiceIPv6()
-)
+var coderDNSIPv6 = tsaddr.CoderServiceIPv6()
 
 func init() {
 	mode := envknob.String("TS_DEBUG_NETSTACK_LEAK_MODE")
@@ -464,7 +461,7 @@ func (ns *Impl) handleLocalPackets(p *packet.Parsed, t *tstun.Wrapper) filter.Re
 
 	// If it's not traffic to the service IP (i.e. magicDNS) we don't
 	// care; resume processing.
-	if dst := p.Dst.Addr(); dst != magicDNSIP && dst != magicDNSIPv6 {
+	if dst := p.Dst.Addr(); dst != coderDNSIPv6 {
 		return filter.Accept
 	}
 	// Of traffic to the service IP, we only care about UDP 53, and TCP
@@ -565,18 +562,9 @@ func (ns *Impl) inject() {
 		// TODO(tom): Figure out if its safe to modify packet.Parsed to fill in
 		//            the IP src/dest even if its missing the rest of the pkt.
 		//            That way we dont have to do this twitchy-af byte-yeeting.
-		if b := pkt.NetworkHeader().Slice(); len(b) >= 20 { // min ipv4 header
-			switch b[0] >> 4 { // ip proto field
-			case 4:
-				if srcIP := netaddr.IPv4(b[12], b[13], b[14], b[15]); magicDNSIP == srcIP {
-					sendToHost = true
-				}
-			case 6:
-				if len(b) >= 40 { // min ipv6 header
-					if srcIP, ok := netip.AddrFromSlice(net.IP(b[8:24])); ok && magicDNSIPv6 == srcIP {
-						sendToHost = true
-					}
-				}
+		if b := pkt.NetworkHeader().Slice(); len(b) >= 40 && (b[0]>>4) == 6 { // min ipv6 header && ip proto field
+			if srcIP, ok := netip.AddrFromSlice(net.IP(b[8:24])); ok && coderDNSIPv6 == srcIP {
+				sendToHost = true
 			}
 		}
 
@@ -939,7 +927,7 @@ func (ns *Impl) acceptTCP(r *tcp.ForwarderRequest) {
 	}
 
 	// DNS
-	if reqDetails.LocalPort == 53 && (dialIP == magicDNSIP || dialIP == magicDNSIPv6) {
+	if reqDetails.LocalPort == 53 && dialIP == coderDNSIPv6 {
 		c := getConnOrReset()
 		if c == nil {
 			return
@@ -1094,7 +1082,7 @@ func (ns *Impl) acceptUDP(r *udp.ForwarderRequest) {
 	}
 
 	// Handle magicDNS traffic (via UDP) here.
-	if dst := dstAddr.Addr(); dst == magicDNSIP || dst == magicDNSIPv6 {
+	if dst := dstAddr.Addr(); dst == coderDNSIPv6 {
 		if dstAddr.Port() != 53 {
 			ep.Close()
 			return // Only MagicDNS traffic runs on the service IPs for now.