From 26edf24477f6bc615242264e792fbeba9f50c359 Mon Sep 17 00:00:00 2001
From: Dominic Bevacqua <bev@treatwell.com>
Date: Mon, 23 Jan 2023 11:34:12 +0000
Subject: [PATCH] Allow split DNS configuration without requiring global
 nameservers

Align behaviour of dns_config.restricted_nameservers to tailscale.

Tailscale allows split DNS configuration without requiring global nameservers.

In addition, as per [the docs](https://tailscale.com/kb/1054/dns/#using-dns-settings-in-the-admin-console):

> These nameservers also configure search domains for your devices

This commit aligns headscale to tailscale by:

 * honouring dns_config.restricted_nameservers regardless of whether any global resolvers are configured
 * adding a search domain for each restricted_nameserver
---
 config.go | 46 ++++++++++++++++++++++------------------------
 1 file changed, 22 insertions(+), 24 deletions(-)

diff --git a/config.go b/config.go
index 6865b301..fed9b032 100644
--- a/config.go
+++ b/config.go
@@ -411,34 +411,32 @@ func GetDNSConfig() (*tailcfg.DNSConfig, string) {
 		}
 
 		if viper.IsSet("dns_config.restricted_nameservers") {
-			if len(dnsConfig.Resolvers) > 0 {
-				dnsConfig.Routes = make(map[string][]*dnstype.Resolver)
-				restrictedDNS := viper.GetStringMapStringSlice(
-					"dns_config.restricted_nameservers",
+			dnsConfig.Routes = make(map[string][]*dnstype.Resolver)
+			domains := []string{}
+			restrictedDNS := viper.GetStringMapStringSlice(
+				"dns_config.restricted_nameservers",
+			)
+			for domain, restrictedNameservers := range restrictedDNS {
+				restrictedResolvers := make(
+					[]*dnstype.Resolver,
+					len(restrictedNameservers),
 				)
-				for domain, restrictedNameservers := range restrictedDNS {
-					restrictedResolvers := make(
-						[]*dnstype.Resolver,
-						len(restrictedNameservers),
-					)
-					for index, nameserverStr := range restrictedNameservers {
-						nameserver, err := netip.ParseAddr(nameserverStr)
-						if err != nil {
-							log.Error().
-								Str("func", "getDNSConfig").
-								Err(err).
-								Msgf("Could not parse restricted nameserver IP: %s", nameserverStr)
-						}
-						restrictedResolvers[index] = &dnstype.Resolver{
-							Addr: nameserver.String(),
-						}
+				for index, nameserverStr := range restrictedNameservers {
+					nameserver, err := netip.ParseAddr(nameserverStr)
+					if err != nil {
+						log.Error().
+							Str("func", "getDNSConfig").
+							Err(err).
+							Msgf("Could not parse restricted nameserver IP: %s", nameserverStr)
+					}
+					restrictedResolvers[index] = &dnstype.Resolver{
+						Addr: nameserver.String(),
 					}
-					dnsConfig.Routes[domain] = restrictedResolvers
 				}
-			} else {
-				log.Warn().
-					Msg("Warning: dns_config.restricted_nameservers is set, but no nameservers are configured. Ignoring restricted_nameservers.")
+				dnsConfig.Routes[domain] = restrictedResolvers
+				domains = append(domains, domain)
 			}
+			dnsConfig.Domains = domains
 		}
 
 		if viper.IsSet("dns_config.domains") {