Enhance DNS server configuration with customizable listen addresses

- Update README to reflect new configurable listen addresses for tsdnsproxy
- Modify main.go to introduce a flag for specifying listen addresses
- Implement logic in server.go to handle multiple listen addresses, including Tailscale and LAN options
- Update Kubernetes deployment to support new listen address configuration

Author: rajsinghtech

README.md

@@ -13,7 +13,7 @@ A DNS proxy server for Tailscale networks that enables per-identity DNS routing,
 
 ## How It Works
 
-tsdnsproxy runs as a tsnet application on your tailnet, listening on UDP port 53. When it receives DNS requests:
+tsdnsproxy runs as a tsnet application on your tailnet, listening on configurable addresses (default: Tailscale IP port 53). When it receives DNS requests:
 
 1. Identifies the requesting node using LocalAPI whois
 2. Retrieves DNS grants from the node's capabilities
@@ -66,6 +66,7 @@ docker run -d \
   --name tsdnsproxy \
   -e TS_AUTHKEY=tskey-auth-YOUR-KEY \
   -e TSDNSPROXY_HOSTNAME=tsdnsproxy \
+  -e TSDNSPROXY_LISTEN_ADDRS=tailscale,0.0.0.0:53 \
   -p 53:53/udp \
   ghcr.io/rajsinghtech/tsdnsproxy:latest
 ```
@@ -102,6 +103,7 @@ tsdnsproxy -authkey tskey-auth-YOUR-KEY
 - `TSDNSPROXY_STATE_DIR`: State directory (default: `/var/lib/tsdnsproxy`)
 - `TSDNSPROXY_STATE`: State storage backend (e.g., `kube:secret-name`)
 - `TSDNSPROXY_DEFAULT_DNS`: Default DNS servers (comma-separated)
+- `TSDNSPROXY_LISTEN_ADDRS`: Listen addresses (default: `tailscale`) - see Network Configuration
 - `TSDNSPROXY_HEALTH_ADDR`: Health check endpoint address (default: `:8080`)
 - `TSDNSPROXY_VERBOSE`: Enable verbose logging (default: `false`)
 
@@ -111,6 +113,7 @@ tsdnsproxy -authkey tskey-auth-YOUR-KEY
 tsdnsproxy \
   -authkey tskey-auth-YOUR-KEY \
   -hostname tsdnsproxy \
+  -listen-addrs tailscale,0.0.0.0:53 \
   -statedir /var/lib/tsdnsproxy \
   -state kube:tsdnsproxy-state \
   -default-dns 8.8.8.8:53,8.8.4.4:53 \

cmd/tsdnsproxy/main.go

@@ -76,6 +76,7 @@ func main() {
 		defaultDNS  = flag.String("default-dns", envOr("TSDNSPROXY_DEFAULT_DNS", ""), "default DNS servers (comma-separated)")
 		cacheExpiry = flag.Duration("cache-expiry", constants.DefaultCacheExpiry, "whois cache expiry duration")
 		healthAddr  = flag.String("health-addr", envOr("TSDNSPROXY_HEALTH_ADDR", ":8080"), "health check endpoint address")
+		listenAddrs = flag.String("listen-addrs", envOr("TSDNSPROXY_LISTEN_ADDRS", "tailscale"), "listen addresses (comma-separated: tailscale,0.0.0.0:53,127.0.0.1:5353)")
 		verbose     = flag.Bool("verbose", envOr("TSDNSPROXY_VERBOSE", "false") == "true", "enable verbose logging")
 	)
 	flag.Parse()
@@ -193,7 +194,7 @@ func main() {
 
 	// Start DNS server (handles both UDP and TCP)
 	log.Printf("starting DNS server")
-	if err := dnsServer.Run(ctx); err != nil {
+	if err := dnsServer.RunWithAddrs(ctx, *listenAddrs, status); err != nil {
 		log.Printf("DNS server error: %v", err)
 	}
 

internal/dns/server.go

@@ -52,14 +52,18 @@ type Server struct {
 	serverGrants []grants.GrantConfig
 }
 
-// Run starts both UDP and TCP DNS servers
+// Run starts both UDP and TCP DNS servers on the default Tailscale address
 func (s *Server) Run(ctx context.Context) error {
-	s.workerPool = make(chan struct{}, 100)
-
 	status, err := s.LocalClient.Status(ctx)
 	if err != nil {
 		return fmt.Errorf("get status: %w", err)
 	}
+	return s.RunWithAddrs(ctx, "tailscale", status)
+}
+
+// RunWithAddrs starts DNS servers on specified addresses
+func (s *Server) RunWithAddrs(ctx context.Context, listenAddrsStr string, status *ipnstate.Status) error {
+	s.workerPool = make(chan struct{}, 100)
 
 	// Load server's own grants
 	if err := s.loadServerGrants(ctx, status); err != nil {
@@ -69,34 +73,32 @@ func (s *Server) Run(ctx context.Context) error {
 		s.grantsMu.Unlock()
 	}
 
-	var listenAddr string
-	if status.Self != nil && len(status.Self.TailscaleIPs) > 0 {
-		// Use the first tailscale IP
-		listenAddr = fmt.Sprintf("%s:53", status.Self.TailscaleIPs[0])
-	} else {
-		listenAddr = ":53"
-	}
+	// Parse listen addresses
+	listenAddrs := s.parseListenAddresses(listenAddrsStr, status)
 
-	// Create error channel for goroutines
-	errCh := make(chan error, 2)
+	// Create error channel for goroutines (2 per address)
+	errCh := make(chan error, len(listenAddrs)*2)
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
 
-	// Start UDP server
-	go func() {
-		if err := s.runUDP(ctx, listenAddr); err != nil {
-			errCh <- fmt.Errorf("UDP server: %w", err)
-		}
-	}()
+	// Start UDP and TCP servers for each listen address
+	for _, addr := range listenAddrs {
+		// Start UDP server
+		go func(listenAddr string) {
+			if err := s.runUDP(ctx, listenAddr); err != nil {
+				errCh <- fmt.Errorf("UDP server on %s: %w", listenAddr, err)
+			}
+		}(addr)
 
-	// Start TCP server
-	go func() {
-		if err := s.runTCP(ctx, listenAddr); err != nil {
-			errCh <- fmt.Errorf("TCP server: %w", err)
-		}
-	}()
+		// Start TCP server
+		go func(listenAddr string) {
+			if err := s.runTCP(ctx, listenAddr); err != nil {
+				errCh <- fmt.Errorf("TCP server on %s: %w", listenAddr, err)
+			}
+		}(addr)
+	}
 
-	// Wait for either server to fail or context to be done
+	// Wait for any server to fail or context to be done
 	select {
 	case err := <-errCh:
 		cancel()
@@ -106,9 +108,52 @@ func (s *Server) Run(ctx context.Context) error {
 	}
 }
 
+// parseListenAddresses converts the listen addresses string into concrete addresses
+func (s *Server) parseListenAddresses(listenAddrsStr string, status *ipnstate.Status) []string {
+	addrs := strings.Split(listenAddrsStr, ",")
+	var result []string
+	
+	for _, addr := range addrs {
+		addr = strings.TrimSpace(addr)
+		switch addr {
+		case "tailscale":
+			// Use the first tailscale IP
+			if status.Self != nil && len(status.Self.TailscaleIPs) > 0 {
+				result = append(result, fmt.Sprintf("%s:53", status.Self.TailscaleIPs[0]))
+			} else {
+				s.Logf("warning: tailscale address requested but no Tailscale IPs available, using :53")
+				result = append(result, ":53")
+			}
+		case "0.0.0.0:53", "0.0.0.0", "all":
+			result = append(result, "0.0.0.0:53")
+		case "127.0.0.1:53", "127.0.0.1", "localhost":
+			result = append(result, "127.0.0.1:53")
+		case "[::]:53", "[::]", "ipv6":
+			result = append(result, "[::]:53")
+		default:
+			// Custom address - validate it has a port
+			if !strings.Contains(addr, ":") {
+				addr += ":53"
+			}
+			result = append(result, addr)
+		}
+	}
+	
+	s.Logf("parsed listen addresses: %v", result)
+	return result
+}
+
 // runUDP handles UDP DNS queries
 func (s *Server) runUDP(ctx context.Context, listenAddr string) error {
-	pc, err := s.TSServer.ListenPacket("udp", listenAddr)
+	var pc net.PacketConn
+	var err error
+	
+	// Determine if we should use tsnet or standard networking
+	if s.shouldUseTSNet(listenAddr) {
+		pc, err = s.TSServer.ListenPacket("udp", listenAddr)
+	} else {
+		pc, err = net.ListenPacket("udp", listenAddr)
+	}
 	if err != nil {
 		return fmt.Errorf("listen UDP: %w", err)
 	}
@@ -176,9 +221,36 @@ func (s *Server) runUDP(ctx context.Context, listenAddr string) error {
 	}
 }
 
+// shouldUseTSNet determines if we should use tsnet for the given address
+func (s *Server) shouldUseTSNet(listenAddr string) bool {
+	// Extract host from address
+	host, _, err := net.SplitHostPort(listenAddr)
+	if err != nil {
+		// If we can't parse, assume it's a tsnet address
+		return true
+	}
+	
+	// Use standard networking for common non-tailscale addresses
+	switch host {
+	case "0.0.0.0", "127.0.0.1", "localhost", "", "[::]":
+		return false
+	default:
+		// If it looks like a tailscale IP or custom address, use tsnet
+		return true
+	}
+}
+
 // runTCP handles TCP DNS queries
 func (s *Server) runTCP(ctx context.Context, listenAddr string) error {
-	listener, err := s.TSServer.Listen("tcp", listenAddr)
+	var listener net.Listener
+	var err error
+	
+	// Determine if we should use tsnet or standard networking
+	if s.shouldUseTSNet(listenAddr) {
+		listener, err = s.TSServer.Listen("tcp", listenAddr)
+	} else {
+		listener, err = net.Listen("tcp", listenAddr)
+	}
 	if err != nil {
 		return fmt.Errorf("listen TCP: %w", err)
 	}

k8s/deployment.yaml

@@ -77,6 +77,8 @@ spec:
           value: "true"
         - name: TSDNSPROXY_DEFAULT_DNS
           value: "8.8.8.8:53,8.8.4.4:53"  # Configure your default DNS
+        - name: TSDNSPROXY_LISTEN_ADDRS
+          value: "tailscale,0.0.0.0:53"  # Listen on both Tailscale and LAN
         - name: TS_AUTHKEY
           valueFrom:
             secretKeyRef:
@@ -121,7 +123,7 @@ metadata:
   labels:
     app: tsdnsproxy
 spec:
-  type: ClusterIP
+  type: LoadBalancer  # Expose DNS service to LAN
   selector:
     app: tsdnsproxy
   ports: