{"id":30280121,"url":"https://github.com/rajsinghtech/tsdnsreflector","last_synced_at":"2026-04-16T03:32:38.125Z","repository":{"id":288700829,"uuid":"968944578","full_name":"rajsinghtech/tsdnsreflector","owner":"rajsinghtech","description":"DNS proxy for Tailscale networks","archived":false,"fork":false,"pushed_at":"2025-09-26T20:10:33.000Z","size":142,"stargazers_count":0,"open_issues_count":10,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-09-26T22:11:06.912Z","etag":null,"topics":["dns-server","kubernetes","tailscale"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rajsinghtech.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-04-19T03:29:45.000Z","updated_at":"2025-07-16T01:44:06.000Z","dependencies_parsed_at":null,"dependency_job_id":"bc381050-47bb-4d76-b2e4-88cfd0af79d5","html_url":"https://github.com/rajsinghtech/tsdnsreflector","commit_stats":null,"previous_names":["rajsinghtech/tsdnsreflector"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/rajsinghtech/tsdnsreflector","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rajsinghtech%2Ftsdnsreflector","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rajsinghtech%2Ftsdnsreflector/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rajsinghtech%2Ftsdnsreflector/releases","manif
ests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rajsinghtech%2Ftsdnsreflector/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rajsinghtech","download_url":"https://codeload.github.com/rajsinghtech/tsdnsreflector/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rajsinghtech%2Ftsdnsreflector/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31870508,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-15T15:24:51.572Z","status":"online","status_checked_at":"2026-04-16T02:00:06.042Z","response_time":69,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dns-server","kubernetes","tailscale"],"created_at":"2025-08-16T15:01:01.912Z","updated_at":"2026-04-16T03:32:38.096Z","avatar_url":"https://github.com/rajsinghtech.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"assets/logo.svg\" alt=\"tsdnsreflector\" width=\"120\" height=\"120\"\u003e\n  \n  # tsdnsreflector\n\n  **DNS proxy for Tailscale networks that just works**\n\n  [![CI](https://github.com/rajsinghtech/tsdnsreflector/actions/workflows/ci.yml/badge.svg)](https://github.com/rajsinghtech/tsdnsreflector/actions/workflows/ci.yml)\n  
[![Docker](https://github.com/rajsinghtech/tsdnsreflector/actions/workflows/docker.yml/badge.svg)](https://github.com/rajsinghtech/tsdnsreflector/actions/workflows/docker.yml)\n  [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n\u003c/div\u003e\n\ntsdnsreflector is a DNS proxy that solves routing conflicts in Tailscale networks and enables external access to DNS servers on the tailnet.\n\n## Problems it solves\n\n### Multiple Kubernetes Clusters with Overlapping IPs\nWhen you have multiple Kubernetes clusters using the same subnet ranges (e.g., both using `10.0.0.0/16`), Tailscale clients cannot distinguish between clusters when resolving service DNS records.\n\n**Example scenario**:\n- Cluster A: `api.default.svc.cluster.local` → `10.0.0.1`\n- Cluster B: `api.default.svc.cluster.local` → `10.0.0.1` (same IP!)\n\ntsdnsreflector solves this by mapping cluster-specific domains to 4via6 IPv6 addresses:\n- `api.default.svc.cluster1.local` → `fd7a:115c:a1e0:b1a:0:1:a00:1` (Cluster A)\n- `api.default.svc.cluster2.local` → `fd7a:115c:a1e0:b1a:0:2:a00:1` (Cluster B)\n\n### DNS Proxy for External Clients\nExternal clients need access to DNS servers or MagicDNS within your Tailscale network but cannot reach them directly.\n\n**Example scenario**:\n- Internal DNS server at `100.64.1.10:53` (Tailscale IP or Subnet Router Advertised IP)\n- External monitoring system needs to resolve internal domains\n- Direct access blocked by network boundaries\n\ntsdnsreflector bridges this gap by:\n- Connecting to internal DNS servers via Tailscale\n- Serving external clients from a public IP\n- Enabling secure DNS resolution without VPN access\n\n**Use cases**:\n- CI/CD systems resolving internal service names\n- External monitoring accessing private DNS records  \n- Third-party integrations needing internal domain resolution\n\n## Quick Start\n\n### 1. 
Create Configuration\nCreate `config.hujson` with your DNS zones:\n\n```json\n{\n  \"zones\": {\n    \"internal\": {\n      \"domains\": [\"*.internal.local\"],\n      \"backend\": {\"dnsServers\": [\"100.64.1.10:53\"]}, // Tailscale exposed DNS server\n      \"allowExternalClients\": true\n    },\n    \"cluster\": {\n      \"domains\": [\"*.cluster.local\"],\n      \"backend\": {\"dnsServers\": [\"10.1.0.10:53\"]}, // Subnet-routed DNS\n      \"reflectedDomain\": \"cluster.local\",\n      \"translateid\": 1\n    }\n  }\n}\n```\n\n### 2. Run with Docker\n```bash\n# Run with config file\ndocker run -d --name tsdnsreflector \\\n  -p 53:53/udp \\\n  -v ./config.hujson:/config.hujson \\\n  -e TS_AUTHKEY=tskey-auth-your-key \\\n  ghcr.io/rajsinghtech/tsdnsreflector:latest -config /config.hujson\n\n# Test IPv6 translation  \nnslookup -type=AAAA service.internal.local 100.x.x.x\n```\n\n## How it works\n\n```\n┌─────────────────┐    ┌──────────────────┐    ┌─────────────────┐\n│ Tailscale Client│    │  tsdnsreflector  │    │   Kubernetes    │\n│                 │────┤ DNS Query        │────┤ CoreDNS         │\n│ Query:          │ 1  │ *.cluster1.local │ 2  │ 10.0.0.10:53    │\n│ api.default.svc │    │                  │    │                 │\n│ .cluster1.local │    │ Translates:      │◄───┤ Returns:        │\n│                 │    │ 10.0.0.1 →       │ 3  │ 10.0.0.1        │\n│                 │◄───┤ fd7a:115c:a1e0:  │    │                 │\n│ Gets: IPv6      │ 4  │ b1a:0:1:a00:1    │    │                 │\n│ 4via6 address   │    │                  │    │                 │\n└─────────────────┘    └──────────────────┘    └─────────────────┘\n\nFlow:\n1. Client queries api.default.svc.cluster1.local\n2. tsdnsreflector forwards to CoreDNS as cluster.local  \n3. CoreDNS returns IPv4 address (10.0.0.1)\n4. 
tsdnsreflector converts to 4via6 IPv6 and returns to client\n```\n\nThis allows multiple Kubernetes clusters with overlapping IPs to be uniquely addressable via different IPv6 addresses.\n\n## Documentation\n\n- **[Configuration Guide](docs/CONFIGURATION.md)** - All config options and examples\n- **[Deployment Guide](docs/DEPLOYMENT.md)** - Docker, Kubernetes, systemd setups  \n- **[Tailscale Integration](docs/TAILSCALE.md)** - Authentication, networking, troubleshooting\n\n## Features\n\n- **Multi-Cluster DNS** - Resolve Kubernetes services across clusters with overlapping IPs\n- **DNS Proxy Bridge** - External clients access internal DNS servers via Tailscale\n- **4via6 Translation** - Automatic IPv4→IPv6 conversion for unique addressing\n- **TSNet Integration** - Connects to DNS servers on Tailscale IPs and subnet routes\n- **MagicDNS Proxy** - External clients can resolve `.ts.net` domains  \n- **Zone-Based Routing** - Map different domains to different DNS servers\n- **Hot Reload** - Update config without restarting (SIGHUP)\n- **Production Ready** - Health checks, metrics, security hardening\n- **Kubernetes Native** - StatefulSet, RBAC, OAuth support\n\n## Real-World Example\n\nHere's how we use it for Kubernetes access:\n\n### 1. Subnet Router Setup\n```yaml\n# Kubernetes Connector resource\napiVersion: tailscale.com/v1alpha1\nkind: Connector\nmetadata:\n  name: k8s-subnet-router\nspec:\n  hostname: k8s-subnet-router\n  subnetRouter:\n    advertiseRoutes:\n    - fd7a:115c:a1e0:b1a:0:1::/96  # 4via6 prefix for site ID 1\n  tags:\n  - tag:k8s\n```\n\n### 2. 
tsdnsreflector Config\n```json\n{\n  \"zones\": {\n    \"cluster1\": {\n      \"domains\": [\"*.cluster1.local\"],\n      \"backend\": {\"dnsServers\": [\"10.1.0.10:53\"]}, // CoreDNS IP\n      \"reflectedDomain\": \"cluster.local\",\n      \"translateid\": 1\n    },\n    \"cluster2\": {\n      \"domains\": [\"*.cluster2.local\"],\n      \"backend\": {\"dnsServers\": [\"10.2.0.10:53\"]}, // CoreDNS IP, different cluster\n      \"reflectedDomain\": \"cluster.local\",\n      \"translateid\": 2\n    }\n  }\n}\n```\n\n### 3. Split-DNS Setup\nConfigure in the Tailscale admin console (https://login.tailscale.com/admin/dns):\n\n1. **Add Nameserver**: Custom → Enter tsdnsreflector IP (100.x.x.x)\n2. **Restrict Search Domain**: Enable and enter `cluster1.local`\n3. **Save Changes**\n\nThis routes all `*.cluster1.local` queries to tsdnsreflector while other domains use default DNS.\n\n### 4. Result\n```bash\n# Resolve Kubernetes services from Tailscale clients\ncurl api.default.svc.cluster1.local  # Cluster A\ncurl api.default.svc.cluster2.local  # Cluster B\n\n# Both work despite overlapping IPs via 4via6 translation\n```\n\n## License\n\nMIT License - see [LICENSE](LICENSE) file.\n\n---\n\nBuilt by the Tailscale community for solving real networking problems.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frajsinghtech%2Ftsdnsreflector","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frajsinghtech%2Ftsdnsreflector","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frajsinghtech%2Ftsdnsreflector/lists"}