Refactor MagicDNS support to properly handle appconnectors

[lmagyar]

Note: 2 users reported that it works.

Proposed Changes

• Move egress and ingress proxies to non-default ports (port 53 caused some real or false positive conflicts/error messages)
  • They are moved to port 51100 and 53127 and they made accessible on port 53 with iptables forwarding for HA's DNS, SU and tailscaled itself
  • If these ports are allocated, they search for free ports
• Always start up the internal proxy services if MagicDNS is active (userspace networking is disabled), and reconfigure them when the tailnet's DNS related configuration is changed (checked in each 30s)
  • during startup no limit on egress side, the ingress is blocked
  • when local accept_dns is off
    • no change, works as before
    • ingress: MagicDNS resolves only tailnet addresses
    • egress: tailscaled can freely call HA's DNS for anything else
  • when local accept_dns is on, global Override DNS servers is off
    • new situation
    • ingress: MagicDNS resolves only tailnet + SplitDNSRoutes addresses
    • egress: tailscaled can freely call HA's DNS for anything else
  • when both local accept_dns and global Override DNS servers is on
    • no change, works as before
    • ingress: MagicDNS can resolve nearly everything
    • egress: tailscaled can call HA's DNS for login server, letsencrypt, log-server, but normally eg. goes to the configured global DNS servers

The whole internal structure got much clearer and logical:

  user
  |  ˅
  |  magicdns-proxies-reconfigurator
  ˅  ˅
  magicdns-ingress-proxy
  |  ˅
  |  magicdns-proxies-configurator
  |  ˅
  |  post-tailscaled
  |  ˅
  |  tailscaled
  |  ˅
  |  magicdns-egress-proxy
  ˅  ˅
  init-magicdns-proxies

Related Issues

fixes #661 #666

Summary by CodeRabbit

• New Features

  • Dynamic UDP/TCP port allocation for DNS ingress and egress proxies
  • MAGICDNS modes (RESTRICTED / UNRESTRICTED) with updated forwarding behavior and NXDOMAIN handling
  • Added an automatic DNS proxy reconfigurator that detects changes and reapplies configuration
  • New forwarding management utility with optional suppression support

• Bug Fixes

  • Improved resolver handoff/startup readiness behavior and tightened forwarding cleanup/exit handling

• Chores

  • Updated service wiring and removed obsolete init steps; healthcheck now respects reconfigurator health state

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f8433bc0-7bd5-41aa-8093-43e7bdf6eb19

📥 Commits

Reviewing files that changed from the base of the PR and between 3efddfd and 85cefa0.

📒 Files selected for processing (3)

• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-egress-proxy/finish
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-ingress-proxy/finish
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-reconfigurator/finish

🚧 Files skipped from review as they are similar to previous changes (2)

• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-egress-proxy/finish
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-reconfigurator/finish

---

Walkthrough

Dynamic port allocation replaces fixed port 53 for both egress and ingress DNS proxies; domain filtering switches from static accept_dns-driven policy to runtime-computed MAGICDNS_MODE (RESTRICTED or UNRESTRICTED). A new configurator script queries Tailscale DNS state and builds domain lists; a new longrunning reconfigurator watches for DNS changes and orchestrates proxy restarts with coordinated forwarding suppression and state validation.

Changes

MagicDNS Proxies & Orchestration Refactor

Layer / File(s)	Summary
Mode detection & list generation usr/bin/configure-magicdns-proxies	New script queries Tailscale DNS status and computes MAGICDNS_MODE (RESTRICTED when accept_dns=false, UNRESTRICTED when accept_dns=true and Resolvers present). Builds /run/dnsmasq_black_white_list containing whitelisted or blacklisted domains. Supports test mode for idempotent change detection via persisted prior status JSON.
Egress proxy dynamic port & mode filtering etc/.../magicdns-egress-proxy/run, .../finish	Egress dnsmasq probes for free port starting from DNSMASQ_EGRESS_DEFAULT_PORT, configures --bind-interfaces --port=${dnsmasq_egress_port}. Applies MAGICDNS_MODE filtering: in RESTRICTED mode forwards to hassio DNS with blacklist exclusions; in UNRESTRICTED mode returns NXDOMAIN for non-whitelisted domains. Writes /etc/resolv.for-tailscaled.conf only on first startup. Removes forwarding rules before shutdown.
Ingress proxy dynamic port & conditional forwarding etc/.../magicdns-ingress-proxy/run, .../finish	Ingress dnsmasq probes for free port from 51100 to +999, configures --bind-dynamic --port=${dnsmasq_ingress_port}. Applies MAGICDNS_MODE filtering: in RESTRICTED mode returns NXDOMAIN except for whitelisted domains; in UNRESTRICTED mode forwards all except blacklisted. Forwarding setup is conditional on absence of suppress marker file. Cleans up forwarding conditionally on shutdown based on marker presence.
Reconfigurator & orchestration etc/.../magicdns-proxies-reconfigurator/run, .../finish, etc/.../magicdns-proxies-configurator/run	New reconfigurator watches Tailscale IPN DNS state, runs configurator test, publishes health state (HEALTHY/UNHEALTHY), disables ingress forwarding before restarts, restarts egress proxy, creates suppress marker and restarts ingress proxy, validates ingress port file becomes non-empty, re-enables forwarding using stored port. Configurator applies changes and triggers egress restart.

Sequence Diagram(s)

sequenceDiagram
    participant IPN as Tailscale IPN
    participant Reconf as reconfigurator
    participant Config as configure test
    participant Egress as egress-proxy
    participant Ingress as ingress-proxy
    participant FWD as forwarding scripts

    loop watch DNS state
        IPN->>Reconf: DNS state change
        Reconf->>Config: run configure test
        alt test unchanged
            Reconf->>Reconf: write HEALTHY
        else test changed
            Reconf->>FWD: remove ingress forwarding
            Reconf->>Egress: s6-svc -ruwR
            Reconf->>Ingress: create suppress marker
            Reconf->>Ingress: s6-svc -ruwR
            Reconf->>Ingress: wait file_non_empty /run/dnsmasq_ingress_port
            Reconf->>FWD: re-add forwarding with persisted port
            Reconf->>FWD: remove drop state
            Reconf->>Reconf: delete stored port file
            Reconf->>Reconf: write HEALTHY
        end
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

• hassio-addons/app-tailscale#455: Earlier MagicDNS ingress/egress proxy framework; main PR extends with dynamic ports and mode-driven filtering.
• hassio-addons/app-tailscale#541: Modified MagicDNS proxy control-flow around accept_dns; main PR replaces accept_dns logic with MAGICDNS_MODE across ingress/egress.
• hassio-addons/app-tailscale#616: Adjusted MagicDNS defaults in s6 scripts; main PR refactors domain filtering into new configurator and reconfigurator services.

Suggested labels

refactor, magicdns

Suggested reviewers

• frenck

🐰 I hopped through ports both high and low,
swapped fifty-three for a wandering flow,
tuned the rules and spun modes neat—
now DNS finds its magic beat! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately summarizes the primary objective: refactoring MagicDNS support to handle appconnectors by moving proxies to dynamic ports and implementing reconfiguration logic.
Linked Issues check	✅ Passed	The PR addresses issue #661's core objectives: DNS proxies now run on dynamic ports avoiding conflicts, proper forwarding rules manage port 53 access, and the reconfiguration system enables DNS to adapt as tailnet configuration changes, supporting app connector functionality restoration.
Out of Scope Changes check	✅ Passed	All changes directly support MagicDNS refactoring and DNS handling for appconnectors. File additions (new scripts, configurator, reconfigurator) and modifications (dynamic port selection, forwarding rules, iptables management) are tightly scoped to the stated objective with no unrelated alterations detected.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tailscale/rootfs/usr/bin/magicdns-egress-proxy-forwarding`:
- Around line 42-47: The loop that parses proto and port uses non-POSIX regex
tokens in the grep and sed patterns; update the grep -E pattern to replace \s
with [[:space:]] and \d with [0-9], and replace the non-greedy .*? with greedy
constructs that limit scope (e.g., use [^[:space:]]+ or [^:]+ where appropriate)
so the pattern reliably matches "-p <proto>" and the destination port; likewise
change the sed -nr pattern to capture the protocol and port with
POSIX-compatible groups like ([^[:space:]]+) and ([0-9]+) instead of \S and \d,
keeping the same capture order used by IFS='|' read -r proto to_port.

In `@tailscale/rootfs/usr/bin/magicdns-ingress-proxy-forwarding`:
- Around line 63-68: The grep -E and sed -r patterns in the for loop use PCRE
constructs (.*?, \s, \S, \d) which sed/grep POSIX ERE don't support; update the
grep pattern and the sed substitution to use POSIX ERE classes and greedy
matching (e.g. replace \s with [[:space:]], \S with [^[:space:]] or [[:graph:]]
and \d with [0-9]+, and change .*? to .*). Specifically modify the ${cmd} ... |
{ grep -E "..."; } ... | sed -r 's/^.*?-p\s(\S+).*?:(\d+)$/\1|\2/p' pipeline so
the grep uses [[:space:]] and [0-9]+ and the sed uses -r (or -E) with a pattern
like 's/^.*-p[[:space:]]+([^[:space:]]+).*:([0-9]+)$/\1|\2/p' so that the for
variables loop and the IFS='|' read -r proto to_port correctly extract proto and
to_port.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0c3c44cb-ea76-4e91-b514-8f55ebf7a674

📥 Commits

Reviewing files that changed from the base of the PR and between 02fbebc and 155244f.

📒 Files selected for processing (6)

• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-egress-proxy/finish
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-egress-proxy/run
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-ingress-proxy/run
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run
• tailscale/rootfs/usr/bin/magicdns-egress-proxy-forwarding
• tailscale/rootfs/usr/bin/magicdns-ingress-proxy-forwarding

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-egress-proxy/run`:
- Around line 46-55: The loop that searches for a free egress port skips the
upper bound because it exits when ++dnsmasq_egress_port equals
DNSMASQ_EGRESS_DEFAULT_PORT + 1000, so that boundary port is never tested;
modify the exit check in the while loop to only abort after the candidate has
moved past the upper bound (e.g., change the equality check to a greater-than
comparison), keeping references to dnsmasq_egress_port and
DNSMASQ_EGRESS_DEFAULT_PORT inside the same while loop block so the final
boundary port is actually attempted before failing.
- Around line 78-105: Check MAGICDNS_MODE explicitly and fail fast: replace the
current if bashio::var.equals "${MAGICDNS_MODE}" "RESTRICTED" ... else ... fi
pattern with explicit checks for allowed values (e.g., bashio::var.equals
"${MAGICDNS_MODE}" "RESTRICTED" and bashio::var.equals "${MAGICDNS_MODE}"
"UNRESTRICTED"); keep the existing logic that reads
DNSMASQ_BLACK_WHITE_LIST_LOCATION into black_list/white_list (readarray -t) and
populates options+=(...) for servers or NXDOMAIN, but add a final else branch
that logs a clear error including the invalid MAGICDNS_MODE value via
bashio::log.error and terminates with a non-zero exit (e.g., exit 1) to avoid
silently falling back to the wrong behavior.

In `@tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-reconfigurator/run`:
- Around line 25-34: The probe failure path for configure-magicdns-proxies
currently leaves magicdns_proxies_configuration unset/invalid so the later
change-detection branch can wrongly treat it as "changed" and trigger restarts;
modify the logic in the run loop (inspect the configure-magicdns-proxies call
and the magicdns_proxies_configuration variable usage) so that when
configure-magicdns-proxies test fails you either explicitly set
magicdns_proxies_configuration='unchanged' or skip the restart branch entirely
(only enter the "Restart dnsmasq proxies" block when the probe succeeded and
magicdns_proxies_configuration is a valid non-empty value and not 'unchanged').
Ensure health-state handling with MAGICDNS_PROXIES_RECONFIGURATOR_HEALTH_STATE
remains unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 802ab648-2ef7-4c57-b53d-3d12fadab999

📥 Commits

Reviewing files that changed from the base of the PR and between ae0ccd7 and f79be40.

📒 Files selected for processing (31)

• tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-ingress-proxy/down
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-ingress-proxy/up
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies-upstream-list/run
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies-upstream-list/up
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies/dependencies.d/base
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies/down
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies/finish
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies/run
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies/type
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies/up
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-egress-proxy/dependencies.d/init-magicdns-proxies
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-egress-proxy/run
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-ingress-proxy/dependencies.d/init-magicdns-proxies-upstream-list
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-ingress-proxy/dependencies.d/magicdns-proxies-configurator
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-ingress-proxy/dependencies.d/post-tailscaled
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-ingress-proxy/finish
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-ingress-proxy/run
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-configurator/dependencies.d/post-tailscaled
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-configurator/run
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-configurator/type
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-configurator/up
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-reconfigurator/dependencies.d/magicdns-ingress-proxy
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-reconfigurator/finish
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-reconfigurator/run
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-reconfigurator/type
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/dependencies.d/init-magicdns-ingress-proxy
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/user/contents.d/magicdns-proxies-reconfigurator
• tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh
• tailscale/rootfs/usr/bin/configure-magicdns-proxies
• tailscale/rootfs/usr/bin/healthcheck

💤 Files with no reviewable changes (4)

• tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-ingress-proxy/down
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies-upstream-list/up
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-ingress-proxy/up
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies-upstream-list/run

✅ Files skipped from review due to trivial changes (4)

• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-configurator/up
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-reconfigurator/type
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies/down
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-magicdns-proxies/up

🚧 Files skipped from review as they are similar to previous changes (2)

• tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-ingress-proxy/run

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-reconfigurator/run (1)

37-50: 🏗️ Heavy lift

No error handling in the reconfiguration block leaves the system in an inconsistent state on partial failure.

Every command in the restart sequence (lines 38–50) runs unconditionally with no exit-code checks and no rollback:

• If magicdns-ingress-proxy-forwarding setup drop fails, the drop rule is absent but forwarding is subsequently removed (line 39) — there is a brief window where queries pass through unconstrained.
• If s6-svc -ruwR /run/service/magicdns-ingress-proxy were to return before the ingress proxy writes the port file (see the companion issue above), the forwarding setup call silently misfires.
• If magicdns-ingress-proxy-forwarding remove drop (line 48) fails after forwarding setup (line 47) also failed, the drop rule lingers but forwarding is absent — DNS is permanently blocked.

Because none of these failures update MAGICDNS_PROXIES_RECONFIGURATOR_HEALTH_STATE to UNHEALTHY, the healthcheck (context snippet 4) continues to update LAST_ONLINE_TIMESTAMP even while DNS is broken.

Consider wrapping the reconfiguration sequence in a helper function that tracks success end-to-end and sets UNHEALTHY if any critical step fails, keeping the SUPPRESS marker in place so that a subsequent loop iteration (after the next config change) can re-attempt cleanly:

function reconfigure_proxies() {
  ...
  magicdns-ingress-proxy-forwarding setup drop || return 1
  magicdns-ingress-proxy-forwarding remove forwarding || return 1
  s6-svc -ruwR /run/service/magicdns-egress-proxy || return 1
  s6-svc -ruwR /run/service/magicdns-ingress-proxy || return 1
  [[ -s "${DNSMASQ_INGRESS_PORT_LOCATION}" ]] || return 1
  magicdns-ingress-proxy-forwarding setup forwarding "$(<"${DNSMASQ_INGRESS_PORT_LOCATION}")" || return 1
  magicdns-ingress-proxy-forwarding remove drop || return 1
  rm -r -f "${MAGICDNS_INGRESS_PROXY_SUPPRESS_FORWARDING_CONFIGURATION_LOCATION}"
  rm -r -f "${DNSMASQ_INGRESS_PORT_LOCATION}"
}

if ! reconfigure_proxies; then
  printf "UNHEALTHY" > /var/run/s6/container_environment/MAGICDNS_PROXIES_RECONFIGURATOR_HEALTH_STATE
  healthy=false
fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-reconfigurator/run`
around lines 37 - 50, Wrap the reconfiguration sequence into a helper function
(e.g., reconfigure_proxies) that runs each step with exit-code checks and
returns non-zero on any failure: run magicdns-ingress-proxy-forwarding setup
drop, magicdns-ingress-proxy-forwarding remove forwarding, s6-svc -ruwR for both
/run/service/magicdns-egress-proxy and /run/service/magicdns-ingress-proxy,
verify DNSMASQ_INGRESS_PORT_LOCATION is present and non-empty before calling
magicdns-ingress-proxy-forwarding setup forwarding with its value, then call
magicdns-ingress-proxy-forwarding remove drop and only on full success remove
the SUPPRESS file and DNSMASQ_INGRESS_PORT_LOCATION; if the helper fails, write
"UNHEALTHY" to MAGICDNS_PROXIES_RECONFIGURATOR_HEALTH_STATE and avoid removing
the suppress marker so the next loop can retry, ensuring each command
(magicdns-ingress-proxy-forwarding, s6-svc) is checked and failure
short-circuits the rest.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-reconfigurator/run`:
- Around line 46-50: The restore sequence must guard against a missing/empty
DNSMASQ_INGRESS_PORT_LOCATION and must not remove the drop rule or cleanup the
SUPPRESS marker if forwarding setup cannot run; change the block around
magicdns-ingress-proxy-forwarding so it first tests that
DNSMASQ_INGRESS_PORT_LOCATION exists and is non-empty (e.g. [[ -s
"${DNSMASQ_INGRESS_PORT_LOCATION}" ]]) and only then calls
magicdns-ingress-proxy-forwarding setup forwarding
"$(<"${DNSMASQ_INGRESS_PORT_LOCATION}")"; if the file is missing/empty or the
setup command fails, log an error via bashio::log.error and exit non-zero (or
return) so the subsequent magicdns-ingress-proxy-forwarding remove drop and rm
of
MAGICDNS_INGRESS_PROXY_SUPPRESS_FORWARDING_CONFIGURATION_LOCATION/DNSMASQ_INGRESS_PORT_LOCATION
are not executed; ensure the magicdns-ingress-proxy-forwarding failure is
propagated (do not swallow its exit code).

---

Nitpick comments:
In `@tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-reconfigurator/run`:
- Around line 37-50: Wrap the reconfiguration sequence into a helper function
(e.g., reconfigure_proxies) that runs each step with exit-code checks and
returns non-zero on any failure: run magicdns-ingress-proxy-forwarding setup
drop, magicdns-ingress-proxy-forwarding remove forwarding, s6-svc -ruwR for both
/run/service/magicdns-egress-proxy and /run/service/magicdns-ingress-proxy,
verify DNSMASQ_INGRESS_PORT_LOCATION is present and non-empty before calling
magicdns-ingress-proxy-forwarding setup forwarding with its value, then call
magicdns-ingress-proxy-forwarding remove drop and only on full success remove
the SUPPRESS file and DNSMASQ_INGRESS_PORT_LOCATION; if the helper fails, write
"UNHEALTHY" to MAGICDNS_PROXIES_RECONFIGURATOR_HEALTH_STATE and avoid removing
the suppress marker so the next loop can retry, ensuring each command
(magicdns-ingress-proxy-forwarding, s6-svc) is checked and failure
short-circuits the rest.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6dba5b25-d941-431b-912a-54ad8b3b4d42

📥 Commits

Reviewing files that changed from the base of the PR and between f79be40 and 96d786e.

📒 Files selected for processing (3)

• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-egress-proxy/run
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-ingress-proxy/run
• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-reconfigurator/run

✅ Files skipped from review due to trivial changes (1)

• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-egress-proxy/run

🚧 Files skipped from review as they are similar to previous changes (1)

• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-ingress-proxy/run

[lmagyar]

@coderabbitai resume

[coderabbitai]

✅ Actions performed

Reviews resumed.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-reconfigurator/run`:
- Around line 74-99: The current logic updates previous_ipn_dns_config before
attempting the probe, which suppresses retries on transient failures; change it
so previous_ipn_dns_config is only set after a successful probe by moving the
assignment into the successful-branch (i.e., inside the else of the
configure-magicdns-proxies test where magicdns_proxies_configuration is
available), keep the existing health-state updates and restart_proxies handling
as-is, and ensure you still compare current_ipn_dns_config vs
previous_ipn_dns_config at the top to gate the probe; referenced symbols:
previous_ipn_dns_config, current_ipn_dns_config, configure-magicdns-proxies,
magicdns_proxies_configuration, restart_proxies.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e5625df6-c623-4eb8-ae41-8542a25aa86d

📥 Commits

Reviewing files that changed from the base of the PR and between 96d786e and c240649.

📒 Files selected for processing (1)

• tailscale/rootfs/etc/s6-overlay/s6-rc.d/magicdns-proxies-reconfigurator/run