> What could they possibly want with the data of a group of people who are by construction not spending money on a VPN? They'd be storing it at a loss.
This is the exact point where our conclusions diverge.
Why are they sending themselves so much "useless" data-intensive logs by default, from their non-paying clients that account for roughly ~95% of the userbase and, from a profitable business perspective, are largely ineligible for troubleshooting support? For me, the only logical conclusion is that the data is valuable to them.
As someone who also cares about privacy, here are a few things that IMO suggest that free customers' logs are a part of their business model:
* Their documentation has plenty of references to security, but no references to privacy outside of the privacy policy.
* They have all but eliminated any revenue stream from the average user when they made an unsolicited announcement that they upgraded their free plan to allow 100 devices and 5 users.
* The content they sponsor for marketing/advertising seems targeted for consumers instead of networking professionals. I don't see Cisco and Palo Alto Networks sponsoring every Linux/self-hosting podcast or YouTube channels for example.
* Even the flag-name for turning off logging is a mild deterrent based on what you will lose (`--no-support`) as opposed to being neutral (`--no-logging`) or truly descriptive like most FOSS companies that are not pushing an ulterior motive, such as `--no-analytics`.
* logs cannot be disabled for phones
* In my experience, disabling logs was perhaps the only thing that was not configurable through the GUI
I'm into privacy and still relatively new on the networking scene thanks to setting up OpenWrt on my router. Am I correct that when tailscale updates/hijacked resolv.conf, subsequent DNS resolution is passed onto them on visited websites even when tailscale is not being used? No, they can't "read" your traffic, but if I understand things right, they know every website you visited and for how long, which is more than enough data for a rich marketing profile. That was my takeaway before I jumped ship for a self-hosted solution.
My understanding is that they have the holy grail of data because they are getting all of your LAN, WAN and mobile network traffic. I'm not aware of (m)any companies whose business model allows access to all three? It's like if your ISP and your Mobile Network had a baby on your local server, and that baby reports every website you visit.
> Am I correct that when tailscale updates/hijacked resolv.conf, subsequent DNS resolution is passed onto them on visited websites even when tailscale is not being used?
I think you're incorrect in the default settings, even when tailscale is active.
By default, your tailnet's devices use their local DNS settings for all queries. To force clients to always use the nameservers you define, you can enable the Override DNS servers toggle.
> I think you're incorrect in the default settings
What mac-attack is correct about is that by default, `tailscaled` sets itself as the only DNS resolver and proxies all DNS requests to your non-Tailscale nameservers. Citations:
“`100.100.100.100` or Quad100 is a special Tailscale IP address […] that provides essential local services. It operates similarly to the localhost address (`127.0.0.1`) but serves only Tailscale-specific services. These services include a DNS resolver.”
“One of the services provided by Quad100 is a DNS resolver running on port 53 (`100.100.100.100:53`). A DNS resolver is a service that translates IP addresses to hostnames like `google.com` or `macbook.tailnetname.ts.net`. Quad100 is a stub resolver, similar to systemd-resolved, except with extra features.”
“The upcoming Tailscale 1.8 release implements all of the above [other DNS managers], which should hopefully make DNS on Linux just work, no matter how your machine is choosing to do it.”
“Tailnets created on or after October 20, 2022 have MagicDNS enabled by default.”
It does say “While Quad100's DNS resolver operates locally without logging, forwarded requests might be logged by configured nameservers.”, but the fact remains that the Tailscale software is very aggressive about taking over all DNS resolution on your system. Once that is done, the option of whether or not `tailscaled` overrides your default nameservers can be configured remotely without you knowing it's happening!
I'm split on this. According to your links, it tries to cooperate with the system resolver. If it can't find a way to do it, then yeah, it kinda has to replace it.
Of course, they could put this much more front and center in the docs, so that if you're running some funky setup and know what you're doing, you should be able to easily do it - which you probably can with the `--disable-dns` thing. But putting it in a prominent spot in the docs could help to not overlook this.
I've just checked the setup on a machine running systemd-networkd and resolved, and resolv.conf wasn't touched. It only added a specific DNS setup for the tailscale0 interface, which only covers my tailnet name and IPs. It doesn't even show as a fallback or whatever in the global section.
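The two comments above disagree about what actually ends up in `resolv.conf`, and the quickest way to settle it on a given box is to look. The script below is an added example, not code from the thread or from Tailscale: it classifies a resolv.conf-style file by whether the Quad100 address (`100.100.100.100`, taken from the docs quoted above) is the only nameserver, one of several, or absent, and reports whether a `.ts.net` search domain is present. The sample files it writes are constructed for illustration and are not real captures from any machine.

```shell
#!/bin/sh
# Added example (not from the thread or Tailscale): classify a resolv.conf
# file by who will answer DNS queries. The only fact taken from the thread is
# that tailscaled's stub resolver listens at 100.100.100.100 (Quad100).
# classify_resolv prints one of:
#   no-nameservers, quad100-only, quad100-mixed, no-quad100

QUAD100='100.100.100.100'

# Print the nameserver addresses in a resolv.conf-style file, one per line.
list_nameservers() {
    # grep exits 1 when nothing matches; an empty list is a valid result.
    grep -E '^[[:space:]]*nameserver[[:space:]]+' "$1" | awk '{print $2}' || true
}

# Classify a file (default: the live /etc/resolv.conf).
classify_resolv() {
    file="${1:-/etc/resolv.conf}"
    ns=$(list_nameservers "$file")
    total=$(printf '%s\n' "$ns" | grep -c . || true)
    quad=$(printf '%s\n' "$ns" | grep -c -F -x "$QUAD100" || true)
    if [ "$total" -eq 0 ]; then
        echo "no-nameservers"
    elif [ "$quad" -eq "$total" ]; then
        echo "quad100-only"      # every query goes through tailscaled's stub
    elif [ "$quad" -gt 0 ]; then
        echo "quad100-mixed"     # Quad100 listed alongside other resolvers
    else
        echo "no-quad100"        # tailscaled is not in the resolver path here
    fi
}

# Report yes/no: does any "search" line carry a tailnet (.ts.net) domain?
has_tailnet_search() {
    if grep -qE '^[[:space:]]*search[[:space:]].*\.ts\.net' "$1"; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample files (illustrative only, not captured from a real host).
write_samples() {
    dir="$1"
    printf '# constructed: tailscaled-managed file\nsearch tailnetname.ts.net\nnameserver %s\n' \
        "$QUAD100" > "$dir/resolv.tailscale"
    printf '# constructed: systemd-resolved stub file\nnameserver 127.0.0.53\noptions edns0 trust-ad\nsearch lan\n' \
        > "$dir/resolv.resolved"
    printf '# constructed: Quad100 plus the router\nnameserver %s\nnameserver 192.168.1.1\n' \
        "$QUAD100" > "$dir/resolv.mixed"
    printf '# constructed: nothing configured\n' > "$dir/resolv.empty"
}

# Stand-alone use: classify the live file when one is readable.
if [ -r /etc/resolv.conf ]; then
    printf '/etc/resolv.conf: %s (tailnet search domain: %s)\n' \
        "$(classify_resolv /etc/resolv.conf)" "$(has_tailnet_search /etc/resolv.conf)"
fi
```

A `no-quad100` result with `127.0.0.53` as the nameserver is the systemd-resolved case the commenter describes, and it says nothing about per-link scopes: on such a host, `resolvectl status` is where a tailscale0-only DNS scope would show up, so check both before concluding which resolver handles non-tailnet names.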
> the option of whether or not `tailscaled` overrides your default nameservers can be configured remotely without you knowing it's happening!
I mean, there's two situations. Either we're talking about a "pro" environment, where corp vpns taking over your local network config, as much as I hate it, isn't exactly news. Then there's the personal plans users, in which case, if the DNS changes without you knowing, you probably have way bigger problems.