Local DNS resolution doeesn't work on macOS with MagicDNS enabled #284

New Issue

Closed

opened 2025-12-29 01:26:02 +01:00 by adam · 21 comments

adam commented 2025-12-29 01:26:02 +01:00

Owner

Copy Link

Originally created by @felixscheinost on GitHub (Jun 23, 2022).

Bug description

When connected to a Headscale server where MagicDNS is enabled, local name resolution doesn't work anymore on macOS.

For example without Tailscale enabled my machine receives DNS configuration via DHCP from my home router.
The home router runs its own DNS server and resolves <router_name> to its own IP address.
Once connected to the Headscale Tailnet, <router_name> can no longer be resolved.

With the official Tailscale coordination server on the other hand there is an explicit option whether local DNS resolution should be overriden or not. If the toggle to override local DNS resolution is turned off, the router name can still be resolved.

So this seems like a bug in how Headscale configures the Tailscale client.

Context info

• Version of headscale 0.15.0
• Version of tailscale 1.16.1
• OS macOS 12.4
• config.yaml

dns_config:
  base_domain: 'example.com'
  domains: []
  magic_dns: true
  nameservers:
  - 1.1.1.1

Output of scutil --dns

The output of scutil --dns looks different when connected to Tailscale vs Headscale.

Tailscale

DNS configuration

resolver #1 
  search domain[0] : internal.example.com (note: probably because I configured scutil --set HostName to be <machine_name>.internal.example.com)
  search domain[1] : <my-email-address>.beta.tailscale.net
  search domain[2] : ts.net
  search domain[3] : <router DHCP domain_name>
  nameserver[0] : <router ipv4>
  nameserver[1] : <router ipv6>
  if_index : 13 (en7)
  flags    : Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2 - #65
  domain   : <64-127>.100.in-addr.arpa.
  nameserver[0] : 100.100.100.100
  if_index : 28 (utun3)
  flags    : Supplemental, Request A records, Request AAAA records
  reach    : 0x00000003 (Reachable,Transient Connection)
  order    : 103002 - 103065

resolver #66
  domain   : 0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa.
  nameserver[0] : 100.100.100.100
  if_index : 28 (utun3)
  flags    : Supplemental, Request A records, Request AAAA records
  reach    : 0x00000003 (Reachable,Transient Connection)
  order    : 103001

resolver #67
  domain   : <my email address>.beta.tailscale.net.
  nameserver[0] : 100.100.100.100
  if_index : 28 (utun3)
  flags    : Supplemental, Request A records, Request AAAA records
  reach    : 0x00000003 (Reachable,Transient Connection)
  order    : 103000

resolver #68
  domain   : ts.net.
  nameserver[0] : 100.100.100.100
  if_index : 28 (utun3)
  flags    : Supplemental, Request A records, Request AAAA records
  reach    : 0x00000003 (Reachable,Transient Connection)
  order    : 103066

resolver #69
  domain   : internal.example.com (note: this resolver comes from corporate IPSec VPN that I am connected to as well. this corporate VPN does split-tunneling. it takes over DNS for this subdomain)
  nameserver[0] : <corporate DNS 1>
  nameserver[1] : <corporate DNS 2>
  nameserver[2] : <corporate DNS 3>
  if_index : 27 (utun4)
  flags    : Supplemental, Request A records, Request AAAA records
  reach    : 0x00000003 (Reachable,Transient Connection)
  order    : 101200

resolver #70
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #71
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #72
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #73
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #74
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #75
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000


DNS configuration (for scoped queries)

resolver #1
  search domain[0] : <router DHCP domain_name>
  nameserver[0] : <router ipv4>
  nameserver[1] : <router ipv6>
  if_index : 13 (en7)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  search domain[0] : <router DHCP domain_name>
  nameserver[0] : <router ipv4>
  nameserver[1] : <router ipv6>
  if_index : 15 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #3
  search domain[0] : internal.example.com
  nameserver[0] : <corporate DNS 1>
  nameserver[1] : <corporate DNS 2>
  nameserver[2] : <corporate DNS 3>
  if_index : 27 (utun4)
  flags    : Scoped, Request A records
  reach    : 0x00000003 (Reachable,Transient Connection)

resolver #4
  search domain[0] : <my_email_address>.beta.tailscale.net
  search domain[1] : 0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa
  search domain[2] : 100.100.in-addr.arpa
  search domain[3] : 101.100.in-addr.arpa
  search domain[4] : 102.100.in-addr.arpa
  search domain[5] : 103.100.in-addr.arpa
  search domain[6] : 104.100.in-addr.arpa
  search domain[7] : 105.100.in-addr.arpa
  search domain[8] : 106.100.in-addr.arpa
  search domain[9] : 107.100.in-addr.arpa
  search domain[10] : 108.100.in-addr.arpa
  search domain[11] : 109.100.in-addr.arpa
  search domain[12] : 110.100.in-addr.arpa
  search domain[13] : 111.100.in-addr.arpa
  search domain[14] : 112.100.in-addr.arpa
  search domain[15] : 113.100.in-addr.arpa
  search domain[16] : 114.100.in-addr.arpa
  search domain[17] : 115.100.in-addr.arpa
  search domain[18] : 116.100.in-addr.arpa
  search domain[19] : 117.100.in-addr.arpa
  search domain[20] : 118.100.in-addr.arpa
  search domain[21] : 119.100.in-addr.arpa
  search domain[22] : 120.100.in-addr.arpa
  search domain[23] : 121.100.in-addr.arpa
  search domain[24] : 122.100.in-addr.arpa
  search domain[25] : 123.100.in-addr.arpa
  search domain[26] : 124.100.in-addr.arpa
  search domain[27] : 125.100.in-addr.arpa
  search domain[28] : 126.100.in-addr.arpa
  search domain[29] : 127.100.in-addr.arpa
  search domain[30] : 64.100.in-addr.arpa
  search domain[31] : 65.100.in-addr.arpa
  search domain[32] : 66.100.in-addr.arpa
  search domain[33] : 67.100.in-addr.arpa
  search domain[34] : 68.100.in-addr.arpa
  search domain[35] : 69.100.in-addr.arpa
  search domain[36] : 70.100.in-addr.arpa
  search domain[37] : 71.100.in-addr.arpa
  search domain[38] : 72.100.in-addr.arpa
  search domain[39] : 73.100.in-addr.arpa
  search domain[40] : 74.100.in-addr.arpa
  search domain[41] : 75.100.in-addr.arpa
  search domain[42] : 76.100.in-addr.arpa
  search domain[43] : 77.100.in-addr.arpa
  search domain[44] : 78.100.in-addr.arpa
  search domain[45] : 79.100.in-addr.arpa
  search domain[46] : 80.100.in-addr.arpa
  search domain[47] : 81.100.in-addr.arpa
  search domain[48] : 82.100.in-addr.arpa
  search domain[49] : 83.100.in-addr.arpa
  search domain[50] : 84.100.in-addr.arpa
  search domain[51] : 85.100.in-addr.arpa
  search domain[52] : 86.100.in-addr.arpa
  search domain[53] : 87.100.in-addr.arpa
  search domain[54] : 88.100.in-addr.arpa
  search domain[55] : 89.100.in-addr.arpa
  search domain[56] : 90.100.in-addr.arpa
  search domain[57] : 91.100.in-addr.arpa
  search domain[58] : 92.100.in-addr.arpa
  search domain[59] : 93.100.in-addr.arpa
  search domain[60] : 94.100.in-addr.arpa
  search domain[61] : 95.100.in-addr.arpa
  search domain[62] : 96.100.in-addr.arpa
  search domain[63] : 97.100.in-addr.arpa
  search domain[64] : 98.100.in-addr.arpa
  search domain[65] : 99.100.in-addr.arpa
  search domain[66] : ts.net
  nameserver[0] : 100.100.100.100
  if_index : 28 (utun3)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00000003 (Reachable,Transient Connection)

Headscale

DNS configuration

resolver #1
  search domain[0] : internal.example.com
  search domain[1] : <headscale namespace>.example.com
  search domain[2] : <router DHCP domain_name>
  nameserver[0] : 100.100.100.100
  if_index : 27 (utun4)
  flags    : Supplemental, Request A records, Request AAAA records
  reach    : 0x00000003 (Reachable,Transient Connection)
  order    : 103400

resolver #2
  nameserver[0] : <router ipv4>
  nameserver[1] : <router ipv6>
  if_index : 13 (en7)
  flags    : Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)
  order    : 200000

resolver #3
  domain   : <headscale namespace>.example.com.
  nameserver[0] : 100.100.100.100
  if_index : 27 (utun4)
  flags    : Supplemental, Request A records, Request AAAA records
  reach    : 0x00000003 (Reachable,Transient Connection)
  order    : 103401

resolver #4
  domain   : internal.example.com
  nameserver[0] : <corporate DNS 1>
  nameserver[1] : <corporate DNS 2>
  nameserver[2] : <corporate DNS 3>
  if_index : 28 (utun3)
  flags    : Supplemental, Request A records, Request AAAA records
  reach    : 0x00000003 (Reachable,Transient Connection)
  order    : 101000

resolver #5
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #6
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #7
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #8
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #9
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #10
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : <router DHCP domain_name>
  nameserver[0] : <router ipv4>
  nameserver[1] : <router ipv6>
  if_index : 13 (en7)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  search domain[0] : <router DHCP domain_name>
  nameserver[0] : <router ipv4>
  nameserver[1] : <router ipv6>
  if_index : 15 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #3
  search domain[0] : internal.example.com
  nameserver[0] : <corporate DNS 1>
  nameserver[1] : <corporate DNS 2>
  nameserver[2] : <corporate DNS 3>
  if_index : 28 (utun3)
  flags    : Scoped, Request A records
  reach    : 0x00000003 (Reachable,Transient Connection)

resolver #4
  search domain[0] : <headscale namespace>.example.com
  nameserver[0] : 100.100.100.100
  if_index : 27 (utun4)
  flags    : Scoped, Request A records
  reach    : 0x00000003 (Reachable,Transient Connection)

=> So it seems with Tailscale my resolver number 1 stays my router, even for the Tailscale namespaces, while with Headscale resolver number 1 is 100.100.100.100

Originally created by @felixscheinost on GitHub (Jun 23, 2022). <!-- Headscale is a multinational community across the globe. Our common language is English. Please consider raising the bug report in this language. --> **Bug description** When connected to a Headscale server where MagicDNS is enabled, local name resolution doesn't work anymore on macOS. For example without Tailscale enabled my machine receives DNS configuration via DHCP from my home router. The home router runs its own DNS server and resolves <router_name> to its own IP address. Once connected to the Headscale Tailnet, <router_name> can no longer be resolved. With the official Tailscale coordination server on the other hand there is an explicit option whether local DNS resolution should be overriden or not. If the toggle to override local DNS resolution is turned off, the router name can still be resolved. So this seems like a bug in how Headscale configures the Tailscale client. **Context info** - Version of headscale 0.15.0 - Version of tailscale 1.16.1 - OS macOS 12.4 - `config.yaml` ``` dns_config: base_domain: 'example.com' domains: [] magic_dns: true nameservers: - 1.1.1.1 ``` ## Output of `scutil --dns` The output of `scutil --dns` looks different when connected to Tailscale vs Headscale. ### Tailscale ``` DNS configuration resolver #1 search domain[0] : internal.example.com (note: probably because I configured scutil --set HostName to be <machine_name>.internal.example.com) search domain[1] : <my-email-address>.beta.tailscale.net search domain[2] : ts.net search domain[3] : <router DHCP domain_name> nameserver[0] : <router ipv4> nameserver[1] : <router ipv6> if_index : 13 (en7) flags : Request A records, Request AAAA records reach : 0x00020002 (Reachable,Directly Reachable Address) resolver #2 - #65 domain : <64-127>.100.in-addr.arpa. nameserver[0] : 100.100.100.100 if_index : 28 (utun3) flags : Supplemental, Request A records, Request AAAA records reach : 0x00000003 (Reachable,Transient Connection) order : 103002 - 103065 resolver #66 domain : 0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa. nameserver[0] : 100.100.100.100 if_index : 28 (utun3) flags : Supplemental, Request A records, Request AAAA records reach : 0x00000003 (Reachable,Transient Connection) order : 103001 resolver #67 domain : <my email address>.beta.tailscale.net. nameserver[0] : 100.100.100.100 if_index : 28 (utun3) flags : Supplemental, Request A records, Request AAAA records reach : 0x00000003 (Reachable,Transient Connection) order : 103000 resolver #68 domain : ts.net. nameserver[0] : 100.100.100.100 if_index : 28 (utun3) flags : Supplemental, Request A records, Request AAAA records reach : 0x00000003 (Reachable,Transient Connection) order : 103066 resolver #69 domain : internal.example.com (note: this resolver comes from corporate IPSec VPN that I am connected to as well. this corporate VPN does split-tunneling. it takes over DNS for this subdomain) nameserver[0] : <corporate DNS 1> nameserver[1] : <corporate DNS 2> nameserver[2] : <corporate DNS 3> if_index : 27 (utun4) flags : Supplemental, Request A records, Request AAAA records reach : 0x00000003 (Reachable,Transient Connection) order : 101200 resolver #70 domain : local options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 300000 resolver #71 domain : 254.169.in-addr.arpa options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 300200 resolver #72 domain : 8.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 300400 resolver #73 domain : 9.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 300600 resolver #74 domain : a.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 300800 resolver #75 domain : b.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 301000 DNS configuration (for scoped queries) resolver #1 search domain[0] : <router DHCP domain_name> nameserver[0] : <router ipv4> nameserver[1] : <router ipv6> if_index : 13 (en7) flags : Scoped, Request A records, Request AAAA records reach : 0x00020002 (Reachable,Directly Reachable Address) resolver #2 search domain[0] : <router DHCP domain_name> nameserver[0] : <router ipv4> nameserver[1] : <router ipv6> if_index : 15 (en0) flags : Scoped, Request A records, Request AAAA records reach : 0x00020002 (Reachable,Directly Reachable Address) resolver #3 search domain[0] : internal.example.com nameserver[0] : <corporate DNS 1> nameserver[1] : <corporate DNS 2> nameserver[2] : <corporate DNS 3> if_index : 27 (utun4) flags : Scoped, Request A records reach : 0x00000003 (Reachable,Transient Connection) resolver #4 search domain[0] : <my_email_address>.beta.tailscale.net search domain[1] : 0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa search domain[2] : 100.100.in-addr.arpa search domain[3] : 101.100.in-addr.arpa search domain[4] : 102.100.in-addr.arpa search domain[5] : 103.100.in-addr.arpa search domain[6] : 104.100.in-addr.arpa search domain[7] : 105.100.in-addr.arpa search domain[8] : 106.100.in-addr.arpa search domain[9] : 107.100.in-addr.arpa search domain[10] : 108.100.in-addr.arpa search domain[11] : 109.100.in-addr.arpa search domain[12] : 110.100.in-addr.arpa search domain[13] : 111.100.in-addr.arpa search domain[14] : 112.100.in-addr.arpa search domain[15] : 113.100.in-addr.arpa search domain[16] : 114.100.in-addr.arpa search domain[17] : 115.100.in-addr.arpa search domain[18] : 116.100.in-addr.arpa search domain[19] : 117.100.in-addr.arpa search domain[20] : 118.100.in-addr.arpa search domain[21] : 119.100.in-addr.arpa search domain[22] : 120.100.in-addr.arpa search domain[23] : 121.100.in-addr.arpa search domain[24] : 122.100.in-addr.arpa search domain[25] : 123.100.in-addr.arpa search domain[26] : 124.100.in-addr.arpa search domain[27] : 125.100.in-addr.arpa search domain[28] : 126.100.in-addr.arpa search domain[29] : 127.100.in-addr.arpa search domain[30] : 64.100.in-addr.arpa search domain[31] : 65.100.in-addr.arpa search domain[32] : 66.100.in-addr.arpa search domain[33] : 67.100.in-addr.arpa search domain[34] : 68.100.in-addr.arpa search domain[35] : 69.100.in-addr.arpa search domain[36] : 70.100.in-addr.arpa search domain[37] : 71.100.in-addr.arpa search domain[38] : 72.100.in-addr.arpa search domain[39] : 73.100.in-addr.arpa search domain[40] : 74.100.in-addr.arpa search domain[41] : 75.100.in-addr.arpa search domain[42] : 76.100.in-addr.arpa search domain[43] : 77.100.in-addr.arpa search domain[44] : 78.100.in-addr.arpa search domain[45] : 79.100.in-addr.arpa search domain[46] : 80.100.in-addr.arpa search domain[47] : 81.100.in-addr.arpa search domain[48] : 82.100.in-addr.arpa search domain[49] : 83.100.in-addr.arpa search domain[50] : 84.100.in-addr.arpa search domain[51] : 85.100.in-addr.arpa search domain[52] : 86.100.in-addr.arpa search domain[53] : 87.100.in-addr.arpa search domain[54] : 88.100.in-addr.arpa search domain[55] : 89.100.in-addr.arpa search domain[56] : 90.100.in-addr.arpa search domain[57] : 91.100.in-addr.arpa search domain[58] : 92.100.in-addr.arpa search domain[59] : 93.100.in-addr.arpa search domain[60] : 94.100.in-addr.arpa search domain[61] : 95.100.in-addr.arpa search domain[62] : 96.100.in-addr.arpa search domain[63] : 97.100.in-addr.arpa search domain[64] : 98.100.in-addr.arpa search domain[65] : 99.100.in-addr.arpa search domain[66] : ts.net nameserver[0] : 100.100.100.100 if_index : 28 (utun3) flags : Scoped, Request A records, Request AAAA records reach : 0x00000003 (Reachable,Transient Connection) ``` ### Headscale ``` DNS configuration resolver #1 search domain[0] : internal.example.com search domain[1] : <headscale namespace>.example.com search domain[2] : <router DHCP domain_name> nameserver[0] : 100.100.100.100 if_index : 27 (utun4) flags : Supplemental, Request A records, Request AAAA records reach : 0x00000003 (Reachable,Transient Connection) order : 103400 resolver #2 nameserver[0] : <router ipv4> nameserver[1] : <router ipv6> if_index : 13 (en7) flags : Request A records, Request AAAA records reach : 0x00020002 (Reachable,Directly Reachable Address) order : 200000 resolver #3 domain : <headscale namespace>.example.com. nameserver[0] : 100.100.100.100 if_index : 27 (utun4) flags : Supplemental, Request A records, Request AAAA records reach : 0x00000003 (Reachable,Transient Connection) order : 103401 resolver #4 domain : internal.example.com nameserver[0] : <corporate DNS 1> nameserver[1] : <corporate DNS 2> nameserver[2] : <corporate DNS 3> if_index : 28 (utun3) flags : Supplemental, Request A records, Request AAAA records reach : 0x00000003 (Reachable,Transient Connection) order : 101000 resolver #5 domain : local options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 300000 resolver #6 domain : 254.169.in-addr.arpa options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 300200 resolver #7 domain : 8.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 300400 resolver #8 domain : 9.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 300600 resolver #9 domain : a.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 300800 resolver #10 domain : b.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 301000 DNS configuration (for scoped queries) resolver #1 search domain[0] : <router DHCP domain_name> nameserver[0] : <router ipv4> nameserver[1] : <router ipv6> if_index : 13 (en7) flags : Scoped, Request A records, Request AAAA records reach : 0x00020002 (Reachable,Directly Reachable Address) resolver #2 search domain[0] : <router DHCP domain_name> nameserver[0] : <router ipv4> nameserver[1] : <router ipv6> if_index : 15 (en0) flags : Scoped, Request A records, Request AAAA records reach : 0x00020002 (Reachable,Directly Reachable Address) resolver #3 search domain[0] : internal.example.com nameserver[0] : <corporate DNS 1> nameserver[1] : <corporate DNS 2> nameserver[2] : <corporate DNS 3> if_index : 28 (utun3) flags : Scoped, Request A records reach : 0x00000003 (Reachable,Transient Connection) resolver #4 search domain[0] : <headscale namespace>.example.com nameserver[0] : 100.100.100.100 if_index : 27 (utun4) flags : Scoped, Request A records reach : 0x00000003 (Reachable,Transient Connection) ``` => So it seems with Tailscale my resolver number 1 stays my router, even for the Tailscale namespaces, while with Headscale resolver number 1 is `100.100.100.100`

adam added the stalebug labels 2025-12-29 01:26:02 +01:00

adam closed this issue 2025-12-29 01:26:02 +01:00

adam commented 2025-12-29 01:26:03 +01:00

Author

Owner

Copy Link

@huskyii commented on GitHub (Jun 26, 2022):

I encountered some dns issue in Linux and OpenBSD machine, have not dive into these issues, but I think it may be same as yours.

@huskyii commented on GitHub (Jun 26, 2022): I encountered some dns issue in Linux and OpenBSD machine, have not dive into these issues, but I think it may be same as yours.

adam commented 2025-12-29 01:26:03 +01:00

Author

Owner

Copy Link

@huskyii commented on GitHub (Jun 26, 2022):

After read some code, I think DefaultResolvers should be set to nil and a Route map item { '.' : '$resolver_set_in_config'} shoule be added into Routes.

I do not have a official tailscale account, maybe someone with official tailscale account could look into the log see how dns config looks like(keyword: dns: Set:)

If anyone confirm my guess is correct, I'm happy to implement the fix :)

@huskyii commented on GitHub (Jun 26, 2022): After read some code, I think `DefaultResolvers` should be set to nil and a Route map item `{ '.' : '$resolver_set_in_config'}` shoule be added into Routes. I do not have a official tailscale account, maybe someone with official tailscale account could look into the log see how dns config looks like(keyword: `dns: Set:`) If anyone confirm my guess is correct, I'm happy to implement the fix :)

adam commented 2025-12-29 01:26:04 +01:00

Author

Owner

Copy Link

@felixscheinost commented on GitHub (Jun 26, 2022):

Oh cool, that you have a hunch so quickly! @huskyii

I just checked on a different Linux machine, that should work as well, right?

In there I have the following line in the log:

tailscaled[32149]: router: dns: Set: {Nameservers:[100.100.100.100] Domains:[<email>.beta.tailscale.net] PerDomain:false Proxied:true

Is that what you are looking for?

@felixscheinost commented on GitHub (Jun 26, 2022): Oh cool, that you have a hunch so quickly! @huskyii I just checked on a different Linux machine, that should work as well, right? In there I have the following line in the log: ``` tailscaled[32149]: router: dns: Set: {Nameservers:[100.100.100.100] Domains:[<email>.beta.tailscale.net] PerDomain:false Proxied:true ``` Is that what you are looking for?

adam commented 2025-12-29 01:26:04 +01:00

Author

Owner

Copy Link

@huskyii commented on GitHub (Jun 27, 2022):

Oh cool, that you have a hunch so quickly! @huskyii

I just checked on a different Linux machine, that should work as well, right?

In there I have the following line in the log:

tailscaled[32149]: router: dns: Set: {Nameservers:[100.100.100.100] Domains:[<email>.beta.tailscale.net] PerDomain:false Proxied:true

Is that what you are looking for?

Hi @felixscheinost which version of tailscale r u using?
The log is different from mine. I'm using tailscale 1.26.1

Here's my log, note: no router: before dns: Set:

tailscaled[51443]: dns: Set: {DefaultResolvers:[] Routes:{} SearchDomains:[] Hosts:0}

@huskyii commented on GitHub (Jun 27, 2022): > Oh cool, that you have a hunch so quickly! @huskyii > > I just checked on a different Linux machine, that should work as well, right? > > In there I have the following line in the log: > > ``` > tailscaled[32149]: router: dns: Set: {Nameservers:[100.100.100.100] Domains:[<email>.beta.tailscale.net] PerDomain:false Proxied:true > ``` > > Is that what you are looking for? Hi @felixscheinost which version of tailscale r u using? The log is different from mine. I'm using tailscale 1.26.1 Here's my log, note: no `router:` before `dns: Set:` ``` tailscaled[51443]: dns: Set: {DefaultResolvers:[] Routes:{} SearchDomains:[] Hosts:0} ```

adam commented 2025-12-29 01:26:07 +01:00

Author

Owner

Copy Link

@vquicksilver commented on GitHub (Jul 9, 2022):

Isn't this related to #280 ? My understanding is that an option for deciding if you want to override the DNS servers, or just use "split-dns" as in adding an extra DNS server to your current network configuration is missing on the headscale side vs tailscale.

In some cases you might want to force the DNS servers in the configuration to be the only ones (i.e if you are using another node as an exit node and the node has a DNS server configured and you don't want to leak DNS requests to the outside world), and in other cases you only want to add an extra DNS server to your configuration so that you can resolve the internal tailscale/headscale names.

I am not sure of which mode it is the default right now, for example in one of my Ubuntu systems I see:

# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.

nameserver 100.100.100.100
nameserver 10.83.0.1
nameserver fd0c:989d:1024::1
search home.i.my-private.domain local

This system was joined with the following command:

tailscale up --exit-node=100.64.0.1 --exit-node-allow-lan-access --login-server=https://vpn.my-private.domain

I guess the parameters you use to join the overlay network do also effect the resulting DNS servers in your system, as someone new to tailscale/headscale it would be great to get more details on how this is supposed to work in the documentation.

I also have configured 100.64.0.1 as my default DNS server in the headscale config with:

dns_config:
  # List of DNS servers to expose to clients.
  nameservers:
    - 100.64.0.1

And I am running my own DNS server on that system. systemd-resolve --status is showing 100.100.100.100 as the default DNS server for ~* , but the queries are still being forwarded to 100.64.0.1 (I see them in the log), and as you see it is still keeping 10.83.0.1 as my local dns server for ".local" for my lan.

@vquicksilver commented on GitHub (Jul 9, 2022): Isn't this related to #280 ? My understanding is that an option for deciding if you want to override the DNS servers, or just use "split-dns" as in adding an extra DNS server to your current network configuration is missing on the headscale side vs tailscale. In some cases you might want to force the DNS servers in the configuration to be the only ones (i.e if you are using another node as an exit node and the node has a DNS server configured and you don't want to leak DNS requests to the outside world), and in other cases you only want to add an extra DNS server to your configuration so that you can resolve the internal tailscale/headscale names. I am not sure of which mode it is the default right now, for example in one of my Ubuntu systems I see: ``` # This file is managed by man:systemd-resolved(8). Do not edit. # # This is a dynamic resolv.conf file for connecting local clients directly to # all known uplink DNS servers. This file lists all configured search domains. # # Third party programs must not access this file directly, but only through the # symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way, # replace this symlink by a static file or a different symlink. # # See man:systemd-resolved.service(8) for details about the supported modes of # operation for /etc/resolv.conf. nameserver 100.100.100.100 nameserver 10.83.0.1 nameserver fd0c:989d:1024::1 search home.i.my-private.domain local ``` This system was joined with the following command: tailscale up --exit-node=100.64.0.1 --exit-node-allow-lan-access --login-server=https://vpn.my-private.domain I guess the parameters you use to join the overlay network do also effect the resulting DNS servers in your system, as someone new to tailscale/headscale it would be great to get more details on how this is supposed to work in the documentation. I also have configured 100.64.0.1 as my default DNS server in the headscale config with: ``` dns_config: # List of DNS servers to expose to clients. nameservers: - 100.64.0.1 ``` And I am running my own DNS server on that system. systemd-resolve --status is showing 100.100.100.100 as the default DNS server for ~* , but the queries are still being forwarded to 100.64.0.1 (I see them in the log), and as you see it is still keeping 10.83.0.1 as my local dns server for ".local" for my lan.

adam commented 2025-12-29 01:26:08 +01:00

Author

Owner

Copy Link

@felixscheinost commented on GitHub (Jul 31, 2022):

@huskyii I think I was using 1.24.2 at the time.

@vquicksilver Yeah, its probably a duplicate of that issue.

I tried working around the issuee right now by using the Go tailscaled and not the version from the macOS AppStore. But then I need to configure 100.100.100.100 manually. I couldn't find a way to do this without also overriding the DHCP DNS servers.

@felixscheinost commented on GitHub (Jul 31, 2022): @huskyii I think I was using `1.24.2` at the time. @vquicksilver Yeah, its probably a duplicate of that issue. I tried working around the issuee right now by using the Go `tailscaled` and not the version from the macOS AppStore. But then I need to configure `100.100.100.100` manually. I couldn't find a way to do this without also overriding the DHCP DNS servers.

adam commented 2025-12-29 01:26:08 +01:00

Author

Owner

Copy Link

@felixscheinost commented on GitHub (Jul 31, 2022):

Okay, I just ran tailscaled manually on Linux against official Tailscale server.

I turned override local DNS on, then off again and watched the log:

# Turn override local DNS ON
wgengine: Reconfig: configuring router
wgengine: Reconfig: configuring DNS
dns: Set: {
  # Difference, empty when override is OFF 
  DefaultResolvers:[1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001] 
  # Same
  Routes:{beta.tailscale.net.:[] felix-scheinost.googlemail.com.beta.tailscale.net.:[] ts.net.:[]}+65arpa 
  # Same
  SearchDomains:[felix-scheinost.googlemail.com.beta.tailscale.net.] 
  # Same
  Hosts:7
}
dns: Resolvercfg: {
  # Difference, when override local DNS is OFF these contains the DHCP resolvers
  Routes:{.:[1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001]} 
  # Same
  Hosts:7 
  # Same
  LocalDomains:[felix-scheinost.googlemail.com.beta.tailscale.net. beta.tailscale.net. ts.net.]+65arpa
}
dns: OScfg: {
  # Same
  Nameservers:[100.100.100.100] 
  # Same
  SearchDomains:[felix-scheinost.googlemail.com.beta.tailscale.net.] 
  # Same
  MatchDomains:[]
}


# Turn override local DNS OFF
wgengine: Reconfig: configuring router
wgengine: Reconfig: configuring DNS
dns: Set: {
  DefaultResolvers:[] 
  Routes:{beta.tailscale.net.:[] felix-scheinost.googlemail.com.beta.tailscale.net.:[] ts.net.:[]}+65arpa 
  SearchDomains:[felix-scheinost.googlemail.com.beta.tailscale.net.] 
  Hosts:7
}
dns: Resolvercfg: {
  Routes:{.:[192.168.178.1 fd00::de39:6fff:fe31:7433]} 
  Hosts:7 
  LocalDomains:[felix-scheinost.googlemail.com.beta.tailscale.net. beta.tailscale.net. ts.net.]+65arpa
}
dns: OScfg: {
  Nameservers:[100.100.100.100]
  SearchDomains:[felix-scheinost.googlemail.com.beta.tailscale.net. fritz.box.] 
  MatchDomains:[]
}

@felixscheinost commented on GitHub (Jul 31, 2022): Okay, I just ran `tailscaled` manually on Linux against official Tailscale server. I turned override local DNS on, then off again and watched the log: ``` # Turn override local DNS ON wgengine: Reconfig: configuring router wgengine: Reconfig: configuring DNS dns: Set: { # Difference, empty when override is OFF DefaultResolvers:[1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001] # Same Routes:{beta.tailscale.net.:[] felix-scheinost.googlemail.com.beta.tailscale.net.:[] ts.net.:[]}+65arpa # Same SearchDomains:[felix-scheinost.googlemail.com.beta.tailscale.net.] # Same Hosts:7 } dns: Resolvercfg: { # Difference, when override local DNS is OFF these contains the DHCP resolvers Routes:{.:[1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001]} # Same Hosts:7 # Same LocalDomains:[felix-scheinost.googlemail.com.beta.tailscale.net. beta.tailscale.net. ts.net.]+65arpa } dns: OScfg: { # Same Nameservers:[100.100.100.100] # Same SearchDomains:[felix-scheinost.googlemail.com.beta.tailscale.net.] # Same MatchDomains:[] } # Turn override local DNS OFF wgengine: Reconfig: configuring router wgengine: Reconfig: configuring DNS dns: Set: { DefaultResolvers:[] Routes:{beta.tailscale.net.:[] felix-scheinost.googlemail.com.beta.tailscale.net.:[] ts.net.:[]}+65arpa SearchDomains:[felix-scheinost.googlemail.com.beta.tailscale.net.] Hosts:7 } dns: Resolvercfg: { Routes:{.:[192.168.178.1 fd00::de39:6fff:fe31:7433]} Hosts:7 LocalDomains:[felix-scheinost.googlemail.com.beta.tailscale.net. beta.tailscale.net. ts.net.]+65arpa } dns: OScfg: { Nameservers:[100.100.100.100] SearchDomains:[felix-scheinost.googlemail.com.beta.tailscale.net. fritz.box.] MatchDomains:[] } ```

adam commented 2025-12-29 01:26:08 +01:00

Author

Owner

Copy Link

@huskyii commented on GitHub (Aug 16, 2022):

I don't think headscale has a override_local_DNS option now, maybe we should add one, what confused me is that offical Tailscale KB for maigic DNS stated that

Your network must have at least one DNS nameserver enabled in the admin console. These nameservers will receive all DNS queries not handled by MagicDNS. This restriction will be relaxed in the future.

I think it's basically says that to use magic DNS, you need override local DNS.

@felixscheinost does magic DNS work if you turn off override local DNS ?

And could you please also take a look at /etc/resolv.conf and /etc/resolv.pre-tailscale-backup.conf

@huskyii commented on GitHub (Aug 16, 2022): I don't think headscale has a override_local_DNS option now, maybe we should add one, what confused me is that offical Tailscale KB for maigic DNS stated that > Your network must have [at least one DNS nameserver](https://tailscale.com/kb/1054/dns/#using-dns-settings-in-the-admin-console) enabled in the [admin console](https://login.tailscale.com/admin/dns). These nameservers will receive all DNS queries not handled by MagicDNS. This restriction will be relaxed in the future. I think it's basically says that to use magic DNS, you need override local DNS. @felixscheinost does magic DNS work if you turn off `override local DNS` ? And could you please also take a look at `/etc/resolv.conf` and `/etc/resolv.pre-tailscale-backup.conf`

adam commented 2025-12-29 01:26:09 +01:00

Author

Owner

Copy Link

@mlincett commented on GitHub (Sep 15, 2022):

Your network must have at least one DNS nameserver enabled in the admin console. These nameservers will receive all DNS queries not handled by MagicDNS. This restriction will be relaxed in the future.

I think it's basically says that to use magic DNS, you need override local DNS.

This is incorrect, at least when using resolved.

MagicDNS sets in-addr.arpa records for all the IP address space used by tailscale.

Override local DNS enabled sets +DefaultRoute for the tailscale interface (meaning this should be the default DNS unless a more specific is found) and the global DNS domain ~.

The two settings are independent - however I have no idea how this works in systems pre-resolved.

@mlincett commented on GitHub (Sep 15, 2022): > > Your network must have [at least one DNS nameserver](https://tailscale.com/kb/1054/dns/#using-dns-settings-in-the-admin-console) enabled in the [admin console](https://login.tailscale.com/admin/dns). These nameservers will receive all DNS queries not handled by MagicDNS. This restriction will be relaxed in the future. > > I think it's basically says that to use magic DNS, you need override local DNS. This is incorrect, at least when using `resolved`. MagicDNS sets `in-addr.arpa` records for all the IP address space used by tailscale. Override local DNS enabled sets `+DefaultRoute` for the tailscale interface (meaning this should be the default DNS unless a more specific is found) and the global DNS domain `~.` The two settings are independent - however I have no idea how this works in systems pre-resolved.

adam commented 2025-12-29 01:26:09 +01:00

Author

Owner

Copy Link

@kradalby commented on GitHub (Oct 31, 2022):

@mlincett @huskyii @felixscheinost

I think I have added support for this correctly in https://github.com/juanfont/headscale/pull/905, can you please help me test it?

@kradalby commented on GitHub (Oct 31, 2022): @mlincett @huskyii @felixscheinost I think I have added support for this correctly in https://github.com/juanfont/headscale/pull/905, can you please help me test it?

adam commented 2025-12-29 01:26:09 +01:00

Author

Owner

Copy Link

@felixscheinost commented on GitHub (Nov 10, 2022):

Sorry, I just got around to try out the new version.

BTW: Awesome that you have a flake.nix!

@kradalby If I set dns_config.override_local_dns = false then I can again use local resolvers but I can no longer resolve MagicDNS names

@felixscheinost commented on GitHub (Nov 10, 2022): Sorry, I just got around to try out the new version. BTW: Awesome that you have a `flake.nix`! @kradalby If I set `dns_config.override_local_dns = false` then I can again use local resolvers but I can no longer resolve MagicDNS names

adam commented 2025-12-29 01:26:09 +01:00

Author

Owner

Copy Link

@felixscheinost commented on GitHub (Nov 10, 2022):

My config looks like this

db_path: /var/lib/headscale/db.sqlite
db_type: sqlite3
derp:
  auto_update_enable: false
  paths: []
  server:
    enabled: 'true'
    region_code: headscale
    region_id: '999'
    region_name: Headscale Embedded DERP
    stun_listen_addr: 0.0.0.0:3478
  update_frequency: 24h
  urls: []
disable_check_updates: true
dns_config:
  base_domain: example.com
  domains: []
  magic_dns: true
  nameservers:
  - 1.1.1.1
  override_local_dns: false
ephemeral_node_inactivity_timeout: 30m
listen_addr: 0.0.0.0:443
log_level: info
noise:
  private_key_path: /var/lib/headscale/noise_private.key
oidc:
  client_id: ''
  domain_map: {}
  issuer: ''
private_key_path: /var/lib/headscale/private.key
server_url: https://headscale.example.com:443
tls_letsencrypt_cache_dir: /var/lib/headscale/.cache
tls_letsencrypt_challenge_type: HTTP-01
tls_letsencrypt_hostname: headscale.example.com
tls_letsencrypt_listen: :http
unix_socket: /run/headscale/headscale.sock

@felixscheinost commented on GitHub (Nov 10, 2022): My config looks like this ``` db_path: /var/lib/headscale/db.sqlite db_type: sqlite3 derp: auto_update_enable: false paths: [] server: enabled: 'true' region_code: headscale region_id: '999' region_name: Headscale Embedded DERP stun_listen_addr: 0.0.0.0:3478 update_frequency: 24h urls: [] disable_check_updates: true dns_config: base_domain: example.com domains: [] magic_dns: true nameservers: - 1.1.1.1 override_local_dns: false ephemeral_node_inactivity_timeout: 30m listen_addr: 0.0.0.0:443 log_level: info noise: private_key_path: /var/lib/headscale/noise_private.key oidc: client_id: '' domain_map: {} issuer: '' private_key_path: /var/lib/headscale/private.key server_url: https://headscale.example.com:443 tls_letsencrypt_cache_dir: /var/lib/headscale/.cache tls_letsencrypt_challenge_type: HTTP-01 tls_letsencrypt_hostname: headscale.example.com tls_letsencrypt_listen: :http unix_socket: /run/headscale/headscale.sock ```

adam commented 2025-12-29 01:26:09 +01:00

Author

Owner

Copy Link

@felixscheinost commented on GitHub (Nov 10, 2022):

Output of scutil --dns

DNS configuration

resolver #1
  <my local router>
  if_index : 10 (en6)
  flags    : Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  <other VPN>
  if_index : 34 (utun5)
  flags    : Supplemental, Request A records, Request AAAA records
  reach    : 0x00000003 (Reachable,Transient Connection)
  order    : 100400

resolver #3
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #4
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #5
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #6
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #7
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #8
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  <my local router>
  if_index : 10 (en6)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  <my local router>
  if_index : 14 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #3
  <internal other VPN>
  if_index : 34 (utun5)
  flags    : Scoped, Request A records
  reach    : 0x00000003 (Reachable,Transient Connection)

So now it seems as if the Tailscale client isn't configuring any DNS settings at all.

@felixscheinost commented on GitHub (Nov 10, 2022): Output of `scutil --dns` ``` DNS configuration resolver #1 <my local router> if_index : 10 (en6) flags : Request A records, Request AAAA records reach : 0x00020002 (Reachable,Directly Reachable Address) resolver #2 <other VPN> if_index : 34 (utun5) flags : Supplemental, Request A records, Request AAAA records reach : 0x00000003 (Reachable,Transient Connection) order : 100400 resolver #3 domain : local options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 300000 resolver #4 domain : 254.169.in-addr.arpa options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 300200 resolver #5 domain : 8.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 300400 resolver #6 domain : 9.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 300600 resolver #7 domain : a.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 300800 resolver #8 domain : b.e.f.ip6.arpa options : mdns timeout : 5 flags : Request A records, Request AAAA records reach : 0x00000000 (Not Reachable) order : 301000 DNS configuration (for scoped queries) resolver #1 <my local router> if_index : 10 (en6) flags : Scoped, Request A records, Request AAAA records reach : 0x00020002 (Reachable,Directly Reachable Address) resolver #2 <my local router> if_index : 14 (en0) flags : Scoped, Request A records, Request AAAA records reach : 0x00020002 (Reachable,Directly Reachable Address) resolver #3 <internal other VPN> if_index : 34 (utun5) flags : Scoped, Request A records reach : 0x00000003 (Reachable,Transient Connection) ``` So now it seems as if the Tailscale client isn't configuring any DNS settings at all.

adam commented 2025-12-29 01:26:10 +01:00

Author

Owner

Copy Link

@CNLHC commented on GitHub (Nov 15, 2022):

same problem here

@CNLHC commented on GitHub (Nov 15, 2022): same problem here

adam commented 2025-12-29 01:26:10 +01:00

Author

Owner

Copy Link

@brian-maloney commented on GitHub (Mar 29, 2023):

I'm trying out headscale this week and just ran into this problem myself. It seems like the only working options using the official macOS Tailscale client are:

• Run all DNS through Tailscale/Headscale
• Run no DNS through Tailscale/Headscale

I guess maybe most users are intentionally routing DNS through the overlay network for added security so this is an uncommon issue? My long-term plans for this do involve DNS so if there's not a workaround it's probably fine but was wondering if anyone had discovered anything new on this issue?

@brian-maloney commented on GitHub (Mar 29, 2023): I'm trying out headscale this week and just ran into this problem myself. It seems like the only working options using the official macOS Tailscale client are: - Run all DNS through Tailscale/Headscale - Run _no_ DNS through Tailscale/Headscale I guess maybe most users are intentionally routing DNS through the overlay network for added security so this is an uncommon issue? My long-term plans for this do involve DNS so if there's not a workaround it's probably fine but was wondering if anyone had discovered anything new on this issue?

adam commented 2025-12-29 01:26:10 +01:00

Author

Owner

Copy Link

@hrtkpf commented on GitHub (Sep 10, 2023):

I am currently having the issue that MagicDNS breaks when override_local_dns is set to false (on Linux, Tailscale client v1.48.1). I am not sure if this is exactly the same issue, but at least it seems to be somehow related (and I did not want to open yet another issue for this).

MagicDNS only works with override_local_dns=true, but then all DNS queries are obviously sent through the resolvers configured in Headscale, which might not be what you want.
When override_local_dns=false, all DNS queries are sent through the client's resolver (whichever that is), including queries designated for MagicDNS, making the resolution fail. I verified both observations using tcpdump.

A manual dig host1.magicdns.example.com @100.100.100.100 works.

Someone also seems to have the same issue since #905 (https://github.com/juanfont/headscale/pull/905#issuecomment-1377224539).

@hrtkpf commented on GitHub (Sep 10, 2023): I am currently having the issue that MagicDNS breaks when override_local_dns is set to false (on Linux, Tailscale client v1.48.1). I am not sure if this is exactly the same issue, but at least it seems to be somehow related (and I did not want to open yet another issue for this). MagicDNS only works with override_local_dns=true, but then all DNS queries are obviously sent through the resolvers configured in Headscale, which might not be what you want. When override_local_dns=false, all DNS queries are sent through the client's resolver (whichever that is), including queries designated for MagicDNS, making the resolution fail. I verified both observations using tcpdump. A manual `dig host1.magicdns.example.com @100.100.100.100` works. Someone also seems to have the same issue since #905 (https://github.com/juanfont/headscale/pull/905#issuecomment-1377224539).

adam commented 2025-12-29 01:26:10 +01:00

Author

Owner

Copy Link

@letitfly commented on GitHub (Sep 26, 2023):

Same here. Might have to stop using MagicDNS.

@letitfly commented on GitHub (Sep 26, 2023): Same here. Might have to stop using MagicDNS.

adam commented 2025-12-29 01:26:11 +01:00

Author

Owner

Copy Link

@mlincett commented on GitHub (Sep 26, 2023):

I am currently having the issue that MagicDNS breaks when override_local_dns is set to false (on Linux, Tailscale client v1.48.1). I am not sure if this is exactly the same issue, but at least it seems to be somehow related (and I did not want to open yet another issue for this).

MagicDNS only works with override_local_dns=true, but then all DNS queries are obviously sent through the resolvers configured in Headscale, which might not be what you want. When override_local_dns=false, all DNS queries are sent through the client's resolver (whichever that is), including queries designated for MagicDNS, making the resolution fail. I verified both observations using tcpdump.

A manual dig host1.magicdns.example.com @100.100.100.100 works.

Someone also seems to have the same issue since #905 (#905 (comment)).

I am not currently using headscale but I guess it could be helpful if you could say something more about your DNS configuration. In case you are using systemd-resolved you may want to attach the output of resolvectl status.

@mlincett commented on GitHub (Sep 26, 2023): > I am currently having the issue that MagicDNS breaks when override_local_dns is set to false (on Linux, Tailscale client v1.48.1). I am not sure if this is exactly the same issue, but at least it seems to be somehow related (and I did not want to open yet another issue for this). > > MagicDNS only works with override_local_dns=true, but then all DNS queries are obviously sent through the resolvers configured in Headscale, which might not be what you want. When override_local_dns=false, all DNS queries are sent through the client's resolver (whichever that is), including queries designated for MagicDNS, making the resolution fail. I verified both observations using tcpdump. > > A manual `dig host1.magicdns.example.com @100.100.100.100` works. > > Someone also seems to have the same issue since #905 ([#905 (comment)](https://github.com/juanfont/headscale/pull/905#issuecomment-1377224539)). I am not currently using `headscale` but I guess it could be helpful if you could say something more about your DNS configuration. In case you are using `systemd-resolved` you may want to attach the output of `resolvectl status`.

adam commented 2025-12-29 01:26:11 +01:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (Dec 26, 2023):

This issue is stale because it has been open for 90 days with no activity.

@github-actions[bot] commented on GitHub (Dec 26, 2023): This issue is stale because it has been open for 90 days with no activity.

adam commented 2025-12-29 01:26:11 +01:00

Author

Owner

Copy Link

@github-actions[bot] commented on GitHub (Jan 2, 2024):

This issue was closed because it has been inactive for 14 days since being marked as stale.

@github-actions[bot] commented on GitHub (Jan 2, 2024): This issue was closed because it has been inactive for 14 days since being marked as stale.

adam commented 2025-12-29 01:26:11 +01:00

Author

Owner

Copy Link

@c-p-b commented on GitHub (Jan 27, 2024):

I'm trying out headscale this week and just ran into this problem myself. It seems like the only working options using the official macOS Tailscale client are:

* Run all DNS through Tailscale/Headscale

* Run _no_ DNS through Tailscale/Headscale

I guess maybe most users are intentionally routing DNS through the overlay network for added security so this is an uncommon issue? My long-term plans for this do involve DNS so if there's not a workaround it's probably fine but was wondering if anyone had discovered anything new on this issue?

Just tried this and I can also confirm that apparently you really have only two choices with MacOS official tailscale client + headscale currently:

You either run ALL your DNS through there or none of it. override_local_dns doesn't seem to be respected, resolver will always try to route through headscale first if you're connected.

@c-p-b commented on GitHub (Jan 27, 2024): > I'm trying out headscale this week and just ran into this problem myself. It seems like the only working options using the official macOS Tailscale client are: > > * Run all DNS through Tailscale/Headscale > > * Run _no_ DNS through Tailscale/Headscale > > > I guess maybe most users are intentionally routing DNS through the overlay network for added security so this is an uncommon issue? My long-term plans for this do involve DNS so if there's not a workaround it's probably fine but was wondering if anyone had discovered anything new on this issue? Just tried this and I can also confirm that apparently you really have only two choices with MacOS official tailscale client + headscale currently: You either run ALL your DNS through there or none of it. override_local_dns doesn't seem to be respected, resolver will always try to route through headscale first if you're connected.

adam referenced this issue 2025-12-29 02:29:50 +01:00

[PR #292] [MERGED] Make Unix socket permissions configurable #1366

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

v0.28.0-beta.1

v0.27.2-rc.1

v0.27.1

v0.27.0

v0.27.0-beta.2

v0.27.0-beta.1

v0.26.1

v0.26.0

v0.26.0-beta.2

v0.26.0-beta.1

v0.25.1

v0.25.0

v0.25.0-beta.2

v0.24.3

v0.25.0-beta.1

v0.24.2

v0.24.1

v0.24.0

v0.24.0-beta.2

v0.24.0-beta.1

v0.23.0

v0.23.0-rc.1

v0.23.0-beta.5

v0.23.0-beta.4

v0.23.0-beta3

v0.23.0-beta2

v0.23.0-beta1

v0.23.0-alpha12

v0.23.0-alpha11

v0.23.0-alpha10

v0.23.0-alpha9

v0.23.0-alpha8

v0.23.0-alpha7

v0.23.0-alpha6

v0.23.0-alpha5

v0.23.0-alpha4

v0.23.0-alpha4-docker-ko-test9

v0.23.0-alpha4-docker-ko-test8

v0.23.0-alpha4-docker-ko-test7

v0.23.0-alpha4-docker-ko-test6

v0.23.0-alpha4-docker-ko-test5

v0.23.0-alpha-docker-release-test-debug2

v0.23.0-alpha-docker-release-test-debug

v0.23.0-alpha4-docker-ko-test4

v0.23.0-alpha4-docker-ko-test3

v0.23.0-alpha4-docker-ko-test2

v0.23.0-alpha4-docker-ko-test

v0.23.0-alpha3

v0.23.0-alpha2

v0.23.0-alpha1

v0.22.3

v0.22.2

v0.23.0-alpha-docker-release-test

v0.22.1

v0.22.0

v0.22.0-alpha3

v0.22.0-alpha2

v0.22.0-alpha1

v0.22.0-nfpmtest

v0.21.0

v0.20.0

v0.19.0

v0.19.0-beta2

v0.19.0-beta1

v0.18.0

v0.18.0-beta4

v0.18.0-beta3

v0.18.0-beta2

v0.18.0-beta1

v0.17.1

v0.17.0

v0.17.0-beta5

v0.17.0-beta4

v0.17.0-beta3

v0.17.0-beta2

v0.17.0-beta1

v0.17.0-alpha4

v0.17.0-alpha3

v0.17.0-alpha2

v0.17.0-alpha1

v0.16.4

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.16.0-beta7

v0.16.0-beta6

v0.16.0-beta5

v0.16.0-beta4

v0.16.0-beta3

v0.16.0-beta2

v0.16.0-beta1

v0.15.0

v0.15.0-beta6

v0.15.0-beta5

v0.15.0-beta4

v0.15.0-beta3

v0.15.0-beta2

v0.15.0-beta1

v0.14.0

v0.14.0-beta2

v0.14.0-beta1

v0.13.0

v0.13.0-beta3

v0.13.0-beta2

v0.13.0-beta1

upstream/v0.12.4

v0.12.4

v0.12.3

v0.12.2

v0.12.2-beta1

v0.12.1

v0.12.0-beta2

v0.12.0-beta1

v0.11.0

v0.10.8

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.1

v0.6.0

v0.5.2

v0.5.1

v0.5.0

v0.4.0

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.2

v0.2.1

v0.2.0

v0.1.1

v0.1.0

Labels

Clear labels

CLI

DERP

DNS

Nix

OIDC

SSH

bug

database

documentation

duplicate

enhancement

faq

good first issue

grants

help wanted

might-come

needs design doc

needs investigation

no-stale-bot

out of scope

performance

policy 📝

pull-request

Mirrored from GitHub Pull Request

question

regression

routes

stale

tags

tailscale-feature-gap

well described ❤️

wontfix

No Label bug stale

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#284