[Bug] Tailscale Exit Node DNS Doesnt Provide DNS #757

New Issue

adam · 2025-12-29T02:23:29+01:00

adam commented

2025-12-29 02:23:29 +01:00

Originally created by @W1BTR on GitHub (Aug 9, 2024).

Is this a support request?

This is not a support request

Is there an existing issue for this?

I have searched the existing issues

Current Behavior

When connected to an exit node that is routing all traffic through said node, I cannot access the public internet as DNS does not work.

I can run nslookups with 1.1.1.1 and google.com and they succeed
I cannot ping 1.1.1.1 as it responds with a dns lookup error
I can access local devices and internet-connected servers via their ip address

If I disable Tailscale DNS

DNS works as expected, but is not under the control of headscale.

Note I am only able to test this with the exit node on windows and the client running android.

Expected Behavior

Using the tailscale dns, my headscale server should route traffic to 1.1.1.1 as is in the config.

Steps To Reproduce

Set up basic headscale server
set the dns servers in the config
Run an exit node
Connect a device to the exit node with tailscale dns enabled
DNS no worky.

Environment

- OS: Windows 10 & Android
- Headscale version: 0.23.0-beta
- Tailscale version: 1.70.0

Runtime environment

Headscale is behind a (reverse) proxy
Headscale runs in a container

Anything else?

No response

Originally created by @W1BTR on GitHub (Aug 9, 2024). ### Is this a support request? - [X] This is not a support request ### Is there an existing issue for this? - [X] I have searched the existing issues ### Current Behavior When connected to an exit node that is routing all traffic through said node, I cannot access the public internet as DNS does not work. - I can run nslookups with 1.1.1.1 and google.com and they succeed - I cannot ping 1.1.1.1 as it responds with a dns lookup error - I can access local devices and internet-connected servers via their ip address If I disable Tailscale DNS - DNS works as expected, but is not under the control of headscale. Note I am only able to test this with the exit node on windows and the client running android. ### Expected Behavior Using the tailscale dns, my headscale server should route traffic to 1.1.1.1 as is in the config. ### Steps To Reproduce 1. Set up basic headscale server 2. set the dns servers in the config 3. Run an exit node 4. Connect a device to the exit node with tailscale dns enabled 5. DNS no worky. ### Environment ```markdown - OS: Windows 10 & Android - Headscale version: 0.23.0-beta - Tailscale version: 1.70.0 ``` ### Runtime environment - [X] Headscale is behind a (reverse) proxy - [X] Headscale runs in a container ### Anything else? _No response_

adam added the bug label 2025-12-29 02:23:29 +01:00

adam closed this issue

2025-12-29 02:23:29 +01:00

adam commented

2025-12-29 02:23:29 +01:00

@kradalby commented on GitHub (Aug 11, 2024):

Does this happen with the alpha, if it does not, I would think this is the same issue as https://github.com/juanfont/headscale/issues/2026

@kradalby commented on GitHub (Aug 11, 2024): Does this happen with the alpha, if it does not, I would think this is the same issue as https://github.com/juanfont/headscale/issues/2026

adam commented

2025-12-29 02:23:30 +01:00

@W1BTR commented on GitHub (Aug 12, 2024):

I'm not using the custom nameservers mentioned in that issue (setting a custom ip for a domain in the headscale config), but it might be related.

Ill try in the alpha and report back this week.

@W1BTR commented on GitHub (Aug 12, 2024): I'm not using the custom nameservers mentioned in that issue (setting a custom ip for a domain in the headscale config), but it might be related. Ill try in the alpha and report back this week.

adam commented

2025-12-29 02:23:30 +01:00

@W1BTR commented on GitHub (Aug 12, 2024):

Can confirm, alpha-12 does not have this issue.

@W1BTR commented on GitHub (Aug 12, 2024): Can confirm, alpha-12 does not have this issue.

adam referenced this issue

2025-12-29 02:30:59 +01:00

[PR #757] [MERGED] Updated changelog for 0.16.4 #1625

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#757