[Bug] Correct way to disable override local DNS in new configuration? #859

Closed
opened 2025-12-29 02:24:57 +01:00 by adam · 6 comments
Owner

Originally created by @AlynxZhou on GitHub (Nov 23, 2024).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

In the latest version it seems that override_local_dns has been removed from the configuration and tailscale will always set itself as the default route in systemd-resolved:

Link 8 (tailscale0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.100.100.100
       DNS Servers: 100.100.100.100
        DNS Domain: azvpn.alynx.one ~.

(The ~. makes all DNS queries go to tailscale first.)

This leads to a significant problem: many DNS queries that should not go to the tailscale port go to it first, and some domains resolve to IPs that are far away from my home, which makes many websites that use CDNs slow for me, especially some video websites. Those should not use tailscale to query DNS by default; they should use my router's DNS, which can resolve to a CDN that is quick for me.

Expected Behavior

Previously I used override_local_dns: false to prevent tailscale from adding ~. for itself to systemd-resolved, so it would not be the default DNS route and systemd-resolved would also try my router's DNS and get the quickest response.

Steps To Reproduce

  1. Run headscale and tailscale on Linux
  2. Enable MagicDNS and use systemd-resolved
  3. Try resolvectl query SOME_DOMAIN; all queries go to tailscale first

Environment

- OS: Arch Linux 6.11.7-arch1-1
- Headscale version: 0.23.0
- Tailscale version: 1.76.6

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

No response

adam added the bug label 2025-12-29 02:24:57 +01:00
adam closed this issue 2025-12-29 02:24:57 +01:00
Author
Owner

@kradalby commented on GitHub (Nov 25, 2024):

Hi

This is documented in the config example (https://github.com/juanfont/headscale/blob/main/config-example.yaml#L245-L265) and the relevant Tailscale KBs are linked.

The correct way to not use dns is to pass --accept-dns=false to the client.

Author
Owner

@AlynxZhou commented on GitHub (Nov 25, 2024):

> The correct way to not use dns is to pass --accept-dns=false to the client.

No, what I need is not to disable tailscale DNS totally; what I need is not to use it by default. Using --accept-dns=false just disables the whole of MagicDNS, but previously override_local_dns: false made normal DNS queries go to my router and MagicDNS-specific domains go to tailscale. Can we still achieve this with the new version? Thanks.

Author
Owner

@kradalby commented on GitHub (Nov 25, 2024):

It is documented in the link with the config example; you leave the section empty.

Author
Owner

@AlynxZhou commented on GitHub (Nov 25, 2024):

> It is documented in the link with the config example, you leave the section empty.

Sorry to take more of your time, but I've read the comment again, and it still doesn't solve my question.

The actual thing I need is to stop tailscale from adding ~. to its DNS search domains; this makes systemd-resolved query all domains via tailscale. I still need MagicDNS to query tailscale-related domains.

Leaving this section empty is not what I want. And this is my current config; as you can see, I still want to resolve domains like camelot.azvpn.alynx.one to tailscale IPs like 100.64.233.3.

dns:
  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
  # Only works if there is at least a nameserver defined.
  magic_dns: true

  # Defines the base domain to create the hostnames for MagicDNS.
  # This domain _must_ be different from the server_url domain.
  # `base_domain` must be a FQDN, without the trailing dot.
  # The FQDN of the hosts will be
  # `hostname.base_domain` (e.g., _myhost.example.com_).
  base_domain: azvpn.alynx.one

  # List of DNS servers to expose to clients.
  nameservers:
    global:
      - 1.1.1.1
      - 1.0.0.1
      - 2606:4700:4700::1111
      - 2606:4700:4700::1001

      # NextDNS (see https://tailscale.com/kb/1218/nextdns/).
      # "abc123" is example NextDNS ID, replace with yours.
      # - https://dns.nextdns.io/abc123

    # Split DNS (see https://tailscale.com/kb/1054/dns/),
    # a map of domains and which DNS server to use for each.
    split:
      {}
      # foo.bar.com:
      #   - 1.1.1.1
      # darp.headscale.net:
      #   - 1.1.1.1
      #   - 8.8.8.8

  # Set custom DNS search domains. With MagicDNS enabled,
  # your tailnet base_domain is always the first search domain.
  search_domains: ["azvpn.alynx.one"]

  # Extra DNS records
  # so far only A-records are supported (on the tailscale side)
  # See https://github.com/juanfont/headscale/blob/main/docs/dns-records.md#Limitations
  extra_records: []
  #   - name: "grafana.myvpn.example.com"
  #     type: "A"
  #     value: "100.64.0.3"
  #
  #   # you can also put it in one line
  #   - { name: "prometheus.myvpn.example.com", type: "A", value: "100.64.0.3" }

  # DEPRECATED
  # Use the username as part of the DNS name for nodes, with this option enabled:
  # node1.username.example.com
  # while when this is disabled:
  # node1.example.com
  # This is a legacy option as Headscale has have this wrongly implemented
  # while in upstream Tailscale, the username is not included.
  use_username_in_magic_dns: false
Author
Owner

@AlynxZhou commented on GitHub (Nov 25, 2024):

I could use --accept-dns=false and manually add 100.100.100.100 to systemd-resolved with only the azvpn.alynx.one search domain to achieve what I need, but previously override_local_dns: false could achieve this automatically for every client; that's why I opened this issue.

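As an added example (not code from the issue, from headscale or from tailscale), the shell script below covers both the symptom reported in the issue body and the manual workaround described in the comment above. The first function reads `resolvectl status` text and reports whether a link is systemd-resolved's default DNS route (the `+DefaultRoute` flag or the catch-all `~.` routing domain); the second applies the workaround with `resolvectl dns`, `resolvectl domain` and `resolvectl default-route`. The link name `tailscale0`, the MagicDNS resolver `100.100.100.100` and the base domain `azvpn.alynx.one` are taken from the thread as assumptions; the two status samples are constructed, modelled on the output quoted in the issue.

```shell
#!/bin/sh
# Added example, not code from the issue, headscale or tailscale.
# Part 1: detect from `resolvectl status` text whether a link is the
# systemd-resolved default DNS route (+DefaultRoute flag or "~." routing domain).
# Part 2: the manual workaround from the thread, run only when explicitly called.
# Assumptions taken from the thread: link tailscale0, MagicDNS resolver
# 100.100.100.100, base domain azvpn.alynx.one.

# Constructed sample modelled on the output quoted in the issue (broken state):
# tailscale0 carries +DefaultRoute and the "~." routing domain.
SAMPLE_BROKEN='Link 2 (wlan0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.1.1
       DNS Servers: 192.168.1.1

Link 8 (tailscale0)
    Current Scopes: DNS
         Protocols: +DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.100.100.100
       DNS Servers: 100.100.100.100
        DNS Domain: azvpn.alynx.one ~.'

# Constructed sample of the wanted state: only the base domain is routed to
# tailscale0 and the link is not a default route.
SAMPLE_FIXED='Link 8 (tailscale0)
    Current Scopes: DNS
         Protocols: -DefaultRoute -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 100.100.100.100
       DNS Servers: 100.100.100.100
        DNS Domain: azvpn.alynx.one'

# is_dns_default_route LINK   (reads `resolvectl status` text on stdin)
# Prints "yes" when LINK's block has +DefaultRoute or a "~." routing domain,
# otherwise "no". Other links' blocks are ignored.
is_dns_default_route() {
    awk -v link="$1" '
        /^Link [0-9]+ \(/ { inblock = ($0 ~ ("\\(" link "\\)")) }
        inblock && /\+DefaultRoute/ { hit = 1 }
        inblock && /DNS Domain:/ {
            for (i = 3; i <= NF; i++) if ($i == "~.") hit = 1
        }
        END { print (hit ? "yes" : "no") }
    '
}

# Workaround from the comment above: after `tailscale up --accept-dns=false`
# (so tailscaled no longer manages resolved itself), route only the base domain
# to the MagicDNS resolver and clear the default-route flag. Needs root; the
# settings are runtime-only, so reapply them whenever the link comes up again.
apply_workaround() {
    link="${1:-tailscale0}"
    resolver="${2:-100.100.100.100}"
    domain="${3:-azvpn.alynx.one}"
    resolvectl dns "$link" "$resolver"      # resolver used for this link only
    resolvectl domain "$link" "$domain"     # search/routing domain without "~."
    resolvectl default-route "$link" no     # unrelated queries stay on the router
}

# Usage: ./script.sh check   (report current state)
#        ./script.sh apply   (apply the workaround, as root)
case "${1:-}" in
    check) resolvectl status | is_dns_default_route tailscale0 ;;
    apply) apply_workaround ;;
esac
```

After `apply`, `resolvectl status` should show `-DefaultRoute` on `tailscale0` and a `DNS Domain:` line without `~.`, and `resolvectl query camelot.azvpn.alynx.one` should still be answered by `100.100.100.100` while other names go to the router's resolver.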
Author
Owner

@AlynxZhou commented on GitHub (Nov 25, 2024):

After reading more code and PRs, I think what I want is not related to override_local_dns; let me open a new feature request issue for not adding ~. to make things clear. Thank you for your reply!

Reference: starred/headscale#859