Any official documentation on what the tailscale client changes on linux

I was surprised to see it overwrite the /etc/resolv.conf and obliterate all our production DNS settings.

# cat /etc/resolv.conf
# resolv.conf(5) file generated by tailscale
# DO NOT EDIT THIS FILE BY HAND -- CHANGES WILL BE OVERWRITTEN

nameserver 100.100.100.100
search [redacted].com.beta.tailscale.net

I also noticed it requires a restart when our iptables firewall script restarts because it relies on iptables rules it makes.

My questions are:

A. Is there any official documentation on what the tailscale client changes on linux?

B. Is there any way to prevent it from overwriting /etc/resolv.conf? This was very surprising.

The tailscale client creates a number of network resources:

  • a routing table
  • an iptables table
  • a /dev/net/tun interface

The Linux client writes to /etc/resolv.conf if the Tailnet has any settings in Tailscale.

The Linux client can be told to ignore DNS settings from the tailnet using:
tailscale up --accept-dns=false
It will not write to /etc/resolv.conf if there are no DNS settings to apply.

Thank you for your reply

Regarding “The Linux client writes to /etc/resolv.conf if the Tailnet has any settings in Tailscale”:
Even if we have “Override local DNS” will this overwrite resolv.conf?
I would have guessed we would have to turn that option on for it to overwrite resolv.conf.
Is that not the case?

If our servers use a private DNS but our client computers use a different DNS, is there any way to split the Tailscale settings for server and client?

Thank you.

If you enable MagicDNS or set any Split DNS servers, tailscaled has to add 100.100.100.100 to /etc/resolv.conf to be able to implement those settings. “Override local DNS” means whether to use the global DNS servers received from DHCP on the local device, or to override the DHCP DNS servers with ones specified in the admin panel.

There is not currently a notion of multiple DNS profiles for different types of devices. The product may provide this in the future, but not yet.

In general for cloud nodes like EC2 instances, it is often best to use --accept-dns=false. Some AWS features require use of the AWS DNS servers.

If we have “Override local DNS” off, and the server has no DHCP DNS servers, what is the expected behavior?

Those two factors alone aren’t enough to say what it will do; it also matters whether MagicDNS is turned on. There is a fuller description in: The Sisyphean Task Of DNS Client Config on Linux · Tailscale

Any of the following mean that tailscaled needs to be able to answer DNS queries:

  1. MagicDNS is enabled
  2. there are any Split DNS domains added
  3. “Override local DNS” is enabled

If tailscaled needs to be able to answer DNS queries:

  1. if systemd-resolved is active on the machine (and tailscaled properly detects that it is active), /etc/resolv.conf should be left with nameserver 127.0.0.53 and tailscaled will configure systemd-resolved instead.
  2. In most other cases, tailscaled will read in the current contents of /etc/resolv.conf to try to figure out the currently configured DNS servers, then write a new /etc/resolv.conf which contains nameserver 100.100.100.100. Linux /etc/resolv.conf has no way to express the notion that some domains should use different DNS servers, like MagicDNS or SplitDNS need, so tailscale adds itself as a recursive resolver.
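
As an added example (not Tailscale's code), a small Python audit helper that encodes the three conditions above and checks a host's /etc/resolv.conf against them, so you can tell whether the file is in the state the tailnet settings call for or has been left rewritten; the sample file content is constructed from the one quoted at the top of the thread with a placeholder domain.

```python
TAILSCALE_RESOLVER = "100.100.100.100"  # tailscaled's local resolver
RESOLVED_STUB = "127.0.0.53"            # systemd-resolved stub listener
TAILSCALE_MARKER = "generated by tailscale"

# Constructed sample modelled on the file quoted in the thread (domain is a placeholder).
SAMPLE_RESOLV_CONF = """\
# resolv.conf(5) file generated by tailscale
# DO NOT EDIT THIS FILE BY HAND -- CHANGES WILL BE OVERWRITTEN

nameserver 100.100.100.100
search example-placeholder.com.beta.tailscale.net
"""

def parse_resolv_conf(text):
    """Minimal resolv.conf(5) parser -> (nameservers, tailscale_header_present)."""
    nameservers, generated = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            generated = generated or TAILSCALE_MARKER in line.lower()
            continue
        key, _, rest = line.partition(" ")
        fields = rest.split()
        if key == "nameserver" and fields:
            nameservers.append(fields[0])
    return nameservers, generated

def tailscaled_needs_dns(magicdns, split_dns_domains, override_local_dns):
    """Any one of the three tailnet DNS settings forces tailscaled to answer queries."""
    return bool(magicdns or split_dns_domains or override_local_dns)

def expected_owner(needs_dns, systemd_resolved_active):
    """Who should own /etc/resolv.conf under the behaviour described in the thread."""
    if not needs_dns:
        return "untouched"  # tailscaled has nothing to apply and leaves the file alone
    return "systemd-resolved" if systemd_resolved_active else "tailscale"

def actual_owner(text):
    nameservers, generated = parse_resolv_conf(text)
    if generated or TAILSCALE_RESOLVER in nameservers:
        return "tailscale"
    return "systemd-resolved" if nameservers == [RESOLVED_STUB] else "untouched"

def audit(text, magicdns, split_dns_domains, override_local_dns, systemd_resolved_active):
    """Return (expected, actual, ok); ok is False when tailscale owns the file but the settings don't call for it."""
    needs = tailscaled_needs_dns(magicdns, split_dns_domains, override_local_dns)
    expected, actual = expected_owner(needs, systemd_resolved_active), actual_owner(text)
    ok = actual == expected or (expected == "untouched" and actual != "tailscale")
    return expected, actual, ok
```

Running audit(SAMPLE_RESOLV_CONF, False, [], False, False) reports a mismatch, which is the stale-file case after tailscale down; with MagicDNS on and no systemd-resolved it reports the file as expected.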

Is it expected behaviour that Tailscale doesn’t revert the changes to /etc/resolv.conf?

I can see that Tailscale modifies /etc/resolv.conf with MagicDNS enabled, which is necessary for the feature to work. But after running tailscale down it doesn’t revert the changes, and the nameserver is still 100.100.100.100.