DNS behavior when both Magic DNS and "Overriding local DNS" are enabled

Hello,

I have found that devices are unable to resolve any names when I enable Magic DNS, and also specify a device’s Tailscale IP address as the only global name server and override local DNS. (The device added as a name server is configured to listen to all addresses on port 53.) Is this result expected? The documentation doesn’t seem to disallow this combination.

macOS 11.4 with Tailscale 1.8.5
iOS/iPadOS 14.6 with Tailscale 1.8.7

What’s one of your Tailscale IPs so we can look up your account to see what’s going on?

(only you can access your Tailscale IPs, so they’re safe to share in public)

The Mac designated as a name server is 100.111.247.70.
One other device is 100.120.187.4.

Right now 100.111.247.70 is the only name server and it overrides local DNS settings. Magic DNS is currently disabled.

Can confirm this behaviour too on MacOS 11.4 with Tailscale 1.8.7.

Steps to replicate:

1. Add global nameservers using Tailscale IP (in my case 100.85.27.22)
2. Turn on Magic DNS
3. Ping local device name successfully e.g. ping yourdevice, resolves to Tailscale IP so uses Magic DNS
4. Ping FQDN local device name successfully e.g. ping yourdevice.yourdomain, resolves to internal IP based on local DNS
5. Turn on Override local DNS in Tailscale settings
6. Ping local device name continues to work fine, resolves to Tailscale IP so uses Magic DNS
7. Ping FQDN local device times out, presumably can’t resolve domain, so it’s not using either Magic DNS or local DNS? If it’s overriding local DNS with global DNS then this should work exactly the same, as my global DNS is my local DNS?
8. Turn off Override local DNS
9. Ping local device name, ping FQDN local device, both work fine. Ping local device resolves to Tailscale IP, ping FQDN resolves to internal IP.

I’ve just confirmed the same with split DNS configured with override local DNS.

Enable split dns for any zone and enable override local, no DNS resolution works. Remove split dns zones and leave override local DNS and resolution works.

MacOS 11.4
Tailscale 1.8.7

This issue is reported and logged on GitHub; We will keep you posted with updates on this.

Also, can you please disable the “override DNS” option in the admin console and check to see if that helps here? If it does please email us scutil --dns before and after disabling the option on support@tailscale.com.

Do you have the link to the GitHub issue? I’d like to subscribe to it but I can’t seem to find it.

The issue is in a private issue repository because we’re pasting in information from the DNS config needed to debug including domain names and IP addresses. We don’t make that public.

We also have Split DNS and Override local DNS enabled but have NOT yet enabled Magic DNS and we also seem to be able to break DNS resolution on MacOS 11.3 and 11.4. When connected via Tailscale on a problem Mac, no DNS resolution works. Pinging any server (public or private) works fine so Tailscale is sending traffic. We can Wireshark the interface and see DNS queries ONLY being sent to 100.100.100.100 (but not our private DNS servers) and no responses. On a working Mac, we see DNS queries sent to 100.100.100.100 AND both of the internal DNS servers we are applying via the admin console. We were able to reproduce this issue on a fresh out of the box Mac upgraded to 11.3.1 with basically only Tailscale installed. We have other Macs on 11.2 and 11.4 that seem to be working fine though.

Any updates?

Can you please upgrade to 1.10 Tailscale release and test the usecase?

Please share your observations.

According to Mac App Store’s version history, 1.10 “fixes the use of DNS servers with Tailscale IP addresses.” I’m guessing it’s referring to this issue? I have found that after I installed 1.10 all devices (iOS) except for the one (macOS) running the name server are able to resolve names.

Glad to hear that your Tailscale DNS issue is resolved.

It’s only partially resolved. The macOS machine is running Tailscale 1.10.0 and a name server. iOS devices are running Tailscale 1.10.0. Magic DNS is enabled. In Tailscale, the macOS machine’s Tailscale IP address is the only global name server and it is configured to override local DNS. iOS devices can now resolve names. But the macOS machine itself cannot.

So:

• the MacOS system is running a DNS server, BIND or something similar
• the Tailscale DNS configuration contains an entry for 100.x.y.z, the Tailscale address of the MacOS system, and perhaps has “override local” selected?
• without Tailscale’s DNS config, would the MacOS DNS config be for 127.0.0.1:53 to consult its own local DNS server?

The Tailscale config will push 100.x.y.z, the MacOS system’s Tailscale IP address, to the MacOS system. Just given the way it is implemented, I suspect the MacOS system ends up trying to send its DNS packets to the utun# interface where they are dropped because they are local addresses not reachable through the tunnel.

A way to handle this for now could be on the MacOS system, to uncheck Tailscale Menubar icon > Preferences > Use Tailscale DNS settings. This will make it continue to use 127.0.0.1:53 (or whatever) as its local DNS config.

That’s a good workaround. Thank you!

My experience has been very mixed on different platforms.

On Windows 10, if Override DNS Servers is not checked, Windows almost never uses my supplied DNS servers it seems. But then it has on random occasions during testing. I dont know what changed. If I enable Magic DNS, I cannot resolve any local domain names via supplied DNS servers in Tailscale. In Windows 10, its all DHCP and no custom DNS settings or anything.

On Android, its very hit and miss. Disconnecting and reconnecting fixes it sometimes. Override DNS seems to help alot to make things more consistent. Again though, Magic DNS breaks all local DNS lookup.

I will say I haven’t been very methodical at testing this, but I’d say its on par with the average user experience. Main point though, MagicDNS usually causes more issues than its worth, but should evolve into a useful feature once platform specific quirks are over come. And Override Local DNS is necessary to make local lookups work 95% of the time.

All machines on 1.10 by the way.

And finally, Tailscale has done a lot of great work overall. I know each supporting something like DNS is extremely difficult across a ton of platforms.