DNS over tailscale subnet routing fails

Client TS: 1.24.2 tailscale commit: dce2409b15837f30885405b8b1d27e7b7fd6bf7a
Server(Router) TS: 1.24.2-dev

Client OS: Arch Linux kernel 5.18.1-arch1-1
Server(Router) OS: OpenWrt 22.03.0-rc3

The router was set up with tailscale up --advertise-routes --accept-dns=false. The client laptop was set up with tailscale up --accept-routes=true. Besides accepting the routes, no other tailscale setup is done - magicDNS and DNS override are off. This is confirmed with the resolve.conf file:

nameserver fd0c:e2b6:401a::1

The only configuration on the router was following the instructions here - adding the tailscale0 device to the same firewall zone as the br-lan device.

When issuing a DNS query with nslookup google.com, it takes ~30 seconds to complete the query. A packet capture on the both the client and server tailnet0 devices shows the DNS queries being sent from the tailnet 100.X.X.X IP to the router at They don’t get a response. Then when a DNS query is made over the IPv6 address, the client gets a response.

However, other than DNS, routing works fine. The router and other IPs on the forwarded subnet are reachable, both when connected to this router and when using a device on another network with tailscale enabled. Ping and netcat with UDP and TCP have no issues.

My intuition is that my dnsmasq or firewall settings on OpenWRT are disallowing DNS requests from the tailnet0 device, but I’m not sure how to allow then. However, maybe I messed up my tailscale settings somewhere along the line. Does anyone have advice?

Here’s my (similar) thread. Will read through the link you posted and update you in case I figure anything out. I’m also having issues figuring out the DNS part, although I’d like to also route all traffic through taislcale.