mDNS over Tailscale network

Is .local service discovery supported when connected to the tailscale network?

I have a macOS system and a NAS connected but I am unable to browse my smb or afp shares via .local addresses when connected. These work when I am not connected over the tailscale network.


We don’t support mDNS over Tailscale yet but it’s on our list.

Tailscale shouldn’t break your existing mDNS resolution, though (between two machines on the same LAN). Are you saying it does? That would be a bit surprising. But a .local address between two machines on different LANs won’t work yet.


Understood. It is not breaking my local setup. So the issue is just over the tailscale network connecting between two LANs. will wait for the feature

1 Like

Hello, he explained how I get to my .local machines from outside the network, pointed my DNS server in tailscale and with a Linux machine that allows routing to my lan network, with it and acl rules I can even Add machines outside the network to my domain, in case it helps.

Any progress on this? We are running WebRTC over tailscale and the latest iOS update broke our application. Basically iOS stopped disclosing the tailscale ip in the ice candidates and are now only showing .local-addresses.

You have a WebRTC app which uses mDNS/DNS-SD over Tailscale?
I don’t understand what “ice candidates” means.

Could you email some information about the app to
Is this something developed in-house, or elsewhere?

There was a change in Tailscale 1.18 that it does not wake the radio to send DNS-SD packets over the wireguard link. We believed that these packets were being sent by iOS by happenstance, that it was treating Tailscale as a LAN instead of more akin to a WAN.

Can you say what the WebRTC app is? Is it a privately developed in-house app, or something in the App Store?

It is a web application for streaming video from a linux application to the browser using the WebRTC protocol (because of low latency). Ours is developed in-house.

Wonder if it is related to this since we are not seeing the STUN requests come thru over tailscale when looking at Wireshark.

That seems plausible, I guess iOS 15.3 release will be the definitive test.

I just installed 15.3 beta and the issue is still there, no STUN messages going through tailscale.

Do we have some way to test this application here?

So i’m running up against this as well. I’m using an open source project called RTSPtoWeb which takes a RTSP stream and converts them into various web formats, including WebRTC ( its a very cool project!). But this problem should affect any WebRTC application trying to use the tailscale network when outside the local network.

While i’m not new to WebRTC, i was a little confused with the odd mdns addresses that IOS is returning during ICE negotiating , took me forever to google that and find the answer if people are interested.

You can see what your IOS device is returning during a ICE candidate lookup, which is how the device creates a list of local addresses and any external (NAT) addresses and ports needed to get media through firewalls.

  1. Point your IOS web browser to Trickle ICE
  2. enter in the box that says “STUN or TURN URI:” and click “add server”
  3. click “Gather Candidates” . It will return a long UUID address with a .local domain along with the external IP of your network. An example of this looks like 13a68a1b-3554-4541-9d07-2010be557413.local

The address is generated the same when on or off tailscale, and the uuid address is resolvable on the local network using mdns… but not if you are on tailscale outside the network. It looks like apple implemented this a while ago for privacy issues, so 3rd parties can’t sneak your private ip’s from code in a webpage, see draft-mdns-ice-candidates-00. They used to have a way to disable this in the Safari settings, but that option has been removed.

Let me know if i can help!