Nameserver with restrict to search domain enabled affects ping command

Tailscale version 1.20.2
Your operating system & version: macOS Big Sur

In Tailscale, after setting a company nameserver (e.g. 172.1.1.1) to be used for a specific domain (e.g. internal corporate website HRRocks.abc), when I ping a random bunch of characters (e.g. $ ping qwerty), ping tries to ping qwerty.HRRocks.abc instead of failing (failing is the desired behavior). This problem is resolved after disabling “Restrict to Search Domain”.

Does anyone know why this happens?

If you have a search domain, it will assume that any string that it doesn’t know more about is part of that domain.

So this is expected behaviour, unrelated to Tailscale.

Hmm, I could have misunderstood what “Restrict to Search Domain” meant. My intention when I listed the domain under Restrict to Search Domain is for IP address lookups to use that nameserver when my machine requests that particular domain, to avoid conflicting with domains on the public internet.

How do people avoid domain conflicts between subnets and the public internet, e.g. if there’s an example.com on the public internet and an example.com on a subnet, how do Tailscale users set the subnet one to have priority over the public one?

That is correct.

But if you have a search domain in your local DNS config, a hostname will have that appended on if it doesn’t resolve without it.

So if I am on tailscale.com and I ping asdf, my OS will try asdf, get no response, then try asdf.tailscale.com.
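As an added illustration of the search-list behaviour described in this thread (this is example code, not code from the thread or from Tailscale): a small simulation of how a stub resolver expands a name using its search list and the `ndots` threshold. The zone contents are constructed for the demonstration; no real DNS queries are made.

```python
# Added example: simulates resolv.conf-style search-list expansion.
# A single-label name such as "qwerty" has fewer than `ndots` dots, so the
# resolver appends each search domain BEFORE trying the bare name. This is
# why `ping qwerty` ends up asking for qwerty.HRRocks.abc.

def candidate_names(query, search_domains, ndots=1):
    """Return the fully qualified names a resolver would try, in order."""
    if query.endswith("."):
        return [query]                      # absolute name: search list skipped
    dots = query.count(".")
    expansions = [f"{query}.{d.strip('.')}." for d in search_domains]
    bare = f"{query}."
    # Names with at least `ndots` dots are tried as-is first, then expanded;
    # names with fewer dots are expanded first and tried bare last.
    if dots >= ndots:
        return [bare] + expansions
    return expansions + [bare]


# Constructed zone data standing in for the answers the corporate
# nameserver (172.1.1.1 in the thread) would give for HRRocks.abc.
ZONE = {
    "hr.hrrocks.abc.": "172.1.1.10",
    "qwerty.hrrocks.abc.": "172.1.1.11",   # constructed: an accidental hit
}


def resolve(query, search_domains, ndots=1):
    """Walk the candidate list; return (name, address) of the first hit, else None."""
    for name in candidate_names(query, search_domains, ndots):
        addr = ZONE.get(name.lower())
        if addr is not None:
            return name, addr
    return None


if __name__ == "__main__":
    for q in ("qwerty", "www.example.com", "nosuchhost"):
        print(q, "->", candidate_names(q, ["HRRocks.abc"]), resolve(q, ["HRRocks.abc"]))
```

Raising `ndots` (or disabling the search domain, as the original poster did) changes the order or removes the expansion entirely, which is the difference between an immediate failure and a lookup of qwerty.HRRocks.abc.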