NextDNS Rewrites not working on Windows clients

Hi, I actually just resolved this issue, but wanted to post in here in case anyone else encounters it.

My goal was to create an internal service accessible at internal.example.org, which directed users to a web service. That web service was running on a device connected to the VPN called server with a Tailscale IP of 100.99.99.99.

I started by setting up split DNS for that subdomain, and redirected those queries to NextDNS. Then, within NextDNS, I set it to rewrite queries to internal.example.org to go to server.example-tailnet.ts.net. This worked perfectly fine for all my Linux and macOS clients! But, for some reason, it failed on my Windows clients.

It turns out that, for some reason, Windows clients don’t like looking back at Tailscale’s DNS after Tailscale just referred them to NextDNS. The solution was to instead set NextDNS to rewrite queries to go to 100.99.99.99 instead of server.example-tailnet.ts.net. Now, the internal service’s URL resolved on all clients.

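As an added example (not from the post above, and not NextDNS or Tailscale code), here is a small linter that checks NextDNS rewrite entries for the pattern the post describes: a rewrite whose target is a MagicDNS hostname forces a second lookup through Tailscale's resolver, which is the step that failed on the Windows clients, whereas a target inside Tailscale's 100.64.0.0/10 address range answers in one hop. The `Rewrite` type and the sample entries are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Tailscale assigns node addresses from the CGNAT range 100.64.0.0/10.
TAILSCALE_V4 = ipaddress.ip_network("100.64.0.0/10")
# MagicDNS names live under a per-tailnet *.ts.net suffix.
MAGICDNS_SUFFIX = ".ts.net"


@dataclass
class Rewrite:
    """One NextDNS rewrite: the name clients query and what it should map to."""
    name: str
    target: str


def classify_rewrite(rw: Rewrite) -> str:
    """Classify a rewrite target.

    'tailscale-ip'   : target is an IP inside 100.64.0.0/10, resolves in one hop.
    'magicdns-host'  : target is a *.ts.net name; the client must resolve it
                       again via Tailscale's resolver (the Windows failure case).
    'other-host'     : some other hostname, also needs a second lookup.
    'other-ip'       : an IP outside the tailnet range.
    """
    target = rw.target.strip().rstrip(".")
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        if target.lower().endswith(MAGICDNS_SUFFIX):
            return "magicdns-host"
        return "other-host"
    if addr.version == 4 and addr in TAILSCALE_V4:
        return "tailscale-ip"
    return "other-ip"


def lint_rewrites(rewrites):
    """Return (name, verdict, advice) for every rewrite that needs attention."""
    findings = []
    for rw in rewrites:
        verdict = classify_rewrite(rw)
        if verdict == "magicdns-host":
            advice = "Point the rewrite at the node's Tailscale IP instead."
        elif verdict == "other-host":
            advice = "Hostname target needs a second lookup; prefer an IP."
        else:
            continue
        findings.append((rw.name, verdict, advice))
    return findings


# Constructed sample: the 'before' and 'after' from the post.
SAMPLE = [
    Rewrite("internal.example.org", "server.example-tailnet.ts.net"),
    Rewrite("internal.example.org", "100.99.99.99"),
]
```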