Split DNS with corporate server

I’ve got a personal tailscale network that includes my work machine which is behind a Cisco VPN. I need to be able to resolve corporate internal machines when on my tailscale network. When I’m on the corporate VPN and I do an nslookup of myserver.div.corp.internal I get

nslookup myserver.div.corp.internal

Name:	myserver.div.corp.internal

So in the admin panel I added as a DNS server with split DNS for corp.internal, with as my global DNS

However when I’m off the corporate vpn and on my tailscale network and I try nslookup of myserver.div.corp.internal again I get

nslookup myserver.div.corp.internal

** server can't find myserver.div.corp.internal: NXDOMAIN

Why isn’t the request going to the corporate DNS? I’ve also tried using the more specific search domain of div.corp.internal with no luck either.

Is this by chance a macOS device? nslookup on macOS doesn’t use the macOS framework to resolve DNS names, which means it doesn’t understand Split DNS resolvers for specific domains. It would work on the corporate network where you’re likely directed to the corporate DNS for all name resolution, but on the tailnet it will only go to the Global nameservers not any of the Split DNS nameservers.

On macOS you can use:

  • a browser or similar application which does use the macOS framework
  • dscacheutil -q host -a name myserver.div.corp.internal

Thanks, that helps. It does find the machine with dscacheutil, but now I can’t seem to connect to it. ping and ssh can’t connect.

$ dscacheutil -q host -a name myserver.div.corp.internal
name: myserver.div.corp.internal
$ ping -c3
PING ( 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1

--- ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

I get similar results when trying to connect to other servers on the corporate network. I also tried while using my work server as an exit node with “Allow local network access” checked, but no success. Any ideas?

Figured it out. Had to advertise those routes on my work exit node. I started it with
sudo tailscale up --advertise-exit-node --advertise-routes and now I can access work resources.