Tailscale and local dnsmasq

Hi,

I have my personal tailscale and my office VPN running on my laptop. I have a local dnsmasq running to ensure only work related dns requests get sent to my work DNS server. The rest go through my pi-hole server.

When I add tailscale I want to replace my pi-hole with tailscale’s dns server (also backed by a pi-hole). However tailscale always re-writes my /etc/resolv.conf so I can’t use my local dns server. When I tell tailscale to not override my local dns then 100.100.100.100 isn’t accessible for me (eg dig @100.100.100.100 foo.bar returns a timeout)

Is there any way to have tailscale not override my /etc/resolv.conf but still make 100.100.100.100 available?
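The local dnsmasq split-forwarding setup described in the question, as an added example (not configuration posted in this thread); the work domain and both upstream addresses are assumed placeholders, and /etc/resolv.conf is expected to point at 127.0.0.1:

```conf
# Added example, not from the thread: dnsmasq forwarding work names to the
# work VPN's resolver and everything else to a pi-hole.
# mycompany.com, 10.0.0.53 and 192.168.1.2 are assumed placeholder values.

# Answer only on loopback so other interfaces cannot query this resolver.
listen-address=127.0.0.1
bind-interfaces

# Do not read upstream servers from /etc/resolv.conf: a VPN client or Tailscale
# rewriting that file would otherwise silently change the upstream list.
no-resolv

# Work-related names go to the work VPN's private DNS server.
# In dnsmasq a parent domain here also covers all of its subdomains.
server=/mycompany.com/10.0.0.53

# Everything else goes to the pi-hole.
server=192.168.1.2

# Never forward private reverse lookups or bare hostnames upstream.
bogus-priv
domain-needed
```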

Hello.

You can tell tailscale to not overwrite your DNS, and then manually add
nameserver 100.100.100.100
to your /etc/resolv.conf

This address is treated like a loopback, and only talks to the local tailscaled to resolve names based on the tailscale netmap.

Thanks @Jay

I did the following:

$ sudo tailscale up --accept-dns=false --accept-routes
$ dig @100.100.100.100 foo.bar

; <<>> DiG 9.16.1-Ubuntu <<>> @100.100.100.100 foo.bar
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Adding 100.100.100.100 as a server in dnsmasq or as a nameserver in /etc/resolv.conf doesn’t resolve dns either (using dig or curl) unless I pass --accept-dns=true

You’re right. I misunderstood how that works.

How I would try to approach this: Enable magicDNS for the tailnet, and put your pi-hole address in the global nameservers in the tailscale admin panel, and select “override local dns”

As long as you have a public nameserver like 1.1.1.1 or 8.8.8.8 in there, your private one should work normally.

Hey @Jay

That's the way it's currently set up and it works great. However my work VPN uses a private DNS server so when I activate my work VPN I can't resolve any of my work websites.

I had hoped that my local dnsmasq could forward non-work-vpn requests to 100.100.100.100 and work vpn requests to our internal DNS server but if I accept tailscale dns then /etc/resolv.conf gets taken over by tailscale so I can't use local dnsmasq, and not accepting tailscale dns means I can't access 100.100.100.100 at all.

When your work vpn is enabled, does it only resolve to a single domain - like xxx.mycompany.com ?

If so, you can add the nameservers to the tailscale admin panel, and turn on split DNS for that server.

If not, you can add that VPN DNS server to the tailscale admin panel. Unless the VPN clobbers DNS when it comes up, that should work. If it does, then that might not be something we can work around.

Cool, how does the split domain work? Since 100.100.100.100 is loopback like you said earlier I don’t have to put my work DNS onto tailscale?

There are a pile of subdomains of .mycompany.com, do I have to add 1 per subdomain or will the parent domain be enough?

Just tried it myself and it works great. Thanks a lot @Jay appreciate the help.
