Tailscale and local dnsmasq


I have my personal tailscale and my office VPN running on my laptop. I have a local dnsmasq running to ensure only work related dns requests get sent to my work DNS server. The rest go through my pi-hole server.

When I add tailscale I want to replace my pi-hole with tailscale’s dns server (also backed by a pi-hole). However tailscale always re-writes my /etc/resolv.conf so I can’t use my local dns server. When I tell tailscale to not override my local dns then isn’t accessible for me (eg dig @ foo.bar returns a timeout)

Is there any way to have tailscale not override my /etc/resolv.conf but still make available?


You can tell tailscale to not overwrite your DNS, and then manually add to your /etc/resolv.conf

This address is treated like a loopback, and only talks to the local tailscaled to resolve names based on the tailscale netmap.

Thanks @Jay

I did the following:

$ sudo tailscale up --accept-dns=false --accept-routes
$ dig @ foo.bar

; <<>> DiG 9.16.1-Ubuntu <<>> @ foo.bar
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Adding as a server in dnsmasq or as a nameserver in /etc/resolv.conf doesn’t resolve dns either (using dig or curl) unless I pass --accept-dns=true

You’re right. I misunderstood how that works.

How I would try to approach this: Enable magicDNS for the tailnet, and put your pi-hole address in the global nameservers in the tailscale admin panel, and select “override local dns”

As long as you have a public nameserver like or in there, your private one should work normally.

Hey @Jay

That's the way it's currently set up and it works great. However my work VPN uses a private DNS server, so when I activate my work VPN I can't resolve any of my work websites.

I had hoped that my local dnsmasq could forward non-work-vpn requests to and work vpn requests to our internal DNS server, but if I accept tailscale dns then /etc/resolv.conf gets taken over by tailscale so I can't use local dnsmasq, and not accepting tailscale dns means I can't access at all.
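A local dnsmasq split-forwarding configuration of the kind this post describes, added here as an illustration and not taken from the thread; the work domain is the one mentioned later in the thread, the file path is a conventional one, and both resolver addresses are placeholders:

```conf
# /etc/dnsmasq.d/split.conf  (added example; both upstream addresses are placeholders)

# Do not read /etc/resolv.conf for upstream servers, so whatever the VPN
# client or tailscale writes there does not change where dnsmasq forwards.
no-resolv

# Send every name under mycompany.com to the work VPN's resolver.
# A server= line for the parent domain also matches all of its subdomains,
# so one line covers xxx.mycompany.com, yyy.mycompany.com and so on.
server=/mycompany.com/10.0.0.53

# Everything else goes to the default upstream (here the pi-hole).
server=192.0.2.53

# Answer only on loopback so the forwarder is not reachable from other hosts.
listen-address=127.0.0.1
bind-interfaces
```

With /etc/resolv.conf pointing at 127.0.0.1, `dig @127.0.0.1 foo.mycompany.com` shows whether the work name is answered through the VPN resolver. The caveat raised in the thread still applies: if another client rewrites /etc/resolv.conf, queries stop reaching dnsmasq even though its own upstreams are unaffected.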

When your work vpn is enabled, does it only resolve to a single domain - like xxx.mycompany.com ?

If so, you can add the nameservers to the tailscale admin panel, and turn on split DNS for that server.

If not, you can add that VPN DNS server to the tailscale admin panel. Unless the VPN clobbers DNS when it comes up, that should work. If it does, then that might not be something we can work around.

Cool, how does the split domain work? Since is loopback like you said earlier I don’t have to put my work DNS onto tailscale?

There are a pile of subdomains of .mycompany.com, do I have to add 1 per subdomain or will the parent domain be enough?

Just tried it myself and it works great. Thanks a lot @Jay appreciate the help.
