Tailscale and local dnsmasq

rymurr · December 16, 2021, 3:10pm

Hi,

I have my personal tailscale and my office VPN running on my laptop. I have a local dnsmasq running to ensure only work related dns requests get sent to my work DNS server. The rest go through my pi-hole server.

When I add tailscale I want to replace my pi-hole with tailscale’s dns server (also backed by a pi-hole). However tailscale always re-writes my /etc/resolv.conf so I can’t use my local dns server. When I tell tailscale to not override my local dns then 100.100.100.100 isn’t accessible for me (eg dig @100.100.100.100 foo.bar returns a timeout)

Is there any way to have tailscale not override my /etc/resolv.conf but still make 100.100.100.100 available?

Jay · December 16, 2021, 3:36pm

Hello.

You can tell tailscale to not overwrite your DNS, and then manually add
nameserver 100.100.100.100
to your /etc/resolv.conf

This address is treated like a loopback, and only talks to the local tailscaled to resolve names based on the tailscale netmap.

rymurr · December 16, 2021, 4:38pm

Thanks @Jay

I did the following:

$ sudo tailscale up --accept-dns=false --accept-routes
$ dig @100.100.100.100 foo.bar

; <<>> DiG 9.16.1-Ubuntu <<>> @100.100.100.100 foo.bar
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Adding 100.100.100.100 as a server in dnsmasq or as a nameserver in /etc/resolv.conf doesn’t resolve dns either (using dig or curl) unless I pass --accept-dns=true

Jay · December 17, 2021, 5:18pm

You’re right. I misunderstood how that works.

How I would try to approach this: Enable magicDNS for the tailnet, and put your pi-hole address in the global nameservers in the tailscale admin panel, and select “override local dns”

As long as you have a public nameserver like 1.1.1.1 or 8.8.8.8 in there, your private one should work normally.

rymurr · December 17, 2021, 6:14pm

Hey @Jay

Thats the way its currently set up and it works great. However my work VPN uses a private DNS server so when I activate my work VPN I can’t resolve any of my work websites.

I had hoped taht my local dnsmasq could forward non-work-vpn requests to 100.100.100.100 adn work vpn requests to our internal DNS server but if I accept tailscale dns then /etc/resolv.conf gets taken over by tailscale so I can’t use local dnsmasq and not accepting tailscale dns means I can’t access 100.100.100.100 at all.

Jay · December 17, 2021, 6:43pm

When your work vpn is enabled, does it only resolve to a single domain - like xxx.mycompany.com ?

If so, you can add the nameservers to the tailscale admin panel, and turn on split DNS for that server.

If not, you can add that VPN DNS server to the tailscale admin panel. Unless the VPN clobbers DNS when it comes up, that should work. If it does, then that might not be something we can work around.

rymurr · December 17, 2021, 6:56pm

Cool, how does the split domain work? Since 100.100.100.100 is loopback like you said earlier I don’t have to put my work DNS onto tailscale?

There are a pile of subdomains of .mycompany.com, do I have to add 1 per subdomain or will the parent domain be enough?

rymurr · December 17, 2021, 7:00pm

Just tried it myself and it works great. Thanks a lot @Jay appreciate the help.

Topic		Replies	Views
Tailscale overrides local DNS on one host only and the nameserver does not respond Raspberry Pi	1	2702	May 7, 2022
Using local DNS server and an exit node SUPPORT QUESTIONS	0	305	July 11, 2023
Trying to use dnsmasq on linux with tailscale	2	914	September 21, 2022
Tailscale in NixOS with networkmanager	3	1969	December 5, 2022
Any official documentation on what the tailscale client changes on linux	6	2025	March 13, 2022

Tailscale and local dnsmasq

Related Topics