Tailscale in NixOS with networkmanager

I’m using nixos with networkmanager, and since activating tailscale’s magic DNS, I can see that it replaced nixos’s auto generated DNS with its own:

# Generated by resolvconf
search matrixai.org.github.beta.tailscale.net
nameserver 100.100.100.100
options edns0

This is actual /etc/resolve.conf.bak is my original DNS:

# Generated by resolvconf
options edns0
nameserver 1.1.1.1
nameserver 1.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
nameserver 2606:4700:4700::1111
nameserver 2606:4700:4700::1001
nameserver 2001:4860:4860::8888
nameserver 127.0.0.1

Is there a way I can get back my original DNS list? Is there a way to make tailscale not override my own DNS, I’m using the tailscale service, and I’m using the insertNameservers option.

networking = {
      networkmanager = {
        enable = true;
        dns = "dnsmasq";
        insertNameservers = import ./nameservers.nix;
      };
};

How would tailscale’s DNS service work with my existing nameservers?

For now I have to disable the DNS, since this silent override of my NixOS’s configuration of DNS is surprising. Especially since I was expecting that tailscale wouldn’t override my local DNS settings on Linux (the option on the GUI wasn’t even enabled!)

I can specify these DNS settings by hand. How do I tell tailscale to not override my /etc/resolv.conf?

I had the same problem and got this response from Tailscale support:

At startup tailscaled determines what Linux DNS resolution is in use, like systemd-resolved or NetworkManager or plain /etc/resolv.conf: The Sisyphean Task Of DNS Client Config on Linux · Tailscale

As described, it sounds like the system starts with a straightforward /etc/resolv.conf but swaps in a link to a systemd-resolved config file later. tailscaled has probably already decided that it should be overwriting /etc/resolv.conf by that point, and continues to do so.

A couple options:

  • after getting a network connection, stop tailscaled and then write to /etc/resolv.conf, then start tailscaled again. It should figure out that systemd-resolved is in use.
  • if you don’t want Tailscale DNS settings at all, “tailscale up --accept-dns=false” or turn off all settings in Tailscale

In “journalctl -u tailscaled” the following log message will likely be useful:
dns: [resolved-ping=yes rc=resolved nm=no ret=systemd-resolved]
which means: it found resolved mentioned in /etc/resolv.conf, was able to contact resolved via DBus, so it will send its DNS config to ret=systemd-resolved.

On the other hand, this:
dns: [resolved-ping=yes rc=resolved resolved=not-in-use ret=direct]
means it found resolved mentioned in /etc/resolv.conf but concluded that resolved isn’t running, so will fall back to its ret=direct mode of overwriting /etc/resolv.conf.