Undocumented Exit Node "Feature"? (DNS Resolution)

Tailscale 1.36.2
Mix of Linux, android, and windows.

So, I was tearing my hair out trying to figure this out. It seems that when you are using an exit node, your “global dns settings” are overriden, and the tailscale client on the exit node simply uses the OS default resolver to resolve DNS names. The fact that the exit node acts as a resolver is mentioned in the docs, but the fact that it overrides all other DNS settings is not.

My use case is that I want my tailscale clients to use a pihole in my network (Routable via subnet routing), but I do not want my servers running as subnet routers to be beholden to the pihole.

So the servers hosting my tailscale exit nodes use their default DNS resolvers with no DNS blocking. I set the “Global Nameservers” to a pihole, and made sure my client is set to use tailscale DNS settings. (and I’ve been testing by doing nslookups against 100.100.100.100 from the client).

I can understand why automatically configuring this would be ideal for basic use, but I also feel like ‘global nameservers’ should override this ‘automatic nameserver’ feature. Doubly annoying is the fact that the queries come from the exit node itself, rather than seeming to come from the tailscale network, so I can’t even point my exit node at the pihole but then exclude it from pihole blocking - because that would get me right back to the same behavior.

So, my request would be to change this somehow - either make the behavior of using your exit node as a DNS resolver agent something you can disable per-client… or make global nameservers override that behavior, or both…

As it is, this makes tailscale half useless for my use case. I had previously been using native wireguard to provide myself a private VPN which would provide always-on ad blocking for my phone, using my internal pihole for DNS resolution. I was hoping to move to tailscale primarily for DERP support for those pesky public wifi networks with restrictive firewalls. The basic routing features work great, but since it disables my preferred DNS resolver, with no way to configure a specific resolver when using an exit node, I can’t get the ad blocking benefit if I use it.

1 Like