headscale
headscale copied to clipboard
juanfont
Local DNS resolution doeesn't work on macOS with MagicDNS enabled
Bug description
When connected to a Headscale server where MagicDNS is enabled, local name resolution doesn't work anymore on macOS.
For example without Tailscale enabled my machine receives DNS configuration via DHCP from my home router. The home router runs its own DNS server and resolves <router_name> to its own IP address. Once connected to the Headscale Tailnet, <router_name> can no longer be resolved.
With the official Tailscale coordination server on the other hand there is an explicit option whether local DNS resolution should be overriden or not. If the toggle to override local DNS resolution is turned off, the router name can still be resolved.
So this seems like a bug in how Headscale configures the Tailscale client.
Context info
- Version of headscale 0.15.0
- Version of tailscale 1.16.1
- OS macOS 12.4
config.yaml
dns_config:
base_domain: 'example.com'
domains: []
magic_dns: true
nameservers:
- 1.1.1.1
Output of scutil --dns
The output of scutil --dns looks different when connected to Tailscale vs Headscale.
Tailscale
DNS configuration
resolver #1
search domain[0] : internal.example.com (note: probably because I configured scutil --set HostName to be <machine_name>.internal.example.com)
search domain[1] : <my-email-address>.beta.tailscale.net
search domain[2] : ts.net
search domain[3] : <router DHCP domain_name>
nameserver[0] : <router ipv4>
nameserver[1] : <router ipv6>
if_index : 13 (en7)
flags : Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2 - #65
domain : <64-127>.100.in-addr.arpa.
nameserver[0] : 100.100.100.100
if_index : 28 (utun3)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 103002 - 103065
resolver #66
domain : 0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa.
nameserver[0] : 100.100.100.100
if_index : 28 (utun3)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 103001
resolver #67
domain : <my email address>.beta.tailscale.net.
nameserver[0] : 100.100.100.100
if_index : 28 (utun3)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 103000
resolver #68
domain : ts.net.
nameserver[0] : 100.100.100.100
if_index : 28 (utun3)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 103066
resolver #69
domain : internal.example.com (note: this resolver comes from corporate IPSec VPN that I am connected to as well. this corporate VPN does split-tunneling. it takes over DNS for this subdomain)
nameserver[0] : <corporate DNS 1>
nameserver[1] : <corporate DNS 2>
nameserver[2] : <corporate DNS 3>
if_index : 27 (utun4)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 101200
resolver #70
domain : local
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #71
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #72
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #73
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #74
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #75
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 301000
DNS configuration (for scoped queries)
resolver #1
search domain[0] : <router DHCP domain_name>
nameserver[0] : <router ipv4>
nameserver[1] : <router ipv6>
if_index : 13 (en7)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
search domain[0] : <router DHCP domain_name>
nameserver[0] : <router ipv4>
nameserver[1] : <router ipv6>
if_index : 15 (en0)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #3
search domain[0] : internal.example.com
nameserver[0] : <corporate DNS 1>
nameserver[1] : <corporate DNS 2>
nameserver[2] : <corporate DNS 3>
if_index : 27 (utun4)
flags : Scoped, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
resolver #4
search domain[0] : <my_email_address>.beta.tailscale.net
search domain[1] : 0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa
search domain[2] : 100.100.in-addr.arpa
search domain[3] : 101.100.in-addr.arpa
search domain[4] : 102.100.in-addr.arpa
search domain[5] : 103.100.in-addr.arpa
search domain[6] : 104.100.in-addr.arpa
search domain[7] : 105.100.in-addr.arpa
search domain[8] : 106.100.in-addr.arpa
search domain[9] : 107.100.in-addr.arpa
search domain[10] : 108.100.in-addr.arpa
search domain[11] : 109.100.in-addr.arpa
search domain[12] : 110.100.in-addr.arpa
search domain[13] : 111.100.in-addr.arpa
search domain[14] : 112.100.in-addr.arpa
search domain[15] : 113.100.in-addr.arpa
search domain[16] : 114.100.in-addr.arpa
search domain[17] : 115.100.in-addr.arpa
search domain[18] : 116.100.in-addr.arpa
search domain[19] : 117.100.in-addr.arpa
search domain[20] : 118.100.in-addr.arpa
search domain[21] : 119.100.in-addr.arpa
search domain[22] : 120.100.in-addr.arpa
search domain[23] : 121.100.in-addr.arpa
search domain[24] : 122.100.in-addr.arpa
search domain[25] : 123.100.in-addr.arpa
search domain[26] : 124.100.in-addr.arpa
search domain[27] : 125.100.in-addr.arpa
search domain[28] : 126.100.in-addr.arpa
search domain[29] : 127.100.in-addr.arpa
search domain[30] : 64.100.in-addr.arpa
search domain[31] : 65.100.in-addr.arpa
search domain[32] : 66.100.in-addr.arpa
search domain[33] : 67.100.in-addr.arpa
search domain[34] : 68.100.in-addr.arpa
search domain[35] : 69.100.in-addr.arpa
search domain[36] : 70.100.in-addr.arpa
search domain[37] : 71.100.in-addr.arpa
search domain[38] : 72.100.in-addr.arpa
search domain[39] : 73.100.in-addr.arpa
search domain[40] : 74.100.in-addr.arpa
search domain[41] : 75.100.in-addr.arpa
search domain[42] : 76.100.in-addr.arpa
search domain[43] : 77.100.in-addr.arpa
search domain[44] : 78.100.in-addr.arpa
search domain[45] : 79.100.in-addr.arpa
search domain[46] : 80.100.in-addr.arpa
search domain[47] : 81.100.in-addr.arpa
search domain[48] : 82.100.in-addr.arpa
search domain[49] : 83.100.in-addr.arpa
search domain[50] : 84.100.in-addr.arpa
search domain[51] : 85.100.in-addr.arpa
search domain[52] : 86.100.in-addr.arpa
search domain[53] : 87.100.in-addr.arpa
search domain[54] : 88.100.in-addr.arpa
search domain[55] : 89.100.in-addr.arpa
search domain[56] : 90.100.in-addr.arpa
search domain[57] : 91.100.in-addr.arpa
search domain[58] : 92.100.in-addr.arpa
search domain[59] : 93.100.in-addr.arpa
search domain[60] : 94.100.in-addr.arpa
search domain[61] : 95.100.in-addr.arpa
search domain[62] : 96.100.in-addr.arpa
search domain[63] : 97.100.in-addr.arpa
search domain[64] : 98.100.in-addr.arpa
search domain[65] : 99.100.in-addr.arpa
search domain[66] : ts.net
nameserver[0] : 100.100.100.100
if_index : 28 (utun3)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
Headscale
DNS configuration
resolver #1
search domain[0] : internal.example.com
search domain[1] : <headscale namespace>.example.com
search domain[2] : <router DHCP domain_name>
nameserver[0] : 100.100.100.100
if_index : 27 (utun4)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 103400
resolver #2
nameserver[0] : <router ipv4>
nameserver[1] : <router ipv6>
if_index : 13 (en7)
flags : Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
order : 200000
resolver #3
domain : <headscale namespace>.example.com.
nameserver[0] : 100.100.100.100
if_index : 27 (utun4)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 103401
resolver #4
domain : internal.example.com
nameserver[0] : <corporate DNS 1>
nameserver[1] : <corporate DNS 2>
nameserver[2] : <corporate DNS 3>
if_index : 28 (utun3)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 101000
resolver #5
domain : local
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #6
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #7
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #8
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #9
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #10
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 301000
DNS configuration (for scoped queries)
resolver #1
search domain[0] : <router DHCP domain_name>
nameserver[0] : <router ipv4>
nameserver[1] : <router ipv6>
if_index : 13 (en7)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
search domain[0] : <router DHCP domain_name>
nameserver[0] : <router ipv4>
nameserver[1] : <router ipv6>
if_index : 15 (en0)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #3
search domain[0] : internal.example.com
nameserver[0] : <corporate DNS 1>
nameserver[1] : <corporate DNS 2>
nameserver[2] : <corporate DNS 3>
if_index : 28 (utun3)
flags : Scoped, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
resolver #4
search domain[0] : <headscale namespace>.example.com
nameserver[0] : 100.100.100.100
if_index : 27 (utun4)
flags : Scoped, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
=> So it seems with Tailscale my resolver number 1 stays my router, even for the Tailscale namespaces, while with Headscale resolver number 1 is 100.100.100.100
I encountered some dns issue in Linux and OpenBSD machine, have not dive into these issues, but I think it may be same as yours.
After read some code, I think DefaultResolvers should be set to nil and a Route map item { '.' : '$resolver_set_in_config'} shoule be added into Routes.
I do not have a official tailscale account, maybe someone with official tailscale account could look into the log see how dns config looks like(keyword: dns: Set:)
If anyone confirm my guess is correct, I'm happy to implement the fix :)
Oh cool, that you have a hunch so quickly! @huskyii
I just checked on a different Linux machine, that should work as well, right?
In there I have the following line in the log:
tailscaled[32149]: router: dns: Set: {Nameservers:[100.100.100.100] Domains:[<email>.beta.tailscale.net] PerDomain:false Proxied:true
Is that what you are looking for?
Oh cool, that you have a hunch so quickly! @huskyii
I just checked on a different Linux machine, that should work as well, right?
In there I have the following line in the log:
tailscaled[32149]: router: dns: Set: {Nameservers:[100.100.100.100] Domains:[<email>.beta.tailscale.net] PerDomain:false Proxied:trueIs that what you are looking for?
Hi @felixscheinost which version of tailscale r u using? The log is different from mine. I'm using tailscale 1.26.1
Here's my log, note: no router: before dns: Set:
tailscaled[51443]: dns: Set: {DefaultResolvers:[] Routes:{} SearchDomains:[] Hosts:0}
Isn't this related to #280 ? My understanding is that an option for deciding if you want to override the DNS servers, or just use "split-dns" as in adding an extra DNS server to your current network configuration is missing on the headscale side vs tailscale.
In some cases you might want to force the DNS servers in the configuration to be the only ones (i.e if you are using another node as an exit node and the node has a DNS server configured and you don't want to leak DNS requests to the outside world), and in other cases you only want to add an extra DNS server to your configuration so that you can resolve the internal tailscale/headscale names.
I am not sure of which mode it is the default right now, for example in one of my Ubuntu systems I see:
# This file is managed by man:systemd-resolved(8). Do not edit.
#
# This is a dynamic resolv.conf file for connecting local clients directly to
# all known uplink DNS servers. This file lists all configured search domains.
#
# Third party programs must not access this file directly, but only through the
# symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a different way,
# replace this symlink by a static file or a different symlink.
#
# See man:systemd-resolved.service(8) for details about the supported modes of
# operation for /etc/resolv.conf.
nameserver 100.100.100.100
nameserver 10.83.0.1
nameserver fd0c:989d:1024::1
search home.i.my-private.domain local
This system was joined with the following command:
tailscale up --exit-node=100.64.0.1 --exit-node-allow-lan-access --login-server=https://vpn.my-private.domain
I guess the parameters you use to join the overlay network do also effect the resulting DNS servers in your system, as someone new to tailscale/headscale it would be great to get more details on how this is supposed to work in the documentation.
I also have configured 100.64.0.1 as my default DNS server in the headscale config with:
dns_config:
# List of DNS servers to expose to clients.
nameservers:
- 100.64.0.1
And I am running my own DNS server on that system. systemd-resolve --status is showing 100.100.100.100 as the default DNS server for ~* , but the queries are still being forwarded to 100.64.0.1 (I see them in the log), and as you see it is still keeping 10.83.0.1 as my local dns server for ".local" for my lan.
@huskyii I think I was using 1.24.2 at the time.
@vquicksilver Yeah, its probably a duplicate of that issue.
I tried working around the issuee right now by using the Go tailscaled and not the version from the macOS AppStore. But then I need to configure 100.100.100.100 manually. I couldn't find a way to do this without also overriding the DHCP DNS servers.
Okay, I just ran tailscaled manually on Linux against official Tailscale server.
I turned override local DNS on, then off again and watched the log:
# Turn override local DNS ON
wgengine: Reconfig: configuring router
wgengine: Reconfig: configuring DNS
dns: Set: {
# Difference, empty when override is OFF
DefaultResolvers:[1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001]
# Same
Routes:{beta.tailscale.net.:[] felix-scheinost.googlemail.com.beta.tailscale.net.:[] ts.net.:[]}+65arpa
# Same
SearchDomains:[felix-scheinost.googlemail.com.beta.tailscale.net.]
# Same
Hosts:7
}
dns: Resolvercfg: {
# Difference, when override local DNS is OFF these contains the DHCP resolvers
Routes:{.:[1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001]}
# Same
Hosts:7
# Same
LocalDomains:[felix-scheinost.googlemail.com.beta.tailscale.net. beta.tailscale.net. ts.net.]+65arpa
}
dns: OScfg: {
# Same
Nameservers:[100.100.100.100]
# Same
SearchDomains:[felix-scheinost.googlemail.com.beta.tailscale.net.]
# Same
MatchDomains:[]
}
# Turn override local DNS OFF
wgengine: Reconfig: configuring router
wgengine: Reconfig: configuring DNS
dns: Set: {
DefaultResolvers:[]
Routes:{beta.tailscale.net.:[] felix-scheinost.googlemail.com.beta.tailscale.net.:[] ts.net.:[]}+65arpa
SearchDomains:[felix-scheinost.googlemail.com.beta.tailscale.net.]
Hosts:7
}
dns: Resolvercfg: {
Routes:{.:[192.168.178.1 fd00::de39:6fff:fe31:7433]}
Hosts:7
LocalDomains:[felix-scheinost.googlemail.com.beta.tailscale.net. beta.tailscale.net. ts.net.]+65arpa
}
dns: OScfg: {
Nameservers:[100.100.100.100]
SearchDomains:[felix-scheinost.googlemail.com.beta.tailscale.net. fritz.box.]
MatchDomains:[]
}
I don't think headscale has a override_local_DNS option now, maybe we should add one, what confused me is that offical Tailscale KB for maigic DNS stated that
Your network must have at least one DNS nameserver enabled in the admin console. These nameservers will receive all DNS queries not handled by MagicDNS. This restriction will be relaxed in the future.
I think it's basically says that to use magic DNS, you need override local DNS.
@felixscheinost does magic DNS work if you turn off override local DNS ?
And could you please also take a look at /etc/resolv.conf and /etc/resolv.pre-tailscale-backup.conf
Your network must have at least one DNS nameserver enabled in the admin console. These nameservers will receive all DNS queries not handled by MagicDNS. This restriction will be relaxed in the future.
I think it's basically says that to use magic DNS, you need override local DNS.
This is incorrect, at least when using resolved.
MagicDNS sets in-addr.arpa records for all the IP address space used by tailscale.
Override local DNS enabled sets +DefaultRoute for the tailscale interface (meaning this should be the default DNS unless a more specific is found) and the global DNS domain ~.
The two settings are independent - however I have no idea how this works in systems pre-resolved.
@mlincett @huskyii @felixscheinost
I think I have added support for this correctly in https://github.com/juanfont/headscale/pull/905, can you please help me test it?
Sorry, I just got around to try out the new version.
BTW: Awesome that you have a flake.nix!
@kradalby If I set dns_config.override_local_dns = false then I can again use local resolvers but I can no longer resolve MagicDNS names
My config looks like this
db_path: /var/lib/headscale/db.sqlite
db_type: sqlite3
derp:
auto_update_enable: false
paths: []
server:
enabled: 'true'
region_code: headscale
region_id: '999'
region_name: Headscale Embedded DERP
stun_listen_addr: 0.0.0.0:3478
update_frequency: 24h
urls: []
disable_check_updates: true
dns_config:
base_domain: example.com
domains: []
magic_dns: true
nameservers:
- 1.1.1.1
override_local_dns: false
ephemeral_node_inactivity_timeout: 30m
listen_addr: 0.0.0.0:443
log_level: info
noise:
private_key_path: /var/lib/headscale/noise_private.key
oidc:
client_id: ''
domain_map: {}
issuer: ''
private_key_path: /var/lib/headscale/private.key
server_url: https://headscale.example.com:443
tls_letsencrypt_cache_dir: /var/lib/headscale/.cache
tls_letsencrypt_challenge_type: HTTP-01
tls_letsencrypt_hostname: headscale.example.com
tls_letsencrypt_listen: :http
unix_socket: /run/headscale/headscale.sock
Output of scutil --dns
DNS configuration
resolver #1
<my local router>
if_index : 10 (en6)
flags : Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
<other VPN>
if_index : 34 (utun5)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 100400
resolver #3
domain : local
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300000
resolver #4
domain : 254.169.in-addr.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300200
resolver #5
domain : 8.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300400
resolver #6
domain : 9.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300600
resolver #7
domain : a.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 300800
resolver #8
domain : b.e.f.ip6.arpa
options : mdns
timeout : 5
flags : Request A records, Request AAAA records
reach : 0x00000000 (Not Reachable)
order : 301000
DNS configuration (for scoped queries)
resolver #1
<my local router>
if_index : 10 (en6)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #2
<my local router>
if_index : 14 (en0)
flags : Scoped, Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
resolver #3
<internal other VPN>
if_index : 34 (utun5)
flags : Scoped, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
So now it seems as if the Tailscale client isn't configuring any DNS settings at all.
I'm trying out headscale this week and just ran into this problem myself. It seems like the only working options using the official macOS Tailscale client are:
- Run all DNS through Tailscale/Headscale
- Run no DNS through Tailscale/Headscale
I guess maybe most users are intentionally routing DNS through the overlay network for added security so this is an uncommon issue? My long-term plans for this do involve DNS so if there's not a workaround it's probably fine but was wondering if anyone had discovered anything new on this issue?
I am currently having the issue that MagicDNS breaks when override_local_dns is set to false (on Linux, Tailscale client v1.48.1). I am not sure if this is exactly the same issue, but at least it seems to be somehow related (and I did not want to open yet another issue for this).
MagicDNS only works with override_local_dns=true, but then all DNS queries are obviously sent through the resolvers configured in Headscale, which might not be what you want. When override_local_dns=false, all DNS queries are sent through the client's resolver (whichever that is), including queries designated for MagicDNS, making the resolution fail. I verified both observations using tcpdump.
A manual dig host1.magicdns.example.com @100.100.100.100 works.
Someone also seems to have the same issue since #905 (https://github.com/juanfont/headscale/pull/905#issuecomment-1377224539).
I am currently having the issue that MagicDNS breaks when override_local_dns is set to false (on Linux, Tailscale client v1.48.1). I am not sure if this is exactly the same issue, but at least it seems to be somehow related (and I did not want to open yet another issue for this).
MagicDNS only works with override_local_dns=true, but then all DNS queries are obviously sent through the resolvers configured in Headscale, which might not be what you want. When override_local_dns=false, all DNS queries are sent through the client's resolver (whichever that is), including queries designated for MagicDNS, making the resolution fail. I verified both observations using tcpdump.
A manual
dig host1.magicdns.example.com @100.100.100.100works.Someone also seems to have the same issue since #905 (#905 (comment)).
I am not currently using headscale but I guess it could be helpful if you could say something more about your DNS configuration. In case you are using systemd-resolved you may want to attach the output of resolvectl status.
This issue is stale because it has been open for 90 days with no activity.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
This issue was closed because it has been inactive for 14 days since being marked as stale.
I'm trying out headscale this week and just ran into this problem myself. It seems like the only working options using the official macOS Tailscale client are:
* Run all DNS through Tailscale/Headscale * Run _no_ DNS through Tailscale/HeadscaleI guess maybe most users are intentionally routing DNS through the overlay network for added security so this is an uncommon issue? My long-term plans for this do involve DNS so if there's not a workaround it's probably fine but was wondering if anyone had discovered anything new on this issue?
Just tried this and I can also confirm that apparently you really have only two choices with MacOS official tailscale client + headscale currently:
You either run ALL your DNS through there or none of it. override_local_dns doesn't seem to be respected, resolver will always try to route through headscale first if you're connected.
