Hacker News

vladvasiliu, last Sunday at 12:28 PM (1 reply)

> Am I correct that when tailscale updates/hijacks resolv.conf, subsequent DNS resolution is passed onto them on visited websites even when tailscale is not being used?

I think you're incorrect in the default settings, even when tailscale is active.

From the docs, last paragraph under Global nameservers https://tailscale.com/kb/1054/dns#global-nameservers

By default, your tailnet's devices use their local DNS settings for all queries. To force clients to always use the nameservers you define, you can enable the Override DNS servers toggle.


Replies

Lammy, last Sunday at 8:16 PM

> I think you're incorrect in the default settings

What mac-attack is correct about is that by default, `tailscaled` sets itself as the only DNS resolver and proxies all DNS requests to your non-Tailscale nameservers. Citations:

- https://tailscale.com/kb/1381/what-is-quad100#dns-resolver

“`100.100.100.100` or Quad100 is a special Tailscale IP address […] that provides essential local services. It operates similarly to the localhost address (`127.0.0.1`) but serves only Tailscale-specific services. These services include a DNS resolver.”

“One of the services provided by Quad100 is a DNS resolver running on port 53 (`100.100.100.100:53`). A DNS resolver is a service that translates IP addresses to hostnames like `google.com` or `macbook.tailnetname.ts.net`. Quad100 is a stub resolver, similar to systemd-resolved, except with extra features.”

- https://tailscale.com/blog/sisyphean-dns-client-linux

“The upcoming Tailscale 1.8 release implements all of the above [other DNS managers], which should hopefully make DNS on Linux just work, no matter how your machine is choosing to do it.”

- https://tailscale.com/kb/1235/resolv-conf

“Tailscale overwrites `/etc/resolv.conf` when MagicDNS is enabled in the tailnet”

“Tailscale tries to interoperate with a number of other DNS managers before resorting to overwriting `/etc/resolv.conf`.”

- https://tailscale.com/kb/1081/magicdns

“Tailnets created on or after October 20, 2022 have MagicDNS enabled by default.”

It does say “While Quad100's DNS resolver operates locally without logging, forwarded requests might be logged by configured nameservers.”, but the fact remains that the Tailscale software is very aggressive about taking over all DNS resolution on your system. Once that is done, the option of whether or not `tailscaled` overrides your default nameservers can be configured remotely without you knowing it's happening!

https://tailscale.com/kb/1054/dns#tailscale-dns-settings

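Both comments above turn on the same question: is `100.100.100.100` the only nameserver on the host, so that every query (not just `*.ts.net` names) passes through `tailscaled` before being forwarded? The script below is an added example, not code from the thread or from Tailscale. It reads a resolv.conf-formatted file and classifies it, using three constructed sample files in place of `/etc/resolv.conf`; the sample addresses, search domains and comment lines are made up for the example. It also flags the systemd-resolved case (`127.0.0.53`), where the page's own citations say `tailscaled` interoperates with the DNS manager rather than overwriting the file, so Quad100 would only be visible in `resolvectl status`, not in resolv.conf.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tailscale. Inspect a
# resolv.conf and report whether Quad100 (100.100.100.100) is the only
# nameserver, i.e. whether every DNS query on this host goes via tailscaled.

QUAD100="100.100.100.100"
RESOLVED_STUB="127.0.0.53"   # systemd-resolved's local stub listener

# Print the nameserver addresses listed in resolv.conf file $1, in order.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Classify the resolver configuration in file $1 and print one word:
#   quad100-only      every nameserver is 100.100.100.100: tailscaled proxies all DNS
#   quad100-mixed     Quad100 is listed next to other servers
#   systemd-resolved  only 127.0.0.53 is listed; tailscaled may still be configured
#                     per-link, so check `resolvectl status` on the tailscale interface
#   no-quad100        tailscaled is not in the resolver path
#   none              no nameserver lines at all
classify_resolv() {
    total=0
    quad=0
    stub=0
    for ns in $(resolv_nameservers "$1"); do
        total=$((total + 1))
        if [ "$ns" = "$QUAD100" ]; then
            quad=$((quad + 1))
        elif [ "$ns" = "$RESOLVED_STUB" ]; then
            stub=$((stub + 1))
        fi
    done
    if [ "$total" -eq 0 ]; then
        echo none
    elif [ "$quad" -eq "$total" ]; then
        echo quad100-only
    elif [ "$quad" -gt 0 ]; then
        echo quad100-mixed
    elif [ "$stub" -eq "$total" ]; then
        echo systemd-resolved
    else
        echo no-quad100
    fi
}

# Constructed sample files standing in for /etc/resolv.conf on three hosts.
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/tailscale.conf" <<'EOF'
# constructed sample: what is left after tailscaled overwrites resolv.conf
nameserver 100.100.100.100
search example.ts.net
EOF

cat > "$SAMPLE_DIR/plain.conf" <<'EOF'
# constructed sample: a host whose DNS tailscaled has not touched
nameserver 192.0.2.53
nameserver 192.0.2.54
search corp.example
EOF

cat > "$SAMPLE_DIR/resolved.conf" <<'EOF'
# constructed sample: systemd-resolved owns /etc/resolv.conf
nameserver 127.0.0.53
options edns0 trust-ad
EOF

# Report on the constructed samples, then on the real file if there is one.
for f in tailscale plain resolved; do
    printf '%-16s %s\n' "$f.conf" "$(classify_resolv "$SAMPLE_DIR/$f.conf")"
done
if [ -r /etc/resolv.conf ]; then
    printf '%-16s %s\n' /etc/resolv.conf "$(classify_resolv /etc/resolv.conf)"
fi
```

If the real file comes back `quad100-only` and you would rather keep `tailscaled` out of the resolver path entirely, the client-side opt-out is `tailscale set --accept-dns=false` (or `--accept-dns=false` on `tailscale up`); that is a local setting, unlike the admin-console "Override DNS servers" toggle the thread discusses, which is applied from the control plane. The `systemd-resolved` result is deliberately not treated as a clean bill of health: on such hosts `tailscaled` registers itself with resolved instead of rewriting the file, so `resolvectl status tailscale0` is where Quad100 would show up.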