
Lammy · last Sunday at 8:16 PM · 1 reply

> I think you're incorrect in the default settings

What mac-attack is correct about is that by default, `tailscaled` sets itself as the only DNS resolver and proxies all DNS requests to your non-Tailscale nameservers. Citations:

- https://tailscale.com/kb/1381/what-is-quad100#dns-resolver

“`100.100.100.100` or Quad100 is a special Tailscale IP address […] that provides essential local services. It operates similarly to the localhost address (`127.0.0.1`) but serves only Tailscale-specific services. These services include a DNS resolver.”

“One of the services provided by Quad100 is a DNS resolver running on port 53 (`100.100.100.100:53`). A DNS resolver is a service that translates IP addresses to hostnames like `google.com` or `macbook.tailnetname.ts.net`. Quad100 is a stub resolver, similar to systemd-resolved, except with extra features.”

- https://tailscale.com/blog/sisyphean-dns-client-linux

“The upcoming Tailscale 1.8 release implements all of the above [other DNS managers], which should hopefully make DNS on Linux just work, no matter how your machine is choosing to do it.”

- https://tailscale.com/kb/1235/resolv-conf

“Tailscale overwrites `/etc/resolv.conf` when MagicDNS is enabled in the tailnet”

“Tailscale tries to interoperate with a number of other DNS managers before resorting to overwriting `/etc/resolv.conf`.”

- https://tailscale.com/kb/1081/magicdns

“Tailnets created on or after October 20, 2022 have MagicDNS enabled by default.”

It does say “While Quad100's DNS resolver operates locally without logging, forwarded requests might be logged by configured nameservers.”, but the fact remains that the Tailscale software is very aggressive about taking over all DNS resolution on your system. Once that is done, the option of whether or not `tailscaled` overrides your default nameservers can be configured remotely without you knowing it's happening!

https://tailscale.com/kb/1054/dns#tailscale-dns-settings


Replies

vladvasiliu · last Monday at 7:55 AM

I'm split on this. According to your links, it tries to cooperate with the system resolver. If it can't find a way to do it, then yeah, it kinda has to replace it.

Of course, they could put this much more front and center in the docs, so that if you're running some funky setup and know what you're doing, you should be able to easily do it - which you probably can with the `--disable-dns` thing. But putting it in a prominent spot in the docs could help to not overlook this.

I've just checked the setup on a machine running systemd-networkd and resolved, and resolv.conf wasn't touched. It only added a specific DNS setup for the tailscale0 interface, which only covers my tailnet name and IPs. It doesn't even show as a fallback or whatever in the global section.

> the option of whether or not `tailscaled` overrides your default nameservers can be configured remotely without you knowing it's happening!

I mean, there are two situations. Either we're talking about a "pro" environment, where corp VPNs taking over your local network config, as much as I hate it, isn't exactly news. Then there's the personal plans users, in which case, if the DNS changes without you knowing, you probably have way bigger problems.
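Both sides of the thread come down to one observable question: has `tailscaled` become the resolver for every lookup on the host (the `/etc/resolv.conf` overwrite Lammy cites), or only for the tailnet domains on the `tailscale0` link (what vladvasiliu saw under systemd-resolved)? The script below is an added example, not code from either commenter or from Tailscale; it checks both conditions against constructed sample input (the resolv.conf lines and the resolvectl-style text are modelled on those formats, not captured from a real host), and it assumes the `~.` catch-all routing domain is what makes a link the route for all queries in systemd-resolved.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tailscale: report whether
# tailscaled has taken over host DNS, using constructed samples so it runs offline.
#  1. resolv.conf: is Quad100 (100.100.100.100) the only nameserver?
#  2. resolvectl-style output: does the tailscale0 link carry the '~.' catch-all
#     routing domain (every lookup is routed to it) or only tailnet domains?
QUAD100="100.100.100.100"
# Prints one of: none | quad100-only | mixed | other
classify_resolv_conf() {
    total=0; quad=0
    for ns in $(sed 's/[#;].*//' "$1" | awk '$1=="nameserver"{print $2}'); do
        total=$((total + 1))
        if [ "$ns" = "$QUAD100" ]; then quad=$((quad + 1)); fi
    done
    if [ "$total" -eq 0 ]; then echo none
    elif [ "$quad" -eq "$total" ]; then echo quad100-only
    elif [ "$quad" -gt 0 ]; then echo mixed
    else echo other; fi
}

# Prints one of: absent | scoped | default-route (inspects the tailscale0 link only)
tailscale0_dns_scope() {
    domains=$(awk -v ORS=" " '
        /^Link [0-9]+ \(/ { inlink = ($0 ~ /\(tailscale0\)/) }
        /^Global/         { inlink = 0 }
        inlink && /DNS Domain:/ { sub(/.*DNS Domain:[ \t]*/, ""); print }' "$1")
    if [ -z "$domains" ]; then echo absent; return 0; fi
    case " $domains " in
        *" ~. "*) echo default-route ;;
        *)        echo scoped ;;
    esac
}

# Constructed samples, modelled on the file/output formats (not captured from a host)
SAMPLES=$(mktemp -d)
printf 'nameserver 100.100.100.100\nsearch example.ts.net\n' > "$SAMPLES/overwritten.conf"
printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\n' > "$SAMPLES/stub.conf"
cat > "$SAMPLES/scoped.txt" <<'EOF'
Global
       DNS Servers: 192.0.2.1
Link 3 (tailscale0)
       DNS Servers: 100.100.100.100
        DNS Domain: example.ts.net ~100.100.in-addr.arpa
EOF
# Same link, but with '~.' added: tailscaled would now answer for every domain
sed 's/example.ts.net/example.ts.net ~./' "$SAMPLES/scoped.txt" > "$SAMPLES/default.txt"

for f in overwritten.conf stub.conf; do echo "$f: $(classify_resolv_conf "$SAMPLES/$f")"; done
for f in scoped.txt default.txt; do echo "$f: $(tailscale0_dns_scope "$SAMPLES/$f")"; done
```

On a live host, point `classify_resolv_conf` at `/etc/resolv.conf` and `tailscale0_dns_scope` at the output of `resolvectl status`; `quad100-only` or `default-route` means every lookup passes through tailscaled, while `scoped` is the per-link setup described above.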