FR: ability to override DNS for some client

[Grogdunn]

What are you trying to do?

I want to override client DNS only for some clients (with an optin like choose to use an exit node). I want to override DNS on my laptop and mobile phone when I'm at "insecure" hotspot. But not on my workstation.

Thanks

How should we solve this?

No response

What is the impact of not solving this?

No response

Anything else?

No response

[DentonGentry]

On desktop clients, you can choose whether to use or not use the Tailscale DNS settings.

• for Linux: tailscale up --accept-dns=false
• for macOS: click the Tailscale icon in the menubar and choose Preferences > Use Tailscale DNS Settings
• for Windows: click the Tailscale icon in the taskbar and choose Preferences > Use Tailscale DNS settings

[Grogdunn]

Ok thanks, with this solution I've disable the DNS resolution of tailnet names. That is not a big problem, I've IPs but is handy to keep that

[mayakacz]

Is your ask the same as in https://github.com/tailscale/tailscale/issues/3302? If you're on an untrusted network, automatically use an exit node (and the DNS for that exit node)? Or do you want to use a different DNS but have traffic not routed through an exit node?

[Grogdunn]

Nope, I will decide by myself to use or not an exit node. This is fine for me.

"Simply" I will have an option in the cli and mobile option to "force" the usage of a set of DNS. Or a sort of.

The workaround to enable in admin console the DNS override and in each client do accept-dns=false a good workaround. But with this option i cannot use anymore the tailscale node name.

I want to "optin" by client to a "force DNS" so my DNS query doesn't go to an untrusted DNS server in an untrusted network.

[devksingh4]

I am also interested in this - is there any new ways to get this working?

[DentonGentry]

On desktop clients you can disable the DNS features and handle DNS configuration locally. Mobile clients do not currently have a way to disable DNS features.

[DentonGentry]

Ok thanks, with this solution I've disable the DNS resolution of tailnet names. That is not a big problem, I've IPs but is handy to keep that

One note if you're configuring your own DNS: the tiny DNS server in the local Tailscale process at 100.100.100.100 will answer queries sent deliberately to it, even if --accept-dns=false. Queries won't be sent to it since we don't point /etc/resolv.conf to it, but if YOU were to send ts.net queries to 100.100.100.100 the daemon would do its best to answer.

[alphamike-1612]

Adding interest to this issue.

My request is a small modification of the original

Override local DNS remains as a global option, while I can choose to accept or deny the custom nameserver on each machine (specifically linux). This allows me access to magicDNS but not the DNS nameserver.

Current option (accept-dns) either uses both the nameserver and the magicDNS or none.

My use case - A server, a pihole,a target device and android phone on the same tailnet. With pihole configured as nameserver on tailscale and overridelocal DNS option enabled. I do not want my server to use the pihole DNS, but I want to be able to use magicDNS to access my target device. In the current setup, this is not possible, unless I specify the IP of the target device, which I would prefer not to(since the device is interchangeably used between LAN and WAN). The override local DNS is for my android phone to access the pihole when outside the local network.

I understand this is an extreme use case. But hope this becomes a feature.

Thank you.

[svenstaro]

@alphamike-1612 Thanks for the description of your use case. I was having this exact issue and was wondering why my DNS stops working entirely but of course that's because my DNS server that I want to set is also inside my Tailnet and so it will effectively just route into itself after overriding the local DNS for all devices.

[kmwoley]

I share the need to have this option. I want to force a subset devices use my private DNS server.

In my case, I have a server on my tailnet that does not have access the private DNS server. It is not allowed to access the subnet route for the DNS server. However, I want that server to have MagicDNS so it can reach other clients.

For all other devices I want to force them to use the private DNS when connected to the tailnet (prevent them from disabling the use of the private DNS).

[TreehouseFalcon]

I have a team of people using Tailscale to access Tailnet nodes and the only option right now is to completely disable MagicDNS for the nodes on our private subnet. This seems overkill, could we get an option to set a secondary DNS server (for local domain resolution) via the tailscale up command?

[hashworks]

I'm in the same situation, it doesn't seem reasonable to set --accept-dns=false on hundreds of devices if one only wants to use it on a dozen of them.

[bartoszhernas]

Can the DNS setting be moved to ACL, so I can assign tags etc which devices should use Tailscale forced DNS? My use case is: I want to use my pi-hole, but only for devices from my account and not others.

[gabriel-vanca]

Any news on this?