Open raggi opened 1 year ago
Important indeed. In a mixed server/desktop environment, simply starting to force a DNS as in the workaround description might create a lot of trouble, especially as you cannot set/force a DNS per single Tailscale client (urgently needed). Guess you could set individual problematic nodes, e.g. servers, to accept-dns false, but still kind of not a solution.
If there is no global nameserver configured in the admin panel with "Override local DNS" enabled, and "Allow Local Network Access" is disabled, and the user has a LAN DNS server address configured, then DNS resolutions will fail. In some sense this is good: we explicitly have not leaked DNS, which is why it is failing, but in another it is very bad: the user effectively lost internet access.
In this configuration we should default to the in-network 10.64.0.1 address, or one of the DOH addresses (https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/). This behavior would be directly equivalent to the regular exit node behavior that resolves via the peer API of the selected Tailscale exit node.

The current recommended workaround for this issue is documented here: https://tailscale.com/kb/1258/mullvad-exit-nodes/#important-dns-considerations
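As an added illustration (not Tailscale's code and not from the issue author), the following models the resolver selection the issue describes: which nameservers a node ends up using while a Mullvad exit node is active, when the lookups fail, and what the proposed fallback to 10.64.0.1 would change. The `DnsConfig` fields, the `parse_resolv_conf` helper and the sample resolv.conf contents are constructed assumptions; the rule that a locally configured public resolver still works through the exit node is also an assumption.

```python
"""Model of the exit-node DNS selection described in the issue.
Constructed example: the policy below is a reading of the issue text,
not the client's actual implementation."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

MULLVAD_IN_NETWORK_DNS = "10.64.0.1"  # in-network resolver named in the issue

# Constructed sample of a typical LAN-configured resolver file.
SAMPLE_RESOLV_CONF = """\
search home.lan
nameserver 192.168.1.1
"""


@dataclass
class DnsConfig:
    # Assumed field names mirroring the admin-panel settings in the issue.
    global_nameservers: List[str] = field(default_factory=list)
    override_local_dns: bool = False
    allow_lan_access: bool = False
    local_nameservers: List[str] = field(default_factory=list)


def parse_resolv_conf(text: str) -> List[str]:
    """Extract nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def is_lan_address(addr: str) -> bool:
    """RFC 1918 / non-routable resolvers are only reachable via the LAN."""
    return ipaddress.ip_address(addr).is_private


def effective_resolvers(cfg: DnsConfig, fallback: bool = False) -> Tuple[List[str], bool]:
    """Return (resolvers that will be used, whether lookups will fail).
    fallback=True applies the issue's proposal: use the in-network resolver
    when no configured resolver is reachable through the exit node."""
    if cfg.global_nameservers and cfg.override_local_dns:
        return list(cfg.global_nameservers), False
    usable = [s for s in cfg.local_nameservers
              if cfg.allow_lan_access or not is_lan_address(s)]
    if usable:
        return usable, False
    if fallback:
        return [MULLVAD_IN_NETWORK_DNS], False
    return [], True  # current behavior: nothing reachable, lookups fail
```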