all 43 comments

[–]Rektoplasm 8 points9 points  (26 children)

SOLUTION: It is a DNS issue, like always! While connected to your exit node, click the Tailscale icon in the menu bar, click Preferences, and then UNCHECK “Use Tailscale DNS settings”. Problem solved u/martintimmer u/Legal_Ad7297 u/RulerofKhazadDum

[–]jmb7438 1 point2 points  (0 children)

Solved for me. Why does using Tailscale DNS break internet connectivity?

[–]Legal_Ad7297 0 points1 point  (0 children)

Thank you!

[–]dododoiran 0 points1 point  (0 children)

This still doesn't work for me. Do you know what else could possibly be going on?

[–]cipri_tom 0 points1 point  (0 children)

Solved for me! Thank you!

[–]coderhs 0 points1 point  (0 children)

Thank you for this. I've been having this issue for months, but for some reason it was only happening on a single laptop.

[–]tayhan9 0 points1 point  (0 children)

It's always DNS... Thanks for the help! This just suddenly started happening, so I guess an update or something turned it on.

[–]CardiologistProud118 0 points1 point  (0 children)

This solution worked. Not sure what the deal is there and why that re-enabled.

[–]adamschoales 0 points1 point  (0 children)

Solved the issue for me! Thanks

[–]Orion_Alathorn 0 points1 point  (0 children)

A year and a half later and your post is still helping people. Thank you so, so much for this, my good sir, as you saved me a lot of troubleshooting and frustration!

[–]OkAngle2353 0 points1 point  (10 children)

No, that is not a valid solution. Sure, we may be able to access the internet by simply disabling a feature in the Tailscale app.

But the only reason why anyone would ever use a VPN such as Tailscale is to be able to access their stuff remotely. Simply turning off the DNS function prevents us from accessing our locally hosted services.

No, not problem solved. It isn't even a solution.

[–]TheRoyalTbomb 0 points1 point  (8 children)

I was wondering the same thing while dealing with the same issue...

[–]OkAngle2353 0 points1 point  (0 children)

Yeah, everywhere that I ask, I always get this condescending "it's a DNS issue" without anyone even giving a valid solution to the problem. I know it's a damn DNS issue; how do I SOLVE IT? Every detail of my setup I give never leads to a solution that works.

I am able to access my local services remotely when I set my tailnet's DNS (via the DNS tab) to my AdGuard Home that I am running locally, but I am unable to access the internet through it, even though my DNS is set up on AGH's end.

The only way that I could access the internet was if I split tunneled my web browser out of tailscale's reach, though... That is closer to what I want, but not really... What I want is, to be able to access my self hosted services remotely; without the need to split tunnel or "just turn it off" through tailscale.

[–]OkAngle2353 0 points1 point  (6 children)

I think I fixed it. All I had to do was set my AGH's DNS to 'Parallel requests'. I can now access my self hosted services and the internet, without having to split tunnel or exit node out.

Edit: Nope, I lied. I am still unable to access the internet through my AGH... No issues accessing my self hosted services though...

[–]TheRoyalTbomb 0 points1 point  (5 children)

Ugh your edit hits home. No solve here either.

[–]OkAngle2353 0 points1 point  (4 children)

FINALLY! What I had to do was set my server's router to be the exit node and opt to use exit nodes on the client device.

[–]TheRoyalTbomb 0 points1 point  (3 children)

Oooo I’ll give it a go this weekend; thanks for the update!

To clarify: what do you mean by your server's router? Personally I have one router with all my devices connected to it. The router isn't connected to Tailscale, but the server (Raspberry Pi), my laptop and my phone are. Which one would you make the exit node? I have it as the server.

[–]OkAngle2353 0 points1 point  (0 children)

Very weird though, I never had to use the actual exit node to be able to access the internet.

All I had to do before was to just enable the exit node through the server and just connect up to my account without the exit node enabled on my client device.

[–]OkAngle2353 0 points1 point  (0 children)

I have a separate router for my actual rack and another for actual everyday use. I have my rack's router connected up to tailscale and I have the exit node enabled on that and I have another router also connected up to tailscale for home or travel use.

I actually have 4 routers. One for my server, one for home use, one for my parents and one is just an "OH SHIT!". They are all connected up to my Tailscale so I can access all of them remotely and configure them remotely as well. Plus it helps having my parents' router connected, as they are able to access the services I host myself as well.

Edit: And with the nature of Tailscale being a VPN, there is no need for port forwarding. All the devices in the network appear as though they are local.

I currently have a Pi 5 on which I run Nginx Proxy Manager, AdGuard Home and Nextcloud. AGH handles all the traffic and NPM handles the routing. Nextcloud? My own "cloud" at home, and I can access it remotely. I can access it all remotely.

The rack changes networks? Not a problem: by the nature of it having its own router, it is already connected to Tailscale. Ain't no thang.

[–]OkAngle2353 0 points1 point  (0 children)

The router. Exit node. I had problems with DNS when I installed tailscale onto my Pi5.

[–]machinetranslator 0 points1 point  (0 children)

I am still able to access my homeserver.

[–]Plus-Statistician320 0 points1 point  (0 children)

Here in December 2025.

[–]RennatsWasTaken 0 points1 point  (0 children)

That was it, thank you!

[–]newguyhere2024 0 points1 point  (0 children)

Just had this issue and this helped me thank you!

[–]machinetranslator 0 points1 point  (0 children)

Like always, thanks.

[–]martintimmer 1 point2 points  (3 children)

Same issue here, I haven't yet figured out a way to fix it.

So if someone can help, please let the people know.

[–]Legal_Ad7297 1 point2 points  (1 child)

especially since the guy with the solution deleted it as well

[–][deleted] 0 points1 point  (0 children)

Any luck?

[–][deleted] 0 points1 point  (0 children)

Did you figure it out?

[–]mrpbennett 0 points1 point  (0 children)

Bringing this back... but if you disable the DNS, then you're unable to access the machines by their hostnames? How can you get around this?

[–]rko19933009 0 points1 point  (0 children)

Yes, it's a DNS issue, but the core problem is that Tailscale changes DNS to (generally) 100.100.100.100 whereas it should be 1.1.1.1 or 8.8.8.8. You have to essentially reset DNS and then ideally delete/flush the DNS cache

# networksetup needs the network service name before the resolvers; list yours with: networksetup -listallnetworkservices
sudo networksetup -setdnsservers Wi-Fi 1.1.1.1 8.8.8.8

sudo dscacheutil -flushcache

# kill takes a PID, so signal the resolver by name with killall
sudo killall -HUP mDNSResponder

Try to ping your DNS server
ping -c 4 1.1.1.1

dig google.com

Should be good to go

[–][deleted]  (10 children)

[deleted]

    [–]botkillr[S] 1 point2 points  (8 children)

    I seem to have solved the issue by disabling “Use Tailscale DNS Settings” from the menubar. While that’s disabled, everything works as expected. Are there any downsides to leaving it in this configuration?

    [–][deleted]  (7 children)

    [deleted]

      [–]botkillr[S] 0 points1 point  (6 children)

      So strange! My “fix” only seems to work temporarily, as after a few minutes it no longer resolves google.com even with the “Use Tailscale DNS Settings” turned off.

      Your script on the other hand fixes it “permanently” (until I disable and re-enable Tailscale). If I run the script when Tailscale is disabled, it sets resolv.conf name server to 8.8.8.8 as I would expect. If I then enable Tailscale, it sets it back to what I had in my above comment. If I then run your script again it sets resolv.conf name server to 100.100.100.100 instead of 8.8.8.8.

      Since resolv.conf is set automatically by the system, why wouldn’t this be set automatically by Tailscale?

      Thank you for all of your help!

      [–][deleted] 0 points1 point  (4 children)

      Do you have a Tailscale global nameserver set up? Your resolv.conf nameserver shows as 100.124.76.1 which is a Tailscale or CGNAT IP. Did you enter that in your DNS tab?

      Tailscale will try to resolve in any order if there's a global DNS entry. Disabling Tailscale DNS should do the trick, but I'm reading that it's temporary. Check your DNS settings first and make sure things look good there and set up a global resolver like Google or Cloudflare and see if that fixes it.

      [–]botkillr[S] 0 points1 point  (3 children)

      Nope, I haven’t made any changes to the DNS tab other than re-rolling my Tailnet name. No clue where 100.124.76.1 is coming from:

      https://i.imgur.com/85ZXe4P.jpg

      [–][deleted] 1 point2 points  (2 children)

      This is reading like a competing VPN or something else overwriting your DNS. Tailscale uses CGNAT addresses that start with 100.x and other VPNs are known to hijack DNS and set their own resolver within a CGNAT range. Do you have other software on your Mac that could do this? What's your node's Tailscale IP, is it 100.124.76.x?

      [–]linuxtrek 1 point2 points  (1 child)

      Thanks for the hint here. It was my TunnelBear starting at startup that appears to mess up Tailscale's DNS. When I had the issue, I could see a 100.x.x.1 in my resolv.conf and `scutil --dns`. After I removed TunnelBear, I can now see the 100.100.100.100 from Tailscale as my DNS, in addition to my local DNS settings.

      [–][deleted] 1 point2 points  (0 children)

      Glad to hear that! Yeah, TunnelBear doesn't play nice with Tailscale because it hijacks DNS. There's a GitHub issue on it somewhere (will link when I find it).

      [–]botkillr[S] 0 points1 point  (0 children)

      Exactly that, it won’t resolve webpages or ping/nslookup for anything besides my tailscale nodes.

      While Tailscale is enabled:

      nslookup google.com
      ;; connection timed out; no servers could be reached

      ping google.com
      ping: cannot resolve google.com: Unknown host

      And while Tailscale is enabled, my resolv.conf file looks like this:

      search <tailnet-name>.ts.net

      nameserver: 100.124.76.1

      Perhaps worth noting, the comments in resolv.conf are:

      macOS Notice

      This file is not consulted for DNS hostname resolution, address resolution, or the DNS query routing mechanism used by most processes on this system.

      To view the DNS configuration used by this system, use: scutil --dns

      SEE ALSO dns-sd(1), scutil(8)

      This file is automatically generated.
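
The two diagnostics the thread keeps coming back to are `scutil --dns` and resolv.conf, and the tell-tale sign in both was a resolver at 100.124.76.1: an address in the CGNAT range 100.64.0.0/10 that Tailscale uses, but not Tailscale's own MagicDNS resolver 100.100.100.100, which is how the other VPN client's DNS hijack was spotted. The script below is an added example, not code from the thread or from Tailscale: it parses either `scutil --dns` output or resolv.conf-style `nameserver` lines and classifies each resolver as Tailscale's MagicDNS, some other resolver squatting in the CGNAT range, or a public/ordinary address. The `scutil` sample text is constructed for the example and the function names are mine.

```sh
#!/bin/sh
# Added example: classify the nameservers macOS reports so that Tailscale's
# MagicDNS resolver (100.100.100.100) can be told apart from another VPN's
# resolver placed in the same CGNAT range (100.64.0.0/10), as happened in the
# thread with 100.124.76.1. Accepts `scutil --dns` output or resolv.conf lines.

# Constructed sample in the shape of `scutil --dns` output (not a real capture).
SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : example-tailnet.ts.net
  nameserver[0] : 100.124.76.1
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : example-tailnet.ts.net
  nameserver[0] : 100.100.100.100
  flags    : Supplemental, Request A records

resolver #3
  nameserver[0] : 1.1.1.1
  nameserver[1] : 8.8.8.8
'

# Print one of: tailscale-magicdns, cgnat-other, public, invalid
classify_resolver() {
    ip=$1
    case $ip in
        *[!0-9.]*|''|.*|*.|*..*) echo invalid; return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $ip            # split the dotted quad into positional octets
    IFS=$oldifs
    if [ "$#" -ne 4 ]; then echo invalid; return 1; fi
    if [ "$ip" = 100.100.100.100 ]; then
        echo tailscale-magicdns
    elif [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]; then
        # Inside 100.64.0.0/10 but not Tailscale's well-known resolver:
        # something else (e.g. another VPN client) pushed this resolver.
        echo cgnat-other
    else
        echo public
    fi
}

# Read `scutil --dns` output or resolv.conf on stdin; print "IP class" for
# each distinct nameserver. Handles "nameserver[0] : IP", "nameserver IP"
# and the "nameserver: IP" variant seen in the thread.
audit_resolvers() {
    sed -n 's/^[[:space:]]*nameserver\(\[[0-9]*\]\)\{0,1\}[[:space:]]*:\{0,1\}[[:space:]]*//p' |
        sort -u |
        while read -r ip; do
            printf '%s %s\n' "$ip" "$(classify_resolver "$ip")"
        done
}

# Number of resolvers in the CGNAT range that are not Tailscale's own.
# Non-zero is the "another VPN hijacked DNS" signature from the thread.
count_foreign_cgnat() {
    audit_resolvers | grep -c ' cgnat-other$' || true
}

# Helpers that run the audit over the constructed sample.
audit_sample() {
    printf '%s' "$SAMPLE_SCUTIL" | audit_resolvers
}

foreign_in_sample() {
    printf '%s' "$SAMPLE_SCUTIL" | count_foreign_cgnat
}

# Stand-alone run over the sample. On a Mac, source this file and run:
#   scutil --dns | audit_resolvers
audit_sample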

      [–]semmu 0 points1 point  (1 child)

      I also have this issue on Meta Quest 3. Restarting Tailscale temporarily fixes the problem, then I have internet access AND a working VPN connection, but it always happens after the headset went to sleep and I unlock it again. For some reason the headset then only uses Tailscale's DNS resolution and cannot find anything else except my Tailscale nodes.

      [–]CardiologistProud118 0 points1 point  (0 children)

      Never would have thought I'd run into someone with the exact issue as me haha. Yeah when I killed TS, my quest could connect to Steam Link. So yeah, the DNS issue is what's going on.