tailscale does not respond on pure IPv6 DNS. #15404
Description
What is the issue?
Tailscale MagicDNS only provides an IPv6 or an IPv4 resolver at any one time.
This causes DNS over IPv6 to fail unexpectedly when Tailscale is enabled. Note: this is not about a failure to receive AAAA records, as those work over quad100 IPv4 requests. This is about lookups over IPv6 UDP port 53.
In reality the AAAA records are resolved via the IPv4 quad100, but this could cause confusion for some users or errors with some tooling that uses IPv6 only.
Both resolvers should be registered with the OS when Tailscale is enabled.
Additional note:
Setting disableIPv4 in ACL does correctly register an IPv6 resolver:
scutil --dns
DNS configuration
resolver #1
search domain[0] : tail4183ed.ts.net
search domain[1] : unusedbytes.ca
nameserver[0] : fd7a:115c:a1e0::53
if_index : 30 (utun6)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 100200
Steps to reproduce
With Tailscale disabled
With Tailscale disabled, a DNS lookup over IPv6 UDP works successfully using the DNS server link-local fe80::/64 address provided by the network's RA.
$ dig -6 aaaa google.com
; <<>> DiG 9.10.6 <<>> -6 aaaa google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26552
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN AAAA
;; ANSWER SECTION:
google.com. 19 IN AAAA 2607:f8b0:400b:804::200e
;; Query time: 54 msec
;; SERVER: fe80::f690:eaff:fe00:ae20%16#53(fe80::f690:eaff:fe00:ae20%16)
;; WHEN: Mon Mar 24 10:16:50 EDT 2025
;; MSG SIZE rcvd: 67
With Tailscale Enabled
An IPv6 UDP DNS lookup results in a timeout on macOS:
dig -6 aaaa google.com
; <<>> DiG 9.10.6 <<>> -6 aaaa google.com
;; global options: +cmd
;; connection timed out; no servers could be reached
On Ubuntu and NixOS this results in a connection refused against localhost ::1#53:
dig -6 aaaa google.com
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
; <<>> DiG 9.18.33 <<>> -6 aaaa google.com
;; global options: +cmd
;; no servers could be reached
Resolvers
macOS (and Linux) don't have a registered v6 resolver:
scutil --dns
DNS configuration
resolver #1
search domain[0] : corp.ts.net
search domain[1] : ts.tailscale.com
search domain[2] : ts-dns.test
search domain[3] : unusedbytes.ca
nameserver[0] : 100.100.100.100
if_index : 30 (utun6)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 100200
resolver #2
nameserver[0] : fe80::f690:eaff:fe00:ae20%en7
nameserver[1] : 172.21.0.1
if_index : 16 (en7)
flags : Request A records, Request AAAA records
reach : 0x00020002 (Reachable,Directly Reachable Address)
order : 200000
resolver #3
domain : ts.tailscale.com.
nameserver[0] : 100.100.100.100
if_index : 30 (utun6)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 100202
resolver #4
domain : corp.ts.net.
nameserver[0] : 100.100.100.100
if_index : 30 (utun6)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 100201
resolver #5
domain : ts-dns.test.
nameserver[0] : 100.100.100.100
if_index : 30 (utun6)
flags : Supplemental, Request A records, Request AAAA records
reach : 0x00000003 (Reachable,Transient Connection)
order : 100203
<snip>
Are there any recent changes that introduced the issue?
No response
OS
Linux, macOS
OS version
Ubuntu 22.04, macOS Sequoia 15.3.2, NixOS 24.11pre-git (Vicuna)
Tailscale version
1.80.2/1.80.3
Other software
No response
Bug report
No response
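Added example, not part of the issue above and not Tailscale's own code: a small Python checker that parses `scutil --dns` output and reports whether the IPv4 quad100 address (100.100.100.100), the IPv6 MagicDNS address (fd7a:115c:a1e0::53), or both are registered with the OS. The two sample dumps embedded below are constructed from the resolver listings quoted in the issue (the disableIPv4 case and the default case, shortened); the field names are the ones scutil prints, and the `verdict` wording and the utun interface heuristic are my own assumptions.

```python
"""Check which MagicDNS resolvers `scutil --dns` shows as registered.

Added example (not Tailscale code). Feed it `scutil --dns` output, e.g.
    python3 check_magicdns.py < <(scutil --dns)
The sample dumps at the bottom are constructed from the issue text.
"""
import ipaddress
import re
import sys
from dataclasses import dataclass, field

MAGICDNS_V4 = "100.100.100.100"      # quad100
MAGICDNS_V6 = "fd7a:115c:a1e0::53"   # IPv6 MagicDNS address from the issue

RESOLVER_RE = re.compile(r"^resolver #(\d+)\s*$")
FIELD_RE = re.compile(
    r"^(search domain|nameserver|domain|if_index|flags|reach|order)"
    r"(?:\[(\d+)\])?\s*:\s*(.*?)\s*$"
)


@dataclass
class Resolver:
    index: int
    domain: str = ""                     # empty for the default (supplemental) resolver
    search_domains: list = field(default_factory=list)
    nameservers: list = field(default_factory=list)
    interface: str = ""                  # e.g. "utun6", parsed out of "30 (utun6)"
    order: int = 0


def parse_scutil_dns(text):
    """Turn `scutil --dns` text into a list of Resolver records."""
    resolvers, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = RESOLVER_RE.match(line)
        if m:
            current = Resolver(index=int(m.group(1)))
            resolvers.append(current)
            continue
        m = FIELD_RE.match(line)
        if not m or current is None:
            continue
        key, _, value = m.groups()
        if key == "search domain":
            current.search_domains.append(value)
        elif key == "nameserver":
            # Drop a link-local zone id ("%en7") so the address parses cleanly.
            current.nameservers.append(value.split("%", 1)[0])
        elif key == "domain":
            current.domain = value.rstrip(".")
        elif key == "if_index":
            paren = re.search(r"\((\S+)\)", value)
            current.interface = paren.group(1) if paren else ""
        elif key == "order":
            current.order = int(value)
    return resolvers


def magicdns_status(text):
    """Return which MagicDNS addresses are registered, plus every IPv6
    nameserver any resolver points at (what a v6-only client could use)."""
    resolvers = parse_scutil_dns(text)
    all_ns = {ns for r in resolvers for ns in r.nameservers}
    return {
        "ipv4": MAGICDNS_V4 in all_ns,
        "ipv6": MAGICDNS_V6 in all_ns,
        "ipv6_nameservers": sorted(ns for ns in all_ns
                                   if ipaddress.ip_address(ns).version == 6),
        # Heuristic (assumption): MagicDNS resolvers sit on a utun interface.
        "tailscale_interfaces": sorted({r.interface for r in resolvers
                                        if r.interface.startswith("utun")}),
    }


def verdict(status):
    """One-line summary suitable for a health-check script."""
    if status["ipv4"] and status["ipv6"]:
        return "ok: MagicDNS registered over IPv4 and IPv6"
    if status["ipv4"]:
        return "warn: MagicDNS registered over IPv4 only; no IPv6 MagicDNS resolver for v6-only lookups"
    if status["ipv6"]:
        return "warn: MagicDNS registered over IPv6 only; no IPv4 MagicDNS resolver for v4-only lookups"
    return "error: no MagicDNS resolver registered"


# Constructed from the issue's disableIPv4 listing.
SCUTIL_V6_ONLY = """DNS configuration
resolver #1
  search domain[0] : tail4183ed.ts.net
  search domain[1] : unusedbytes.ca
  nameserver[0] : fd7a:115c:a1e0::53
  if_index : 30 (utun6)
  flags    : Supplemental, Request A records, Request AAAA records
  order    : 100200
"""

# Constructed from the issue's default listing (first three resolvers).
SCUTIL_DEFAULT = """DNS configuration
resolver #1
  search domain[0] : corp.ts.net
  nameserver[0] : 100.100.100.100
  if_index : 30 (utun6)
  order    : 100200
resolver #2
  nameserver[0] : fe80::f690:eaff:fe00:ae20%en7
  nameserver[1] : 172.21.0.1
  if_index : 16 (en7)
  order    : 200000
resolver #3
  domain   : ts.tailscale.com.
  nameserver[0] : 100.100.100.100
  if_index : 30 (utun6)
  order    : 100202
"""

if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SCUTIL_DEFAULT
    print(verdict(magicdns_status(data)))
```

Run it with real `scutil --dns` output piped on stdin; with no stdin it evaluates the constructed default dump, which reproduces the issue's finding that only the IPv4 quad100 address is registered.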