Enabling Mullvad VPN on Tailscale causes Recursive DNS server to break [BUG-efb1066f2859626d18569f190e4941a8aab1d0689312dacab2bcd7f9c4863959-20250909011145Z-921e5bb7c61c8a0c]

[ljis120301]

What is the issue?

Enabling Mullvad VPN on Tailscale will cause a recursive DNS server running on the system to stop functioning and being able to receive an AA answer from root servers, as seen in issues here however in this case they are using a different recursive DNS server that also will stop working under Tailscale VPN. However in this example I am using this docker image for pi-hole and unbound bundled together as well as running Tailscale with Mullvad VPN. The same issue will occur.

Steps to reproduce

Steps to Reproduce

• Setup CasaOS on a Debian Host

• Setup This exact docker image (can be any other recursive DNS server)

• Setup Tailscale on that Debian host with Mullvad DNS functionality.

  • do sudo tailscale set --accept-dns=false
  • also local LAN access is enabled
  • accept routes = true
  • accept routes = true

• attempt to receive an answer from the root servers by querying pihole

• This will fail

• Only option now is to disable mullvad, which will in allow recursive DNS to happen.

BUG-efb1066f2859626d18569f190e4941a8aab1d0689312dacab2bcd7f9c4863959-20250909011145Z-921e5bb7c61c8a0c

I made a youtube video showing my issue

Are there any recent changes that introduced the issue?

https://www.youtube.com/watch?v=vZXeDPrTFMg

This occured after I was forced to reboot my machine due to an incoming power outage I was aware of. My UPS gave me time to power down properly but when I came back online this issue has persisted. This was working properly prior to the reboot. It is possible that software versions were upgraded with reboot however I did not take log of software versions before and after reboot, however I regularly run 'sudo apt update'

BUG-efb1066f2859626d18569f190e4941a8aab1d0689312dacab2bcd7f9c4863959-20250909011145Z-921e5bb7c61c8a0c

OS

Linux

OS version

Debian 12

Tailscale version

1.86.2

Other software

Pi-hole-Unbound-BigBear-CasaOS

CasaOS

Mullvad VPN (With Tailscale)

Bug report

BUG-efb1066f2859626d18569f190e4941a8aab1d0689312dacab2bcd7f9c4863959-20250909011145Z-921e5bb7c61c8a0c

[ljis120301]

I would like to follow up and note that I run this exact docker container on a Fedora host on another machine and it works without issue and after rebooting. As well in the issue I linked the final answer was that the ISP was to blame. In this case I work for my ISP and can ensure that is not the limiting factor here. However Tailscale may be acting as what was blamed as the ISP issue from the example