MagicDNS fails to resolve tailnet hostnames on macOS — both standalone app and Homebrew tailscaled #19139

@jnzn

What is the issue?

MagicDNS does not resolve tailnet hostnames on macOS. Querying 100.100.100.100 directly returns ANSWER: 0 for valid, connected tailnet devices. This affects both the standalone GUI app (io.tailscale.ipn.macsys) and Homebrew-installed tailscaled.

tailscale ping <hostname> works, confirming the tailnet is healthy and devices are reachable. The coordination server assigns the correct DNSName. However, no DNS resolution path — dig, ping, ssh, dscacheutil — can resolve the hostname.

Environment

  • macOS version: 26 (latest)
  • Tailscale version: 1.96.2 (Mac Studio, Homebrew tailscaled), 1.96.3 (MacBook Air, standalone app)
  • MagicDNS: enabled
  • Override DNS servers: enabled
  • Global nameservers: Cloudflare (1.1.1.1 + 3 more)
  • HTTPS Certificates: enabled

Tailnet DNS config (from tailscale debug netmap | jq '.DNS')

{
  "Resolvers": [
    { "Addr": "1.1.1.1" },
    { "Addr": "1.0.0.1" },
    { "Addr": "2606:4700:4700::1111" },
    { "Addr": "2606:4700:4700::1001" }
  ],
  "Routes": {
    "ts.net.": [
      { "Addr": "199.247.155.53" },
      { "Addr": "2620:111:8007::53" }
    ],
    "REDACTED.ts.net.": null
  },
  "Domains": ["REDACTED.ts.net"],
  "Proxied": true,
  "CertDomains": ["REDACTED-host.REDACTED.ts.net"]
}

Note: REDACTED.ts.net.: null — no resolver is assigned for the tailnet domain. ts.net. routes to public nameservers that don't serve private tailnet records.

Steps to reproduce

  1. Set up two macOS devices on the same tailnet with MagicDNS enabled
  2. One device runs Homebrew tailscaled (via brew install tailscale + sudo brew services start tailscale)
  3. The other runs the standalone macOS app from tailscale.com/download
  4. From either device, attempt to resolve the other:
$ tailscale ping REDACTED-host
pong from REDACTED-host (100.x.y.z) via 10.x.x.x:58691 in 10ms

$ dig @100.100.100.100 REDACTED-host.REDACTED.ts.net
;; ANSWER: 0

$ ping REDACTED-host.REDACTED.ts.net
ping: cannot resolve REDACTED-host.REDACTED.ts.net: Unknown host

$ ssh REDACTED-host.REDACTED.ts.net
ssh: Could not resolve hostname REDACTED-host.REDACTED.ts.net: nodename nor servname provided, or not known
  5. SSH via Tailscale IP works fine:
$ ssh REDACTED-USER@100.x.y.z
Last login: Thu Mar 26 11:34:33 2026

What I've tried

  • Restarting Tailscale on both devices (tailscale down && tailscale up)
  • tailscale up --hostname=REDACTED-host --reset
  • Toggling tailscale set --accept-dns=false && tailscale set --accept-dns=true
  • Creating /etc/resolver/ts.net, /etc/resolver/REDACTED.ts.net, /etc/resolver/search.tailscale all pointing to 100.100.100.100
  • Flushing macOS DNS cache (sudo dscacheutil -flushcache && sudo killall -HUP mDNSResponder)
  • Toggling MagicDNS off and on in the admin console
  • Verifying scutil --dns shows 100.100.100.100 as Reachable
  • Switching from App Store → standalone app → Homebrew tailscaled

None of these resolved the issue. 100.100.100.100 consistently returns ANSWER: 0 regardless of which Tailscale client variant is running.

Expected behavior

dig @100.100.100.100 REDACTED-host.REDACTED.ts.net should return 100.x.y.z, and macOS system DNS should resolve the hostname for ssh, ping, etc.

Suspected root cause

The "Proxied": true flag in the DNS config indicates the local Tailscale client should intercept and answer queries for tailnet hostnames from its netmap. The "REDACTED.ts.net.": null route means there is no upstream resolver for the tailnet domain — the client is solely responsible. Neither the standalone app's system extension nor the Homebrew tailscaled daemon appears to be fulfilling this role on macOS.
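
The route selection discussed in this issue, as an added diagnostic example (not part of the original report and not Tailscale's own code). It assumes the most specific matching suffix in "Routes" wins and that a null or empty resolver list means the local resolver at 100.100.100.100 answers from the netmap; the function names and the constructed sample config are hypothetical.

```python
import json

# Constructed sample mirroring the redacted DNS config quoted in the issue.
SAMPLE = json.loads("""
{
  "Resolvers": [{"Addr": "1.1.1.1"}, {"Addr": "1.0.0.1"}],
  "Routes": {
    "ts.net.": [{"Addr": "199.247.155.53"}, {"Addr": "2620:111:8007::53"}],
    "REDACTED.ts.net.": null
  },
  "Proxied": true
}
""")

MAGICDNS_ADDR = "100.100.100.100"  # resolver address queried in the issue


def _fqdn(name):
    """Normalize to a lowercase, dot-terminated name for suffix comparison."""
    return name.lower().rstrip(".") + "."


def route_for(name, dns_config):
    """Return (matched_suffix, handler, servers) for a query name.

    Assumption: longest matching suffix wins, and a null/empty resolver list
    means the name is answered locally rather than forwarded upstream.
    """
    qname = _fqdn(name)
    routes = {_fqdn(k): v for k, v in (dns_config.get("Routes") or {}).items()}
    # Match on label boundaries only: "xts.net." must not match "ts.net.".
    matches = [s for s in routes if qname == s or qname.endswith("." + s)]
    if not matches:
        fallback = [r["Addr"] for r in dns_config.get("Resolvers") or []]
        return (None, "global", fallback)
    best = max(matches, key=len)
    if not routes[best]:
        return (best, "local", [MAGICDNS_ADDR])
    return (best, "upstream", [r["Addr"] for r in routes[best]])


if __name__ == "__main__":
    for host in ("REDACTED-host.REDACTED.ts.net", "other.ts.net", "example.com"):
        print(host, "->", route_for(host, SAMPLE))
```

A "local" result for a tailnet hostname means the empty answer has to be explained by the client's own resolver, not by any upstream nameserver.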


Labels: OS-macos, dns
