tailscale: Tailscale breaks WSL2 DNS

On Windows login, Tailscale is started. When I open Ubuntu 18.04 on WSL2 no DNS is working.

$ dig google.com
; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> google.com
;; global options: +cmd
;; connection timed out; no servers could be reached

When opening /etc/wsl.conf, I see Tailscale has added the following snippet:

# added by tailscale
[network]
generateResolvConf = false

When I remove this snippet from /etc/wsl.conf and then terminate and start WSL again, the DNS works again.

C:\WINDOWS\system32> wsl --terminate Ubuntu-18.04
C:\WINDOWS\system32> wsl --distribution Ubuntu-18.04

$ dig google.com
; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54109
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             0       IN      A       142.250.179.206

;; Query time: 21 msec
;; SERVER: 172.29.64.1#53(172.29.64.1)
;; WHEN: Wed Sep 08 09:16:49 CEST 2021
;; MSG SIZE  rcvd: 54

On every restart of Windows the snippet is added to /etc/wsl.conf again.

About this issue

Original URL
State: closed
Created 3 years ago
Reactions: 13
Comments: 30 (5 by maintainers)

Commits related to this issue

net/dns: make WSL network configuration opt-in for now Tailscale seems to be breaking WSL configurations lately. Until we understand what changed, turn off Tailscale's involvement by default and mak... — committed to tailscale/tailscale by bradfitz 2 years ago
net/dns: make WSL network configuration opt-in for now Tailscale seems to be breaking WSL configurations lately. Until we understand what changed, turn off Tailscale's involvement by default and mak... — committed to tailscale/tailscale by bradfitz 2 years ago
net/dns: make WSL network configuration opt-in for now Tailscale seems to be breaking WSL configurations lately. Until we understand what changed, turn off Tailscale's involvement by default and mak... — committed to tailscale/tailscale by bradfitz 2 years ago

Most upvoted comments

Also, don’t change files that aren’t yours without asking me first.

voltagex on Dec 26, 2021

sudo chattr +i /etc/resolv.conf is pretty good workaround for now.

This is a pretty annoying bug - it happens every restart. While Tailscale the company figures out solution, could you at least provide us an escape hatch to disable this behaviour? I don’t see this behaviour documented anywhere other than here so that was surprising.

wbkang on Oct 30, 2021

Hmm, I wonder if the problem is because in wsl2 /etc/resolv.conf is typically a symlink to ../run/resolvconf/resolv.conf? It being a symlink is why I had to modify my original workaround from:

[ -e /etc/resolv.conf ] || sudo bash -c "echo 'nameserver $(ip route show default | awk '{print $3}')' > /etc/resolv.conf"

to:

[ -h /etc/resolv.conf -a ! -e /etc/resolv.conf ] && sudo bash -c "rm /etc/resolv.conf; echo 'nameserver $(ip route show default | awk '{print $3}')' > /etc/resolv.conf"

But once I did that, /etc/resolv.conf was no longer a symlink. I bet then the tailscale logic was able to work.

lorengordon on Dec 16, 2021

In the 1.20.x release https://github.com/tailscale/tailscale/commit/a14d445fc7220c7c827a93a8a8c4970b45cf449c means that resolv.conf will only be written if a TS_DEBUG_CONFIGURE_WSL environment variable exists.

DentonGentry on Jan 23, 2022

Same problem here. MagicDNS enabled, 1.1.1.1 as global nameserver

rdbisme on Sep 23, 2021

I’m seeing the same thing in my setup.

lorengordon on Sep 17, 2021

Fixed in 1.20 by https://github.com/tailscale/tailscale/pull/3687

We may make another attempt to better support WSL in the future. I do not believe this bug will be useful in that, we won’t do so until we have something better. Closing this bug.

DentonGentry on Mar 27, 2022

When I’m on my home WiFi, using nslookup on 100.100.100.100 works for looking up tailnet devices AND internet hostnames like google.com.

For the cafe WiFi I’m using right now, the DNS lookups on 100.100.100.100 for tailnet machines still work, but google.com does not. Instead, it just hangs until it times out.

I had to add timeout:1 and a fallback nameserver 1.1.1.1 to my resolv.conf to work around it.

Perhaps this is because the new WiFi network in my Windows network preferences doesn’t have an overridden DNS server, and the tailscale service is using the wrong API(s) to deduce what the local DNS settings should be? (just guessing)

On https://login.tailscale.com/admin/dns, I have “Override Local DNS” disabled, but I do have 1.0.0.1 and 1.1.1.1 listed after Local DNS settings.

It’s worth noting that the WSL2 default gateway is the DNS server that gets auto-generated in a default WSL2 resolv.conf You can also use that as a fallback server for the Window’s hosts Local DNS settings. Calculate the address like so:

ip route | grep default | awk '{print $3}'

stealthybox on Dec 13, 2021

As a temporary workaround, I ran the command sudo chattr +i /etc/resolv.conf to prevent it from being modified. This is less than ideal. I do understand what they are trying to do, but it does not work, unfortunately. 😕

svercl on Oct 23, 2021