Our pinned nixpkgs (currently rev 4ba039d… / 26.05) ships tailscale 1.98.0, which has a known upstream regression: on boot, tailscaled rewrites systemd-resolved's config to point at Tailscale's public ts.net resolvers (199.247.155.53, 2620:111:8007::53) instead of the local MagicDNS resolver (100.100.100.100). Result: cross-tailnet hostname lookups return NXDOMAIN.
Hit downstream — a NixOS host couldn't resolve a tailnet peer despite both being active. Worked around per-host with a systemd one-shot calling resolvectl dns tailscale0 100.100.100.100, but the right fix is here.
Suggested fix: bump nixpkgs pin to any rev that ships tailscale ≥ 1.98.2. nixos-unstable / nixpkgs-unstable / master all do today; should also land in nixos-25.11 once backported.
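A per-host check for the symptom described above, as an added example that is not part of the original report: it classifies the DNS servers systemd-resolved holds for tailscale0, so affected hosts can be found before and after the pin bump. The function name, the `--live` switch and the sample lines are hypothetical or constructed, and the `Link N (iface): servers…` line format of `resolvectl dns tailscale0` is an assumption.

```shell
#!/bin/sh
# Added example: classify the per-link DNS servers systemd-resolved holds for
# tailscale0. Function name and the "--live" switch are hypothetical.

MAGICDNS="100.100.100.100"   # local MagicDNS resolver named in the report

# classify_link_dns LINE
#   LINE is one line in the assumed `resolvectl dns <iface>` output format:
#     "Link 3 (tailscale0): <server> <server> ..."
#   Prints one of: ok | regressed | unset | unknown
classify_link_dns() {
    case $1 in
        Link*:*) servers=${1#*:} ;;   # drop "Link N (iface):"; first colon precedes any IPv6 text
        *) echo unknown; return 0 ;;  # not the format this check understands
    esac
    has_magic=0
    has_other=0
    for s in $servers; do             # word-split on whitespace, one server per word
        if [ "$s" = "$MAGICDNS" ]; then has_magic=1; else has_other=1; fi
    done
    if [ "$has_other" -eq 1 ]; then
        echo regressed                # a non-MagicDNS resolver is configured on the link
    elif [ "$has_magic" -eq 1 ]; then
        echo ok
    else
        echo unset
    fi
}

# Constructed sample lines (not captured from a real host).
SAMPLE_BAD="Link 3 (tailscale0): 199.247.155.53 2620:111:8007::53"
SAMPLE_GOOD="Link 3 (tailscale0): 100.100.100.100"
SAMPLE_EMPTY="Link 3 (tailscale0):"

if [ "${1:-}" = "--live" ]; then
    # Query the running resolver; exit status is non-zero unless the link is clean.
    state=$(classify_link_dns "$(resolvectl dns tailscale0)")
    echo "tailscale0 DNS: $state"
    [ "$state" = ok ]
else
    for l in "$SAMPLE_BAD" "$SAMPLE_GOOD" "$SAMPLE_EMPTY"; do
        printf '%s -> %s\n' "$l" "$(classify_link_dns "$l")"
    done
fi
```

A link that lists 100.100.100.100 alongside any other server is also reported as `regressed`, since lookups may still go to the other resolver.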