Tailscale + Mullvad + Firefox DoH: Solving the DNS Resolution Problem

If you’re using Tailscale with Mullvad VPN (either via the native Tailscale integration or standalone) and Firefox’s DNS over HTTPS (DoH), you might suddenly find yourself unable to access your Tailscale services via their *.ts.net hostnames—even though everything worked fine before.

The symptoms are frustrating: tailscale ping works, dig resolves the hostname correctly, but Firefox just refuses to connect.

Why This Happens

When you enable DNS over HTTPS in Firefox (especially with “Max Protection” mode), Firefox bypasses your system’s DNS resolver entirely and sends all DNS queries directly to your chosen DoH provider—in this case, Mullvad’s DNS server at https://base.dns.mullvad.net/dns-query.

The problem? Mullvad’s public DNS server has no idea what my-server.my-tailnet.ts.net is. That’s a private hostname that only Tailscale’s MagicDNS (running at 100.100.100.100) knows how to resolve.

So while your system can resolve the hostname just fine:

$ dig my-server.my-tailnet.ts.net
;; ANSWER SECTION:
my-server.my-tailnet.ts.net. 600 IN A 100.x.x.x
;; SERVER: 100.100.100.100#53(100.100.100.100) (UDP)

Firefox ignores this and asks Mullvad instead, which has no record for the private name and returns no answer.

The Solution

Firefox provides a way to exclude specific domains from DoH, forcing it to fall back to system DNS for those domains. Here’s how to set it up:

  1. Open Firefox and navigate to about:config
  2. Search for network.trr.excluded-domains
  3. Add ts.net to the list (comma-separated if there are existing entries)

For example:

ts.net

Or if you have other exclusions:

example.local, ts.net

This tells Firefox: “For any domain ending in .ts.net, use the system DNS resolver instead of DoH.” Since your system DNS is controlled by Tailscale’s MagicDNS, the hostname will resolve correctly.

The Gotcha: Old Tailnet Names

Here’s a subtle issue that can trip you up: if you previously had a different Tailscale account or renamed your tailnet, you might have an old, specific exclusion that no longer applies.

For example, you might have:

my-nas.old-tailnet.ts.net

But your current tailnet is new-tailnet.ts.net. The old exclusion does nothing for your new tailnet!

The fix is simple: instead of excluding specific tailnet hostnames, just exclude the entire ts.net domain. This covers all Tailscale hostnames, regardless of your tailnet name, now and in the future.
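The following is an added example, not code from the original post. It models Firefox's suffix matching for network.trr.excluded-domains (an assumption based on Firefox's documented behaviour: an entry matches that domain and all of its subdomains), reads the pref out of a constructed prefs.js fragment, and shows why a stale entry like my-nas.old-tailnet.ts.net does not cover a new tailnet while a bare ts.net entry does. The helper names (parse_excluded_domains, bypasses_doh, recommended_exclusions) are this example's own.

```python
from __future__ import annotations
import re

# Constructed prefs.js fragment in Firefox's user_pref() format. The exclusion
# list deliberately carries the "old tailnet" entry described in the post.
SAMPLE_PREFS_JS = """\
user_pref("network.trr.mode", 3);
user_pref("network.trr.uri", "https://base.dns.mullvad.net/dns-query");
user_pref("network.trr.excluded-domains", "example.local, my-nas.old-tailnet.ts.net");
"""

PREF_RE = re.compile(r'user_pref\("network\.trr\.excluded-domains",\s*"([^"]*)"\);')


def parse_excluded_domains(prefs_js: str) -> list[str]:
    """Return the comma-separated exclusion list from prefs.js text (empty if unset)."""
    match = PREF_RE.search(prefs_js)
    if not match:
        return []
    return [d.strip().lower().strip(".") for d in match.group(1).split(",") if d.strip()]


def bypasses_doh(hostname: str, excluded: list[str]) -> bool:
    """True if Firefox would send this name to the system resolver instead of DoH.

    Assumption: an excluded entry matches the domain itself and every subdomain
    (host == entry, or host ends with "." + entry); nothing else is excluded.
    """
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in excluded)


def recommended_exclusions(excluded: list[str]) -> list[str]:
    """Rebuild the list so the whole ts.net zone is excluded.

    Entries already covered by "ts.net" are dropped as redundant; non-Tailscale
    entries are kept; "ts.net" is appended if no existing entry covers it.
    """
    kept = [d for d in excluded if not bypasses_doh(d, ["ts.net"])]
    if not bypasses_doh("probe.ts.net", kept):
        kept.append("ts.net")
    return kept


def fixed_pref_line(prefs_js: str) -> str:
    """Produce the corrected user_pref() line for about:config / user.js."""
    fixed = recommended_exclusions(parse_excluded_domains(prefs_js))
    return 'user_pref("network.trr.excluded-domains", "%s");' % ", ".join(fixed)


if __name__ == "__main__":
    current = parse_excluded_domains(SAMPLE_PREFS_JS)
    for name in ("my-nas.old-tailnet.ts.net", "my-server.new-tailnet.ts.net"):
        print(f"{name}: bypasses DoH = {bypasses_doh(name, current)}")
    print(fixed_pref_line(SAMPLE_PREFS_JS))
```

Running it shows the stale entry still works for the old hostname but not for any host in the new tailnet, and prints a replacement line that keeps example.local, drops the redundant old-tailnet entry, and adds ts.net.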

Verifying the Fix

After making the change, you can verify everything is working:

  1. Test Tailscale connectivity (should already work): tailscale ping your-machine-name
  2. Test DNS resolution from the command line: dig your-machine-name.your-tailnet.ts.net
  3. Test in Firefox: Navigate to your Tailscale hostname—it should now load.

Summary

If you’re combining Firefox DoH with Tailscale:

  • Firefox’s DoH bypasses Tailscale’s MagicDNS
  • Add ts.net to network.trr.excluded-domains in about:config
  • Use ts.net (not a specific tailnet name) to future-proof the setting

This gives you the best of both worlds: private DNS for general browsing via Mullvad, and working hostname resolution for your Tailscale network.
