App Connector domains not resolved via MagicDNS on Linux (systemd-resolved split DNS not configured)

[iwata]

Problem

When using the tailscale/github-action with App Connectors, DNS queries for App Connector domains are not automatically routed through MagicDNS (100.100.100.100) on Ubuntu GHA runners. This means the App Connector never intercepts DNS, never injects subnet routes, and connections to internal resources (e.g., AWS RDS via App Connector) fail silently.

Root Cause

On Linux with systemd-resolved, Tailscale needs to configure split DNS so that App Connector domain queries go through the tailscale0 interface (MagicDNS). Currently this doesn't happen automatically.

The only way to force DNS through MagicDNS is resolvectl domain tailscale0 '~.', but this routes all DNS through MagicDNS, breaking external resolution (github.com, AWS APIs, OIDC endpoints, etc.) — which is not viable in CI.

On macOS/Windows, Tailscale integrates with the OS DNS stack more tightly and this works transparently.

Expected Behavior

After tailscale-action connects, App Connector domains should be resolvable without manual intervention. Ideally:

1. The action reads App Connector domain config from the node's netmap
2. Configures resolvectl to route only those domains through tailscale0
   • e.g., resolvectl domain tailscale0 '~rds.amazonaws.com' for RDS endpoints
3. Waits for subnet route injection before completing

Current Workaround

We had to implement a manual workaround in our composite action:

- name: Verify DB connectivity via Tailscale App Connector
  shell: bash
  run: |
    # 1. Query MagicDNS directly (bypass systemd-resolved)
    RDS_IP=$(dig +short @100.100.100.100 "$RDS_HOST" | tail -1)
    
    # 2. Wait for Tailscale to inject subnet route
    for i in $(seq 1 5); do
      if ip route show table 52 | grep -q "$RDS_IP"; then break; fi
      sleep 2
    done
    
    # 3. Verify TCP connectivity
    for i in $(seq 1 5); do
      if bash -c "echo > /dev/tcp/$RDS_IP/3306" 2>/dev/null; then break; fi
      sleep 2
    done
    
    # 4. Add to /etc/hosts so tools can connect by hostname
    echo "$RDS_IP $RDS_HOST" | sudo tee -a /etc/hosts

This is fragile, requires knowledge of Tailscale internals (table 52, MagicDNS IP), and defeats the purpose of App Connector's transparent DNS interception.

Environment

• Runner: Ubuntu 24.04 (both standard GHA and Blacksmith runners)
• tailscale/github-action: v4
• Use case: Connecting to AWS RDS (Aurora MySQL) via App Connector from GHA for database migrations
• ACL: App Connector domains configured in nodeAttrs with tailscale.com/app-connectors

Related Issues

• DNS not working #129 — DNS not working (same symptom, different workaround)
• Unreliable DNS during Container Builds #101 — Unreliable DNS during container builds (overlapping root cause with resolv.conf ordering)
• DNS issue when using tailscale #51 — General DNS issues with Tailscale on GHA
• Exit node does not respect App Connector DNS tailscale#16384 — Exit node doesn't respect App Connector DNS