Enable MagicDNS resolution in your cluster
By default, pods in your Kubernetes cluster cannot resolve Tailscale MagicDNS names (.ts.net). If your egress targets use HTTPS, the TLS certificate is issued for the MagicDNS name (for example, my-database.<tailnet>.ts.net), so your workloads need to connect using that name for certificate validation to succeed.
This guide describes how to deploy a DNSConfig resource to enable .ts.net resolution from within your cluster.
Prerequisites
Before you begin, make sure you have the following:
- The Tailscale Kubernetes Operator installed in your cluster.
- An egress proxy configured for the tailnet device you want to reach. Refer to Access a Tailscale Service.
Deploy the DNSConfig resource
Create a file named dnsconfig.yaml containing a DNSConfig resource, which deploys the in-cluster nameserver:
apiVersion: tailscale.com/v1alpha1
kind: DNSConfig
metadata:
  name: ts-dns
spec:
  nameserver:
    image:
      repo: tailscale/k8s-nameserver
      tag: unstable
Apply the manifest to your cluster:
kubectl apply -f dnsconfig.yaml
Get the nameserver IP
After the nameserver is running, its ClusterIP is written to the DNSConfig status:
kubectl get dnsconfig ts-dns -o jsonpath='{.status.nameserver.ip}'
Configure CoreDNS
Add a stub domain to your CoreDNS configuration so that .ts.net queries are forwarded to the Tailscale nameserver.
Edit the CoreDNS ConfigMap:
kubectl edit configmap coredns -n kube-system
Add a ts.net server block that forwards to the nameserver IP from the previous step:
ts.net:53 {
    errors
    cache 30
    forward . <nameserver-ip>
}
Restart CoreDNS to pick up the change:
kubectl rollout restart deployment coredns -n kube-system
If your cluster uses kube-dns instead of CoreDNS (for example, some GKE configurations), refer to the GKE documentation for stub domain configuration.
Verify name resolution
Test that .ts.net names resolve from within the cluster:
kubectl run -it --rm dns-test --image=busybox -- nslookup <device>.<tailnet>.ts.net
Replace <device>.<tailnet>.ts.net with the MagicDNS name of a tailnet device that has an egress proxy configured. If the lookup returns the egress proxy pod IP, MagicDNS resolution is working.
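The CoreDNS step above is a hand edit with kubectl edit. As an added example that is not Tailscale's own tooling, the following shell functions render the ts.net stub block from the nameserver IP and merge it into a Corefile idempotently, rejecting anything that is not a plain IPv4 address so a bad DNSConfig status cannot end up in cluster DNS. The sample Corefile, the nameserver IP 10.96.0.53 and the kubectl commands in the trailing comment are assumptions for illustration.

```shell
# Added example, not Tailscale's code: render the CoreDNS ts.net stub-domain
# block for the Tailscale nameserver and merge it into a Corefile idempotently,
# so the change can be scripted and reviewed instead of typed into kubectl edit.

# Accept only a dotted-quad IPv4 address: the value is interpolated into the
# Corefile, so an empty status or error text must fail here, not in cluster DNS.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for octet in $(echo "$1" | tr '.' ' '); do
    [ "$octet" -le 255 ] || return 1
  done
}

# Print the server block that forwards *.ts.net queries to the nameserver IP.
render_ts_stub() {
  valid_ipv4 "$1" || { echo "render_ts_stub: bad nameserver IP '$1'" >&2; return 1; }
  printf 'ts.net:53 {\n    errors\n    cache 30\n    forward . %s\n}\n' "$1"
}

# Read a Corefile on stdin, write it back with the ts.net block appended. An
# existing ts.net:53 block is left alone, so re-running the script is safe.
merge_ts_stub() {
  corefile=$(cat)
  if printf '%s\n' "$corefile" | grep -Eq '^[[:space:]]*ts\.net:53[[:space:]]*\{'; then
    printf '%s\n' "$corefile"
    return 0
  fi
  stub=$(render_ts_stub "$1") || return 1
  printf '%s\n%s\n' "$corefile" "$stub"
}

# Constructed sample Corefile in the shape a kubeadm cluster ships with.
SAMPLE_COREFILE='.:53 {
    errors
    health
    kubernetes cluster.local in-addr.arpa ip6.arpa
    forward . /etc/resolv.conf
}'

# Merge the sample with a constructed nameserver IP and print the result.
demo() {
  printf '%s\n' "$SAMPLE_COREFILE" | merge_ts_stub 10.96.0.53
}
# Against a live cluster (assumed commands, not run here): take the IP from the
# DNSConfig status and the Corefile from the coredns ConfigMap, then apply it:
#   ip=$(kubectl get dnsconfig ts-dns -o jsonpath='{.status.nameserver.ip}')
#   kubectl get cm coredns -n kube-system -o jsonpath='{.data.Corefile}' |
#     merge_ts_stub "$ip" > Corefile.new
```

Review Corefile.new before replacing the ConfigMap data and restarting CoreDNS, since a mistake here breaks resolution for every pod in the cluster.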
Further exploration
- Learn about the DNSConfig resource to understand how the in-cluster nameserver resolves MagicDNS names.
- Access a Tailscale Service to reach a tailnet device from your cluster through an egress proxy.