Magic DNS
Magic DNS automatically registers DNS names for devices in your network.
If you add a new webserver called my-server to your network, you no longer
need to use its Tailscale IP: using the name my-server in your
browser’s address bar or on the command line will work.
Prerequisites
Magic DNS requires Tailscale v1.1.173 or greater. We recommend using Tailscale v1.4 or greater to take advantage of Magic DNS with sharing. Enabling Magic DNS has no effect on older versions.
Your network must also have at least one DNS nameserver enabled in the admin console. The nameservers will receive all DNS queries not handled by Magic DNS. This restriction will be relaxed in the future.
Enabling Magic DNS
Magic DNS can be enabled for your whole network in the DNS tab of the admin console:
Accessing devices over Magic DNS
Once Magic DNS is enabled, any device signed in to your network can access other devices by using their machine name. For example, if you have a server named “monitoring”:
- To SSH into it, run
ssh username@monitoring - To ping it, run
ping monitoring - To open it in your browser, type
monitoringin your address bar.
host or nslookup circumvent system DNS resolution,
and will not work with Magic DNS. For example, host johns-iphone-6s will not work on macOS, even if ping johns-iphone-6s will.ping webserver.example2.com.beta.tailscale.net. We will relax this
restriction in future versions.Editing domain names
You can change how you access a machine by editing the machine name of the device. For more information on how machine names are generated, take a look at our docs on machine names.
Full domain names vs. machine names
Under the hood, Magic DNS generates a full domain name for every device on your network. The full domain name is made up of three parts:
- A machine name, which you can change.
- Your Tailscale network’s domain. For users on shared email hosts (Gmail, Outlook, etc), this is your full email address.
- A static suffix. The suffix is
beta.tailscale.netfor the duration of the Magic DNS beta, but may change in the future.
The table below shows how some example machine names, and domains combine to create the full domain name.
| Machine Name | Network Domain | Full Domain Name |
|---|---|---|
| monitoring | example.com |
monitoring.example.com.
|
| johns-iphone-6s | john.doe@gmail.com |
johns-iphone-6s.john-doe.gmail.com.
|
| free-form | example.onmicrosoft.com |
free-form.example.onmicrosoft.com.
|
Full domain names can be cumbersome to type, so when you enable Magic DNS, Tailscale automatically adds search domains to your network. With these search domains you only need to type the machine name to access a device.
For the example.com network, the following two commands are equivalent:
ping monitoring
ping monitoring.example.com.beta.tailscale.net
In most situations, you’ll want to use the machine name. But for security reasons, accessing devices shared with you requires using the full domain name.
You can see the full domain name of any device in your network by opening its machine page in the admin console.
Disabling Magic DNS
Magic DNS can be disabled for your whole network by toggling the same button you used to enable it in the admin panel.
If you are experiencing trouble with Magic DNS on a particular device and wish to disable it only there, the current solution is to stop accepting network DNS settings in general.
On Linux, stop accepting DNS with:
tailscale up [...] --accept-dns=false
On macOS, stop accepting DNS by holding option while clicking on the Tailscale menubar icon. From here, you can uncheck “Use Tailscale DNS” from the menu.
On Windows, stop accepting DNS by holding shift while right clicking on the Tailscale system tray icon, and unchecking “Use Tailscale DNS” from the menu.
In the future, we will have robust enough DNS configuration and resolution logic that disabling Magic DNS separately will never be necessary. At this point, the toggle will disappear.