
> This lets people gradually use Tailscale SSH over time without messing with their system one.

That is something I have really appreciated about Tailscale. It seems to consistently not mess with the existing environment. Considering it does networking witchcraft and works on a variety of architectures and OSs, this is quite an accomplishment.

I suspect Tailscale's customers have found the same.



Not really. It messes with DNS big time. Try enabling the "MagicDNS" or "Exit Nodes" features, and watch as /etc/resolv.conf is edited with each change. I can easily reproduce scenarios where it's left empty and there's no working DNS resolution.

This is one of the major things I _don't_ like about Tailscale. I wish they'd just stick to enabling Wireguard and making the authentication easier (i.e., where they started). I'm not a fan of most of the features they've added since. I don't want service discovery, magic DNS, SSH key management and/or the kitchen sink bolted on.


It only messes with /etc/resolv.conf if you did `--accept-dns` and don't have systemd-resolved, which nowadays is much more common.

Linux DNS is a clusterfun: https://tailscale.com/blog/sisyphean-dns-client-linux/

But, yeah, without systemd-resolved Linux DNS is a fight to the death between uncooperating processes. NetworkManager is okay, but there are a dozen buggy variants in the wild we have to work around.

Linux is by far the worst platform for DNS config.

I totally recommend systemd-resolved. It's the only thing that does DNS well on Linux.
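The two comments above disagree about when Tailscale rewrites /etc/resolv.conf, so a quick way to check what manages that file on a given host, and whether it has been left without a resolver, is useful. The following is an added example, not code from the thread or from Tailscale: a POSIX shell function that classifies a resolv.conf by the usual markers (the systemd-resolved stub symlink or its 127.0.0.53 address, the NetworkManager header, the resolvconf header) and a second function that reports whether any nameserver line survives. The markers are common heuristics and are assumed, not taken from Tailscale's own detection logic.

```shell
#!/bin/sh
# Added example: classify who manages a resolv.conf file and flag an empty one.
# Assumption: the markers below are the usual ones (systemd-resolved stub symlink
# or 127.0.0.53, "# Generated by NetworkManager", resolvconf's "Dynamic resolv.conf"
# header). They are heuristics, not an official Tailscale or distro API.

# Prints one of: systemd-resolved, networkmanager, resolvconf, empty, plain.
resolv_manager() {
    f="${1:-/etc/resolv.conf}"
    if [ -L "$f" ]; then
        # A symlink into systemd's runtime dir means resolved owns the file.
        target=$(readlink "$f")
        case "$target" in
            *systemd/resolve/*) echo systemd-resolved; return 0 ;;
            *resolvconf*)       echo resolvconf;       return 0 ;;
        esac
    fi
    # Missing or zero-length file: this is the "no working DNS" state.
    if [ ! -s "$f" ]; then
        echo empty
        return 0
    fi
    if grep -q 'Generated by NetworkManager' "$f"; then
        echo networkmanager
        return 0
    fi
    if grep -q 'Dynamic resolv.conf' "$f"; then
        echo resolvconf
        return 0
    fi
    # The stub listener address means resolved is in front even without a symlink.
    if grep -q '127.0.0.53' "$f"; then
        echo systemd-resolved
        return 0
    fi
    echo plain
}

# Succeeds only if at least one uncommented nameserver line is present.
resolv_has_nameserver() {
    f="${1:-/etc/resolv.conf}"
    grep -Eq '^[[:space:]]*nameserver[[:space:]]+[^[:space:]]+' "$f"
}

# Example run against the live file (stand-alone usage).
printf '%s managed by: %s\n' /etc/resolv.conf "$(resolv_manager /etc/resolv.conf)"
if resolv_has_nameserver /etc/resolv.conf; then
    echo "resolver configured"
else
    echo "WARNING: no nameserver configured"
fi
```

Run it before and after toggling MagicDNS or an exit node; if the manager changes from `systemd-resolved` to `plain` or the file becomes `empty`, the host is in the state the first comment describes and the second comment's `--accept-dns` caveat applies.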


What about using NSS[1]? You could add a Tailscale provider to the `hosts` entry.

[1]: https://en.wikipedia.org/wiki/Name_Service_Switch


Consistently I’m unable to use Tailscale on a GCP instance and also use GCP services cleanly, because it messes with the DNS route to the metadata server. Otherwise, it’s a great product.


Thanks for the feedback. I've filed https://github.com/tailscale/tailscale/issues/4911 to fix that.


https://github.com/tailscale/tailscale/issues/4911 is now fixed and will be in the next release.


I don't use GCP, but this is a high quality example of a company doing feedback right. Nicely done!


That is not a feature; it is a bug and a big hole.

The firewall is the system. Just like Apple bypasses its own firewall and just sends packets back home. Or the Chinese way.

Of course, as said by one of the authors, the key is to control port 22 or the rule for SSH. That is not a total loss. Still, one that is ok … you are breaking the system by promoting a way to bypass it. Or just one rule. It is so hard to remember.


No, it's not. Network access control is the whole point of Tailscale; it is the network filtering layer. It serves literally the same function that a Checkpoint Firewall-1 installation would have in 1997, and that's why people buy it. This is basic stuff from the Tailscale website; it doesn't even qualify as analysis. You really ought to understand how these things work before you describe things as "big holes".


Because that's what we all want. Yet another place to look for ACL rules...


If you're deploying Tailscale? Yeah, that's about right.


Considering how simple it is to use Tailscale ACL rules with node auto-tagging, yes I absolutely want it.
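The dispute above is whether Tailscale bypasses the host firewall or is itself the access-control layer for port 22. Concretely, both the network ACL and the Tailscale SSH policy live in one policy file, so here is an added example of what that looks like. It is not from the thread or from Tailscale's documentation; the tag names (`tag:prod`) and the choice of rules are assumed for illustration. The format is HuJSON (JSON with comments), which is what Tailscale's policy file uses.

```jsonc
// Added example policy, not from the thread. Assumes nodes are tagged "tag:prod"
// when enrolled, so the rules follow the node's role rather than its address.
{
  // Who may apply the tag. autogroup:admin is a built-in group of tailnet admins.
  "tagOwners": {
    "tag:prod": ["autogroup:admin"]
  },

  // Network-level rules. Port 22 on prod nodes is reachable only from human
  // members' devices; nothing else on prod is exposed. Tailscale SSH still
  // needs this network rule to allow port 22.
  "acls": [
    { "action": "accept", "src": ["autogroup:member"], "dst": ["tag:prod:22"] }
  ],

  // Tailscale SSH rules. "check" forces the user to re-authenticate with the
  // identity provider before the session opens; root is not offered at all.
  "ssh": [
    {
      "action": "check",
      "src": ["autogroup:member"],
      "dst": ["tag:prod"],
      "users": ["autogroup:nonroot"]
    }
  ]
}
```

Two points follow for the "big hole" argument: first, with no matching `acls` entry the Tailscale interface does not accept port 22 at all, so the host firewall is not the only gate; second, the `ssh` rule can be tighter than a classic firewall rule, because it is evaluated per user and can require a fresh login rather than merely matching a source address.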


Anyway there's a loophole on your network. Tailscale is just a way to use it.



