Problem
When using the tailscale/github-action with App Connectors, DNS queries for App Connector domains are not automatically routed through MagicDNS (100.100.100.100) on Ubuntu GHA runners. This means the App Connector never intercepts DNS, never injects subnet routes, and connections to internal resources (e.g., AWS RDS via App Connector) fail silently.
Root Cause
On Linux with systemd-resolved, Tailscale needs to configure split DNS so that App Connector domain queries go through the tailscale0 interface (MagicDNS). Currently this doesn't happen automatically.
The only way to force DNS through MagicDNS is resolvectl domain tailscale0 '~.', but this routes all DNS through MagicDNS, breaking external resolution (github.com, AWS APIs, OIDC endpoints, etc.) — which is not viable in CI.
On macOS/Windows, Tailscale integrates with the OS DNS stack more tightly and this works transparently.
Expected Behavior
After tailscale-action connects, App Connector domains should be resolvable without manual intervention. Ideally:
- The action reads App Connector domain config from the node's netmap
- Configures
resolvectl to route only those domains through tailscale0
- e.g.,
resolvectl domain tailscale0 '~rds.amazonaws.com' for RDS endpoints
- Waits for subnet route injection before completing
Current Workaround
We had to implement a manual workaround in our composite action:
- name: Verify DB connectivity via Tailscale App Connector
shell: bash
run: |
# 1. Query MagicDNS directly (bypass systemd-resolved)
RDS_IP=$(dig +short @100.100.100.100 "$RDS_HOST" | tail -1)
# 2. Wait for Tailscale to inject subnet route
for i in $(seq 1 5); do
if ip route show table 52 | grep -q "$RDS_IP"; then break; fi
sleep 2
done
# 3. Verify TCP connectivity
for i in $(seq 1 5); do
if bash -c "echo > /dev/tcp/$RDS_IP/3306" 2>/dev/null; then break; fi
sleep 2
done
# 4. Add to /etc/hosts so tools can connect by hostname
echo "$RDS_IP $RDS_HOST" | sudo tee -a /etc/hostsThis is fragile, requires knowledge of Tailscale internals (table 52, MagicDNS IP), and defeats the purpose of App Connector's transparent DNS interception.
Environment
- Runner: Ubuntu 24.04 (both standard GHA and Blacksmith runners)
- tailscale/github-action: v4
- Use case: Connecting to AWS RDS (Aurora MySQL) via App Connector from GHA for database migrations
- ACL: App Connector domains configured in
nodeAttrs with tailscale.com/app-connectors
Related Issues
Problem
When using the
tailscale/github-actionwith App Connectors, DNS queries for App Connector domains are not automatically routed through MagicDNS (100.100.100.100) on Ubuntu GHA runners. This means the App Connector never intercepts DNS, never injects subnet routes, and connections to internal resources (e.g., AWS RDS via App Connector) fail silently.Root Cause
On Linux with
systemd-resolved, Tailscale needs to configure split DNS so that App Connector domain queries go through thetailscale0interface (MagicDNS). Currently this doesn't happen automatically.The only way to force DNS through MagicDNS is
resolvectl domain tailscale0 '~.', but this routes all DNS through MagicDNS, breaking external resolution (github.com, AWS APIs, OIDC endpoints, etc.) — which is not viable in CI.On macOS/Windows, Tailscale integrates with the OS DNS stack more tightly and this works transparently.
Expected Behavior
After
tailscale-actionconnects, App Connector domains should be resolvable without manual intervention. Ideally:resolvectlto route only those domains throughtailscale0resolvectl domain tailscale0 '~rds.amazonaws.com'for RDS endpointsCurrent Workaround
We had to implement a manual workaround in our composite action:
This is fragile, requires knowledge of Tailscale internals (table 52, MagicDNS IP), and defeats the purpose of App Connector's transparent DNS interception.
Environment
nodeAttrswithtailscale.com/app-connectorsRelated Issues
resolv.confordering)