diff --git a/hw/vade/default.nix b/hw/vade/default.nix
index 9848e0c..c00b67a 100644
--- a/hw/vade/default.nix
+++ b/hw/vade/default.nix
@@ -40,11 +40,7 @@
 ''
 ];
 
- # Internal Metacircular service addresses. Tailscale's MagicDNS intercepts
- # *.mcp.metacircular.net queries (via its ~. catch-all on tailscale0) and
- # returns wrong IPs. Static /etc/hosts entries bypass DNS entirely.
- # When MCNS becomes a full service with proper DNS integration, this can
- # be replaced with split-horizon DNS configuration.
+ # Internal Metacircular service addresses via /etc/hosts.
 networking.hosts = {
 "100.95.252.120" = [
 "metacrypt.svc.mcp.metacircular.net"
@@ -53,4 +49,21 @@
 "rift.mcp.metacircular.net"
 ];
 };
+
+ # Tailscale sets ~. (catch-all) on tailscale0, which hijacks all DNS
+ # queries — even when Tailscale is disconnected. Replace it with a
+ # specific routing domain so normal DNS resolution works.
+ systemd.services.fix-tailscale-dns = {
+ description = "Remove Tailscale DNS catch-all routing";
+ after = [ "network-online.target" "tailscaled.service" ];
+ wants = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ script = ''
+ ${pkgs.systemd}/bin/resolvectl domain tailscale0 ~scylla-hammerhead.ts.net
+ '';
+ };
 }
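Review bot: The shortened comment above `networking.hosts` no longer says why these names are pinned, and the pin is a trust decision: whichever tailnet node holds `100.95.252.120` will answer for `metacrypt.svc.mcp.metacircular.net` and the other listed names, with no DNS lookup to correct a stale entry. I would keep one line of rationale, for example `# Pinned in /etc/hosts (bypasses DNS); update these entries if the node's Tailscale IP changes.` The `networking.hosts` attribute set starts inside this hunk but its list of names continues outside it.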
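Review bot: The `fix-tailscale-dns` oneshot runs `resolvectl domain tailscale0 ...` exactly once, and `after = [ ... "tailscaled.service" ]` only orders it after the daemon starts, not after `tailscale0` exists or after tailscaled has pushed its own DNS settings. If the link is missing the unit fails, and tailscaled may reinstate `~.` on a later reconnect while `RemainAfterExit = true` keeps the unit from running again. Consider adding `"sys-subsystem-net-devices-tailscale0.device"` to `after` with a matching `bindsTo`, and verify that the setting survives a Tailscale reconnect. The block also deserves a comment on the resolver change: with the catch-all gone, any `*.mcp.metacircular.net` name not listed in `networking.hosts` is sent to the default link's resolver, so internal hostnames become visible to whatever DNS server the current network supplies.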