diff --git a/hw/vade/default.nix b/hw/vade/default.nix
index f57d09c..0a5bb97 100644
--- a/hw/vade/default.nix
+++ b/hw/vade/default.nix
@@ -40,6 +40,10 @@
     ''
   ];
 
+  # Prevent Tailscale from setting a ~. catch-all on tailscale0,
+  # which hijacks all DNS queries through systemd-resolved.
+  services.tailscale.extraUpFlags = ["--accept-dns=false"];
+
   # Route internal Metacircular zones to rift's CoreDNS (MCNS precursor).
   # Uses systemd-resolved domain routing so rift handles only *.mcp.metacircular.net
   # while DHCP/Tailscale DNS handles everything else.