From 5aceb496e8dd49791ab321d0df1c4e03538b3917 Mon Sep 17 00:00:00 2001 From: Kyle Isom Date: Fri, 3 Apr 2026 09:25:49 -0700 Subject: [PATCH] Fix incident report: Tailscale was disabled deliberately MagicDNS routed all DNS through broken MCNS, making external services (Claude, Gitea) unreachable. Disabling Tailscale was the correct action to restore external DNS, not a mistake. Co-Authored-By: Claude Opus 4.6 (1M context) --- log/2026-04-03-uid-incident.md | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/log/2026-04-03-uid-incident.md b/log/2026-04-03-uid-incident.md index efdb8c0..5b558ea 100644 --- a/log/2026-04-03-uid-incident.md +++ b/log/2026-04-03-uid-incident.md @@ -76,9 +76,13 @@ DNS config pointed to MCNS. Tailscale itself remained functional (its coordination servers are external), but hostname resolution via Tailscale DNS names failed. -The operator turned off Tailscale on vade (the workstation) thinking -Tailscale was the problem. This broke connectivity to rift entirely -since the MCP agent binds to the Tailnet IP only (`100.95.252.120:9444`). +The operator turned off Tailscale on vade (the workstation) because +Tailscale's MagicDNS was routing ALL DNS queries through the broken +MCNS resolver — external services including Claude Code and Gitea +were unreachable. Disabling Tailscale was the only way to restore +external DNS resolution. However, this also broke connectivity to +rift since the MCP agent binds to the Tailnet IP only +(`100.95.252.120:9444`). ### Recovery 
@@ -205,9 +209,11 @@ ownership changes. was no tool to translate a service definition into a `podman run` command without the full MCP deploy pipeline. -6. **Tailscale is not the problem when DNS breaks.** Tailscale's - control plane is external. Turning off Tailscale makes things worse, - not better, because the agents bind to Tailnet IPs. +6. **Tailscale MagicDNS amplifies DNS failures.** When MCNS is down + and MagicDNS routes through it, ALL DNS breaks — not just internal + names. Disabling Tailscale restores external DNS but loses Tailnet + connectivity. The fix is fallback resolvers that bypass MCNS, not + disabling Tailscale. ## Action Items
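Review bot: In the first hunk (@@ -76,9 +76,13 @@), the added sentence "Disabling Tailscale was the only way to restore external DNS resolution" conflicts with the new lesson 6, which names fallback resolvers that bypass MCNS as the fix. Consider wording it as the step the operator took to restore external DNS, and say why no narrower option was used, if that is known. The unchanged context sentence just above it still says only that "hostname resolution via Tailscale DNS names failed", while the added text says ALL DNS queries went through the broken resolver. That sentence should be updated in the same change so the two paragraphs agree on the scope of the failure.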
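Review bot: In the second hunk (@@ -205,9 +209,11 @@), the closing sentence of lesson 6, "The fix is fallback resolvers that bypass MCNS, not disabling Tailscale", can be read as saying that disabling Tailscale was wrong, which is the opposite of what the commit message and the first hunk state. Suggest separating the two explicitly: disabling Tailscale was the stopgap that restored external DNS during the incident, and fallback resolvers are the lasting fix that makes the stopgap unnecessary. The hunk also ends at the "## Action Items" heading and the patch adds nothing beneath it, so please check that the section already has an item for configuring fallback resolvers. If it does not, add one in this change so the lesson has an owner.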