[trashburger]

You're right for most setups, but when Docker also comes into play, systemd-resolved+Tailscale+Docker interacts really badly and containers cannot resolve anything anymore. This caused some serious hair-pulling at work a few months ago.

[sally_glance]

How did you solve it?

I want to be prepared if it happens, spent too much time figuring out weird Docker - DNS/network interactions on hotel wifis and the like...

[trashburger]

The only proper solution I could find is disabling systemd-resolved entirely. There doesn't seem to be any way to make it use something other than 127.0.0.1 as its listen address (it's actually hardcoded in systemd-resolved) which means that Docker containers which inherit /etc/resolv.conf rules can't resolve DNS anymore.