Tailscale and "Block Non-VPN Traffic"

Thank you for that.

So you are saying using “Block Non-VPN Traffic” will prevent leaks if we also simply set the custom DNS under “DNS Server Settings” to 100.100.100.100? Is this the MagicDNS resolver? If so, then I guess we would need to enable that on the Tailscale side too.

Also, I was wondering if this is needed if in Tailscale we have “Override local DNS” enabled? My experience with this setting is that it forces DNS queries to go through the Tailscale tunnel and resolve at the other side from the DNS IP specified.

By default, clients of your network will use their local DNS settings for all queries. To force clients to always use nameservers you define, you can enable the “Override local DNS” toggle.
DNS in Tailscale · Tailscale Docs

There is also a client-side option, so I guess you can do it on a client-by-client basis. I usually have both enabled anyway.

I think for Linux it is this flag.
tailscale up --accept-dns=true

Curious what your thoughts on this are @hansome. Thanks!
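A quick leak check to go with the post above, as an added example rather than anything from the thread or from Tailscale: after `tailscale up --accept-dns=true` the client rewrites the host resolver configuration so that the only nameserver is Tailscale's resolver, 100.100.100.100 (the address the post mentions). The function below reads a resolv.conf-style file and fails if any other nameserver is still present, which is exactly the state in which queries can leak around the tunnel. The two sample files are constructed here for illustration; the paths and the `check_resolv_conf` name are this example's own, not part of the Tailscale CLI.

```shell
#!/bin/sh
# Added example, not code from the original post or from Tailscale.
# Verifies that a resolv.conf-style file sends every query to the
# Tailscale resolver (100.100.100.100) and to nothing else.

TS_RESOLVER="100.100.100.100"

# check_resolv_conf FILE
#   returns 0 if FILE lists only the Tailscale resolver,
#   returns 1 (and prints why) if it lists none, or any other nameserver.
check_resolv_conf() {
    file="$1"
    # all nameserver entries, one address per line
    all=$(grep -E '^[[:space:]]*nameserver[[:space:]]+' "$file" | awk '{print $2}' || true)
    if [ -z "$all" ]; then
        echo "no nameserver lines at all in $file"
        return 1
    fi
    # anything that is not exactly the Tailscale resolver is a leak path
    leaks=$(printf '%s\n' "$all" | grep -v -x "$TS_RESOLVER" || true)
    if [ -n "$leaks" ]; then
        echo "non-Tailscale resolver(s) in $file: $(printf '%s\n' "$leaks" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample: what the file looks like with --accept-dns=true
# and MagicDNS enabled on the tailnet (search domain is made up).
SAMPLE_CLEAN="$SAMPLE_DIR/clean.conf"
cat > "$SAMPLE_CLEAN" <<'EOF'
# resolv.conf(5) file generated by tailscale
nameserver 100.100.100.100
search example.ts.net
EOF

# Constructed sample: a DHCP-assigned router resolver left alongside
# Tailscale's, so queries can still go out the LAN interface.
SAMPLE_LEAKY="$SAMPLE_DIR/leaky.conf"
cat > "$SAMPLE_LEAKY" <<'EOF'
nameserver 100.100.100.100
nameserver 192.168.1.1
EOF

# Stand-alone run: report both samples, then the live host file if present.
for f in "$SAMPLE_CLEAN" "$SAMPLE_LEAKY"; do
    if check_resolv_conf "$f"; then echo "OK: $f"; else echo "LEAK: $f"; fi
done
if [ -r /etc/resolv.conf ]; then
    check_resolv_conf /etc/resolv.conf && echo "OK: /etc/resolv.conf"
fi
```

On hosts running systemd-resolved, /etc/resolv.conf usually points at the stub 127.0.0.53 and the per-interface resolvers are shown by `resolvectl status`; there the same check has to be applied to the DNS servers listed for each link, since a resolver on the LAN interface is what lets a query bypass the tunnel even when the Tailscale link is configured correctly.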