From afb065fb6842ccbe6efd2a26096b609e73a3f41b Mon Sep 17 00:00:00 2001
From: Nick Khyl <nickk@tailscale.com>
Date: Thu, 12 Feb 2026 22:37:41 -0600
Subject: [PATCH] net/dns: write MagicDNS host names to the hosts file on
 domain-joined Windows machines

On domain-joined Windows devices the primary search domain (the one the device is joined to)
always takes precedence over other search domains. This breaks MagicDNS when we are the primary
resolver on the device (see #18712). To work around this Windows behavior, we should write MagicDNS
host names the hosts file just as we do when we're not the primary resolver.

This commit does exactly that.

Fixes #18712

Signed-off-by: Nick Khyl <nickk@tailscale.com>
---
 net/dns/manager_windows.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/net/dns/manager_windows.go b/net/dns/manager_windows.go
index 118dd18dd..bc1e64560 100644
--- a/net/dns/manager_windows.go
+++ b/net/dns/manager_windows.go
@@ -399,7 +399,15 @@ func (m *windowsManager) SetDNS(cfg OSConfig) error {
 		if err := m.setSplitDNS(resolvers, domains); err != nil {
 			return err
 		}
-		if err := m.setHosts(nil); err != nil {
+		var hosts []*HostEntry
+		if winenv.IsDomainJoined() {
+			// On domain-joined Windows devices the primary search domain (the one the device is joined to)
+			// always takes precedence over other search domains. This breaks MagicDNS when we are the primary
+			// resolver on the device (see #18712). To work around this Windows behavior, we should write MagicDNS
+			// host names the hosts file just as we do when we're not the primary resolver.
+			hosts = cfg.Hosts
+		}
+		if err := m.setHosts(hosts); err != nil {
 			return err
 		}
 		if err := m.setPrimaryDNS(cfg.Nameservers, cfg.SearchDomains); err != nil {