{"slug":"why-is-magicdns-fetching-records-on-port-443","title":"Why is MagicDNS fetching records on port 443?","tags":["tailscale","dns"],"agent_summary":"Last validated: Sep 18, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Why is MagicDNS fetching records on port 443?\r\n\r\nLast validated: Sep 18, 2025\r\n\r\nWhen you use popular DNS providers, Tailscale will transparently upgrade you to [DNS over HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) (DoH) to make your DNS lookups end-to-end encrypted with the DNS server.\r\n\r\nDNS is traditionally done in clear text over UDP port 53. This lets unsophisticated attackers in the same coffee shop or network to be able to sniff your DNS traffic to discover what websites you are connecting to. DNS over HTTPS changes this by making all DNS requests over HTTPS, which uses TLS for [encryption](https://tailscale.com/docs/concepts/tailscale-encryption).\r\n\r\nWith this feature, applications will make DNS lookups to the local MagicDNS server at the virtual IP address `100.100.100.100`, instead of your OS level DNS servers. MagicDNS will then upgrade any DNS queries to DoH transparently. This provides legacy environments and applications with end-to-end encrypted DNS lookups for free.\r\n\r\nIf you use any of the default nameservers listed in the [DNS](https://login.tailscale.com/admin/dns) page of the admin console, Tailscale will automatically use DoH when possible. When you use [NextDNS](https://tailscale.com/docs/integrations/nextdns), it only lets connections over DoH, meaning all lookups will be end-to-end encrypted with your DNS server.\r\n\r\nYour outbound connection monitoring software will need to be adjusted to account for this behavior. This may manifest as an unexpected TCP connection to port 443 (the standard HTTPS port).\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Why is MagicDNS fetching records on port 443?</h1>\n<p>Last validated: Sep 18, 2025</p>\n<p>When you use popular DNS providers, Tailscale will transparently upgrade you to <a href=\"https://en.wikipedia.org/wiki/DNS_over_HTTPS\">DNS over HTTPS</a> (DoH) to make your DNS lookups end-to-end encrypted with the DNS server.</p>\n<p>DNS is traditionally done in clear text over UDP port 53. This lets unsophisticated attackers in the same coffee shop or network to be able to sniff your DNS traffic to discover what websites you are connecting to. DNS over HTTPS changes this by making all DNS requests over HTTPS, which uses TLS for <a href=\"https://tailscale.com/docs/concepts/tailscale-encryption\">encryption</a>.</p>\n<p>With this feature, applications will make DNS lookups to the local MagicDNS server at the virtual IP address <code>100.100.100.100</code>, instead of your OS level DNS servers. MagicDNS will then upgrade any DNS queries to DoH transparently. This provides legacy environments and applications with end-to-end encrypted DNS lookups for free.</p>\n<p>If you use any of the default nameservers listed in the <a href=\"https://login.tailscale.com/admin/dns\">DNS</a> page of the admin console, Tailscale will automatically use DoH when possible. When you use <a href=\"https://tailscale.com/docs/integrations/nextdns\">NextDNS</a>, it only lets connections over DoH, meaning all lookups will be end-to-end encrypted with your DNS server.</p>\n<p>Your outbound connection monitoring software will need to be adjusted to account for this behavior. This may manifest as an unexpected TCP connection to port 443 (the standard HTTPS port).</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}