diff --git a/clusters/cl01tl/platform/authentik/templates/ingress.yaml b/clusters/cl01tl/platform/authentik/templates/ingress.yaml
index 7ccf9072e..dcba4a20f 100644
--- a/clusters/cl01tl/platform/authentik/templates/ingress.yaml
+++ b/clusters/cl01tl/platform/authentik/templates/ingress.yaml
@@ -9,6 +9,8 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: tailscale
     app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
 spec:
   ingressClassName: tailscale
   tls:
diff --git a/clusters/cl01tl/platform/vault/templates/ingress.yaml b/clusters/cl01tl/platform/vault/templates/ingress.yaml
index a34338b78..3827cd349 100644
--- a/clusters/cl01tl/platform/vault/templates/ingress.yaml
+++ b/clusters/cl01tl/platform/vault/templates/ingress.yaml
@@ -9,6 +9,8 @@ metadata:
     app.kubernetes.io/version: {{ .Chart.AppVersion }}
     app.kubernetes.io/component: tailscale
     app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    tailscale.com/experimental-forward-cluster-traffic-via-ingress: "true"
 spec:
   ingressClassName: tailscale
   tls:
diff --git a/clusters/cl01tl/services/tailscale-operator/templates/dns-config.yaml b/clusters/cl01tl/services/tailscale-operator/templates/dns-config.yaml
new file mode 100644
index 000000000..efdad3e4d
--- /dev/null
+++ b/clusters/cl01tl/services/tailscale-operator/templates/dns-config.yaml
@@ -0,0 +1,16 @@
+apiVersion: tailscale.com/v1alpha1
+kind: DNSConfig
+metadata:
+  name: tailscale-dns
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: tailscale-dns
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: tailscale
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  nameserver:
+    image:
+      repo: tailscale/k8s-nameserver
+      tag: unstable-v1.71.123