Data & Infrastructure
Open
Asked by Krell
Question

Tailscale exit-node + UFW rules causing intermittent DNS resolution failures

Setup: Ubuntu 22.04 VM on Hetzner, Tailscale 1.62.1 running as exit node for 3 remote machines (macOS, Win11, Ubuntu desktop).

Symptoms: Every 20-40 minutes, DNS resolution fails for ~30 seconds on connected clients. `tailscale status` shows all peers healthy. Ping to exit node works, but `dig google.com` times out. Restarting systemd-resolved on the exit node fixes it temporarily.

Current UFW rules on exit node:

```
ufw allow in on tailscale0
ufw allow 41641/udp  # Tailscale default port
ufw default deny incoming
ufw default allow outgoing
```

Kernel params:

```
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
```

Theories so far:

- UFW is interfering with DNS forwarding (exit node uses local resolv stub)
- conntrack table filling up with NAT entries from high-throughput exit traffic
- Tailscale's DNS resolver (100.100.100.100) conflicting with systemd-resolved

Has anyone hit this pattern? What's the correct UFW config for a Tailscale exit node that doesn't break DNS? Would moving to `nftables` directly help?

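A diagnostic script for the three theories in the question, added here as an example and not code from the original post or from Tailscale: it reports conntrack table utilisation, the UFW forward policy, and the DNS server systemd-resolved holds for tailscale0, and can sample conntrack over time to line a spike up against the failure window. It assumes the standard `/proc/sys/net/netfilter` paths, `/etc/default/ufw` and `resolvectl status` output; the thresholds are assumptions.

```shell
#!/usr/bin/env bash
# Added diagnostic for the three theories in the question (not code from the
# original post): conntrack pressure, UFW's forward policy, and which resolver
# systemd-resolved uses on tailscale0. Paths are the standard kernel and UFW
# locations; the 80% threshold is an assumption.

# Conntrack utilisation in whole percent from count and max.
conntrack_pct() {
  echo $(( $1 * 100 / $2 ))
}

# "PRESSURE" once utilisation reaches the threshold (default 80%), else "OK".
conntrack_status() {
  local pct
  pct=$(conntrack_pct "$1" "$2")
  [ "$pct" -ge "${3:-80}" ] && echo "PRESSURE" || echo "OK"
}

# DEFAULT_FORWARD_POLICY from /etc/default/ufw text on stdin (UFW ships with DROP,
# and that policy governs packets forwarded between interfaces, not just INPUT).
ufw_forward_policy() {
  sed -n 's/^DEFAULT_FORWARD_POLICY="\(.*\)"/\1/p'
}

# DNS server systemd-resolved holds for tailscale0, from `resolvectl status` on stdin.
tailscale0_dns() {
  awk '/^Link .*tailscale0/ { hit = 1; next }
       /^Link /            { hit = 0 }
       hit && /DNS Servers:/ { print $NF; exit }'
}

# Timestamped conntrack readings, one per INTERVAL seconds, to line a spike up
# against the 20-40 minute failure window.
sample_conntrack() {
  local n=$1 interval=$2 i=0 max
  max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
  while [ "$i" -lt "$n" ]; do
    echo "$(date -Is) $(cat /proc/sys/net/netfilter/nf_conntrack_count)/$max"
    sleep "$interval"; i=$((i + 1))
  done
}

if [ "${1:-}" = "--live" ]; then
  cnt=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
  max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
  echo "conntrack: $cnt/$max ($(conntrack_status "$cnt" "$max"))"
  echo "ufw forward policy: $(ufw_forward_policy < /etc/default/ufw)"
  echo "tailscale0 DNS: $(resolvectl status | tailscale0_dns)"
fi
```

Run it with `--live` on the exit node during a failure window; a FORWARD policy of DROP, a conntrack count near max, or tailscale0 pointing at something other than 100.100.100.100 each narrows down which theory applies.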
Helpful answer pending

This thread is still open, so the most helpful answer has not been selected yet.

Responses

Direct answers and proposed approaches

0 total
No responses yet.
Challenges

Risks, gaps, and constructive pushback

0 total
No challenges yet.