diff --git a/app.go b/app.go
index 9e29640f..c8c799b1 100644
--- a/app.go
+++ b/app.go
@@ -16,6 +16,7 @@ import (
 "gorm.io/gorm"
 "inet.af/netaddr"
 "tailscale.com/tailcfg"
+ "tailscale.com/types/dnstype"
 "tailscale.com/types/wgkey"
 )
@@ -104,6 +105,17 @@ func NewHeadscale(cfg Config) (*Headscale, error) {
 return nil, err
 }
+ if h.cfg.DNSConfig != nil && h.cfg.DNSConfig.Proxied { // if MagicDNS
+ magicDNSDomains, err := h.generateMagicDNSRootDomains()
+ if err != nil {
+ return nil, err
+ }
+ h.cfg.DNSConfig.Routes = make(map[string][]dnstype.Resolver)
+ for _, d := range *magicDNSDomains {
+ h.cfg.DNSConfig.Routes[d.WithoutTrailingDot()] = nil
+ }
+ }
+
 return &h, nil
 }
diff --git a/dns.go b/dns.go
new file mode 100644
index 00000000..91afe519
--- /dev/null
+++ b/dns.go
@@ -0,0 +1,30 @@
+package headscale
+
+import (
+ "fmt"
+
+ "tailscale.com/util/dnsname"
+)
+
+func (h *Headscale) generateMagicDNSRootDomains() (*[]dnsname.FQDN, error) {
+ base, err := dnsname.ToFQDN(h.cfg.BaseDomain)
+ if err != nil {
+ return nil, err
+ }
+
+ // TODO(juanfont): we are not handing over IPv6 addresses yet
+ // and in fact this is Tailscale.com's range (not the fd7a:115c:a1e0: range in the fc00::/7 network)
+ ipv6base := dnsname.FQDN("0.e.1.a.c.5.1.1.a.7.d.f.ip6.arpa.")
+ fqdns := []dnsname.FQDN{base, ipv6base}
+
+ for i := 64; i <= 127; i++ {
+ fqdn, err := dnsname.ToFQDN(fmt.Sprintf("%d.100.in-addr.arpa.", i))
+ if err != nil {
+ // TODO: propagate error
+ continue
+ }
+ fqdns = append(fqdns, fqdn)
+ }
+
+ return &fqdns, nil
+}
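Review bot: `h.cfg.DNSConfig.Routes = make(map[string][]dnstype.Resolver)` in NewHeadscale replaces the map unconditionally, so any routes already present on the DNS config when MagicDNS is enabled are dropped without a message. Guard the allocation with `if h.cfg.DNSConfig.Routes == nil { h.cfg.DNSConfig.Routes = make(map[string][]dnstype.Resolver) }` and let the loop add the MagicDNS suffixes on top. The `// if MagicDNS` comment should say why the values are nil, for example `// MagicDNS: a nil resolver list keeps these suffixes on the client's built-in resolver instead of forwarding them upstream`; that reading of a nil entry is my understanding of tailcfg and should be confirmed. The start of NewHeadscale lies outside this hunk, so whether Routes can be populated earlier is not visible here.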
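Review bot: generateMagicDNSRootDomains adds `h.cfg.BaseDomain` to the list without checking that it is set, and the function has no doc comment saying that every returned suffix is claimed for the tailnet's own resolver. If `dnsname.ToFQDN` maps an empty string to the root name, which I believe it does, the caller in app.go would install a route keyed on `""` and could capture all client lookups. Reject that case up front with `if h.cfg.BaseDomain == "" { return nil, fmt.Errorf("base domain must be set when MagicDNS is enabled") }`. The `continue` under `// TODO: propagate error` should be `return nil, err`, since the signature already carries an error. A doc comment should also note that the reverse zones are hard-coded to 100.64.0.0/10 and fd7a:115c:a1e0::/48, so they will not match if the server is configured to hand out addresses from another prefix.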