diff --git a/hosts/pinwheel/modules/tailscale/default.nix b/hosts/pinwheel/modules/tailscale/default.nix
index cc37916..32ada12 100644
--- a/hosts/pinwheel/modules/tailscale/default.nix
+++ b/hosts/pinwheel/modules/tailscale/default.nix
@@ -1,7 +1,23 @@
-{ ... }:
+{ pkgs, ... }:
 {
   services.tailscale.enable = true;
 
+  # Pinned to 1.96.5. 1.98.0 regressed split-DNS handling under work-vpn: the
+  # netmap's "resolve .ts.net locally via MagicDNS" hint is dropped
+  # when translated into systemd-resolved config, so *.ts.net queries get sent
+  # to a public resolver (199.247.155.53) that the corporate VPN's port-53
+  # egress filter blocks.
+  services.tailscale.package = pkgs.tailscale.overrideAttrs (_: rec {
+    version = "1.96.5";
+    src = pkgs.fetchFromGitHub {
+      owner = "tailscale";
+      repo = "tailscale";
+      tag = "v${version}";
+      hash = "sha256-vYYb+2OtuXftjGGG0zWJesHccrClB8YZpclv9KzNN/c=";
+    };
+    vendorHash = "sha256-rhuWEEN+CtumVxOw6Dy/IRxWIrZ2x6RJb6ULYwXCQc4=";
+  });
+
   networking.firewall = {
     checkReversePath = "loose";
     allowedUDPPorts = [ 41641 ];
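Review bot: The pin to 1.96.5 in the new `services.tailscale.package` override has no unpin condition, so the host stays on an older release indefinitely and any security fixes shipped in 1.98.x and later are skipped without anyone noticing as nixpkgs moves on. Add an unpin marker next to `version`, e.g. `# TODO(unpin): drop this override once the split-DNS regression is fixed upstream (<UPSTREAM_ISSUE_URL placeholder>); while pinned, re-check tailscale release notes for security fixes on every nixpkgs bump.` Because only `version`, `src` and `vendorHash` are overridden, everything else in the nixpkgs derivation written for the newer release is inherited as-is — its `patches`, if any, and the version stamp set through `ldflags` unless that is derived from `finalAttrs` — so confirming the rebuilt binary actually reports 1.96.5 would catch a stale stamp. The `vendorHash` override presumably relies on the channel's `buildGoModule` reading `src` and `vendorHash` from `finalAttrs`; that is worth confirming for the pinned nixpkgs revision, since an older `buildGoModule` would keep the 1.98.0 vendor hash.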