diff --git a/wgengine/tsdns/tsdns.go b/wgengine/tsdns/tsdns.go
index 680bf51b3..23db7bba4 100644
--- a/wgengine/tsdns/tsdns.go
+++ b/wgengine/tsdns/tsdns.go
@@ -194,6 +194,11 @@ func (r *Resolver) Resolve(domain string, tp dns.Type) (netaddr.IP, dns.RCode, e
 return netaddr.IP{}, dns.RCodeServerFailure, errMapNotSet
 }
+ // Reject .onion domains per RFC 7686.
+ if dnsname.HasSuffix(domain, ".onion") {
+ return netaddr.IP{}, dns.RCodeNameError, nil
+ }
+
 anyHasSuffix := false
 for _, suffix := range dnsMap.rootDomains {
 if dnsname.HasSuffix(domain, suffix) {
diff --git a/wgengine/tsdns/tsdns_test.go b/wgengine/tsdns/tsdns_test.go
index a2f56a168..66a62d107 100644
--- a/wgengine/tsdns/tsdns_test.go
+++ b/wgengine/tsdns/tsdns_test.go
@@ -219,6 +219,7 @@ func TestResolve(t *testing.T) {
 {"mx-ipv6", "test2.ipn.dev.", dns.TypeMX, netaddr.IP{}, dns.RCodeSuccess},
 {"mx-nxdomain", "test3.ipn.dev.", dns.TypeMX, netaddr.IP{}, dns.RCodeNameError},
 {"ns-nxdomain", "test3.ipn.dev.", dns.TypeNS, netaddr.IP{}, dns.RCodeNameError},
+ {"onion-domain", "footest.onion.", dns.TypeA, netaddr.IP{}, dns.RCodeNameError},
 }
 for _, tt := range tests {
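Review bot: The new guard in Resolve only matches the exact lowercase suffix ".onion"; if dnsname.HasSuffix compares case-sensitively (its implementation is not visible in the hunk), a query for `foo.ONION.` bypasses the RFC 7686 rejection and falls through to the normal lookup path, which is the leak the check exists to prevent, since DNS labels are case-insensitive. If the helper is case-sensitive, normalize first, e.g. `if dnsname.HasSuffix(strings.ToLower(domain), ".onion") {`, and pin it with a mixed-case entry next to the new "onion-domain" test case (plus a bare `onion.` entry if the rightmost label alone should also be refused). The guard also sits below the `errMapNotSet` return, so with no DNS map configured a .onion query answers SERVFAIL instead of the NXDOMAIN the RFC asks for; moving the check above that return makes the rejection unconditional and independent of configuration state. Resolve's body begins and ends outside the hunk.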