研读了 tailscale 文档发现是 DNS REBINDING PROTECTION 的问题，如下：
DNS servers that have DNS rebinding protection enabled will block DNS responses that include a private IP address. On the public Internet, that does not cause any problems because public websites do not use private IP addresses. When accessing devices on your private network, this becomes an issue if the DNS names of those devices are visible to public DNS servers because sometimes those DNS responses will be blocked.
Use the Tailscale DNS configuration with the ‘override local DNS’ option enabled to send all DNS queries (other than MagicDNS or domain names configured to use specific nameservers) to a public DNS service that does not include DNS rebinding protection. This is similar to the previous option but applies to the entire tailnet.
谢谢各位，现在可以通过 tailscale 访问 duckdns 记录的内网 ip 域名了。