diff --git a/net/dnsfallback/dnsfallback.go b/net/dnsfallback/dnsfallback.go
index d60404ddc..c7d08858b 100644
--- a/net/dnsfallback/dnsfallback.go
+++ b/net/dnsfallback/dnsfallback.go
@@ -39,14 +39,22 @@ import (
 "tailscale.com/util/slicesx"
 )
-var disableRecursiveResolver = envknob.RegisterBool("TS_DNSFALLBACK_DISABLE_RECURSIVE_RESOLVER")
+var (
+ optRecursiveResolver = envknob.RegisterOptBool("TS_DNSFALLBACK_RECURSIVE_RESOLVER")
+ disableRecursiveResolver = envknob.RegisterBool("TS_DNSFALLBACK_DISABLE_RECURSIVE_RESOLVER") // legacy pre-1.52 env knob name
+)
 // MakeLookupFunc creates a function that can be used to resolve hostnames
 // (e.g. as a LookupIPFallback from dnscache.Resolver).
 // The netMon parameter is optional; if non-nil it's used to do faster interface lookups.
 func MakeLookupFunc(logf logger.Logf, netMon *netmon.Monitor) func(ctx context.Context, host string) ([]netip.Addr, error) {
 return func(ctx context.Context, host string) ([]netip.Addr, error) {
- if disableRecursiveResolver() {
+ // If they've explicitly disabled the recursive resolver with the legacy
+ // TS_DNSFALLBACK_DISABLE_RECURSIVE_RESOLVER envknob or not set the
+ // newer TS_DNSFALLBACK_RECURSIVE_RESOLVER to true, then don't use the
+ // recursive resolver. (tailscale/corp#15261) In the future, we might
+ // change the default (the opt.Bool being unset) to mean enabled.
+ if disableRecursiveResolver() || !optRecursiveResolver().EqualBool(true) {
 return lookup(ctx, host, logf, netMon)
 }
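Review bot: The new `optRecursiveResolver` declaration carries no comment, although it is now the knob that decides whether the recursive resolver runs at all: with it unset, `!optRecursiveResolver().EqualBool(true)` is true and every lookup takes the `lookup(ctx, host, logf, netMon)` path. A comment on the declaration such as `// opt-in; unset or false means the recursive resolver is not used` would put the default next to the knob, and the MakeLookupFunc doc comment could name both knobs, since that is what callers read. The `||` also means the legacy disable knob wins when both are set, and a deployment that relied on the old enabled-by-default behaviour gets the non-recursive path after upgrading unless it sets the new knob; one sentence on that precedence in the in-line comment would help anyone triaging bootstrap DNS behaviour. The closure body continues outside the hunk, so whether the chosen path is logged further down is not visible here.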