diff --git a/net/connstats/stats.go b/net/connstats/stats.go
index 94d75212a..dbcd946b8 100644
--- a/net/connstats/stats.go
+++ b/net/connstats/stats.go
@@ -13,6 +13,7 @@ import (
 "golang.org/x/sync/errgroup"
 "tailscale.com/net/packet"
+ "tailscale.com/net/tsaddr"
 "tailscale.com/types/netlogtype"
 )
@@ -92,6 +93,11 @@ func (s *Statistics) UpdateRxVirtual(b []byte) {
 s.updateVirtual(b, true)
 }
+var (
+ tailscaleServiceIPv4 = tsaddr.TailscaleServiceIP()
+ tailscaleServiceIPv6 = tsaddr.TailscaleServiceIPv6()
+)
+
 func (s *Statistics) updateVirtual(b []byte, receive bool) {
 var p packet.Parsed
 p.Decode(b)
@@ -100,6 +106,15 @@ func (s *Statistics) updateVirtual(b []byte, receive bool) {
 conn.Src, conn.Dst = conn.Dst, conn.Src
 }
+ // Network logging is defined as traffic between two Tailscale nodes.
+ // Traffic with the internal Tailscale service is not with another node
+ // and should not be logged. It also happens to be a high volume
+ // amount of discrete traffic flows (e.g., DNS lookups).
+ switch conn.Dst.Addr() {
+ case tailscaleServiceIPv4, tailscaleServiceIPv6:
+ return
+ }
+
 s.mu.Lock()
 defer s.mu.Unlock()
 cnts, found := s.virtual[conn]
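Review bot: The early return in the last hunk matches on `conn.Dst.Addr()` alone, so it covers received packets only because of the Src/Dst swap just above it. The guard on that swap is outside the hunk, so this is inferred from the `receive` parameter, and the body of updateVirtual continues past the hunk. The comment should state that dependency, e.g. `// conn.Dst is the remote side in both directions after the swap above, so replies from the service IP are dropped too.` The match is also on address only, so every port on the service IP is omitted from the flow records, not just DNS. Anyone using these logs for monitoring should not read the absence of such flows as absence of traffic, and the comment or the package doc is a good place to say so. No test for the exclusion is visible in this diff; a case feeding a packet addressed to each service IP through both the Tx and Rx entry points would pin the behaviour.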