This post walks through how to set up DNS on tailscale so it places nicely with self hosted services. It assumes you are running AdGuard or PiHole but a similar solution should be available for any DNS service.

I recently deployed tailscale on my network and its been working well. I installed it on my main server, my OPNSense Router, and all my edge devices.

OpnSense Setup

I start wireguard on the router with the following command:

tailscale up --reset --accept-dns=false --advertise-exit-node --advertise-routes=

–advertise-exit-node Allows client to funnel all traffic through this node

–advertise-routes Allows clients to reach other devices on the LAN not running tailscale.

This allows any device to funnel all traffic through my router. This is useful when on public wifi. It also allows access to all the devices on my LAN even if they do not have tailscale IP’s.

Overall this has worked great, but I ran into a problem with DNS resolution on any self hosted services when behind the VPN.

DNS setup in Tailscale

Log in to tailscale and go to the DNS settings page.

  1. Enable MagicDNS
  2. Override DNS
  3. Set the global nameserver to the Tailscale IP address of your OpnSense Router

Tailscale DNS Settings

DNS Rewrites in AdGuard

Finally in order to resolve the DNS issues for clients funneling traffic through tailscale, enable DNS rewrites in adguard.

DNS Rewrite Menu

DNS Rewrite

DNS Rewrites in PiHole

To set up DNS rewrites in pihole create the file: /etc/dnsmasq.d/02-my-wildcard-dns.conf

The contents of the file should look like: