Consistent DNS across public/private networks

Not sure if I’m in the right category here, this is more of a general networking / VPN question and how an optimal tailscale would apply to my situation.


I’m creating a homelab that will be running some services that I want to share with friends. I’ll use the example of a minecraft server as my shared service. Here’s my requirements:

  1. When my friends are visiting my home (and on my LAN), I want them to be able to access the server with minecraft.mydomain-dot-com, no installlation of tailscale required. You could imagine this as useful for large gaming LAN parties, and setup is seamless when they all join my wifi/switch.

  2. When my friends want to visit the server outside of my LAN, I tell them to create a tailscale account and I share my device with them such that minecraft.mydomain-dot-com works remotely as well

My question is effectively “how should I set up DNS in my registrar (cloudflare) and within tailscale” to get this working

Attempted Solutions

  1. Create DNS A records in the registrar pointing to both the LAN IP and tailscale IP. This means that when client applications try to hit minecraft.mydomain-dot-com, they’ll possibly cycle/attempt one IP before falling back to the other; only one will work depending if they are on LAN or on tailscale. For web browsers this seemed to work fine, as eventually the browser would try the correct IP address and resolve. However, not all clients trying to resolve myservice.mydomain-dot-com after failing a request would go all the way back to the DNS response and try the other IPs returned by the registrar (ran into this with jellyfin)

  2. Have the public DNS registrar point to the tailscale IP and run a DNS server locally on my LAN that will resolve minecraft.mydomain-dot-com. This seemed non-ideal because then I’d need to tell my LAN-party guests to adjust their DNS settings to point to (or something local) for the domain names to work

  3. Have the public DNS registrar point to the LAN IP, and run a DNS server that resolves minecraft.mydomoain-dot-com in my tailnet to the tailscale IP. This is what I currently do, and I’m wondering if there’s alternatives for it that are better/automatic. When I want to share my minecraft server with remote friends, I tell them to install tailscale, I share my device running the service/DNS, tell them to add a split-dns entry for mydomain-dot-com, and give an DNS IP address of the minecraft device which is also running a DNS server.

Fundamentally, I want to be able to “push” DNS rules to my friends, which is maybe more straightforward in more traditional VPN setups (???). When I share my device with friends, I want it to also register that device (or another one) as a domain-name server, or something similar; obviously you don’t want shared devices hijacking a user’s normal DNS. Any advice? Thanks!

Hi, I solved it this like this:

→ Public DNS always resolves to tailscale ip. (check my sync script: Cloudflare DNS Sync)
→ Use a subnet router for your local network to get the TCP sessions synchronous (could be optional, depending on your network design)
→ Set a route for in your local router and point it to your local tailscale router/minecraft server.

Now your guest should reach the service with the same hostname (and ip) regardless if they are using tailscale remote, or if they’re at your local network

Basicly always use the tailscale ip and route it in your local network accroindling for computers not connected to your tailnet

IMO, the best bet would be to just direct everyone to use Tailscale regardless of being on the LAN or not. Shouldn’t be a big deal since its a direct tunnel even when on your local network. Then you can just have your minecraft domain point to your Tailscale IP.

Set a route for in your local router and point it to your local tailscale router/minecraft server.

Hmm I could give this a shot, I wouldn’t need a local DNS server in this way either which would be nice. Shouldn’t be too hard to add to my edgerouterx.

I’ll look at the cloudflare dns sync script, thanks! Right now my setup is pretty simple, with one device running a reverse-proxy and a bunch of services (minecraft, jellyfin, pihole). If I had a future with multiple devices running different services, I’d look into this; right now I’m fine with hardcoding the DNS A Record (or maybe maintaining the hardcoded IP addr and using it as a k3s ingress to access other services)

IMO, the best bet would be to just direct everyone to use Tailscale regardless of being on the LAN or not

Ya for something like minecraft where users can control their computers, this would be totally fine. I also like the prospect of not having to modify my local router much (like the prev answer); sometimes these side projects get abandoned and then something breaks later and ruins my (now angry) partner’s internet.

One example where this would break down though was if I was trying to connect a device w/o tailscale (android-tv/roku) to a media server like jellyfin. In these one-off cases, I can’t directly use the LAN IP address of minecraft either, because my reverse-proxy relies on servicename in servicename.mydomain-dot-com to route properly

Thanks both for the answers! Will play round with them

I had similar requirements and solved it by using one-to-one NAT rule on my opnsense router with my Tailscale IP in the public DNS. I have blogged about the instructions at Sharing public domain with Tailscale and Internal Network with One-To-One NAT using OPNSense - Prabir's Blog

Your router might have similar settings that you can configure.