How to point internal hostname to Tailscale machine IP?

Hi there,

As a summary, this is how I have Tailscale configured on my home network:

  • Tailscale installed in my Raspberry Pi
  • Tailscale started with --accept-dns=false --advertise-exit-node --snat-subnet-routes=false
  • DNS server (AdGuard Home) installed on Raspberry Pi
  • Tailscale global nameserver pointing to the Pi 100.x address (with “Override local DNS” enabled)
  • DNS server upstream servers go to Cloudflare 1.1.1.1 by default, but if the query matches my own custom domain (example.com) it goes to my router’s DNS server instead (e.g., machine.domain.example → 10.0.10.123)

So far, everything is working as expected, but it’s now time to share my DNS server with my family and friends.

For testing purposes, I’m using my wife’s Google account. I created her own Tailscale account, and shared the Pi machine with her. I then proceeded to configure her account DNS to point the global nameserver to the Pi 100.x address (with “Override local DNS” enabled). Now, with her laptop and Tailscale account connected, I can ping machine.domain.example and I get 10.0.10.123. So far, so good. If I ping anything else (like tailscale.com), it also works, and I get whatever Cloudflare returns. In conclusion, her account goes through my DNS server installed on the Pi successfully.

The problem is that she can’t access 10.0.10.123; Tailscale does not work like that. She could, however, access the 100.x address pointing to the same machine. So, in a nutshell, this is what I aim to achieve:

  • Inside our home network
    • Not connected to Tailscale, pinging machine.domain.example returns 10.0.10.123
    • Connected to Tailscale, pinging machine.domain.example returns 100.x
  • Outside our home network
    • Connected to Tailscale, pinging machine.domain.example returns 100.x

I’m thinking that we’d need to have some kind of override functionality in the Tailscale DNS interface, so that we could tell Tailscale DNS to return a Tailscale machine IP for a specific hostname, otherwise fallback to the global nameserver. But I don’t think this functionality exists yet.

So far, the only workaround I found to achieve this is to forget about sharing, and use my own account on my wife’s laptop while advertising my home’s subnet. But “my wife’s laptop” was just an example; ideally I would want to share specific machines with multiple friends and family, and sharing my account credentials is not feasible.

Is this not possible to achieve in some other way? What are my alternatives?

Currently, a shared node doesn’t advertise any routes into the sharee tailnet. In testing the user experience, that led to too many unwelcome surprises about what the sharee could reach with local LAN access. It is likely that there will at some point be a larger sharing option which might share multiple nodes and subnet routes, but not yet.

An option available now is a multiuser tailnet. Though it leads with a discussion of open source projects, https://tailscale.com/blog/community-github-pricing is also suitable for friends and family use.

I didn’t know that, so do I just e-mail them and request that friends/family plan?

Either way, I found a workaround that seems to be working well for me, not sure if I’d be better off with a multiuser tailnet (probably). How this works is that I’ve defined some custom filtering rules in my DNS Server, like this:

|machine1.domain.example^$client=100.64.0.0/10,dnsrewrite=NOERROR;A;100.x.x.x
|machine2.domain.example^$client=100.64.0.0/10,dnsrewrite=NOERROR;A;100.x.x.x

So, if the DNS server receives a request for one of the specified machines from a Tailscale client, it redirects them to the correct Tailscale IP address. If Tailscale is disconnected and the user is inside my home network, the same DNS server is used, and the local IP is returned instead, because the filtering rule will not apply.

But I might just take them up on their offer, and migrate to the friends/family plan.
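To make the split-horizon behaviour described in the original post (LAN clients get 10.0.10.x, tailnet clients get 100.x) and the AdGuard Home rewrite rules in the last reply concrete, here is an added worked example that is not part of the thread or of AdGuard Home itself. It parses rules in the same `|host^$client=...,dnsrewrite=...` syntax and evaluates them against a query's source address, so you can check what each client class would be told before deploying the rules. The 100.101.102.x Tailscale addresses, the second LAN record and the `LAN_RECORDS` stand-in for the router's DNS are constructed placeholders; AdGuard's real matching engine is not reproduced, only the logic the thread relies on.

```python
import ipaddress
import re

# Constructed sample rules in AdGuard Home filtering syntax, modelled on the
# ones quoted in the thread; the 100.101.102.x addresses are placeholders.
RULES = """
|machine1.domain.example^$client=100.64.0.0/10,dnsrewrite=NOERROR;A;100.101.102.103
|machine2.domain.example^$client=100.64.0.0/10,dnsrewrite=NOERROR;A;100.101.102.104
"""

# Constructed stand-in for the router's DNS (the LAN answers for the custom
# domain that AdGuard would normally forward to).
LAN_RECORDS = {
    "machine1.domain.example": "10.0.10.123",
    "machine2.domain.example": "10.0.10.124",
}

# |<host>^$client=<network>,dnsrewrite=<rcode>;<rtype>;<value>
RULE_RE = re.compile(
    r"^\|(?P<host>[^^]+)\^\$client=(?P<client>[^,]+),"
    r"dnsrewrite=(?P<rcode>[A-Z]+);(?P<rtype>[A-Z]+);(?P<value>\S+)$"
)


def parse_rules(text):
    """Parse rewrite rules into dicts; reject anything that does not match
    the narrow syntax above so a typo cannot silently disable a rule."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        rules.append({
            "host": m["host"].lower(),
            # strict=False tolerates host bits set in the prefix, e.g. 100.64.0.1/10
            "client": ipaddress.ip_network(m["client"], strict=False),
            "rcode": m["rcode"],
            "rtype": m["rtype"],
            "value": m["value"],
        })
    return rules


def resolve(name, client_ip, rules, lan_records=LAN_RECORDS):
    """Return the A record a querying client would receive.

    A rewrite wins only when the query's source address falls inside the
    rule's $client network (tailnet queries arrive from the client's 100.x
    address, LAN queries do not). Otherwise fall through to the router's
    LAN answer for the custom domain, or None meaning "forward upstream".
    """
    name = name.lower().rstrip(".")
    client = ipaddress.ip_address(client_ip)
    for rule in rules:
        if rule["host"] == name and rule["rtype"] == "A" and client in rule["client"]:
            return rule["value"]
    return lan_records.get(name)


if __name__ == "__main__":
    parsed = parse_rules(RULES)
    for who, src in (("tailnet client", "100.64.5.6"), ("LAN client", "10.0.10.50")):
        print(who, "->", resolve("machine1.domain.example", src, parsed))
```

The check worth running before rolling such rules out is the one the `resolve` function encodes: an address outside 100.64.0.0/10 (a LAN-only device, or a tailnet client with Tailscale disconnected) must still get the 10.0.10.x answer, and a name that is not under the custom domain must fall through untouched so it is forwarded to 1.1.1.1 as before.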