Need some help with default DNS when using tailscale

I am using tailscale on my NAS, Macbook and on my phone. At home I am running adguardhome on my NAS (similar to pi-hole) to block ads.

When I am not at home I would like my Macbook and mobile phone to use the NAS as the DNS when tailscape is connected on those devices.

The benefit would be that if I want to surf securely I would connect my phone to tailscale and it would automatically use my NAS as DNS hence I would see no ads on my phone.

As soon as I disconnect from tailscale my phone would again use my ISP’s DNS.

The only relevant article I found was this one: Subnet routes and relay nodes - Tailscale as it touches upon the subject but there they only route certain domains through tailscape.

Any help would be appreciated.

P.S. my NAS is running Debian.

Can you please try adding your NAS IP as DNS in the Tailscale admin console? That should help you to use your NAS as your DNS server for all your tailscale devices.

Thank you,

Thanks for helping out.

That did not work, at least not when I used the internal IP of my NAS. I guess my mobile phone had not way to connect to my NAS using the internal IP.

I could use the tailscale IP assigned to my NAS? OR is there a need for some routing rules?

I think I figured it out, let me give it another try. I have read through: DNS in Tailscale - Tailscale and found this passage which might help:

Nameservers: these are the IP addresses of existing DNS servers you want your Tailscale nodes to use for lookups, whenever they are connected to your network. Many companies have internal private DNS servers with the names of their private machines. If so, you can add those DNS servers here. Note that unless your DNS servers are either public, or using Tailscale 100.x addresses, you will probably need to configure subnet routing so that your nodes can reach the private DNS server(s).

Yes, sorry I was not clear in my reply, but you have to use your NAS’s Tailscale IP as a DNS server.

I still need help.

I have 3 devices:

NAS, Macbook and phone. The ad filtering DNS runs on the NAS and is listening on 0.0.0.0:53 so if I go to my tailscale dashboard => DNS and enter the 100.x.x.x IP of the NAS as DNS it works insofar as

a) my Macbook can resolve domain names
b) my NAS can resolve domain names
c) my mobile phone is completely cut off from the internet, no name resolution works
d) my DNS only shows the NAS as client and none of the other 2 devices

I assume I could solve d) by starting tailscale on the nas with “tailscale up --advertise-routes=10.0.0.0/24” I guess? 10.0.0.0/24 being my internal home network for example. (I just tried, it did not help)

I found a solution to c) on my android phone go to Settings => Private DNS and turn it to off. I had set it to dns.adguard.com previously and this had worked with zerotier which I am switching away from.

I am wondering if someone can double check this to confirm that the Android setting of “Private DNS” clashes with tailscale vpn settings as described.

This looks like https://github.com/tailscale/tailscale/issues/915, that Android’s VPN Service framework and Private DNS framework are incompatible. We haven’t come up with a good general solution yet, ways to avoid the problem are either:

  1. turn off Private DNS on the Android device (as you noted)
  2. Don’t configure any DNS servers in login.tailscale.com, nor enable Magic DNS. The incompatibility is between Private DNS and the Android VPN Service DNS support, by omitting any DNS servers we never call the VPN DNS support.

Note that this incompatibility is not unique to Tailscale, there are similar issues open for Cisco VPN and for the Google Fi VPN. Any Android VPN which calls the VPNService DNS functions while Private DNS is enabled runs into the same problem.

Sent from Front

2 Likes

Thanks for clarifying.