I am using tailscale on my NAS, Macbook and on my phone. At home I am running adguardhome on my NAS (similar to pi-hole) to block ads.
When I am not at home I would like my Macbook and mobile phone to use the NAS as the DNS when tailscape is connected on those devices.
The benefit would be that if I want to surf securely I would connect my phone to tailscale and it would automatically use my NAS as DNS hence I would see no ads on my phone.
As soon as I disconnect from tailscale my phone would again use my ISP’s DNS.
The only relevant article I found was this one: Subnet routes and relay nodes - Tailscale as it touches upon the subject but there they only route certain domains through tailscape.
Can you please try adding your NAS IP as DNS in the Tailscale admin console? That should help you to use your NAS as your DNS server for all your tailscale devices.
Nameservers: these are the IP addresses of existing DNS servers you want your Tailscale nodes to use for lookups, whenever they are connected to your network. Many companies have internal private DNS servers with the names of their private machines. If so, you can add those DNS servers here. Note that unless your DNS servers are either public, or using Tailscale 100.x addresses, you will probably need to configure subnet routing so that your nodes can reach the private DNS server(s).
NAS, Macbook and phone. The ad filtering DNS runs on the NAS and is listening on 0.0.0.0:53 so if I go to my tailscale dashboard => DNS and enter the 100.x.x.x IP of the NAS as DNS it works insofar as
a) my Macbook can resolve domain names
b) my NAS can resolve domain names
c) my mobile phone is completely cut off from the internet, no name resolution works
d) my DNS only shows the NAS as client and none of the other 2 devices
I assume I could solve d) by starting tailscale on the nas with “tailscale up --advertise-routes=10.0.0.0/24” I guess? 10.0.0.0/24 being my internal home network for example. (I just tried, it did not help)
I found a solution to c) on my android phone go to Settings => Private DNS and turn it to off. I had set it to dns.adguard.com previously and this had worked with zerotier which I am switching away from.
I am wondering if someone can double check this to confirm that the Android setting of “Private DNS” clashes with tailscale vpn settings as described.
This looks like https://github.com/tailscale/tailscale/issues/915, that Android’s VPN Service framework and Private DNS framework are incompatible. We haven’t come up with a good general solution yet, ways to avoid the problem are either:
turn off Private DNS on the Android device (as you noted)
Don’t configure any DNS servers in login.tailscale.com, nor enable Magic DNS. The incompatibility is between Private DNS and the Android VPN Service DNS support, by omitting any DNS servers we never call the VPN DNS support.
Note that this incompatibility is not unique to Tailscale, there are similar issues open for Cisco VPN and for the Google Fi VPN. Any Android VPN which calls the VPNService DNS functions while Private DNS is enabled runs into the same problem.
