Tailscale not returning preferential IP when DNS gives multiple responses

I am running my own DNS server via pihole+unbound on my private LAN (192.168.1.0/24). I have a reverse proxy instance (caddy) that also runs a tailnet client and acts as a subnet router for the range of the private LAN.

Everything works fine, except for one app (jellyfin).

For security reasons I have a single jellyfin instance running on two different subnets, one of which is meant to be an internal VLAN. I have DNS set up to return both IPs when resolving the jellyfin hostname.

Most applications when receiving multiple addresses from the DNS will preferentially choose the one on the same subnet… But tailscale is responding with the other subnet (meant for the VLAN)…

Is the best option overriding the host using MagicDNS?

I’ve got good reasons for setting it up this way:

  • pihole does not allow multiple IPs per address by default (though I've since learned it's possible to override it via config)
  • unbound sees all requests as coming in from localhost so can't differentiate requests originating from different subnets - otherwise this would be self-contained in the unbound config

I know having preference for same-subnet is not guaranteed but tailscale is the first package I’ve seen that doesn’t follow this convention.

Thoughts?
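The "same-subnet preference" the post relies on is what RFC 6724 calls rule 9, longest matching prefix: when a resolver returns several addresses, the client library orders them by how many leading bits each shares with one of the host's own addresses. The added example below (written here, not code from the original post, Tailscale, pihole or unbound) models that rule in Python to show that the preference only exists relative to the querying host's own addresses. The A records, the VLAN range 10.20.30.0/24 and the tailnet address are constructed sample data; real libc implementations add further rules and may differ in detail.

```python
import ipaddress

# Constructed sample data (not from the original post): the two A records
# returned for the jellyfin hostname, one per subnet. The VLAN range is an
# assumption; the resolver happens to list the VLAN record first.
JELLYFIN_ANSWERS = ["10.20.30.50", "192.168.1.50"]


def common_prefix_len(a: ipaddress.IPv4Address, b: ipaddress.IPv4Address) -> int:
    """Count the leading bits two IPv4 addresses have in common."""
    diff = int(a) ^ int(b)
    return 32 - diff.bit_length()


def prefix_score(answer: str, local_addrs: list[str]) -> int:
    """Longest common prefix between one DNS answer and any local address."""
    ans = ipaddress.IPv4Address(answer)
    return max(common_prefix_len(ans, ipaddress.IPv4Address(l)) for l in local_addrs)


def order_answers(answers: list[str], local_addrs: list[str]) -> list[str]:
    """Simplified RFC 6724 rule 9: answers sharing the longest prefix with one
    of the host's own addresses come first. sorted() is stable, so answers
    with equal scores keep the order the resolver returned them in."""
    return sorted(answers, key=lambda a: prefix_score(a, local_addrs), reverse=True)


def pick(answers: list[str], local_addrs: list[str]) -> str:
    """The address a rule-9 client would try first."""
    return order_answers(answers, local_addrs)[0]


if __name__ == "__main__":
    # A host on the private LAN shares 24+ bits with the 192.168.1.x record,
    # so that record is tried first regardless of resolver order.
    lan_host = ["192.168.1.23"]
    print(order_answers(JELLYFIN_ANSWERS, lan_host))

    # A host whose only address is a tailnet address (100.64.0.0/10 range,
    # constructed) shares at most one leading bit with either record, so the
    # rule has nothing meaningful to go on and the ordering is effectively noise.
    tailnet_host = ["100.101.102.103"]
    for a in JELLYFIN_ANSWERS:
        print(a, "score:", prefix_score(a, tailnet_host))
    print("tailnet host would try:", pick(JELLYFIN_ANSWERS, tailnet_host))
```

The second case is the caveat worth checking before overriding anything in MagicDNS: if the client doing the lookup holds only a tailnet address (rather than an address on 192.168.1.0/24), a prefix-based sort cannot express "prefer the LAN subnet" at all, so which record comes out on top depends on details that have nothing to do with the intended topology.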