Using DNS VPNs like NextDNS & CloudFlare

When I’m running on MacOS 12.3.1, I like to use NextDNS or CloudFlare for browser privacy and blocking ads. But if I have this enabled and try to access my tailscale nodes, everything times out. Is there a setting to correct this?

I don’t know if there’s a setting for that. It seems incompatible to run both at the same time, since they are both fighting for supremacy over your internet traffic. However, you could set up a PiHole and set the global nameserver in your Tailscale account to the PiHole’s 100.x.x.x IP address. That would send all your DNS over Tailscale to the PiHole, which would run ad blocking for you.

Yeah, I thought about that. It’s just nice having both as in MacOS apps.

The thing I would have expected, actually, is that tailscale had a setting to turn off DNS, or just grab DNS when they were related to tailscale devices.

The thing I would have expected, actually, is that tailscale had a setting to turn off DNS

In the Tailscale icon in the menu bar in Preferences is a “Use Tailscale DNS Settings” selection which may do what you’re looking for.

Ooo - was hopeful, but gave it a try and still timed out.

How do you have your system configured to use NextDNS / CloudFlare? Are they set as the DNS resolvers in your OSX system preferences?

In Tailscale’s admin panel you can also configure DNS settings for your nodes to use. Does it work if you set the NextDNS / CloudFlare IPs there?

I’ll also note that if you put in any of the addresses in this list, they will automatically be contacted over an encrypted channel (DoH) so your ISP can’t see them: https://github.com/tailscale/tailscale/blob/cd916b728b0cc6ecd4613453f811f138f594d778/net/dns/publicdns/publicdns.go#L55-L98

If you’re not using the TS DNS, then you’ll need to add the TS addresses to whatever DNS you are using in order to be able to access them by name. The choices I see are:

  • Add the required external DNS servers to TS admin panel and turn on MagicDNS. You’ll need to remove or turn off the app from your hosts for this to work.
  • Create your own DNS server that returns TS addresses for TS hosts and forwards the request elsewhere for other hosts. This is the same as Mandhok suggested, and again requires turning off the local app.
  • Turn off TS DNS entirely and add the relevant addresses to whichever DNS you do use. I do this on my home account and add the TS names to NextDNS in Settings / Rewrites.

The last option seems the best for simplicity in your case and I think you’re already half way there.
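The second option above (a resolver that answers Tailscale names itself and forwards everything else), sketched as an added example that is not part of the original thread. The host name, the 100.64.0.10 address, the upstream address and the listening port are constructed placeholders.

```python
import socket
import struct

# Constructed sample data: a hypothetical tailnet name and a 100.x.x.x address.
TS_HOSTS = {"devbox.tailnet.example": "100.64.0.10"}
UPSTREAM = ("192.0.2.53", 53)  # placeholder; substitute your real upstream resolver

def parse_question(packet):
    """Return (qname, qtype, end_offset) of the first question in a DNS query."""
    labels, pos = [], 12                       # fixed DNS header is 12 bytes
    while packet[pos] != 0:
        length = packet[pos]
        if length > 63 or pos + 1 + length > len(packet):
            raise ValueError("malformed label")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return ".".join(labels), qtype, pos + 5

def local_answer(packet):
    """Answer tailnet names locally; return None when the query should be forwarded."""
    qname, qtype, end = parse_question(packet)
    if qname not in TS_HOSTS:
        return None
    answer = b""   # non-A types get an empty NOERROR reply, so the name never goes upstream
    if qtype == 1:                             # A record: pointer to qname, TTL 60
        answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                  + socket.inet_aton(TS_HOSTS[qname]))
    header = packet[:2] + struct.pack("!HHHHH", 0x8180, 1, 1 if answer else 0, 0, 0)
    return header + packet[12:end] + answer

def forward(packet, timeout=3.0):              # relay the raw query over UDP
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, UPSTREAM)
        return s.recvfrom(4096)[0]

def serve(bind=("127.0.0.1", 5300)):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(bind)
        while True:
            query, client = srv.recvfrom(4096)
            try:
                reply = local_answer(query) or forward(query)
            except (ValueError, IndexError, struct.error, OSError):
                continue                       # drop malformed or unanswerable queries
            srv.sendto(reply, client)

if __name__ == "__main__":
    serve()
```

Only plain UDP is handled here, so the forwarded leg is unencrypted unless the upstream is reached over a tunnel.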

Generally, it’s just I’m doing most of my work browsing/etc, but I use TS to get into my AWS/GCP accounts. Turning off is ok, but then every time I switch over to do development, I have to remember that’s why my tunnels are timing out.

One thing that works pretty well is using NextDNS in conjunction with MagicDNS and “override Local DNS” set to on, if you use the unique IPv6 address NextDNS gives you for your configured server. Do not add the IPv4 address, since that needs you to connect a client’s IP and keep that refreshed. For the same reason, you can’t use the AdGuard DNS beta as of now.

You’ll lose per-Client stats, of course, but everything else works.

For the future I’d wish Tailscale/MagicDNS adds support for DoH or something like that, maybe even with the possibility to give each Tailscale client a different DNS server, or maybe automatically build compatible addresses for NextDNS based on names.

Oh, we’re using this as part of an org, so I need to ask my global admin?

I only meant turn off the DNS in Tailscale, not disconnect everything. If you’re not in control of the Tailscale settings for the account you should still be able to turn off the DNS for your local machine:

After that, add the Tailscale addresses you need to the NextDNS settings and everything should work at once.

Using my NextDNS IPv6 addresses seems to break all DNS queries.

I just re-tested it. It works for me. The only thing that breaks Android devices is having them configured with Private DNS server in the Android settings. Disable that and DNS goes through Tailscale > NextDNS just fine.