Hey #tailscale #homelab crowd, I need your wisdom! In my network I run a few services, some of them are on the tailnet, some of them aren't. My clients are mostly on the tailnet, but some aren't. I don't have a DNS server for local name resolution - I just use #headscale DNS extra records to point clients to the most important services.

Now, I want #pihole. How to make it available for both Tailscale and non-tailscale clients? Am I reading correctly that I'll need another DNS server to resolve local names?

@kiraso I'm not sure I fully understand your goals. However, I have added my three Pi-holes to the Headscale configuration, making them available for both Tailscale and non-Tailscale clients.
@lucas3d I want ad-blocking of #pihole for #Tailscale and non-Tailscale clients, and I want local services' DNS names resolved for both client types. I believe Tailscale clients should get Tailnet IPs of services, and regular clients should resolve them to local IPs. Plus, some local services are not available on the Tailnet at all.
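
The conditional (split-horizon) resolution described in the post above, as an added illustration that is not part of the thread and not Pi-hole or Tailscale code: a minimal DNS A-record responder that hands tailnet clients the tailnet address, LAN clients the LAN address, and returns NXDOMAIN to everyone else or for services that are LAN-only. The service names, addresses and the 192.168.0.0/24 LAN subnet are constructed assumptions; the 100.64.0.0/10 range is Tailscale's CGNAT range.

```python
import ipaddress
import struct

# Constructed service table (hypothetical names/addresses, not from the thread):
# name -> (LAN address, tailnet address or None if not exposed on the tailnet).
SERVICES = {
    "nextcloud.home.local": ("192.168.0.10", "100.100.99.10"),
    "printer.home.local": ("192.168.0.20", None),
}
TAILNET = ipaddress.ip_network("100.64.0.0/10")  # Tailscale's CGNAT range
LAN = ipaddress.ip_network("192.168.0.0/24")     # assumed local subnet

def resolve(name, client_ip):
    """A record the client should see, or None for NXDOMAIN: tailnet clients get
    tailnet addresses, LAN clients get LAN addresses, anyone else gets nothing."""
    entry = SERVICES.get(name.lower().rstrip("."))
    if entry is None:
        return None
    lan_ip, ts_ip = entry
    src = ipaddress.ip_address(client_ip)
    if src in TAILNET:
        return ts_ip                     # None for LAN-only services
    return lan_ip if src in LAN else None

def parse_question(msg):
    # Returns (id, qname, qtype, raw question section) of a single-question query.
    qid = struct.unpack("!H", msg[:2])[0]
    labels, pos = [], 12
    while msg[pos]:                      # walk the length-prefixed labels
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += n + 1
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return qid, ".".join(labels), qtype, msg[12:pos + 5]

def build_response(query, client_ip):
    # A real UDP server would take client_ip from the datagram's sender address.
    qid, qname, qtype, question = parse_question(query)
    addr = resolve(qname, client_ip) if qtype == 1 else None
    if addr is None:                     # flags QR|RD|RA, RCODE 3 = NXDOMAIN
        return struct.pack("!HHHHHH", qid, 0x8183, 1, 0, 0, 0) + question
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)  # name ptr, A, IN, TTL, len
    return (struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0) + question
            + rr + ipaddress.IPv4Address(addr).packed)

def build_query(name, qid=0x1234):
    # Standard recursion-desired A/IN query, used here to exercise the responder.
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00"
            + struct.pack("!HH", 1, 1))
```

Because the answer depends only on the source address, such a resolver must listen on both the LAN and the tailscale0 interface, and an unexpected source (neither range) learns nothing about local addressing.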

@kiraso I'm running tailscale on my router and I added a /24 route on the router announcing itself to the tailnet.

In the admin panel I added the /32 of the router as a DNS server.

My router serves DNS replies for hosts sending their hostname in their DHCP request.

@panda Not sure if I follow you. In my case, I can similarly run #Tailscale on my #pihole container and set it as a DNS for the tailnet. That will solve ad-blocking for tailnet, and may solve name resolution for services already on tailnet if I use that feature of Pi-hole.

What's the purpose of using it as a subnet router too? How does this help my non-tailscale clients resolve names of local services to non-tailscale IPs?

@kiraso You don't have to use it as a subnet router. I just explained my setup. My DNS server does not listen on the router's tailnet IP, that's one of the reasons I added a route.
@panda Ah, so you don't bother with having to resolve names conditionally, and all services just work on your local network IPs. And the subnet router helps Tailscale clients to reach them. Nice and simple. Looks like I may be overthinking my setup. Thank you!
@kiraso Set up a Subnet Router to allow your Tailscale devices to route to IPs in your local LAN.
Then set up your DHCP so that all clients use the PiHole IP as DNS. This way all your devices in your local LAN will use PiHole.
For your Tailscale clients, which are not in your local LAN, you can set the DNS server IP in the Tailscale Admin Console in the "DNS" section.

@benny Yeah, I was hoping to avoid using a subnet router - it's another failure point, potential bottleneck, and an extra hop for all DNS queries.

But this solution is simple. I'll definitely keep it in mind as a backup option if I cannot figure out anything else.

@kiraso You can also run Tailscale on the same machine as your PiHole, then you can use the Tailnet IP of this machine in your Tailnet DNS config and do not need a Subnet Router.
You only need to configure PiHole to listen on all interfaces and not only your Ethernet/WiFi interface.

https://docs.pi-hole.net/ftldns/interfaces/

All local devices will still use your local LAN IP.

@benny I don't think it's correct. Without a subnet router, how would roaming Tailscale clients connect to LAN services?

@kiraso When the service (#PiHole) is running on a client which is also a #Tailnet client, then it is a "local LAN service" and a "Tailnet service".

For example, if you install the Tailscale client and PiHole on a Raspberry Pi, you can access PiHole via both networks.
Devices on your local network will use the local IP address of the Pi, e.g. 192.168.0.2.
Devices on your Tailnet will use the Tailnet IP address of the Pi, e.g. 100.100.99.99.

@benny yes, that's right. But I'm talking about other services on my local LAN, like Nextcloud. It has a different IP from the Pihole device, and I'd want to access it by a domain name from both LAN and Tailscale clients.
@kiraso Sorry, I missed that it is more than PiHole. In theory you can bring all services into the Tailnet, but a Subnet Router is maybe easier to use.

@kiraso Maybe App Connectors are an option for you. They are similar to a Subnet Router, but work at the domain level and not the IP level.

https://tailscale.com/kb/1281/app-connectors

I haven't used them yet. But if I understand it correctly, you configure a Tailnet client as an App Connector and say that all requests from Tailnet clients to the domain *.home.local have to be routed over this client. The client, which is part of the LAN, then knows from PiHole that the domain e.g. nextcloud.home.local is the device with the IP 19.168.0.2.

@benny I'll check that out, thanks!