FRESH

Hacker News

Configuring Split Horizon DNS with Pi-Hole and Tailscale

117 points by gm678

by dolmen

3 subcomments

The post says:
> Side note: for those wondering, Tailscale is Canadian and can't see the content of connections (although if you're worried about this it's also possible to self-host using Headscale).
However this is no longer the case. From Tailscale's Terms of service "Schedule A", "New customer accounts on or after September 3, 2024" are bound to "Tailscale US Inc., a Delaware corporation"

by elashri

2 subcomments

I do force all plain DNS on port 53 to my local dns (Adguard home + unbound on a gl-inet router). And I block common DoH addresses. There are many lists on Github. I collect them using github action to have one big list of their IP and addresses and block them.
This is not a bullet proof solution in case there is a semi known custom DoH an application use. But it is the best that I can do without Enterprise network gear and more complex setup that I would like to maintain.

by JoshWVS

0 subcomment

Neat! I set up something very similar a few years ago (just with raw dnsmasq); fun to see someone else hit upon the same solution.[0] For anyone running a similar setup: if you want to keep everything as-is, but also expose a single service to the Internet, you can use Tails ale's "Funnel" feature.[1] I use it to self-host Plausible on my home server (i.e. to allow hits to my blog to be counted by my home server, even though that server isn't "generally" available on the Internet).
[0]: https://simpsonian.ca/blog/securing-home-network-dnsmasq-tai...
[1]: https://simpsonian.ca/blog/selfhosting-plausible/

by leipert

6 subcomments

> Chromecasts ignore local DNS... grrr
Can’t you force traffic to 8.8.8.8 / 8.8.4.4 (especially port 53) to hit your PiHole instead?

by snvzz

3 subcomments

I use headscale and took the high road: Tailscale IPs all the time.
Why trust the wires at all. Just run all traffic through VPN, even if it's in the same LAN.
This way, I know all traffic is encrypted. I don't have to worry about SMB or the like being plaintext.

by udev4096

1 subcomments

> allow 192.168.3.0/24;
Can't an attacker spoof an IP and do SSRF? Or is nginx too good at detecting those kinds of attacks?

by pinoy420

0 subcomment