> Side note: for those wondering, Tailscale is Canadian and can't see the content of connections (although if you're worried about this it's also possible to self-host using Headscale).
However this is no longer the case. From Tailscale's Terms of service "Schedule A", "New customer accounts on or after September 3, 2024" are bound to "Tailscale US Inc., a Delaware corporation"
This is not a bulletproof solution in case there is a semi-known custom DoH server an application uses. But it is the best that I can do without enterprise network gear and a more complex setup than I would like to maintain.
[0]: https://simpsonian.ca/blog/securing-home-network-dnsmasq-tai...
Can’t you force traffic to 8.8.8.8 / 8.8.4.4 (especially port 53) to hit your PiHole instead?
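One way to do that on a Linux router with nftables, as an added example that is not from the thread: every plain-DNS (port 53) packet leaving the LAN is DNATed to the Pi-hole, so clients that hardcode 8.8.8.8 / 8.8.4.4 still land on it. The interface name `lan0` and the Pi-hole address `192.168.1.2` are assumptions; change them for your network.

```nft
# Added example (not from the thread): redirect all LAN port-53 traffic to a Pi-hole.
# Assumptions: LAN interface "lan0", Pi-hole at 192.168.1.2 on that same LAN.
table ip dns_redirect {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # The Pi-hole's own upstream queries must pass unmodified, otherwise
        # they would be rewritten back to itself and loop.
        iifname "lan0" ip saddr 192.168.1.2 return

        # Every other LAN client's UDP or TCP DNS query goes to the Pi-hole,
        # regardless of which resolver IP the client asked for.
        iifname "lan0" udp dport 53 dnat to 192.168.1.2
        iifname "lan0" tcp dport 53 dnat to 192.168.1.2
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Hairpin case: client and Pi-hole share the LAN, so masquerade the
        # rewritten query. Otherwise the Pi-hole answers the client directly
        # from an unexpected source address and the client discards the reply.
        oifname "lan0" ip daddr 192.168.1.2 udp dport 53 masquerade
        oifname "lan0" ip daddr 192.168.1.2 tcp dport 53 masquerade
    }
}
```

Load it with `nft -f`; as the comment above notes, this only catches classic DNS, not DoT on 853 or DoH inside HTTPS.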
Why trust the wires at all. Just run all traffic through VPN, even if it's in the same LAN.
This way, I know all traffic is encrypted. I don't have to worry about SMB or the like being plaintext.
Can't an attacker spoof an IP and do SSRF? Or is nginx too good at detecting those kinds of attacks?