I have a tailscale exit node set up in a Linux VPS. On that VPS I’ve also installed pihole to act as DNS for the tailnet.
When I run a DNS leak test from a machine on the tailnet I get confusing results. I appear to be using servers in my home country (also my current location).
The servers don’t say they are owned by my ISP but I suspect that’s the case. Its the only way the machine could have got their addresses. I’ve tried on multiple machines to test this.
In Tailscale settings each machine is configured to use Tailscale DNS. Tailscale has been told to use Quad9 in the event pihole is unreachable. Needless to say, Quad9 is not located in my home country.
I’m a noob to both Tailscale and pihole so I’m probably missing something obvious?
In your Tailscale DNS panel, disable “Use with exit node” option for your nameservers.
When turned on, that option actually allows you to talk directly to nameservers without tunneling DNS queries through the exit node. Since Quad9 in fact has a worldwide CDN, this would leak your (general) DNS query location.
I believe Tailscale send the queries in parallel and fetch the faster response, which is Quad9 in this case. Ideally for your use case, all your queries should be able to reach and show up in Pi-hole’s logs. Use
tailscale dnscommands for further debugging