MagicDNS forces the use of Tailscale’s fallback resolver - Pihole+Unbound+Tailscale

Pi-hole Tailscale address has been set as the default global nameserver. MagicDNS activated to use "machine's name instead of its IP address".

Expected Behaviour:

Expected to see the Pi-hole Tailscale address after nslookup example.com

nslookup google.com
Server: Pihole Tailscale Address
Address: Pihole Tailscale Address#53

  • Operating System - macOS Ventura 13.7.1
  • Core v6.1.4, FTL v6.2.3, Web interface v6.2.1
  • Hardware - 2.3 GHz Quad-Core Intel Core i7
  • Running a Pi-hole+Unbound+Tailscale pipeline ...(trying)

Actual Behaviour:

nslookup example.com

Server: 100.100.100.100 -
Address: 100.100.100.100#53
MagicDNS = fallback resolver forced at 100.100.100.100

No way to make MagicDNS use only the Pi-hole IP as the visible DNS server unless MagicDNS is disabled from the Tailscale admin interface. Are DNS queries partially bypassing Pi-hole?

The log shows Pi-hole is receiving DNS queries and forwarding them to Unbound (127.0.0.1#5335), then replying correctly.

  • Some DNS queries might still bypass Pi-hole by going to Tailscale's fallback DNS (100.100.100.100).

Thanks in Advance.

Debug Token:

https://tricorder.pi-hole.net/vBwEg12P/

You can use Pi-hole and Tailscale MagicDNS together without leaks.

MagicDNS 100.100.100.100 will reply authoritatively to *.ts.net and forward all other requests to your configured servers in Tailscale admin UI > DNS > Nameservers.
To avoid DNS leaks via DNS servers provided by the OS (possibly via DHCP), it is recommended to set "Override DNS servers" to true.

When using MagicDNS all DNS traffic seems to be going to 100.100.100.100, which then will forward the queries. Pi-hole however still sees the original Tailscale IP in the logs.

Note that 100.100.100.100 is not a server run by Tailscale but an IP-Address used by the locally running tailscaled.
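The forwarding described in the reply above (the OS hands the query to the local tailscaled stub, which sends it on to the tailnet's global nameserver, and Pi-hole logs the query under the client's own Tailscale IP) can be checked from Pi-hole's own log without any network access. The script below is an added example, not code from this thread, from Pi-hole or from Tailscale. It assumes the dnsmasq-style line format of /var/log/pihole/pihole.log, that tailnet node addresses come from the 100.64.0.0/10 CGNAT range, that 100.100.100.100 is the local MagicDNS stub and that Unbound answers on 127.0.0.1#5335 as the thread states; the log lines and the nslookup output embedded in it are constructed samples.

```python
"""Audit a Pi-hole log excerpt for tailnet clients and their upstreams.

Added example (not from the thread, Pi-hole or Tailscale). Assumptions:
dnsmasq-style pihole.log lines, tailnet addresses in 100.64.0.0/10,
100.100.100.100 as the local MagicDNS stub, Unbound on 127.0.0.1#5335.
"""
import ipaddress
import re
from collections import defaultdict

TAILNET = ipaddress.ip_network("100.64.0.0/10")   # assumed Tailscale node range
MAGICDNS_STUB = "100.100.100.100"                  # local tailscaled resolver
UNBOUND_UPSTREAM = "127.0.0.1#5335"                # upstream named in the thread

QUERY_RE = re.compile(r"query\[[A-Z]+\] (?P<name>\S+) from (?P<client>\S+)$")
FORWARD_RE = re.compile(r"forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
BLOCKED_RE = re.compile(r"gravity blocked (?P<name>\S+) is ")

# Constructed sample log: two tailnet clients and one LAN client. The last
# client's query is forwarded somewhere other than Unbound on purpose.
SAMPLE_LOG = """\
Jun  1 10:00:01 dnsmasq[612]: query[A] example.com from 100.101.102.103
Jun  1 10:00:01 dnsmasq[612]: forwarded example.com to 127.0.0.1#5335
Jun  1 10:00:01 dnsmasq[612]: reply example.com is 93.184.216.34
Jun  1 10:00:02 dnsmasq[612]: query[A] ads.example.net from 100.101.102.103
Jun  1 10:00:02 dnsmasq[612]: gravity blocked ads.example.net is 0.0.0.0
Jun  1 10:00:03 dnsmasq[612]: query[AAAA] example.org from 192.168.1.20
Jun  1 10:00:03 dnsmasq[612]: forwarded example.org to 127.0.0.1#5335
Jun  1 10:00:04 dnsmasq[612]: query[A] news.example.org from 100.101.102.104
Jun  1 10:00:04 dnsmasq[612]: forwarded news.example.org to 8.8.8.8#53
"""

# Constructed nslookup output as seen on a MagicDNS-enabled client.
SAMPLE_NSLOOKUP = "Server:\t\t100.100.100.100\nAddress:\t100.100.100.100#53\n"


def is_tailnet_client(ip: str) -> bool:
    """True when the address falls inside the assumed tailnet range."""
    try:
        return ipaddress.ip_address(ip) in TAILNET
    except ValueError:
        return False


def audit_pihole_log(text: str) -> dict:
    """Summarise per client: queries seen, forwarded, blocked, tailnet or not.

    dnsmasq logs 'forwarded'/'blocked' lines by name only, so each is tied
    back to the most recent query for that name.
    """
    pending = {}  # name -> client that most recently asked for it
    clients = defaultdict(lambda: {"queries": 0, "forwarded": 0,
                                   "blocked": 0, "tailnet": False})
    wrong_upstream = []  # (client, name, upstream) that did not go to Unbound
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            client, name = m["client"], m["name"]
            pending[name] = client
            clients[client]["queries"] += 1
            clients[client]["tailnet"] = is_tailnet_client(client)
            continue
        m = FORWARD_RE.search(line)
        if m:
            client = pending.get(m["name"], "?")
            clients[client]["forwarded"] += 1
            if m["upstream"] != UNBOUND_UPSTREAM:
                wrong_upstream.append((client, m["name"], m["upstream"]))
            continue
        m = BLOCKED_RE.search(line)
        if m:
            clients[pending.get(m["name"], "?")]["blocked"] += 1
    return {"clients": dict(clients), "wrong_upstream": wrong_upstream}


def resolver_seen_by_nslookup(output: str) -> str:
    """Classify the 'Server:' line that nslookup prints on the client.

    'magicdns-stub' means the OS sent the query to the local tailscaled,
    which forwards it to the tailnet nameserver; the Pi-hole log, not this
    line, is where delivery to Pi-hole is confirmed.
    """
    m = re.search(r"^Server:\s+(\S+)", output, re.M)
    if not m:
        return "unknown"
    server = m.group(1)
    if server == MAGICDNS_STUB:
        return "magicdns-stub"
    if is_tailnet_client(server):
        return "tailnet-nameserver"
    return "other"


if __name__ == "__main__":
    print("client resolver:", resolver_seen_by_nslookup(SAMPLE_NSLOOKUP))
    report = audit_pihole_log(SAMPLE_LOG)
    for ip, stats in report["clients"].items():
        print(ip, stats)
    for client, name, upstream in report["wrong_upstream"]:
        print(f"WARNING: {name} from {client} forwarded to {upstream}")
```

On a real system, feed it the log with `python3 audit.py < /var/log/pihole/pihole.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`; a tailnet client that appears in the report with its queries forwarded to Unbound is passing through Pi-hole as the reply above describes, while a tailnet client that never appears at all is the case worth investigating.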

I’m pausing my use of Tailscale for now until they provide full control over routing and DNS without forced fallback resolvers.

What do you mean by "fallback resolver"?
In my setup I rely on specific DNS requests getting blocked (if they aren't blocked it may cause several hours of inconvenience), and the only 2 times I had a leak/issue were when Tailscale was unable to start.

What do I mean? Not all DNS queries are routed through Pi-hole, so some tracking and ad domains slip through. When MagicDNS is on, Tailscale injects (uses) 100.100.100.100 as a fallback DNS, causing inconsistent DNS resolution. Split behavior.

It might be worth your time to examine the Tailscale docs.

They are quite detailed:

Global nameservers

A global nameserver handles DNS queries for any domain. You can use a public DNS nameserver or run your own to include additional DNS mappings.

By default, your tailnet's devices use their local DNS settings for all queries. To force clients to always use the nameservers you define, you can enable the Override DNS servers toggle.

Again, Tailscale's DNS is built for ease of use, not for strict DNS control. When MagicDNS is enabled, it forces 100.100.100.100 as a fallback, which can and does bypass Pi-hole at some point, depending on OS behavior, config, or network conditions. For context, Tailscale has had DNS and identity issues in the past:

  • Jan 2024: hello.ts.net leaked identity data due to an IP assignment bug. It was patched by Jan 29, but it happened.
  • TS-2023-006: The client allowed external exposure of UDP ports via UPnP. Fixed in v1.48.1, but again — it’s proof of design tradeoffs.

Just to be clear, they've had multiple Windows security flaws tied to their service. I believe Tailscale works well for quick setups but isn't bulletproof or fully controllable. Though, built on WireGuard, it provides a solid foundation.

...meantime

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.