No way to make MagicDNS use only the Pi-hole IP as the visible DNS server, short of disabling MagicDNS from the Tailscale admin interface. Are DNS queries partially bypassing Pi-hole?
The log shows Pi-hole is receiving DNS queries and forwarding them to Unbound (127.0.0.1#5335), then replying correctly.
Some DNS queries might still bypass Pi-hole by going to Tailscale's fallback DNS (100.100.100.100).
You can use Pi-hole and Tailscale MagicDNS together without leaks.
MagicDNS (100.100.100.100) will reply authoritatively for *.ts.net and forward all other requests to the servers you configured in the Tailscale admin UI > DNS > Nameservers.
To avoid DNS leaks via DNS servers provided by the OS (possibly via DHCP), it is recommended to set "Override DNS servers" to true.
When using MagicDNS, all DNS traffic seems to go to 100.100.100.100, which then forwards the queries. Pi-hole, however, still sees the original Tailscale IP in the logs.
Note that 100.100.100.100 is not a server run by Tailscale but an IP address used by the locally running tailscaled.
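Because Pi-hole still logs the originating Tailscale IP (not 100.100.100.100), the Pi-hole/dnsmasq log is the place to verify that tailnet clients are actually resolving through Pi-hole and on to Unbound. The following is an added example, not code from this thread or from Tailscale or Pi-hole: it parses constructed dnsmasq-style log lines, attributes `forwarded` and `gravity blocked` lines to the most recent `query` for the same name (a heuristic, since dnsmasq does not print the client on those lines), and flags two conditions a defender cares about: an expected tailnet client that never shows up (a sign its queries are going elsewhere) and queries forwarded to an upstream other than the local Unbound instance. The client addresses, domain names and expected upstream `127.0.0.1#5335` are assumptions for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Tailscale hands out node addresses from the CGNAT range 100.64.0.0/10;
# MagicDNS listens on 100.100.100.100, which sits inside that range.
TAILNET_RANGE = ipaddress.ip_network("100.64.0.0/10")
MAGICDNS_IP = ipaddress.ip_address("100.100.100.100")
# Expected upstream: the local Unbound instance mentioned in the thread.
EXPECTED_UPSTREAM = "127.0.0.1#5335"

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")
FORWARD_RE = re.compile(r"forwarded (?P<name>\S+) to (?P<upstream>\S+)")
BLOCK_RE = re.compile(r"gravity blocked (?P<name>\S+) is ")

# Constructed sample log in Pi-hole's dnsmasq format; not captured from a real host.
SAMPLE_LOG = """\
Jan 20 10:00:01 dnsmasq[512]: query[A] example.com from 100.101.102.103
Jan 20 10:00:01 dnsmasq[512]: forwarded example.com to 127.0.0.1#5335
Jan 20 10:00:01 dnsmasq[512]: reply example.com is 93.184.216.34
Jan 20 10:00:05 dnsmasq[512]: query[A] ads.example.net from 100.101.102.103
Jan 20 10:00:05 dnsmasq[512]: gravity blocked ads.example.net is 0.0.0.0
Jan 20 10:00:09 dnsmasq[512]: query[AAAA] example.org from 192.168.1.20
Jan 20 10:00:09 dnsmasq[512]: forwarded example.org to 127.0.0.1#5335
Jan 20 10:00:12 dnsmasq[512]: query[A] tracker.example.com from 100.101.102.103
Jan 20 10:00:12 dnsmasq[512]: forwarded tracker.example.com to 8.8.8.8
"""


def is_tailnet_client(ip):
    """True if the address is a Tailscale node address (and not MagicDNS itself)."""
    addr = ipaddress.ip_address(ip)
    return addr in TAILNET_RANGE and addr != MAGICDNS_IP


def parse_pihole_log(text):
    """Per-client counters: total queries, gravity blocks, and forwards per upstream."""
    stats = defaultdict(lambda: {"queries": 0, "blocked": 0, "upstreams": defaultdict(int)})
    last_client = {}  # name -> client that most recently queried it (attribution heuristic)
    for line in text.splitlines():
        if m := QUERY_RE.search(line):
            stats[m["client"]]["queries"] += 1
            last_client[m["name"]] = m["client"]
        elif m := FORWARD_RE.search(line):
            client = last_client.get(m["name"])
            if client is not None:
                stats[client]["upstreams"][m["upstream"]] += 1
        elif m := BLOCK_RE.search(line):
            client = last_client.get(m["name"])
            if client is not None:
                stats[client]["blocked"] += 1
    return stats


def audit(stats, expected_tailnet_clients, upstream=EXPECTED_UPSTREAM):
    """Return human-readable findings about clients that look like they bypass Pi-hole
    and about forwards that did not go to the expected upstream."""
    findings = []
    seen = set(stats)
    for ip in expected_tailnet_clients:
        if ip not in seen:
            findings.append(f"{ip}: no queries seen in log; client may be resolving outside Pi-hole")
    for ip, s in stats.items():
        origin = "tailnet" if is_tailnet_client(ip) else "lan"
        for up, n in s["upstreams"].items():
            if up != upstream:
                findings.append(f"{ip} ({origin}): {n} quer{'y' if n == 1 else 'ies'} forwarded to unexpected upstream {up}")
    return findings


if __name__ == "__main__":
    stats = parse_pihole_log(SAMPLE_LOG)
    for ip, s in stats.items():
        print(ip, "tailnet" if is_tailnet_client(ip) else "lan", dict(s, upstreams=dict(s["upstreams"])))
    for f in audit(stats, ["100.101.102.103", "100.104.105.106"]):
        print("FINDING:", f)
```

On a real Pi-hole you would feed it `/var/log/pihole/pihole.log` (or `pihole.log` under `/var/log` on older installs) and the list of node addresses from your tailnet; a node that is absent from the log while it is known to be online is the concrete symptom of the "bypass" the thread is asking about, and the upstream check catches a Pi-hole that has been pointed somewhere other than Unbound.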
What do you mean by "fallback resolver"?
In my setup I rely on specific DNS requests getting blocked (if they aren't blocked it may cause several hours of inconvenience), and the only two times I had a leak/issue were when Tailscale was unable to start.
What do I mean? Not all DNS queries are routed through Pi-hole, so some tracking and ad domains slip through. When MagicDNS is on, Tailscale injects (uses) 100.100.100.100 as a fallback DNS, causing inconsistent DNS resolution. Split behavior.
A global nameserver handles DNS queries for any domain. You can use a public DNS nameserver or run your own to include additional DNS mappings.
By default, your tailnet's devices use their local DNS settings for all queries. To force clients to always use the nameservers you define, you can enable the Override DNS servers toggle.
Again, Tailscale's DNS is built for ease of use, not for strict DNS control. When MagicDNS is enabled, it forces 100.100.100.100 as a fallback, which can and does bypass Pi-hole at some point, depending on OS behavior, config, or network conditions. For context, Tailscale has had DNS and identity issues in the past:
Jan 2024: hello.ts.net leaked identity data due to an IP assignment bug. It was patched by Jan 29, but it happened.
TS-2023-006: The client allowed external exposure of UDP ports via UPnP. Fixed in v1.48.1, but again — it’s proof of design tradeoffs.
Just to be clear, they've had multiple Windows security flaws tied to their service. I believe Tailscale works well for quick setups but isn't bulletproof or fully controllable. Though, being built on WireGuard, it provides a solid foundation.