I have Debian running on an old laptop, with Pi-hole + Unbound + Tailscale running in independent Docker containers.
When trying to update ad lists (through the admin interface or via sudo docker exec pihole pihole -g on the host), I receive Status: Connection Refused. It seems that the Pi-hole cannot resolve any domains, as when I generated the debug log, there were multiple resolution errors. The upload also failed with Error message: curl: (6) Could not resolve host: tricorder.pi-hole.net.
However, the system does seem to work, as devices on my LAN and the Tailnet use the Pi-hole (queries are shown, and ads are blocked on a few test websites across different devices).
More details on my system: Pi-hole & Unbound have their network_mode set to the Tailscale container. Tailscale is additionally running on the host. The Tailnet is configured to use the Tailscale container (not the host) as the global nameserver ("Local DNS override" is enabled).
The Docker compose file is here: docker-compose.yml - Pastebin.com
The unbound configuration is here: pi-hole.conf - Pastebin.com
The file a-records.conf (used in the Docker setup) includes a DNS map of the Tailnet name to 100.100.100.100 (the Tailnet nameserver).
The file 99-edns.conf (used in the Docker setup) contains just 1 line: edns-packet-max=1232.