Pi-hole, Tailscale and split horizon

I have Tailscale on my home network using Pi-hole as DNS server. I have web services running through a reverse proxy. I have a FQDN that I only want to use inside my networks, but with a locally signed certificate. I want to be able to access my web services both through Tailscale and connected to my network directly. So basically have different DNS records depending on the interface that accesses my Pi-hole server. I have tried many different ways to configure dnsmasq, but not yet found how to have the 2 interfaces (eth0 and tailscale0) serve different IP addresses.

What is the way to make this work? Is there a howto somewhere that describes the process?


I am not sure about others, but I do not understand what you are asking... could you elaborate? Mostly how all that relates to your Pi-hole as DNS filter...

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or do it through the Web interface:

Tools > Generate Debug Log

I'm sorry for the confusing question. I'll try to clarify.

My Pi-Hole server has these interfaces:
local network (eth0): 192.168.0.68
tailscale network (tailscale0): 100.118.1.10

My proxy server:
local network: 192.168.0.61
tailscale network: 100.110.120.43

I have the domain myproxy.mydomain.com that I want to setup like this (using dig as example lookup):
"dig myproxy.mydomain.com @192.168.0.68" should return 192.168.0.61
"dig myproxy.mydomain.com @100.118.1.10" should return 100.110.120.43

So my question is how I can achieve this?

I have tried setting up Pi-hole and dnsmasq in many different ways but have not been able to get this split response.

I hope I was able to clarify what I'm trying to do here 🙂

Correct me where I am wrong.
Your Pi-hole is NOT an authoritative DNS for myproxy.mydomain.com, right? Meaning that it will resolve myproxy.mydomain.com to whatever it gets from the upstream DNS server.

No, my intention is that it IS the authoritative DNS for myproxy.mydomain.com. It should only be available on my networks, either my "physical" network or my Tailscale network.

Are we crossing the wire there?

  1. Pi-hole is acting as a caching DNS and is not holding the record for myproxy.mydomain.com; this domain resolves authoritatively elsewhere and Pi-hole only 'asks' for it? Is that right?
  2. How do you go about resolving myproxy.mydomain.com to two different IP addresses? What is doing it?

Potentially jumping to a conclusion, but if you are trying to tell your computers where the proxy server is, wouldn't that be easier with a PAC file?

Just to clarify, I do not believe you can natively create split horizon on Pi-hole - this would require a different DNS daemon, e.g. bind, and hence Pi-hole would query upstream DNS using the very same IP each time.

Pi-hole has below directive active:

$ cat /etc/dnsmasq.d/01-pihole.conf
[..]
localise-queries
$ man dnsmasq
[..]
       -y, --localise-queries
              Return answers to  DNS  queries  from  /etc/hosts  and
              --interface-name  and  --dynamic-host  which depend on
              the interface over which the query was received. If  a
              name has more than one address associated with it, and
              at least one of those addresses is on the same  subnet
              as the interface to which the query was sent, then re‐
              turn only the address(es) on that subnet. This  allows
              for a server  to have multiple addresses in /etc/hosts
              corresponding to each of  its  interfaces,  and  hosts
              will  get  the  correct address based on which network
              they are attached to. Currently this facility is  lim‐
              ited to IPv4.

If I add DNS records as an example:

$ ip -br -4 a
lo               UNKNOWN        127.0.0.1/8
eth0             UP             10.0.0.4/24
$ sudo nano /etc/pihole/custom.list
[..]
127.0.0.99 myproxy.mydomain.com
10.0.0.99 myproxy.mydomain.com
$ pihole restartdns
  [✓] Restarting DNS server
$ dig +short myproxy.mydomain.com @127.0.0.1
127.0.0.99
$ dig +short myproxy.mydomain.com @10.0.0.4
10.0.0.99

For the above example, I manually edited the custom.list file because the webGUI doesn't allow adding multiple records with the same domain name for some reason.

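To make the localise-queries rule from the man page concrete, here is an added example (my own code, not from this thread, Pi-hole or dnsmasq) that parses a hosts-style file and answers a query the way the rule describes: keep only the records on the subnet of the interface the query arrived on, and fall back to every record when none matches. The hosts content is constructed from the addresses given earlier in the thread. The prefix lengths passed in are assumptions; dnsmasq takes the netmask from the interface itself, so check what `ip -br -4 a` prints for tailscale0: if that address is configured as a /32, no other address shares its subnet and the fallback returns both records, which is the case worth testing with dig before relying on it.

```python
import ipaddress

# Constructed hosts-file content (not the thread's actual custom.list): two A
# records for the same name, one per network the Pi-hole is attached to,
# using the proxy addresses the original poster listed.
HOSTS_FILE = """\
# reverse proxy, LAN address
192.168.0.61 myproxy.mydomain.com
# reverse proxy, overlay-network address
100.110.120.43 myproxy.mydomain.com
127.0.0.1 localhost
"""


def parse_hosts(text):
    """Parse hosts-file syntax into {name: [IPv4Address, ...]}.

    Only IPv4 entries are kept, matching the man page's note that
    localise-queries is limited to IPv4. Comments and blank lines are skipped.
    """
    records = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        try:
            ip = ipaddress.IPv4Address(addr)
        except ipaddress.AddressValueError:
            continue  # IPv6 or malformed entry: not subject to this rule
        for name in names:
            records.setdefault(name.lower(), []).append(ip)
    return records


def localise(addresses, iface_cidr):
    """Apply the localise-queries rule.

    iface_cidr is the address plus prefix length of the interface the query
    arrived on, e.g. "192.168.0.68/24" (assumed value). Keep only the records
    on that interface's subnet; if none is on it, return all of them.
    """
    subnet = ipaddress.IPv4Interface(iface_cidr).network
    on_subnet = [a for a in addresses if a in subnet]
    return on_subnet if on_subnet else list(addresses)


def answer(records, name, iface_cidr):
    """Answer an A query for name as a list of dotted-quad strings."""
    addrs = records.get(name.lower(), [])
    return [str(a) for a in localise(addrs, iface_cidr)]


RECORDS = parse_hosts(HOSTS_FILE)

if __name__ == "__main__":
    # LAN-side query: only the 192.168.0.x record is returned.
    print(answer(RECORDS, "myproxy.mydomain.com", "192.168.0.68/24"))
    # Overlay-side query with a /10 on the interface: only the 100.x record.
    print(answer(RECORDS, "myproxy.mydomain.com", "100.118.1.10/10"))
    # Same interface configured as a /32: nothing shares its subnet, so the
    # rule falls back to both records. Verify which case applies with dig.
    print(answer(RECORDS, "myproxy.mydomain.com", "100.118.1.10/32"))
```

The third call is the one to compare against `dig +short myproxy.mydomain.com @100.118.1.10` on the real host: a single 100.x answer means the interface prefix covers the proxy's overlay address, while two answers mean the fallback kicked in and clients on that side will pick whichever address they like.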

That's interesting - rather than do it by the source, it would do it based on the 'destination' interface - cool

Wow, this was so much easier than what I was trying to do with fancy dnsmasq configs 😄
Thank you very much @deHakkelaar!


Maybe better to put those DNS records in a separate .list file so you can still use the webGUI to manipulate DNS records etc. without errors.
For that you'd have to create a new config file with the below content:

$ sudo nano /etc/dnsmasq.d/99-my-settings.conf
addn-hosts=/etc/pihole/my.list

FYI:

$ man dnsmasq
[..]
       -H, --addn-hosts=<file>
              Additional hosts file. Read the specified file as well
              as  /etc/hosts.  If --no-hosts is given, read only the
              specified file. This option may be repeated  for  more
              than  one  additional  hosts  file.  If a directory is
              given, then read all the files contained in  that  di‐
              rectory.

Dump those duplicate domain names with IPs in the below file instead:

/etc/pihole/my.list
