Inside / outside homelab DNS setup, too fancy?

Hi all!

I’m a web developer new to homelab. I’ve gotten into homelab stuff and made a ton of progress this month. (see disclosure triangles below) A lot of this was thanks to videos from Jay and LLTV.

Lab progress thus far

Lab progress thus far

  • Set up OpwnWRT on my existing router
  • Put switches at center of local network
  • Added a NAS with its own reverse-proxy and wildcard letsencrypt via the DNS api
  • Added a UPS and NUT server on the NAS for the NAS and PiHole (How cool is NUT!?!)
  • Discontinued all DDNS and port-forwarding into my home
  • Added Tailscale to every host
  • Configured wifi SSIDs for home, guest, and IOT with their own DHCP address blocks and routing rules to block IOT from the web and segment guests and IOT from the lan
  • Configured all DNS traffic at home going through PiHole via OpwnWRT firewall, even if a host tries to use
My network setup

My network setup

OpenWRT router runs DHCP and DNS server
OpenWRT router has PiHole as an upstream DNS server
OpenWRT passes its own DNS server out via DHCP
PiHole listens on all interfaces (that means via Tailscale interface too)

How I can help others

How I can help others

  • web setup
  • ssh configs, remote access, portforwards
  • vim setup for remote editing
  • reverse proxies with nginx, traefic etc.
  • lets-encrypt and certificates

Now I’m looking for a final piece of setup that’s at the edge of my abilities.

My current challenge

I’d like to move from swapping DNS servers manually and editing hosts files to using DNS to solve roaming outside my home LAN while preserving domain names and TLS certificates.

Basically, I want my personal domain address, e.g. myhost.subdomain.mydomain.tld, to resolve to a local IP when at home, and a Tailscale (wireguard) IP when elsewhere. For example, in the ideal case my iOS apps and music web-apps served from my NAS would have no idea they’re switching between Tailscale and local connections.

How would I configure the PiHole/OpenWRT DNS setups to resolve two IPs for one domain name or host name?

I’m having trouble even knowing what to call this technique, so definitely at the edge of my abilities. It’s basically a single host name with multiple IPs, and I have OpenWRT, PiHole, and Tailscale to adjust to achieve this. At first I thought it was “split DNS”, or maybe something “search domains” could solve, or something leveraging “localise-queries” in dnsmasq, or perhaps special DNS configs purely within Tailscale.

Anyone know what this kind of setup is called?

Welcome to the forum, globstarr!

I heard it’s pretty cool. I only used apcupsd in the (distant) past, so NUT would probably be a big upgrade over that.

I’m not sure that’s possible. But I wonder why you’d need such a thing.

When I was working as a sysadmin, I had my external DNS (1 and 2) setup to answer to host.domain.tldand the internal DNS (3 and 4) setup to answer to host.intranet.domain.tld. But even if a host was accessed from the intranet without the intranet subdomain, it wouldn’t be too much of an issue, because ultimately, the traffic would go something like LAN → router1 → DMZ → router2 → back to DMZ → router1 → LAN (either same lan or another one), so it wouldn’t be getting out on the internet except for reaching the edge router.

However, you will have to explain your scenario deeper. I’m not familiar with Tailscale or how it sets up a wg vpn. Being a VPN, that means you have some kind of local access to the network, so I don’t see the point of not resolving a FQDN host into a single IP, the VPN can just go through to the network. Maybe instead of that, you need routes pushed on the wireguard config to know through which endpoint to go to access your resources.

In any case, the only thing I can think of to solve this would be to have 2 separate DNS servers and each resolving the same domain name, but giving out different IPs. Basically, when you are at home, your DHCP would serve you DNS-H (home), which would resolve host.subdomain.domain.tld into an IP address local on the network. If my assumption is right, you want DNS-O (outside) to resolve the same host.subdomain.domain.tld into the IP address used by the Wireguard interface instead? It would be just a matter of setting up a 2nd DNS and mapping the FQDN to the IP address and have your clients that are connected to the VPN use another DNS.

Again, I’m unfamiliar with Tailscale, but Wireguard itself has a parameter to set a custom DNS server for the client you are connecting to the tunnel to. Under the wgX.conf, add this:

DNS = ip-address

The IP should be of the DNS that resolves the IP addresses of the Tailscale IPs, but for that, you’d have to map them manually.

Still, the problem is that if you don’t disable your VPN, you would still be required to use the VPN addresses, unless again, the hosts on the VPN are resolved as the same IP as on the LAN, which would make having different IPs for the same FQDN irrelevant.

My unfamiliarity with tailscale makes me kinda unfit to answer this question, but if it’s anything like a normal VPN that you self-host, you would still only go to the edge router at most and come back to the internal network, so not leaving to the internet. But if the gateway is something on the internet, then I guess I would understand not wanting to go from the local LAN to the internet and back on the LAN.

Still, there are issues with changing the IP addresses on the fly, due to TCP handshakes. TLS is a layer7, so it doesn’t really matter so long as the domain remains the same.

I can tell you what I’m doing to solve this:

  • I’m running an internal DNS resolver at home (Unbound) where my local domains are set up. For instance points to internal servers like, etc.)
  • I have configured my DNS settings on a public DNS hosting service (like OpenDNS or similar). Here, points to my public IP address.
  • In my firewall, I’ve added portforwarding, so that HTTP/HTTPS requests go to the proper internal IP address (in this case my reverse proxy)
  • My laptop is configured to get DNS settings from DHCP - in this way it gets my local DNS server ( when I’m at home (and then resolves the internal IP address), and the default DNS server for the network when I’m not home (and then resolves my outside IP address for the domain)
  • If I wanted to force a specific DNS service when not at home (like Google or Cloudflare) I would have to change the DNS setting away from DHCP to a specific address (like or

I believe this is “just” called DNS. So hope it makes sense.

1 Like

Yeah, in your case even if you have your VPN connected while at home, it would still work fine and not go to the internet, just that the traffic will go to the edge of your network to the router facing the internet and back. Not a deal breaker for 90% of the networks.

I don’t know what tailscale does. I guess I’m hardheaded enough that I need a drawing of the network to understand OP’s needs.

Biky, thank you so much for your response. It’s been a few weeks since I initially started, and I’ve landed on something that’s working for me at the moment.

My solution now is to have my openwrt router act as a local DNS server and for its DHCP server to pass out it’s address as the DNS server. That DNSmasq on the router answers local queries for the domain locally, so on the lan names resolve to local 192.168.1/24 addresses. The router is not running tailscale.

When the above DNSmasq on the router needs to answer a query it doesn’t know about, I set it to forward to, my pi-hole DNS server. The pihole runs tailscale and answers queries on the 192.168.1/24 address space, and on the 100.* carrier-grade NAT addresses that tailscale uses. This means that the pi won’t get local LAN queries, but it will get them from tailscale 100.* devices.

They key thing here that you and ameinild helped with was getting the pi-hole to answer queries from tailscale devices on the same names. This took two steps.

The first step was to set tailscale up with “split dns” (their word for it), with the 100.x.x.x tailscale address of the pi-hole configured to answer queries from other 100.* addresses for the domain.

The second step was making pi-hole aware of those IPs. For this I had to dig into the dnsmasq configuration of pi-hole and read their documentation. The TL;DR of this is I added an addn-hosts directive into the pihole dnsmasq.d config file directory. In the file referenced by that directive I place the names and IPs of tailscale hosts using the tailscale-cli and a cron job that clobbers the file every hour, and another cron to restart the pihole dns server.

The drawbacks here are that it could take up to six hours for a new device to resolve, but I’m willing to accept that because I have a number of other manual steps when adding a host, and I have few hosts.

So to sum up, now inside or outside the house, the same domains “just work” on my phone, and I bypass wireguard while at home. Even my phone apps behave :slight_smile:

Thanks again :slight_smile:

1 Like