DNS Issue - PiHole

I run Pi-hole at home on my server, and my issues stem from local hostname resolution. I also run Tailscale, which has intermittent issues while I am physically away and split tunneled, but only on my iPhone, and seemingly only with my internal services.

I have a reverse proxy setup (Nginx Proxy Manager), and Pi-hole has manual entries for A and CNAME records for my internal services. The MacBook works fine, other VMs work fine; my only issue is my iPhone.

When I am home, I am not connected to the tailnet and things mostly work OK, although right now as I type this my phone is not working correctly with internal services. I am seeing Chrome on my phone fail trying to connect via Cloudflare, which means this request is making its way out onto the internet somehow… I see the query pop up in Pi-hole, and it shows served from cache and is serving the correct IP, but somehow it's still trying to go out the WAN:

(The iPhone is at 10.70.5.13, Nginx Proxy Manager is at 10.90.5.6, so in theory the log below shows things should work, I think?)

2025-12-30 12:32:11.582 query[HTTPS] frigate.mydomain.com from 10.70.5.13 
2025-12-30 12:32:11.582 config frigate.mydomain.com is <CNAME> 
2025-12-30 12:32:11.585 query[A] frigate.mydomain.com from 10.70.5.13 
2025-12-30 12:32:11.585 config frigate.mydomain.com is <CNAME> 
2025-12-30 12:32:11.585 /etc/pihole/hosts/custom.list npm.mydomain.com is 10.90.5.6

The example above is from my phone trying to connect to Frigate via Chrome on the iPhone while being local (so not even routing through the tailnet, so this instance isn't a Tailscale issue at all; I am not sure any of my issues are specific to Tailscale, it sure seems like a pure DNS issue on the iPhone).

I routinely do see this happen when I am split tunneled on my iPhone (which is 100% of the time when away from home), but my MacBook works flawlessly always, and it is also always split tunneled when away, also using Chrome. I know I don't know enough to understand why, but I have a feeling my phone is trying to use DoH or something and is somehow bypassing the response from Pi-hole?
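As an added illustration (this is not code from the thread or from Pi-hole; the parser and the extra example.com lines are mine), here is a small checker for the dnsmasq-format log lines Pi-hole writes, applied to the lines pasted above. It groups each `query[...]` line with the answer lines that follow it, records whether the answer came from local config (`config`, the custom.list file, `cached`) or was `forwarded` upstream, follows the CNAME chain to the final address, and then asserts the property the poster expects of an internal name: every address query for it is answered locally and ends at the reverse proxy's LAN address, never at an upstream resolver. The 10.0.0.0/8 LAN range, the example.com transaction and the timestamps are assumptions for the sample only.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample, modelled on the Pi-hole (dnsmasq-format) log lines in the
# post above. The example.com transaction is added to show what a query that
# leaves for an upstream resolver looks like; it is not from the post.
# query[HTTPS] is the HTTPS (type 65) record lookup modern clients issue
# alongside the A lookup.
SAMPLE_LOG = """\
2025-12-30 12:32:11.582 query[HTTPS] frigate.mydomain.com from 10.70.5.13
2025-12-30 12:32:11.582 config frigate.mydomain.com is <CNAME>
2025-12-30 12:32:11.585 query[A] frigate.mydomain.com from 10.70.5.13
2025-12-30 12:32:11.585 config frigate.mydomain.com is <CNAME>
2025-12-30 12:32:11.585 /etc/pihole/hosts/custom.list npm.mydomain.com is 10.90.5.6
2025-12-30 12:32:12.100 query[A] example.com from 10.70.5.13
2025-12-30 12:32:12.101 forwarded example.com to 1.1.1.1
2025-12-30 12:32:12.130 reply example.com is 93.184.216.34
"""

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"
QUERY_RE = re.compile(rf"^{TS} query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<client>\S+)$")
FORWARD_RE = re.compile(rf"^{TS} forwarded (?P<name>\S+) to (?P<upstream>\S+)$")
# Covers "config NAME is VALUE", "/path/custom.list NAME is IP", "cached ..." and "reply ...".
ANSWER_RE = re.compile(rf"^{TS} (?P<source>\S+) (?P<name>\S+) is (?P<value>\S+)$")


@dataclass
class Transaction:
    qtype: str
    name: str
    client: str
    answers: list = field(default_factory=list)    # (source, name, value) in log order
    upstreams: list = field(default_factory=list)  # resolvers the query was forwarded to

    @property
    def forwarded(self) -> bool:
        return bool(self.upstreams)

    @property
    def final_ip(self) -> Optional[str]:
        """Last non-CNAME answer, i.e. the address the client was actually told."""
        ips = [v for _, _, v in self.answers if not v.startswith("<")]
        return ips[-1] if ips else None

    @property
    def cname_chain(self) -> list:
        """Names the resolver walked through on the way to an address."""
        return [n for _, n, _ in self.answers]


def parse_log(text: str) -> list:
    """A query[...] line opens a transaction; the answer/forwarded lines that
    follow (until the next query line) belong to it."""
    txs = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if m := QUERY_RE.match(line):
            txs.append(Transaction(m["qtype"], m["name"], m["client"]))
        elif not txs:
            continue  # answer line before any query: nothing to attach it to
        elif m := FORWARD_RE.match(line):
            txs[-1].upstreams.append(m["upstream"])
        elif m := ANSWER_RE.match(line):
            txs[-1].answers.append((m["source"], m["name"], m["value"]))
    return txs


def check_local_name(txs: list, name: str, expected_ip: str, lan: str = "10.0.0.0/8") -> dict:
    """The property an internally hosted name should satisfy in this log:
    never forwarded upstream, and every address answer is the proxy's LAN IP."""
    lan_net = ip_network(lan)
    problems, seen = [], 0
    for tx in txs:
        if tx.name != name:
            continue
        seen += 1
        if tx.forwarded:
            problems.append(f"{tx.qtype} query from {tx.client} forwarded to {tx.upstreams}")
        ip = tx.final_ip
        if tx.qtype in ("A", "AAAA") and ip is None:
            problems.append(f"{tx.qtype} query from {tx.client} got no address")
        elif ip is not None:
            if ip != expected_ip:
                problems.append(f"{tx.qtype} query from {tx.client} resolved to {ip}, expected {expected_ip}")
            elif ip_address(ip) not in lan_net:
                problems.append(f"{ip} is not inside {lan}")
    return {"queries": seen, "ok": seen > 0 and not problems, "problems": problems}


if __name__ == "__main__":
    txs = parse_log(SAMPLE_LOG)
    for tx in txs:
        where = f"forwarded to {tx.upstreams}" if tx.forwarded else "answered locally"
        print(f"{tx.qtype:5} {tx.name} from {tx.client}: {where}, chain={tx.cname_chain}, ip={tx.final_ip}")
    print(check_local_name(txs, "frigate.mydomain.com", "10.90.5.6"))
    print(check_local_name(txs, "example.com", "10.90.5.6"))
```

Run against the real `/var/log/pihole/pihole.log` (or the query log export) filtered to the phone's address. If the check passes for the phone's queries while the phone still ends up at the Cloudflare-fronted public address, Pi-hole did its job and the client obtained the name from somewhere other than Pi-hole, which is the split the poster is trying to establish; if instead a transaction for the name shows a `forwarded` line, the local record is not matching and the problem is on the Pi-hole side.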

I am confused as to what you are doing with Cloudflare.

I have an AdGuard host on my LAN which I am able to use on my tailnet by simply specifying the AdGuard tailnet IP 10.xxx.xxx.xxx as a DNS server in the Tailscale admin console. When I am physically at home, I turn off Tailscale on my client machines, which then switch to the local IP 192.xxx.xxx.xxx of the AdGuard host (as configured on clients by the AdGuard DHCP server).

This basically allows me to seamlessly access http(s)://adguardhostname as an unqualified domain (or adguardhostname.home in the case of my friggin' Windoze clients) regardless of whether I am at home or remotely connected to my tailnet.

No Cloudflare required…

Cloudflare is being hit because I host Zero Trust tunnels and DDNS via Cloudflare, so my domain name does publicly resolve to my public IP… but that shouldn't be happening with Frigate or any of my other local services, as I have custom records in Pi-hole to redirect them to my Nginx Proxy Manager, which then forwards the traffic on to the correct local service.

The fact that Cloudflare is being hit is an indication the query is somehow making its way onto the internet and not staying local as it should. And since frigate.mydomain.com does not actually resolve publicly, that's why there is an error, but that is just a byproduct of the problem; this should never even try to hit the WAN…