I have a tailscale exit node set up in a Linux VPS. On that VPS I’ve also installed pihole to act as DNS for the tailnet.
When I run a DNS leak test from a machine on the tailnet I get confusing results. I appear to be using servers in my home country (also my current location).
The servers don’t say they are owned by my ISP but I suspect that’s the case. It’s the only way the machine could have got their addresses. I’ve tried on multiple machines to test this.
In Tailscale settings each machine is configured to use Tailscale DNS. Tailscale has been told to use Quad9 in the event pihole is unreachable. Needless to say, Quad9 is not located in my home country.
I’m a noob to both Tailscale and pihole so I’m probably missing something obvious?
On that VPS I’ve also installed pihole to act as DNS for the tailnet.
What’s the upstream server for pihole? Is it also Quad9, or are you doing full recursive DNS with unbound or something?
Needless to say, Quad9 is not located in my home country.
Quad9 uses an anycast IP that can route to one of over 200 locations in 90 different nations; usually this routes to your closest location.
You can use on.quad9.net to check if you are using Quad9.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
DNS: Domain Name Service/System
HTTP: Hypertext Transfer Protocol, the Web
HTTPS: HTTP over SSL
IP: Internet Protocol
PiHole: Network-wide ad-blocker (DNS sinkhole)
SSL: Secure Sockets Layer, for transparent encryption
VPS: Virtual Private Server (opposed to shared hosting)
5 acronyms in this thread; the most compressed thread commented on today has 6 acronyms.
[Thread #1012 for this comm, first seen 21st Jan 2026, 02:55]
In your Tailscale DNS panel, disable “Use with exit node” option for your nameservers.
When turned on, that option actually allows you to talk directly to nameservers without tunneling DNS queries through the exit node. Since Quad9 in fact has a worldwide CDN, this would leak your (general) DNS query location.
I believe Tailscale sends the queries in parallel and fetches the faster response, which is Quad9 in this case. Ideally for your use case, all your queries should be able to reach and show up in Pi-hole’s logs. Use the tailscale dns commands for further debugging.
Which test are you running exactly?
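A practical way to act on the advice above (every query should show up in Pi-hole’s logs) is to resolve a unique, uncacheable name from a tailnet client and then look for that exact name in Pi-hole’s query log on the VPS. The script below is an added example written for this thread, not code from Tailscale, Pi-hole or any poster. It assumes Pi-hole keeps its dnsmasq-format query log at /var/log/pihole/pihole.log (override with PIHOLE_LOG), that dig is installed on the client, and it uses the placeholder domain example.invalid for the probe name.

```shell
#!/bin/sh
# Added example for this thread (not Tailscale's or Pi-hole's own tooling).
# Assumption: Pi-hole's query log is dnsmasq-style, e.g.
#   Jan 21 02:55:01 dnsmasq[1234]: query[A] leak-1.example.invalid from 100.64.0.2
PIHOLE_LOG="${PIHOLE_LOG:-/var/log/pihole/pihole.log}"

# Build a throwaway hostname: unique, so no cache can answer it and it is easy
# to find in the log. example.invalid is a placeholder domain.
make_probe_name() {
    printf 'leak-%s-%s.example.invalid\n' "$(date +%s)" "$$"
}

# Print the client address(es) Pi-hole logged as asking for NAME, one per line.
# Only "query[...] NAME from CLIENT" lines count; "forwarded"/"reply" lines do not.
clients_for_name() {
    log="$1"; name="$2"
    grep -F "query[" "$log" | grep -F " $name from " | awk '{print $NF}' | sort -u
}

# Run on a tailnet client: resolve a fresh probe name through whatever resolver
# the OS currently uses (the Tailscale-managed one) and print the name.
probe() {
    name="$(make_probe_name)"
    dig +short +tries=1 +time=3 "$name" >/dev/null 2>&1 || true
    echo "$name"
}

# Run on the VPS: did the probe name reach Pi-hole? If not, the client's
# query went to some other resolver, i.e. it bypassed Pi-hole.
check() {
    clients="$(clients_for_name "$PIHOLE_LOG" "$1")"
    if [ -n "$clients" ]; then
        echo "OK: Pi-hole logged $1 from: $clients"
        return 0
    fi
    echo "LEAK?: $1 never reached Pi-hole"
    return 1
}

case "${1:-}" in
    --probe) probe ;;
    --check) check "$2" ;;
esac
```

Usage: on a tailnet machine run `sh dnscheck.sh --probe` and note the printed name; on the VPS run `sh dnscheck.sh --check <that name>`. A name that never appears in Pi-hole’s log means the client resolved it elsewhere, which is exactly the bypass the "Use with exit node" discussion is about.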
Two things I would check:
Resolvers configured in PiHole
Test using browser with DNS over HTTPS instead of the system configuration
I’m using this checker.
Did a bit more digging - the two companies listed (WoodyNet and i3D) are both linked to Quad9. But I had assumed Quad9 always resolved in Switzerland. WoodyNet resolves in my home country, i3D in the same country as the VPS.
i3D I can understand. WoodyNet resolving in my own country is very odd.
Need more details about how you’re running this test.
Replied with details on other comment