Setting up Pi-hole on the Tailscale network

I have been a fan of NextDNS for the last year or so. It’s easy to use, is cheap, and makes it incredibly easy to manage my ad-block lists. The configuration functionality of NextDNS is great as well, as it allows for compartmentalized setup.

However, I have always wanted to start using Pi-hole as it offers more data control (self-hosted) and because it’s open source. While Pi-hole setup is straightforward and it can act as a network-wide ad-blocker within your house, extending that to mobile/other networks for on-the-go usage is not easy. The Pi-hole docs have a guide about setting up that extension using the OpenVPN protocol, but I hear WireGuard has superior performance.

I tried Rajan’s guide, which uses WireGuard, and then Tailscale came along, which makes VPNs stupidly easy.

Tailscale is built on top of the WireGuard protocol as well.

Once you have installed and logged into your Tailscale account on your devices, they will basically be available on a flat network, allowing your devices to talk to each other. “Talk” in this context means setting up a service/server on one device, making it listen on the Tailscale network, and making the other devices connect to it.

For the purpose of this post, I will explain how I set up my Pi-hole to listen on the Tailscale network, allowing for network-wide ad blocking.

Get Tailscale on your devices and log in with a Google or Microsoft account

  • Tailscale is available for download on Android, iOS, Windows, Mac and Linux. You can get your copy here.
  • Once you have installed it, log into each device using your Google or Microsoft account.
  • Do so on the Linux device that you are about to use for your Pi-hole as well. If you have a Windows device, you can install Linux on it using Windows Subsystem for Linux.
  • Once that’s completed, you can find your devices on this Tailscale admin page.

Set up Pi-hole on a Linux device

It’s time to install Pi-hole on your Raspberry Pi or the Linux device.

Work through the Pi-hole setup guide here. The basic installer at the top of the page can work.

Note:

While setting that up, you will be prompted to choose a “listening interface”. Choose “tailscale0”, not “eth0”.

Once the setup is done, you can visit the Settings > DNS tab of your Pi-hole settings to verify that “Listen only on interface tailscale0” is selected under “Interface listening behavior”.

[Image: the “Interface Listening Behavior” setting on my Pi-hole]

At this stage, the Pi-hole setup is all done!

Marking Pi-hole as the DNS resolver for all Tailscale devices

Log into your Tailscale admin dashboard. Under the Name servers section, enter the Tailscale node address of the device you installed Pi-hole on.

Magic DNS

Make sure that you do not enable magic DNS. I am fuzzy on what it’s supposed to do, but I have noticed that non-Tailscale traffic doesn’t work when magic DNS is enabled. It’s probably being discussed on this GitHub issue.

In my case, I have two Pi-holes. One on my Raspberry Pi at home, and one on the Google Cloud. As such, the two addresses that I entered on my Tailscale name servers section are 100.112.92.63 and 100.127.221.120.

[Image: name servers entered on my Tailscale account]

Once your name servers are added, enable Tailscale on your computer/mobile devices. By doing so, your VPN configuration will be enabled, and all DNS queries will be tunneled to your Pi-hole. This works even when you are on a mobile network, outside of your house!

Disable private DNS on Android

If you have a private DNS address added on your Android settings, turn it off.

Things to note

One of the things that Tailscale promises is that the Tailscale node address never changes for your device. This ensures that the name servers that you just entered always work, thus not leaving you without a DNS resolver.

Are apps/websites not loading?

It’s possible that you enabled Tailscale on your computer/mobile before adding the Pi-hole’s node address on the Tailscale DNS page. In that case, restart Tailscale on your device so that it fetches the name servers from your admin console.

Do not enable the “Block connections without a VPN” setting in your Android VPN settings. Brad explains why here.

You can share your Tailscale node where Pi-hole is running (your Raspberry Pi device or the Linux device) with other Tailscale users. Once they accept the invite, they can add your Tailscale node address as the name server on their DNS page. By doing so, they will get the benefit of your Pi-hole as well.

This is not an open resolver. This Pi-hole DNS resolver will be accessible only by Tailscale nodes on your Tailscale network, and by those that you invite to that device.
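A small post-setup check I added for this post (it is not part of Pi-hole or Tailscale): it confirms the two things the steps above depend on, namely that the dnsmasq config only names tailscale0 as a listening interface and that the addresses you paste into the Tailscale name servers section are Tailscale node addresses. It assumes Pi-hole v5, whose installer writes the chosen interface to /etc/dnsmasq.d/01-pihole.conf as “interface=<name>”, and that Tailscale assigns node addresses from 100.64.0.0/10.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: Pi-hole v5 config
# layout (/etc/dnsmasq.d/01-pihole.conf) and Tailscale's 100.64.0.0/10 range.

# Return 0 when IPv4 address $1 lies inside 100.64.0.0/10 (100.64.0.0 to
# 100.127.255.255), i.e. it looks like a Tailscale node address and not a
# LAN or public address that would make the resolver reachable more widely.
in_tailscale_range() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    [ "$1" -eq 100 ] 2>/dev/null || return 1
    [ "$2" -ge 64 ] 2>/dev/null && [ "$2" -le 127 ]
}

# Return 0 when every uncommented "interface=" line in config file $1 names
# tailscale0 and at least one such line exists, matching the
# "Listen only on interface tailscale0" setting in the Pi-hole web UI.
listens_only_on_tailscale0() {
    conf=$1
    [ -r "$conf" ] || return 1
    ! grep -E '^[[:space:]]*interface=' "$conf" | grep -qv 'interface=tailscale0' &&
        grep -q '^[[:space:]]*interface=tailscale0' "$conf"
}

# Run both checks against the live system; addresses come from the post.
main() {
    status=0
    if listens_only_on_tailscale0 /etc/dnsmasq.d/01-pihole.conf; then
        echo "ok: Pi-hole listens only on tailscale0"
    else
        echo "warn: Pi-hole is not pinned to tailscale0"; status=1
    fi
    for addr in 100.112.92.63 100.127.221.120; do
        if in_tailscale_range "$addr"; then
            echo "ok: $addr is a Tailscale node address"
        else
            echo "warn: $addr is outside 100.64.0.0/10"; status=1
        fi
    done
    return $status
}

[ "${0##*/}" = "check_pihole_tailscale.sh" ] && main
```

Save it as check_pihole_tailscale.sh on the Pi-hole host and run it after the installer finishes; replace the two addresses with your own node addresses.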

