[Feature] Support "Use with exit node" feature for nameservers #1116

New Issue

adam · 2025-12-29T02:28:20+01:00

adam commented

2025-12-29 02:28:20 +01:00

Originally created by @stratself on GitHub (Oct 26, 2025).

Use case

I want to use an exit node with my self-hosted DNS server (Pihole etc), without needing to take the round trip to the exit node itself.

Current:

graph LR
client --> exit-node --> internet
exit-node --> dns-server --> internet

Wanted:

graph LR
client --> exit-node --> internet
client --> dns-server --> internet

Previously, this wasn't possible, because connecting to an exit node teleports my DNS resolutions there too. I have to configure routebacks to Pihole and open up ACLs from the exit node.

Description

Starting with v1.90.1 Tailscale now allows you to use a specific DNS resolver even when connecting to an exit node. The feature is documented here.

On the Tailscale panel it looks something like this:

I'd kindly request support for this feature to be integrated into Headscale.

Contribution

I can write the design doc for this feature
I can contribute this feature

How can it be implemented?

Config-wise, it'd probably be another field in the config.yaml

dns:
  nameservers:
    global:
      - 100.64.0.53
    split: {}
    use_with_exit_node:
      - 100.64.0.53

But maybe nameservers can be configured via API too. I'll leave the details to implementors.

Originally created by @stratself on GitHub (Oct 26, 2025). ### Use case I want to use an exit node with my self-hosted DNS server (Pihole etc), without needing to take the round trip to the exit node itself. Current: ```mermaid graph LR client --> exit-node --> internet exit-node --> dns-server --> internet ``` Wanted: ```mermaid graph LR client --> exit-node --> internet client --> dns-server --> internet ``` Previously, this wasn't possible, because connecting to an exit node teleports my DNS resolutions there too. I have to configure routebacks to Pihole and open up ACLs from the exit node. ### Description Starting with [v1.90.1](https://tailscale.com/changelog#2025-10-23) Tailscale now allows you to use a specific DNS resolver even when connecting to an exit node. The feature is documented [here](https://tailscale.com/kb/1054/dns#nameservers-and-exit-nodes). On the Tailscale panel it looks something like this: <img height="600" alt="Image" src="https://github.com/user-attachments/assets/5ce23135-fd49-43c5-aae0-f3d0bebf105f" /> I'd kindly request support for this feature to be integrated into Headscale. ### Contribution - [ ] I can write the design doc for this feature - [ ] I can contribute this feature ### How can it be implemented? Config-wise, it'd probably be another field in the `config.yaml` ```yaml dns: nameservers: global: - 100.64.0.53 split: {} use_with_exit_node: - 100.64.0.53 ``` But maybe nameservers can be configured via API too. I'll leave the details to implementors.

adam added the enhancement no-stale-bot DNS labels 2025-12-29 02:28:20 +01:00

adam commented

2025-12-29 02:28:21 +01:00

@stratself commented on GitHub (Nov 17, 2025):

An update:

My initial understanding of this feature is incorrect. Tailscale allows UseWithExitNode with both Split DNS and Global nameservers:

In the first case, requests will go directly to the resolver for split DNS domains
In the second case, requests will go directly to the resolver for all domains

This could be useful for homelab setups, where you want only some of your domains to be resolved directly without the roundtrip to the exit node itself.

graph LR
  client -->|all-other-domains| exit-node --> internet
  client -->|homelab.domain| local-dns

The following configuration on Tailscale's control plane:

Would result in the following tailscale debug netmap DNS:

{
    "DNS": {
        "Resolvers": [
            {
                "Addr": "100.64.0.1"
            },
            {
                "Addr": "100.64.0.2"
            },
            {
                "Addr": "100.64.0.3",
                "UseWithExitNode": true
            }
        ],
        "Routes": {
            "homelab.org": [
                {
                    "Addr": "100.64.0.1",
                    "UseWithExitNode": true
                },
                {
                    "Addr": "100.64.0.2"
                }
            ],
            "tailc4ff1e.ts.net.": null,
            "ts.net.": [
                {
                    "Addr": "199.247.155.53"
                },
                {
                    "Addr": "2620:111:8007::53"
                }
            ]
        }
    }
}

@stratself commented on GitHub (Nov 17, 2025): **An update:** My initial understanding of this feature is incorrect. Tailscale allows `UseWithExitNode` with both Split DNS and Global nameservers: - In the first case, requests will go directly to the resolver for split DNS domains - In the second case, requests will go directly to the resolver for all domains This could be useful for homelab setups, where you want only some of your domains to be resolved directly without the roundtrip to the exit node itself. ```mermaid graph LR client -->|all-other-domains| exit-node --> internet client -->|homelab.domain| local-dns ``` The following configuration on Tailscale's control plane: <img width="2074" height="1486" alt="Image" src="https://github.com/user-attachments/assets/a7a45d19-e5e3-4283-9faa-346df8c8c541" /> Would result in the following `tailscale debug netmap` DNS: ```json { "DNS": { "Resolvers": [ { "Addr": "100.64.0.1" }, { "Addr": "100.64.0.2" }, { "Addr": "100.64.0.3", "UseWithExitNode": true } ], "Routes": { "homelab.org": [ { "Addr": "100.64.0.1", "UseWithExitNode": true }, { "Addr": "100.64.0.2" } ], "tailc4ff1e.ts.net.": null, "ts.net.": [ { "Addr": "199.247.155.53" }, { "Addr": "2620:111:8007::53" } ] } } } ```

adam referenced this issue

2025-12-29 03:18:39 +01:00

[PR #1116] [CLOSED] Repeat ToStringSlice #1892

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#1116