Split DNS
Split DNS routes DNS queries to different resolvers depending on the domain being looked up. For example, you can send queries for your own domain to a DNS server on your local network while everything else keeps going to your usual public resolver.
Understanding Split DNS
Tailscale's Split DNS feature lets home lab users integrate their tailnet with a local DNS resolver such as AdGuard Home or Pi-hole. This guide walks through setting up a custom domain for your local services, using either a purchased domain or a local-only domain.
When you enable Split DNS in Tailscale, a query takes one of two paths:
Default behavior: every query that is not for your configured domain (browsing Google, reading the news) continues to use the DNS servers your device normally uses. Ordinary browsing is unchanged.
Split behavior (local domain): queries for the domain you configured in Tailscale (e.g. anything under yourdomain.fr) are sent to your local resolver (AdGuard Home or Pi-hole), which must be reachable from the tailnet.
The key benefit: you can use clean, memorable hostnames such as adguard.yourdomain.fr for internal applications that are not publicly exposed. Resolution happens on your own resolver, so it does not depend on public DNS, and your internal hostnames and private IP addresses are never published in public DNS records.
How to set it up in Proxmox
Create an AdGuard Home LXC (or Pi-hole if you prefer): https://community-scripts.github.io/ProxmoxVE/scripts?id=adguard. The initial setup wizard listens on port 3000; once it is complete, the dashboard is served on port 80.
Create your reverse proxy in another LXC. For simplicity this guide uses NPMplus: https://community-scripts.github.io/ProxmoxVE/scripts?id=npmplus
Enable Split DNS at https://login.tailscale.com/admin/dns: click Add a nameserver > Custom, enter the IP of your AdGuard LXC (e.g. 192.168.1.110) and restrict it to the domain yourdomain.fr. Tailnet clients must actually be able to reach that address: either run Tailscale inside the AdGuard LXC and use its tailnet IP as the nameserver, or advertise your LAN subnet through a Tailscale subnet router; a plain LAN address is unreachable from clients outside your home.

In the AdGuard dashboard go to Filters > DNS Rewrites and add two entries, both pointing to the NPM LXC IP: one for yourdomain.fr and one for *.yourdomain.fr.

In NPM > TLS Certificates, add your two certificates (one for *.yourdomain.fr and one for yourdomain.fr). You only need to buy a domain if you want public access (useful for apps like Immich or Nextcloud that should be able to sync 24/7 from anywhere). If you own the domain you can let NPM request Let's Encrypt certificates; note that a wildcard certificate (*.yourdomain.fr) can only be obtained through the DNS challenge, so NPM needs API credentials for your DNS provider. If you prefer a free, local-only domain, you must generate a self-signed certificate yourself; see Using a Local-Only (Unpurchased) Domain.
In NPM > Proxy Hosts, add each of your services. From any device on the tailnet, nslookup adguard.yourdomain.fr should now return the NPM LXC IP; if it returns a public address or fails, the Split DNS nameserver is not reachable from that device.
Many apps need Websockets Support enabled on their proxy host in NPM.
Using a Local-Only (Unpurchased) Domain
You can use any domain name you like without purchasing it, but you then have to handle TLS certificates yourself. Choose a name that cannot collide with a real one: home.arpa is reserved for exactly this purpose (RFC 8375), and a domain you do not own may resolve to someone else's servers on the public internet. Avoid .local (e.g. myhomelab.local), which is reserved for mDNS (RFC 6762): macOS, iOS and Linux hosts running Avahi resolve .local names by multicast and may never ask your DNS server at all.
The Self-Signed Certificate Challenge
Public certificate authorities only issue certificates for domains whose control you can prove, which is impossible for a name that exists only on your local network, so you must generate the certificate yourself.
With a self-signed certificate your browser displays a security warning. To remove it (and to let the browser negotiate HTTP/2, which it refuses on connections with certificate errors), install and trust the generated .crt file on every device you use (on Windows, double-click it and add it to the Trusted Root Certification Authorities store). Be aware of what that trust means: every device that trusts the certificate will accept anything signed with its private key for *.yourdomain.fr for as long as the certificate is valid, and there is no revocation for it. Keep the private key on the NPM host only, and prefer trusting a private CA certificate rather than the server certificate itself, so the server key can be rotated without touching every device again.
Script to Generate a Wildcard Self-Signed Certificate
This script generates a certificate that covers both the wildcard (*.YOURDOMAIN.FR) and the root domain (YOURDOMAIN.FR), valid for 100 years (36,500 days). Two caveats: the names must be in the certificate's subjectAltName, not only in the CN, or current browsers reject it; and Apple devices (iOS, macOS) refuse TLS server certificates valid for more than 825 days even after you have trusted them manually, so use a shorter lifetime if you have such devices.
Add the resulting certificate and key to NPM as a custom certificate. If you have bought a domain name you do not need to generate anything: NPM can request the certificate for you. Either way, request a single wildcard certificate for *.YOURDOMAIN.FR and reuse it for every proxy host instead of requesting a separate certificate for each subdomain.
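The following is an added example, not the page's own script. It goes one step beyond the single self-signed certificate described above: it creates a small private root CA and then issues the wildcard server certificate from it, so devices trust only ca.crt and the server key can be reissued at any time. The function names gen_homelab_certs and verify_homelab_cert, the domain yourdomain.fr, the output directory and the lifetimes (3650 days for the CA, 825 days for the server certificate) are assumptions for the example.

```shell
#!/bin/sh
# Added example (not the page's or NPM's own script): private root CA + wildcard server cert.
# Assumed: function names, the domain yourdomain.fr, an output directory, and the
# lifetimes 3650 days (CA) / 825 days (server certificate).
set -eu

# gen_homelab_certs DOMAIN OUTDIR [CA_DAYS] [LEAF_DAYS]
gen_homelab_certs() {
    domain="$1"
    outdir="$2"
    ca_days="${3:-3650}"
    leaf_days="${4:-825}"   # Apple devices reject TLS server certs valid for more than 825 days
    mkdir -p "$outdir"

    # Self-contained OpenSSL config so the result does not depend on the system openssl.cnf.
    # v3_ca is applied to the root, v3_leaf to the server certificate.
    cat > "$outdir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.${domain}, DNS:${domain}
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

    # 1. Root CA. ca.crt is the only file you import into device trust stores;
    #    ca.key should stay on the machine where you run this, not on the NPM host.
    openssl req -x509 -newkey rsa:4096 -sha256 -nodes \
        -config "$outdir/openssl.cnf" -extensions v3_ca \
        -days "$ca_days" -subj "/CN=Homelab Root CA for ${domain}" \
        -keyout "$outdir/ca.key" -out "$outdir/ca.crt"

    # 2. Server key and CSR. The names go into the SAN via v3_leaf at signing time;
    #    browsers ignore the CN.
    openssl req -new -newkey rsa:2048 -sha256 -nodes \
        -config "$outdir/openssl.cnf" -subj "/CN=*.${domain}" \
        -keyout "$outdir/wildcard.key" -out "$outdir/wildcard.csr"

    # 3. Issue the server certificate from the CA with the v3_leaf extensions.
    openssl x509 -req -sha256 -days "$leaf_days" \
        -in "$outdir/wildcard.csr" \
        -CA "$outdir/ca.crt" -CAkey "$outdir/ca.key" -CAcreateserial \
        -extfile "$outdir/openssl.cnf" -extensions v3_leaf \
        -out "$outdir/wildcard.crt"

    chmod 600 "$outdir/ca.key" "$outdir/wildcard.key"
}

# verify_homelab_cert OUTDIR HOSTNAME
# Checks chain, server-auth purpose and hostname the way a client would.
# Returns non-zero for names the wildcard does not cover, e.g. a.b.DOMAIN.
verify_homelab_cert() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslserver \
        -verify_hostname "$2" "$1/wildcard.crt" >/dev/null 2>&1
}

# Run as a script: ./gen-homelab-certs.sh yourdomain.fr ./certs
if [ "$#" -ge 2 ]; then
    gen_homelab_certs "$@"
    if verify_homelab_cert "$2" "adguard.$1"; then
        echo "adguard.$1 verifies against $2/ca.crt"
    else
        echo "verification failed" >&2
        exit 1
    fi
fi
```

Import ca.crt (never the .key files) into the trust store of each device. In NPM, add wildcard.crt and wildcard.key as a custom certificate and attach it to every proxy host. When the 825 days are up, rerun steps 2 and 3 with the same CA: devices keep trusting ca.crt, so nothing has to be reinstalled. Note that *.yourdomain.fr covers adguard.yourdomain.fr but not a.b.yourdomain.fr; add a second-level wildcard to the SAN if you need nested names.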