Show HN: Pi-hole deployed at the edge on Fly.io and accessed via TailScale (github.com)
My simple solution involves running it on Fly.io to make it easy to relocate anywhere, and embedding tailscale into the same firecracker VM (né docker container) to keep the infra dead simple and cheap.
Naively deploying a publicly accessible DNS resolver is not ideal[^2] so the main constraint was to secure the VM by 1) keeping all public ports closed and 2) having Pi-hole listen only on the private network interface created by TailScale.
It's all very straightforward but it's noticeably improved my bandwidth usage and page loading times across my laptop and mobile phone, so I figured I'd share. Suggestions for improvement are also welcome!
[^1]: https://twitter.com/QuinnyPig/status/1558521941538983936
[^2]: https://www.cloudflare.com/learning/ddos/dns-amplification-d...
19 comments
[ 3.5 ms ] story [ 60.5 ms ] threadI think you can solve this limitation by passing in a static machine key.
It is stored in a json in /var/lib/tailscale/tailscaled.state. It's a bit off the beaten path but I believe that'll make the new instance keep the same 100.x IP address.[^1]: https://github.com/tailscale/tailscale/wiki/Glossary#machine...
Seriously, this is super interesting and useful.
To be fair though, the "VPN" here is peer-to-peer and, in the case of the Pi-hole, only used for DNS. We're not talking about tunneling all traffic. According to https://ping.nextdns.io/ the latency is similar.
I'd also imagine that on iOS the NextDNS app is implemented as a VPN, no? How else would they enforce the DNS config across networks? How would they avoid annoying tricks like ISP intercepting DNS?
But overall, I agree my setup probably only makes if you're already using tailscale for other things. :p
This made me realize that if someone is willing to give up the NextDNS apps and simply rely on their DNS nameservers, then they might still want to use Tailscale as a way to automatically enforce NextDNS nameservers for all enrolled devices. Kind of the best of both worlds.
For 8 quid a year, I own my own cloudflare domain which I can use for DDNS purposes. I run this on top of wireguard, and now I have a globally accessible VPN which I can use to access my personal home infrastructure wherever I go.
I wouldn't put pihole as something that needed to individually be run on the edge.
I have a bit of latency reaching my home lab when I'm traveling, hence my approach with Fly.io.
There's also the appeal of having a single self-contained Docker image solving a specific problem. I'm quite adverse to running critical services, or anything that I can't redeploy trivially, so overall I'd rather pay a bit of money for the peace of mind that a PaaS offers.
So maybe I’ll just run it over the open Internet..
I imagine that everyone’s battery usage is a bit different though. Based on their blog post on how they achieve NAT traversal, I could see some network topologies requiring aggressive efforts to keep everything connected. YMMV.
I do use Tailscale to also proxy all my traffic over my exit node. This means it has to be always active. For just dns I wouldn’t need to do that of course. Might save a lot of battery.