> Side note: for those wondering, Tailscale is Canadian and can't see the content of connections (although if you're worried about this it's also possible to self-host using Headscale).
However this is no longer the case. From Tailscale's Terms of service "Schedule A", "New customer accounts on or after September 3, 2024" are bound to "Tailscale US Inc., a Delaware corporation"
I do force all plain DNS on port 53 to my local dns (Adguard home + unbound on a gl-inet router). And I block common DoH addresses. There are many lists on Github. I collect them using github action to have one big list of their IP and addresses and block them.
This is not a bullet proof solution in case there is a semi known custom DoH an application use. But it is the best that I can do without Enterprise network gear and more complex setup that I would like to maintain.
I've run into some performance issues routing everything over a local wireguard link. I have a 10gig connection between my desktop and my NAS, though I only get ~1.1gbps over the wireguard link to the NAS. Without wireguard I can saturate the link.
I could probably tweak it, but I haven't had the bandwidth (ha) to troubleshoot it.
Neat! I set up something very similar a few years ago (just with raw dnsmasq); fun to see someone else hit upon the same solution.[0] For anyone running a similar setup: if you want to keep everything as-is, but also expose a single service to the Internet, you can use Tails ale's "Funnel" feature.[1] I use it to self-host Plausible on my home server (i.e. to allow hits to my blog to be counted by my home server, even though that server isn't "generally" available on the Internet).
10 comments
[ 3.1 ms ] story [ 33.7 ms ] threadCan’t you force traffic to 8.8.8.8 / 8.8.4.4 (especially port 53) to hit your PiHole instead?
> Side note: for those wondering, Tailscale is Canadian and can't see the content of connections (although if you're worried about this it's also possible to self-host using Headscale).
However this is no longer the case. From Tailscale's Terms of service "Schedule A", "New customer accounts on or after September 3, 2024" are bound to "Tailscale US Inc., a Delaware corporation"
This is not a bullet proof solution in case there is a semi known custom DoH an application use. But it is the best that I can do without Enterprise network gear and more complex setup that I would like to maintain.
Why trust the wires at all. Just run all traffic through VPN, even if it's in the same LAN.
This way, I know all traffic is encrypted. I don't have to worry about SMB or the like being plaintext.
I could probably tweak it, but I haven't had the bandwidth (ha) to troubleshoot it.
Can't an attacker spoof an IP and do SSRF? Or is nginx too good at detecting those kinds of attacks?
[0]: https://simpsonian.ca/blog/securing-home-network-dnsmasq-tai...
[1]: https://simpsonian.ca/blog/selfhosting-plausible/