NextDNS DNS Rewrite Breaks Tailscale Funnel Access — Debugging & Fix

NextDNS DNS Rewrite Breaks Tailscale Funnel Access

Problem

After setting up Tailscale Funnel to publicly expose self-hosted services (Home Assistant, Nextcloud), certain devices couldn't access the Funnel URLs (https://homelab.taile97128.ts.net and https://homelab.taile97128.ts.net:8443), while others worked fine.

Symptoms

  • Laptop (macOS, Tailscale running): ✅ Works
  • Laptop (macOS, Tailscale off): ❌ Cannot load
  • iPhone (NextDNS enabled): ❌ Cannot load (Safari, any browser)
  • iPhone (NextDNS disabled): ✅ Works
  • Wife's iPhone (NextDNS enabled): ❌ Cannot load

Misleading Clues

  • NextDNS logs showed no blocked queries for *.ts.net — the domain resolved successfully
  • DNS resolution via dns.google on the phone returned the correct Funnel IPs (208.111.34.11, 208.111.35.209)
  • dig and nslookup from other machines all resolved correctly
  • iCloud Private Relay was suspected but wasn't the cause

Root Cause

A NextDNS DNS Rewrite rule was configured:

*.taile97128.ts.net → 100.101.93.128

This rewrote every name under the tailnet domain, including the Funnel hostname, to a Tailscale-internal address in the CGNAT range Tailscale uses (100.64.0.0/10), replacing the public Funnel ingress IPs in the answer.

  • When Tailscale VPN is connected, the device has a route to 100.101.93.128 → works
  • When Tailscale VPN is off (or not installed), nothing routes 100.101.93.128; the TCP connection hangs until it times out, with no DNS error to point at

The rewrite was probably added before Funnel was enabled, so that *.taile97128.ts.net names went straight to the node's Tailscale address. Once Funnel was turned on, it broke public access for any device resolving through NextDNS without an active Tailscale connection.

Why It Was Hard to Find

  1. No "blocked" log entries — DNS rewrites aren't logged as blocks in NextDNS
  2. DNS resolved successfully — the rewrite returns an IP (just the wrong one for non-Tailscale devices)
  3. Worked on some devices — any device with Tailscale running could reach the internal IP
  4. External DNS tests passed: dig @8.8.8.8 and dig @45.90.28.0 go to resolvers that never apply the NextDNS profile's rewrite rules, so they return the public Funnel IPs
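A way to catch this class of failure directly, added here as an example and not part of the original gist: resolve the Funnel hostname through the device's own resolver (whatever NextDNS profile the OS is pointed at) and through one or more explicit resolvers, then flag any answer that lands in Tailscale's CGNAT range or differs from the public answer. It uses only the Python standard library, building the UDP DNS query by hand; the resolver addresses and the default hostname are taken from the write-up above, and the script needs network access only in its `query`/`resolve_system` functions.

```python
"""Spot a DNS rewrite that points a public hostname at a Tailscale CGNAT address.

Usage: python dns_rewrite_check.py homelab.taile97128.ts.net [resolver_ip ...]
Example code; not part of NextDNS or Tailscale tooling.
"""
import socket
import struct
import sys
from ipaddress import ip_address, ip_network

TAILSCALE_CGNAT = ip_network("100.64.0.0/10")  # Tailscale node addresses come from here
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(ip: str) -> str:
    """Label an IPv4 address by where it can be reached from."""
    addr = ip_address(ip)
    if addr in TAILSCALE_CGNAT:
        return "tailscale-cgnat"  # only reachable with Tailscale connected
    if any(addr in n for n in RFC1918) or addr.is_loopback or addr.is_link_local:
        return "private"
    return "public"


def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query: 12-byte header, QNAME, QTYPE=A, QCLASS=IN."""
    labels = name.strip(".").split(".")
    qname = b"".join(struct.pack("B", len(lbl)) + lbl.encode() for lbl in labels) + b"\x00"
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return header + qname + struct.pack(">HH", 1, 1)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(msg: bytes) -> list[str]:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])  # TYPE, CLASS, TTL, RDLENGTH
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs


def query(server: str, name: str, timeout: float = 3.0) -> list[str]:
    """Ask one specific resolver (plain UDP/53) for A records. Needs network."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_answers(data)


def resolve_system(name: str) -> list[str]:
    """What the device's configured resolver (e.g. a NextDNS profile) returns. Needs network."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})


def diagnose(answers: dict[str, list[str]]) -> list[str]:
    """Compare per-resolver answers and flag a rewrite to a non-public address.

    answers maps a resolver label ("system", "8.8.8.8", ...) to the A records it returned.
    """
    findings = []
    kinds = {r: {classify(ip) for ip in ips} for r, ips in answers.items()}
    for resolver, k in kinds.items():
        if "tailscale-cgnat" in k:
            findings.append(f"{resolver}: answer in 100.64.0.0/10, unreachable without Tailscale")
    public_elsewhere = any("public" in k for k in kinds.values())
    rewritten = [r for r, k in kinds.items() if "public" not in k and k & {"tailscale-cgnat", "private"}]
    if public_elsewhere and rewritten:
        findings.append(f"split answers: {', '.join(rewritten)} rewrite the name; check that resolver's Rewrites")
    if not findings:
        findings.append("all resolvers agree on public addresses; DNS is not the problem")
    return findings


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "homelab.taile97128.ts.net"
    resolvers = sys.argv[2:] or ["8.8.8.8", "45.90.28.0"]
    results = {"system": resolve_system(host)}
    for r in resolvers:
        results[r] = query(r, host)
    for r, ips in results.items():
        print(f"{r:>12}: {', '.join(ips) or '(none)'}")
    for line in diagnose(results):
        print("  ->", line)
```

Run it from the affected phone or laptop with Tailscale off: a "system" row in 100.64.0.0/10 next to public addresses from 8.8.8.8 is exactly the fingerprint of a profile-level rewrite, and it shows up even though no resolver returned an error. The classifier deliberately treats 100.64.0.0/10 separately from RFC 1918 space so the finding names Tailscale rather than a generic "private address".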

Fix

Delete the DNS rewrite rule in NextDNS dashboard:

NextDNS → Settings → Rewrites → Remove *.taile97128.ts.net → 100.101.93.128

Without the rewrite, *.taile97128.ts.net resolves to the real Tailscale Funnel IPs, which are publicly accessible from any device.

Lessons Learned

  • DNS rewrites are invisible failures — they don't show up as blocks, and the domain "resolves" successfully (just to the wrong IP)
  • Tailscale Funnel and DNS rewrites to internal IPs are incompatible — Funnel is designed for public access; rewriting to 100.x defeats its purpose
  • Test from a device without Tailscale when debugging Funnel issues
  • Check NextDNS Rewrites tab, not just the Logs/Security/Privacy tabs, when troubleshooting resolution issues