2025-05-29

A reverse proxy is one of the best ways to access your self-hosted services, as tools such as Caddy and Nginx Proxy Manager will enable you to host services on various subdomains of a domain that you own, complete with their own SSL certificates. The downside of this is that, if hosted on a public IP address, your connections will be routed out of your home and then back in, or they may require you to keep a VPN like Tailscale always connected. There's a way around that, though: a Pi-hole.

A Pi-hole is typically a go-to recommendation for network-wide advertisement and tracking blocking, but it's actually more than that. It's a DNS management tool, and it blocks those advertisements by answering DNS requests for blocked domains with an empty, non-routable response instead of the real address. Because it sits in the resolution path, you can also define your own DNS records, so that any domain can be overridden to point wherever you choose.

Even better, the names you use don't have to be real, publicly registered domains. For example, I use ".home" for some services, which was a TLD proposal rejected in 2018 by ICANN. I can access my Zigbee2MQTT dashboard with "http://z2m.home"; however, this becomes even more powerful with a DNS override for an existing domain. While my hosted services are all accessed via Tailscale, I can also access them when I'm at home, without Tailscale, thanks to my Pi-hole.

Configuring a DNS override with Pi-hole

It's simple and worth it

The first thing you'll need to have set up is a Pi-hole that your devices are configured to use as their DNS server. I have two: one on my Proxmox host and one on my TrueNAS host, and they're identical copies of each other. The DNS servers in my router's DHCP are set to both of these addresses, so that they are automatically distributed to all devices on the network. This means that when one goes down, my network is still robust and can resolve domains.

The reason I do this, rather than using a public DNS provider as a fallback, comes down to how devices handle multiple DNS servers. Many devices use whichever of the DHCP-supplied servers replies first; it's not a case of trying the primary and then the secondary in order. While Windows will prioritize the first DNS provider, systemd-based Linux distributions will enact a "parallel probe" of all servers and pick the fastest responder. The same goes for Android, macOS, and iOS, where all servers are questioned at once, and the fastest to answer is considered correct. If you can only deploy one instance of a Pi-hole, you may need to use it as your only DNS provider, depending on the devices you use; otherwise, any time the public resolver answers first, your overrides are silently bypassed.

To configure local DNS overrides for your reverse proxies, go to your Pi-hole's admin panel and click Settings, followed by Local DNS Records. Here, you can add any domain you want with an associated IP address. In my case, I have "jellyfin.example.ie" pointing to the Tailscale IP address of the reverse proxy host in my domain's public DNS records, but I can override it to point to the local IP address of my reverse proxy instead when I'm on my home network. While Tailscale will generally try to establish a direct connection between devices when on the same network, this may not always be possible or detected by Tailscale, and the same goes for other similar providers.
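A practical way to confirm that an override is actually in effect, and to see why a public fallback resolver undermines it, is to ask each configured resolver directly and compare the answers. The following script is an added example, not code from the original article or from the Pi-hole project: it builds a raw DNS A query with only the Python standard library, sends it to each resolver you list, and classifies every answer as LAN (RFC 1918), Tailscale (the 100.64.0.0/10 CGNAT range), blocked (Pi-hole's 0.0.0.0 null answer) or public. The resolver addresses 192.168.1.2 and 1.1.1.1 and the hostname jellyfin.example.ie are placeholders to replace with your own.

```python
"""Compare the A record each configured resolver returns for an overridden name.

Added example (not from the original article): standard library only, so it
runs on any machine on the LAN without extra packages.
"""
import ipaddress
import random
import socket
import struct
from typing import Dict, List, Optional, Union

TAILSCALE_CGNAT = ipaddress.ip_network("100.64.0.0/10")


def build_query(name: str, txid: Optional[int] = None) -> bytes:
    """Return a minimal DNS query: one A/IN question with the RD bit set."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    # id, flags (RD), qdcount, ancount, nscount, arcount
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes, expected_txid: int) -> List[str]:
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", resp, 0)
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if flags & 0x000F != 0:  # non-zero RCODE, e.g. NXDOMAIN: nothing to classify
        return []
    off = 12
    for _ in range(qd):  # skip the echoed question(s): name + QTYPE + QCLASS
        off = _skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from(">HHIH", resp, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def classify(addr: str) -> str:
    """Say where an answer points: blocked, tailscale, lan or public."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:  # 0.0.0.0: Pi-hole's default null answer for blocked names
        return "blocked"
    if ip in TAILSCALE_CGNAT:
        return "tailscale"
    if ip.is_private:  # RFC 1918 and friends: the local override is in effect
        return "lan"
    return "public"


def query(resolver: str, name: str, timeout: float = 2.0) -> List[str]:
    """Send one UDP query to a specific resolver and return its A records."""
    q = build_query(name)
    txid = struct.unpack_from(">H", q)[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver, 53))
        resp, _ = s.recvfrom(4096)
    return parse_a_records(resp, txid)


def compare(resolvers: List[str], name: str) -> Dict[str, Union[str, List[str]]]:
    """Ask every resolver in turn; differing answers show which ones honour the override."""
    report: Dict[str, Union[str, List[str]]] = {}
    for r in resolvers:
        try:
            answers = query(r, name)
        except (OSError, ValueError) as exc:
            report[r] = f"error: {exc}"
            continue
        report[r] = [f"{a} ({classify(a)})" for a in answers] or "no answer"
    return report


if __name__ == "__main__":
    # Placeholder addresses: a Pi-hole on the LAN and a public resolver.
    for resolver, result in compare(["192.168.1.2", "1.1.1.1"], "jellyfin.example.ie").items():
        print(f"{resolver}: {result}")
```

Run it from a device on your home network: the Pi-hole should answer with a LAN address while the public resolver returns the Tailscale address from your zone's A record. If a client is allowed to pick whichever server answers first, it can land on either result, which is exactly the inconsistency the two-Pi-hole setup avoids.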

However, there's an even bigger benefit to this setup. If I'm at home, my services are resolvable without needing Tailscale at all. I can turn off the Tailscale VPN on my phone or my PC and still access all of my self-hosted services through my domain, even though they're only referenced via Tailscale IP addresses in my domain's A records. My reverse proxy still gets a request referencing a specific domain, so it knows which service I'm trying to use, even though the IP address it's being contacted on has changed. Even better, the SSL certificate is still valid, as it's issued for the same domain. It's convenient, it greatly reduces latency, and it means devices that can't even run Tailscale can still interact with my self-hosted services, so long as they accept the DNS servers handed out by my OPNsense router's DHCP.

If you self-host your own services, a Pi-hole is a must. Even if it didn't also help to protect my privacy online and block trackers and advertisements, it would be an invaluable tool in my network for accessing the self-hosted tools I use at home. Plus, it's nice to use short and easy-to-remember addresses like "z2m.home" and "pi.hole" to access some of my services, too.