DNS issue with iPhone and Pi-hole

I run Pi-hole at home on my server, and my issues centre on local hostname resolution. I also run Tailscale, which has intermittent issues while I am physically away and split tunneled, but only on my iPhone, and seemingly only with my internal services.

I have a reverse proxy set up (Nginx Proxy Manager) and Pi-hole has manual entries for A and CNAME records for my internal services. My MacBook works fine, other VMs work fine; my only issue is my iPhone.

When I am home, I am not connected to the tailnet and things mostly work OK, although right now as I type this my phone is not working correctly with internal services. I am seeing Chrome on my phone fail trying to connect via Cloudflare, which means this request is making its way out onto the internet and trying to resolve to my DDNS IP provided by Cloudflare somehow… I see the query pop up in Pi-hole, showing as served from cache, and it is serving the correct IP, but somehow it's still trying to go out the WAN:

(The iPhone is at 10.70.5.13 and Nginx Proxy Manager is at 10.90.5.6, so theoretically the log below shows that things should work, I think?)

2025-12-30 12:32:11.582 query[HTTPS] frigate.mydomain.com from 10.70.5.13
2025-12-30 12:32:11.582 config frigate.mydomain.com is <CNAME>
2025-12-30 12:32:11.585 query[A] frigate.mydomain.com from 10.70.5.13
2025-12-30 12:32:11.585 config frigate.mydomain.com is <CNAME>
2025-12-30 12:32:11.585 /etc/pihole/hosts/custom.list npm.mydomain.com is 10.90.5.6


The example above is from my phone trying to connect to Frigate via Chrome on the iPhone while local (so not even routing through the tailnet, so this instance isn't a Tailscale issue at all). I am not sure any of my issues are specific to Tailscale; it sure seems like a pure DNS issue on iPhone.

I routinely do see this happen when I am split tunneled on my iPhone (which is 100% of the time when away from home), but my MacBook, which is also always split tunneled when away and also using Chrome, always works flawlessly. I know I don't know enough to understand why, but I have a feeling my phone is trying to use DoH or something and is somehow bypassing the response from Pi-hole?
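The five log lines quoted in the post can be checked mechanically. The script below is an added example (not from the original post): it parses Pi-hole's dnsmasq-format log lines, follows each query through its CNAME step to whatever address the local config returned, and flags whether that final address is private. It assumes each answer line belongs to the query logged immediately before it, which holds for this excerpt.

```python
import ipaddress
import re

# Constructed sample: the five Pi-hole (dnsmasq-format) log lines quoted in the post.
SAMPLE_LOG = """\
2025-12-30 12:32:11.582 query[HTTPS] frigate.mydomain.com from 10.70.5.13
2025-12-30 12:32:11.582 config frigate.mydomain.com is <CNAME>
2025-12-30 12:32:11.585 query[A] frigate.mydomain.com from 10.70.5.13
2025-12-30 12:32:11.585 config frigate.mydomain.com is <CNAME>
2025-12-30 12:32:11.585 /etc/pihole/hosts/custom.list npm.mydomain.com is 10.90.5.6
"""

# "<date> <time> query[TYPE] name from client"
QUERY_RE = re.compile(r"^\S+ \S+ query\[(\w+)\] (\S+) from (\S+)$")
# "<date> <time> <source> name is <answer>"; source is 'config' or a hosts-file path
ANSWER_RE = re.compile(r"^\S+ \S+ (\S+) (\S+) is (\S+)$")

def is_private(text):
    """True only if text is an IP address in private (RFC1918/ULA) space."""
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:  # None, hostnames and the <CNAME> marker are not addresses
        return False

def trace_queries(log_text):
    """Attach each answer line to the most recent query (assumption, see lead-in) and record where it ended."""
    queries = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            qtype, name, client = m.groups()
            queries.append({"type": qtype, "name": name, "client": client,
                            "chain": [], "final": None})
            continue
        m = ANSWER_RE.match(line.strip())
        if m and queries:
            _source, name, answer = m.groups()
            queries[-1]["chain"].append(name)  # the alias, or later the CNAME target
            if answer != "<CNAME>":            # an address: the chain ends here
                queries[-1]["final"] = answer
    for q in queries:
        q["private_answer"] = is_private(q["final"])
    return queries

if __name__ == "__main__":
    for q in trace_queries(SAMPLE_LOG):
        ended = q["final"] or "no local address in this excerpt"
        print(f'{q["type"]:5} {q["name"]} from {q["client"]}: {" -> ".join(q["chain"])} => {ended}')
```

Run against a longer pihole.log excerpt, any query whose final answer is not a private address (or has none) is the one to look at more closely for the client in question.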

If the issue is only happening with the phone I would check to make sure the iPhone is not using another DNS such as DoH.

It reports as using Pi-hole's IP in the Wi-Fi settings; I am not sure how to check if somehow it's being forced to some other DNS provider/solution.

It happens in both Chrome and Safari, so I imagine the problem lies in WebKit or at a system-wide level. I just have no idea what to check or fix.

I use WireGuard back to my house for DNS filtering and it works great. I haven't used Tailscale.

In my current situation, the issue persists even when I am local and not using a VPN at all.

Have you looked at the VPN configuration profile for Tailscale to see if there are any DNS settings, persistent settings or anything? (I'm not familiar with Tailscale on iOS, so these are more universal checks rather than being specific to Tailscale.)

Have you tried completely removing Tailscale from your iPhone to see if the problem persists? (Make sure the config profile gets removed with Tailscale.)

Have you looked at this article?

I have not, I can give that a shot I suppose.

I just read it over, but that doesn't really provide any useful information beyond the simple setup. I truly believe this is an issue with DNS on iPhone, since everything works perfectly on my MacBook while home and away (when away, it's split tunneled just like my iPhone).

I encountered a similar issue with an iPhone yesterday. We set up a Synology for the client's camera system. We want them to be able to use the DS Cam app with a dynamic DNS name to access the camera system when they're on the internal LAN/Wi-Fi, or on 5G or at another location with Wi-Fi. We set up a dynamic DNS name like {sitename}.ourdomain.com, which UniFi updates as expected with the outside WAN IP. In UniFi, I added an A DNS record for {sitename}.ourdomain.com that points to the Synology's internal IP.

This works perfectly with a laptop: DNS resolves properly on Wi-Fi, and if I tether the laptop to my cell phone we get the WAN IP.

Both an iPhone and an Android phone always resolve the actual dynamic DNS WAN IP no matter what. DHCP is handing out the UniFi gateway's IP for DNS as designed, and I can see that in the iPhone settings. So there's somewhere else the phones are using for DNS lookups, and after a quick Google search I gave up.