Table of Contents

What is split DNS?

Split DNS is a mechanism to route DNS records differently depending on the network.

It’s easier to explain this with an example.

Given a domain,, we can route it and all its subdomains to an IP address:

Performing a look up on will return

dig +short

Performing the same look up via private DNS can return different results:

dig +short

Why is this useful?

I use this for exposing services within my Tailnet rather than the public internet.

This is useful for services that may have their own authentication, but where I don’t trust the authentication mechanism(s), or where I’m not sharing the service with any friends or family.

Examples of services I host like this:

Implementing Split DNS

Set up Tailscale

Follow Tailscale’s excellent quick start documentation.

Next, install Tailscale on the machine you’ll be hosting private services on.

At this point you should have:

  • Tailscale installed on your development machine
  • Tailscale installed on the machine you’ll be using to expose private services
Take note of your private machine's IP address, as we'll be setting DNS to route to this IP in the next section.
tailscale status   hugos-mbp            username@      macOS   -    private-machine      username@      linux   -
  └── Take note of this IP address

Set up DNS with NextDNS

I have no interest in running my own DNS service, so I use NextDNS (sidenote: Don’t worry, this isn’t a referral link, I promise. I genuinely use this service, and find it useful for blocking ads as well.)

Once you’ve signed up, you’ll need to configure devices accessing private services to use NextDNS.

As we only want to route private services, we can (sidenote: This way we avoid having to add a new DNS route for each of our services.) our DNS record with internal, e.g. *

Including the * prefix routes all subdomains to the same route, e.g. and will resolve to the same IP address.

Now you can add an internal rewrite in settings, routing * to the Tailscale IP address of the private machine that we noted down in the previous section:

Now NextDNS should return the Tailscale IP address of your service:

dig +short

If you’re running a webserver, that should also return a default response:

<head><title>404 Not Found</title></head>
<center><h1>404 Not Found</h1></center>

Restrict access with Kubernetes Ingress

As a bonus, if you’re running Kubernetes on your private machine, you can restrict access to only IP addresses within your Tailnet.

Conveniently, all Tailscale IP addresses are in the 100.x range. You can restrict access by adding this annotation to your Ingress:

kind: Ingress
  name: foobar-internal
  namespace: foobar
  annotations: ""
# ...


I’m aware I haven’t gone into great depth in this post, so feel free to contact me if you have any trouble or questions.