How to configure split DNS for subnet router in Tailscale?
Situation:
In my home network, there is a main router with IP address 10.10.10.1
Behind it is a subnet 20.20.20.0/24 where various IoT devices are located, including YI cameras.
After setting up a subnet router in the subnet, all devices became accessible from outside, and the system works correctly.
However, YI cameras do not support DHCP reservation and IP binding to MAC addresses. Setting a static IP address directly on the devices themselves is not possible. As a result, after the DHCP lease expires, devices receive random IP addresses, which requires manual searching and connecting.
Question:
How to set up a local DNS server? What and where needs to be configured so that requests to cameras are made through local names, for example: rtsp://camer001.local/channel1? It is also necessary to provide the ability to determine the current IP address of a device by its local name.
Setting up split DNS for subnet router in Tailscale
You can configure split DNS for a subnet router in Tailscale through the DNS section of the admin console by adding a local DNS server to resolve internal device names. For YI cameras that don’t support DHCP reservation, local DNS will allow you to access devices by persistent names such as camer001.local, regardless of their current IP address.
Contents
- What is split DNS and why you need it
- Setting up a local DNS server
- Configuring split DNS in Tailscale
- Setting up subnet router for DNS access
- Practical implementation for YI cameras
- Troubleshooting access issues
- Alternative approaches
What is split DNS and why you need it
Split DNS is a configuration in which DNS queries are sent to different nameservers depending on the domain being queried. In the context of Tailscale, this lets you:
- send queries for an internal domain (e.g. local) to a DNS server on your home network
- keep using public resolvers for every other domain
- resolve IoT device names consistently, whatever address each device currently holds
Important: As the Tailscale documentation puts it, a split DNS nameserver answers for records that are not published on the public internet, so it only makes sense for names that public DNS cannot resolve. One caveat on the choice of domain: .local is reserved for mDNS (RFC 6762), and macOS, Windows and Linux hosts running systemd-resolved or Avahi may send .local queries to multicast instead of to a unicast nameserver. The examples below follow the question and use .local; if resolution turns out to be unreliable on some clients, use home.arpa (RFC 8375) or a subdomain of a domain you own instead.
Setting up a local DNS server
To solve the YI camera issue, you need a local DNS server in your network. Here are several options:
Option 1: Using your router
If your main router (10.10.10.1) supports local DNS functionality:
- Log in to your router’s web interface
- Find the DHCP/DNS section
- Enable the local DNS option
- Add records for your devices
Option 2: Installing a separate DNS server
For a more robust setup, you can install a separate DNS server on a device in the 20.20.20.0/24 subnet:
# Example of installing dnsmasq on Linux
sudo apt update
sudo apt install dnsmasq
Option 3: Using Docker
The andyshinn/dnsmasq image runs dnsmasq in the foreground and takes dnsmasq options as container arguments (it does not read DOMAINS or DNSMASQ_HOSTS environment variables), so pass the records as --address options. Publish both UDP and TCP 53, since resolvers fall back to TCP for large answers, and add NET_ADMIN as the image's documentation shows. These records pin a name to a fixed address, so they only help once the camera's address itself is fixed (see the DHCP reservation note in the practical section).
# dnsmasq options come after the image name
docker run -d --name=local-dns \
  -p 53:53/udp -p 53:53/tcp \
  --cap-add=NET_ADMIN \
  --restart=always \
  andyshinn/dnsmasq:latest \
  --address=/camer001.local/20.20.20.10 \
  --address=/camer002.local/20.20.20.11 \
  --local=/local/
Note: As explained in the subnet router article, to use an internal DNS server, you need to configure split DNS in the DNS section of the admin console.
Configuring split DNS in Tailscale
To configure split DNS, follow these steps:
- Open the DNS page of the Tailscale admin console
- Under Nameservers, click "Add nameserver" and choose "Custom"
- Specify the parameters:
  - Nameserver: the IP address of your local DNS server (e.g. 10.10.10.1, or the server's address inside 20.20.20.0/24). It must be an address Tailscale clients can reach, i.e. inside an advertised and approved subnet route, or a Tailscale IP
  - Restrict to domain: enable it and enter local (without a leading dot), or the specific domain your devices use
Example configuration:
Nameserver: 10.10.10.1
Restrict to domain: local
Leave "Restrict to domain" off only if you want every query from every Tailscale client, public names included, to go to this server.
Tip: As mentioned in the Reddit discussion, a record for the DNS host itself (nas.local in that thread) should also point at the DNS server, so the server can be reached by name as well as by address.
Setting up subnet router for DNS access
Tailscale clients reach the DNS server through the subnet router, so the server's address must be covered by an advertised and approved route. Check this on the subnet router:
- Confirm the node is connected (advertised routes themselves are listed under the node in the admin console, not in this output):
tailscale status
- Advertise the camera subnet. If the DNS server is the main router at 10.10.10.1, advertise that address too, because it is not inside 20.20.20.0/24:
tailscale set --advertise-routes=20.20.20.0/24,10.10.10.1/32
- On a Linux subnet router, IP forwarding must be enabled (net.ipv4.ip_forward=1), otherwise the route is advertised but traffic is dropped
- Approve the routes in the admin console (Machines, the subnet router's menu, "Edit route settings"); advertised routes are not used until they are approved
- Check that the DNS server answers from a Tailscale client, querying it directly by address:
# From a device in Tailscale
nslookup camer001.local 10.10.10.1
Important: As stated in the Tailscale documentation, if your DNS servers are not public or don't use Tailscale IP addresses, you'll likely need to configure subnet routing to access private DNS servers.
Practical implementation for YI cameras
For YI cameras that don't support DHCP reservation, the implementation will look like this:
Configuration on the local DNS server
A name is only as stable as the address behind it. A static address= record pins camer001.local to 20.20.20.10, but if the camera can still receive a different lease the record goes stale, so the DHCP server for 20.20.20.0/24 must hand each camera the same address every time. Reservation is a server-side feature: the camera does not need to support it. If dnsmasq is the DHCP server, a dhcp-host entry keyed on the camera's MAC address does the reservation, and dnsmasq then also answers for the lease's hostname automatically; on another router, use its DHCP reservation or "static lease" page.
Add static records for your cameras:
For dnsmasq (in /etc/dnsmasq.conf or a file under /etc/dnsmasq.d/):
address=/camer001.local/20.20.20.10
address=/camer002.local/20.20.20.11
address=/camer003.local/20.20.20.12
For a router with DD-WRT:
- Go to Services → Services → DNSMasq → Additional DNSMasq Options
- Add:
address=/camer001.local/20.20.20.10
address=/camer002.local/20.20.20.11
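The records above cover the DNS half only. The following script, added here as an example and not taken from the original page or from dnsmasq's own documentation, generates a complete dnsmasq fragment that does both halves: a DHCP reservation per camera so the address stays fixed, and the matching address= record. It assumes (hypothetically) that dnsmasq runs on a host in the camera subnet with interface eth0, is the only DHCP server on 20.20.20.0/24, and that the MAC addresses in the inventory are placeholders you would replace with the ones shown in your router's lease table.

```shell
#!/bin/sh
# Added example, not from the original page: generate a dnsmasq configuration
# for the camera subnet that pins each camera to a fixed address with a DHCP
# reservation by MAC and publishes the matching .local name.
# Assumptions (hypothetical): dnsmasq is the only DHCP server on 20.20.20.0/24,
# the subnet interface is eth0, and the MACs below are placeholders taken from
# the router's lease table.

# Constructed inventory: name|mac|ip, one camera per line.
CAMERAS='camer001|aa:bb:cc:00:00:01|20.20.20.10
camer002|aa:bb:cc:00:00:02|20.20.20.11
camer003|aa:bb:cc:00:00:03|20.20.20.12'

# One camera: the reservation makes the DHCP server always lease $ip to $mac,
# and the address= record answers for $name.local even before a lease exists.
camera_stanza() {
  name=$1
  mac=$2
  ip=$3
  printf 'dhcp-host=%s,%s,%s\n' "$mac" "$name" "$ip"
  printf 'address=/%s.local/%s\n' "$name" "$ip"
}

# Whole file on stdout: zone settings first, then one stanza per camera.
gen_dnsmasq_conf() {
  cat <<'EOF'
# Serve only the camera subnet; never bind the upstream-facing interface
interface=eth0
bind-interfaces
# Authoritative for .local: answer locally, never forward it upstream
domain=local
local=/local/
expand-hosts
# Everything else goes to the upstream resolver
server=1.1.1.1
# Rebinding protection, with an exception so .local may resolve to private IPs
stop-dns-rebind
rebind-domain-ok=/local/
# Dynamic pool for other devices, kept clear of the reserved camera addresses
dhcp-range=20.20.20.100,20.20.20.200,12h
EOF
  printf '%s\n' "$CAMERAS" | while IFS='|' read -r name mac ip; do
    camera_stanza "$name" "$mac" "$ip"
  done
}

# Usage: sh gen-cameras-conf.sh > /etc/dnsmasq.d/cameras.conf
#        dnsmasq --test && systemctl restart dnsmasq
gen_dnsmasq_conf
```

The dynamic pool deliberately starts above the reserved addresses, so a camera that boots before its reservation is in place cannot collide with one that already has a fixed address, and local=/local/ keeps queries for names you have not defined from leaking to the upstream resolver.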
Camera access configuration
Now you can access the cameras via names. The path after the port depends on the camera firmware; the paths below are placeholders, so use the one your camera's firmware documents:
# Examples of accessing cameras
rtsp://camer001.local:554/channel
rtsp://camer002.local:554/channel1
rtsp://camer003.local:554/stream
Tip: As seen in the GitHub example, you can put the devices under a subdomain of a domain you own, such as local.zila.dev, instead of .local. That avoids the mDNS meaning of .local, and because the parent domain is publicly registered you can obtain publicly trusted TLS certificates for the internal names (for example with a DNS-01 challenge) even though the hosts themselves are private.
Troubleshooting access issues
Problem 1: DNS requests don't reach the local server
Solution:
- Check that the subnet route covering the DNS server's address is advertised and approved, and that IP forwarding is enabled on the subnet router
- Ensure no firewall between the subnet router and the DNS server blocks UDP or TCP port 53, and that the DNS server listens on the interface facing the router
- Check the split DNS configuration in the Tailscale console: the nameserver address and the restricted domain must match what you query
- Query the server directly by address first; if that works but the bare name does not, the problem is in the Tailscale DNS configuration or on the client, not on the server
Problem 2: Cameras aren't accessible by name
Solution:
# Check name resolution
nslookup camer001.local 10.10.10.1
# Check connectivity
ping camer001.local
# Check RTSP stream access
ffprobe -i rtsp://camer001.local:554/channel
Problem 3: DNS server conflicts
Solution: As described in the client preferences documentation, a client can stop using the tailnet's DNS settings ("Use Tailscale DNS settings" in the device menu, or tailscale set --accept-dns=false). Note that this also disables split DNS and MagicDNS on that client, so the camera names then resolve only if the operating system's own resolver is pointed at the local DNS server.
Alternative approaches
1. Using MagicDNS for Tailscale
MagicDNS assigns names only to devices that run Tailscale, i.e. the nodes of your tailnet; it is enabled on the DNS page of the admin console (there is no tailscale set flag for it), and it cannot name devices that merely sit behind a subnet router. It therefore does not solve the camera problem by itself. It is still useful for reaching the subnet router by name, for example as the host of the reverse proxy below, while the cameras keep needing the local DNS server described above.
2. Using /32 routes
As mentioned in the discussion, you can advertise individual addresses as /32 routes instead of the whole subnet, which limits what the tailnet can reach to the cameras themselves. This works only once their addresses are fixed by reservation, the same precondition the static DNS records have:
tailscale set --advertise-routes=20.20.20.10/32,20.20.20.11/32,20.20.20.12/32
3. Reverse proxy
For the cameras' HTTP web interfaces, you can run a reverse proxy on the subnet router and reach it by the router's MagicDNS name or Tailscale IP; the proxy picks the camera from the Host header, so camer001.local must resolve to the proxy host rather than to the camera for this to work. It covers HTTP only: RTSP is not HTTP and nginx would need its stream module to forward it, so the streams still need the DNS approach.
# Example Nginx configuration
server {
    listen 80;
    server_name camer001.local;
    location / {
        proxy_pass http://20.20.20.10;
        proxy_set_header Host $host;
    }
}
Important: As noted in the DNS rebinding article, resolvers with DNS rebinding protection (dnsmasq with stop-dns-rebind, and many routers by default) drop answers that contain private addresses such as 20.20.20.10. If your queries pass through such a resolver, add an exception for the internal domain (in dnsmasq: rebind-domain-ok=/local/) or point split DNS directly at the server that holds the records.
Sources
- Configure Split DNS with Tailscale and Local DNS
- DNS in Tailscale - Official Documentation
- SplitDNS magic with Tailscale
- Subnet routers - Tailscale Docs
- What is Split DNS & Why Should You Use It?
- Custom DNS for machines - GitHub Issue
- Manage client preferences - Tailscale Docs
- DNS problems with internal services - Tailscale Docs
Conclusion
Setting up split DNS for a subnet router in Tailscale lets you address IoT devices such as YI cameras by stable names instead of addresses that change with every lease. Key points:
- Set up a local DNS server in your network to resolve internal names
- Configure split DNS in the Tailscale admin console by adding your DNS server, restricted to the local domain
- Advertise and approve a subnet route that covers the DNS server's address, so Tailscale clients can reach it
- Add static DNS records for your cameras and pair them with DHCP reservations so the addresses behind the names stay fixed
- Test access via RTSP streams using local names
After configuration, you'll be able to access cameras through persistent names like rtsp://camer001.local/channel, which simplifies device management and removes the need to search for IP addresses by hand.