The best config I've found is to have the Pi-hole use NextDNS as its upstream server and have the DHCP server on the router hand out the Pi-hole's IP as the DNS server. Have Tailscale set up on the Pi-hole as a subnet router so it gives you access to your home network on the move. Then have your Tailscale DNS point to the Tailscale IP of your Pi-hole.
All machines on your local net now use the Pi-hole as DNS, as handed out by the router, and when you roam, Tailscale routes your DNS to your Pi-hole.
If you're travelling overseas though, it makes sense to reconfigure Tailscale to use NextDNS directly so it's faster.
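The setup in the comment above has three moving parts (Pi-hole upstream, kernel forwarding for the subnet router, the tailscale route advertisement) plus one check worth doing on each client. The script below is an added example, not any poster's own config: it renders each piece as text so you can review it before writing it to the real files, and it includes a small resolver check. All IP addresses and the LAN CIDR are placeholder assumptions; the setupVars keys are Pi-hole v5 style, and the `DNSMASQ_LISTENING=all` line is the part people usually miss, since Pi-hole's default listening mode only answers hosts on the local subnet and refuses queries arriving over tailscale0.

```shell
#!/bin/sh
# Added example (not from the thread). Renders the config fragments for the
# "Pi-hole + NextDNS upstream + Tailscale subnet router" layout described above.
# Every address below is an assumed placeholder; the real identifiers are the
# Pi-hole v5 setupVars.conf keys, the sysctl keys and the tailscale flag.

# Upstream block for /etc/pihole/setupVars.conf.
# DNSMASQ_LISTENING=all: the default ("local") only answers hosts on the LAN
# subnet, so queries arriving over tailscale0 from 100.64.0.0/10 would be
# refused when you roam.
render_pihole_upstream() {
  up1="$1"; up2="$2"
  printf 'PIHOLE_DNS_1=%s\n' "$up1"
  printf 'PIHOLE_DNS_2=%s\n' "$up2"
  printf 'DNSMASQ_LISTENING=all\n'
}

# Forwarding sysctls a subnet router needs (drop into /etc/sysctl.d/).
render_forwarding_sysctl() {
  printf 'net.ipv4.ip_forward = 1\n'
  printf 'net.ipv6.conf.all.forwarding = 1\n'
}

# The tailscale command that advertises the home LAN. The route still has to
# be approved in the Tailscale admin console, and that is also where the
# Pi-hole's tailscale IP is set as the tailnet's global nameserver.
tailscale_subnet_router_cmd() {
  printf 'tailscale up --advertise-routes=%s\n' "$1"
}

# Resolver check: read resolv.conf-style text on stdin and succeed only if at
# least one nameserver line exists and every one is the expected resolver
# (the Pi-hole LAN address at home; 100.100.100.100, Tailscale's MagicDNS
# stub, when roaming). Any other resolver means DNS is leaking past Pi-hole.
resolver_is() {
  want="$1"
  awk -v want="$want" '
    $1 == "nameserver" { n++; if ($2 != want) bad++ }
    END { exit ((n == 0 || bad > 0) ? 1 : 0) }'
}

# Usage: "sh this.sh render" prints all fragments; redirect them into the
# real paths yourself after reading them.
if [ "${1:-}" = "render" ]; then
  render_pihole_upstream "NEXTDNS_IP_1_PLACEHOLDER" "NEXTDNS_IP_2_PLACEHOLDER"
  render_forwarding_sysctl
  tailscale_subnet_router_cmd "192.168.1.0/24"   # assumed home LAN
fi
```

On a LAN client, `resolver_is 192.168.1.2 < /etc/resolv.conf` (with your Pi-hole's address) confirms the DHCP-handed resolver is the Pi-hole; on a roaming device with Tailscale DNS enabled, the expected value is 100.100.100.100. A second nameserver line pointing anywhere else means some queries bypass the Pi-hole and its filtering.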
Mainly because you can set it to hand out a configured TTL. I set it to provide a minimum value of 2400 (40 mins) so the frequency of queries reduces and most other queries from across the LAN get answered locally from the Pi-hole cache.
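The TTL floor above is a dnsmasq setting, which Pi-hole's FTL picks up from a drop-in file. The script below is an added example, not the poster's own file: it validates the value and renders the drop-in. The 2400 s value follows the comment; the 3600 s ceiling is dnsmasq's compiled-in limit for `min-cache-ttl` (its man page also warns that extending TTLs artificially is generally a bad idea, because clients keep stale answers for names whose operators rely on short TTLs for failover).

```shell
#!/bin/sh
# Added example (not from the thread): render the dnsmasq drop-in that floors
# cached TTLs on a Pi-hole. The drop-in path is Pi-hole's standard dnsmasq
# directory; the value is the one the poster mentions.

DNSMASQ_MIN_TTL_MAX=3600   # dnsmasq rejects larger min-cache-ttl unless recompiled

# Print "ok" (exit 0) if the value is a non-negative integer within dnsmasq's
# limit, otherwise "bad" (exit 1).
validate_min_ttl() {
  case "$1" in
    ''|*[!0-9]*) echo bad; return 1 ;;
  esac
  if [ "$1" -gt "$DNSMASQ_MIN_TTL_MAX" ]; then
    echo bad; return 1
  fi
  echo ok
}

# Render the drop-in for /etc/dnsmasq.d/99-min-ttl.conf (assumed file name).
# Fails without output if the value would be rejected by dnsmasq.
render_min_ttl_dropin() {
  validate_min_ttl "$1" >/dev/null || return 1
  printf '# Floor cached TTLs so LAN clients re-ask the Pi-hole less often.\n'
  printf '# Trade-off: a record changed upstream stays stale here for up to %s s.\n' "$1"
  printf 'min-cache-ttl=%s\n' "$1"
}

# Usage: "sh this.sh 2400 > /etc/dnsmasq.d/99-min-ttl.conf" then restart FTL
# (pihole restartdns). Only runs when a value is given.
if [ -n "${1:-}" ]; then
  render_min_ttl_dropin "$1"
fi
```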
You shouldn’t trust your upstream provider if you use a major ISP. Most collect data not only from their own DNS servers but also unencrypted traffic over port 53 and then sell that data.
Using NextDNS allows you to use encrypted DNS upstream (supported out of the box with AdGuardHome, unlike Pi-hole), meaning your ISP can’t as easily snoop on you. Of course, they still may be monitoring the hosts you connect to and the non-encrypted SNI requests, but that’s a lot more effort and most of the major US ISPs don’t do that at scale. DNS snooping does almost as well and is way easier.
ISP is a paid and contracted service. NextDNS is free (300k queries/month) and Tailscale too. Who do you think is most likely to sell your data to make business?
Yes, this. Although it's not so much a trick and more managing your home network so it's like any other. Computers connected to the network should automatically detect everything they need to work normally, so no manual settings are needed.
Otherwise, as the parent poster realized, moving the device to another network will require manual changes. And then changes again when you get back.
MikroTik's RouterOS is able to run Pi-hole in a container directly on the router, as well as WireGuard, which is now in the OS by default.
I'm just not able to configure a custom upstream in Pi-hole (i.e. Unbound or NextDNS). Probably some firewall rule or something related to the container settings for Pi-hole.
WireGuard has now been in the kernel for OpenWrt releases since 20.xx (maybe earlier?), so you don't even need a Pi if you have a decently robust router that will take OpenWrt. Netgear R7800s are a sweet spot for this setup: dual-core 1.9 GHz ARM A15, and they even have an eSATA port.
Then you lose all your blocking/filtering when you're least equipped to deal with the noise. I use NextDNS via DoH which a) works the same everywhere and b) encrypts the DNS traffic out of the machine.
This is why I have my RPi4 set up as 1) a Pi-hole, 2) WireGuard VPN host and 3) DHCP and DNS server on my home network, so that as long as I am connected to the VPN from my phone I get no ads. If there's any kind of network issue at my house I can just disable the VPN on my phone. This also has a side benefit that I can use my phone's Wi-Fi hotspot to remote into my work machine at home as needed.
Sounds awful; most consumer connections have restricted upstream (like 1200/25 Mbps). Instead, just take a travel router (GL.iNet makes nice ones) with you, set up to use WireGuard and Mullvad and to internally serve DNS from NextDNS.
I take your point. But how do you power this travel router? Also, does it have a 4G/LTE/5G SIM card? Otherwise, what is its modem; i.e. how does it route?
It connects to wired or WiFi connections and bridges it to a separate internal network and routes all traffic across its VPN tunnel. These are common devices for security conscious travelers. Yes, some support cellular either directly or via USB LTE modems.
That way when you're home, you get the pi-hole, but when on the road, you get whatever DNS is given for the network you're connected to.