NoPlayerD

Need help with local + Tailscale DNS resolution – Technitium + Nginx Proxy Manager setup

Sep 8th, 2025 (edited)
Hi everyone,

I'm reaching out because I've hit a wall with my self-hosting setup. Neither AI nor the usual documentation seems to help with my specific issue, so I'm hoping someone here with more experience can point me in the right direction.

I'm not exactly new to self-hosting, but I've only recently started trying to set things up properly, following best practices. Here's a quick overview of my setup and the problem I'm facing:

---

Setup Overview

- Device: Dell OptiPlex running Tiny10 natively
- Installed Software:
  - Native: Tailscale + Technitium DNS
  - Docker Services: Grist, Keycloak, ConvertX, Jellyfin, etc.
- Local access: No issues. Everything works as expected on the LAN.
- Remote access: I've been relying on Tailscale, and it *was* working fine...

---

Recent Changes

About a week ago, I started moving towards a more "standardized" setup by adding:

- Technitium DNS (with split-horizon DNS)
- Nginx Proxy Manager (for reverse proxy + HTTPS)

That's when things got tricky. My goal is:

> When accessing `mylocaldomain.internal` locally, it should resolve to the 'LAN IP'.
> When accessing it via Tailscale, it should resolve to the 'Tailscale IP'.

Technically, I *did* manage to configure DNS resolution correctly. When I run:

```bash
nslookup mylocaldomain.internal 192.168.1.10
nslookup mylocaldomain.internal 100.64.1.10
```

…it resolves as expected. But despite that, I just can't get remote access to work reliably. It feels like my DNS settings aren't being respected by Tailscale or my network adapters (Wi-Fi/Ethernet).

---

Technitium Config (Simplified)

- Split-horizon DNS enabled
- Tried both 'primary zone' and 'conditional forwarder zone' — same results
- Static 'A records' work locally
- 'APP records' look like this ('@' and '*' records):

```json
{
  "100.64.1.1/24": ["100.64.1.10"],
  "192.168.1.1/24": ["192.168.1.10"],
  "127.0.0.1": ["192.168.1.10"]
}
```

– and technically these resolve correctly, too (tested with `nslookup`).

- I'm *not* using the global config.
- 'SOA and NS records' were automatically generated by Technitium. I initially left them as-is, and later modified the NS record's IP to match my server's local IP (from my router) to see if it would make a difference — but unfortunately, I didn't notice any improvement in either case.

---

Reverse Proxy (NGINX Proxy Manager)

- I have several entries like:
  `dns.mylocaldomain.internal → mylocaldomain.internal:5380`
- Only using HTTPS (with `mkcert` self-signed certs) for services like Vaultwarden and Heimdall
- These work fine locally

---

What's Going Wrong

Despite the correct resolution with `nslookup`, I can't access my services over Tailscale. DNS lookups don't seem to work unless I manually specify the DNS IP, and even then I often get 502 errors, or the connection simply times out.

Other observations:

- When I set my server IP as the DNS on a client, `nslookup` shows either `hgw.local` or `unknown` as the DNS server — unless I explicitly define it in the command.
- I *don't* want to mess with my modem/router settings if possible.
- I *don't* have a public domain — everything is local/private.
- My self-signed certificates are trusted on my devices.
- Firewall shouldn't be an issue — I've checked rules on both the OS and the router, and nothing seems to be blocking the traffic.

---

I know this is a long post — thank you for reading this far! If there's anything obviously wrong in my approach or configuration, I'd really appreciate any insights, ideas, or guidance.

Thanks again 🙏
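As an added diagnostic (not code from the post, nor from Technitium or Tailscale): a small Python script that sends raw UDP DNS queries for the name straight to each resolver address and checks that each vantage point returns the answer expected there, independent of whatever resolver the OS or Tailscale hands the client. The name, the two server addresses and the expected answers are assumed from the post.

```python
import socket
import struct

# Assumed from the post (not the poster's actual config): LAN address -> LAN answer,
# Tailscale address -> Tailscale answer, both served by the same Technitium instance
EXPECTED = {"192.168.1.10": "192.168.1.10", "100.64.1.10": "100.64.1.10"}
def build_query(name, txid=0x1234):
    # header: id, flags (RD set), qdcount=1; then QNAME labels, QTYPE=A, QCLASS=IN
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(resp, off):
    # advance past a plain or compressed name; a 0xC0 pointer is 2 bytes and ends it
    while resp[off] & 0xC0 != 0xC0:
        if resp[off] == 0:
            return off + 1
        off += resp[off] + 1
    return off + 2

def parse_a_answers(resp, txid=0x1234):
    # return the A-record IPs in a reply; reject a wrong id or an error rcode
    rtxid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rtxid != txid or flags & 0x000F:
        raise ValueError("bad transaction id or rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips

def check_split_horizon(name, expected=EXPECTED, timeout=2.0):
    # {server: (answers, expected IP seen?)}; UDP goes straight to each server address
    out = {}
    for server, want in expected.items():
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_query(name), (server, 53))
                out[server] = (ips := parse_a_answers(s.recv(4096)), want in ips)
            except (OSError, ValueError) as e:
                out[server] = (["error: %s" % e], False)
    return out
```

Run `check_split_horizon("mylocaldomain.internal")` from a Tailscale client: if both addresses come back OK here while normal name resolution on that client still fails, the zone data is fine and the fault is in which resolver the client is actually given (Tailscale split DNS / MagicDNS or the adapter's DNS setting), not in Technitium.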