#ACL grants for Tailnet DNS server?


earnest ravine

I'm running pihole in Docker with Tailscale sidecar on my home server and set it as Tailnet DNS server in the Tailscale Admin Console with "Override local DNS" enabled. Do I also need to create ACL grants for it?

The guide on the homepage doesn't mention ACL grants and from testing it seems other clients and containers on the home server using a Tailscale sidecar can connect to it fine.

However, the home server host itself and containers on the home server exposed as Tailscale Services on the host (without Tailscale sidecar) can't resolve the DNS server. If I set the ACL grants for the home server to access the DNS server, it works.

Why is that? Is this weirdness expected?


vagrant wigeon

setting a Tailscale IP as your DNS server doesn't implicitly give devices access to that server:port, if you're not using the default allow-all policy then yes you will need to add one giving access to the DNS server


the guide most likely doesn't mention this because it assumes you're using the allow-all defaults (since it starts from tailnet creation), but after reading this I do agree it should at least mention the possibility
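The kind of grant being described, written out as an added example rather than anything posted in this thread: a least-privilege rule that opens only DNS (port 53) to the Pi-hole node. It assumes the Pi-hole's Tailscale node is tagged `tag:dns` and the home server host is tagged `tag:homeserver`; both tag names are placeholders for this illustration, and the snippet is a policy-file fragment, not a complete tailnet policy.

```jsonc
{
  // Placeholder tags for this example; the admin group may own both.
  "tagOwners": {
    "tag:dns":        ["autogroup:admin"],
    "tag:homeserver": ["autogroup:admin"]
  },

  "grants": [
    // Without this grant (and without an allow-all rule such as
    // src "*" -> dst "*" ip "*"), the home server host cannot reach
    // the Pi-hole even though it is configured as the tailnet DNS
    // server: the DNS setting only tells clients where to send
    // queries, it does not open a path to that node.
    {
      "src": ["tag:homeserver"],
      "dst": ["tag:dns"],
      "ip":  ["udp:53", "tcp:53"]
    }
  ]
}
```

The same shape applies to any other node or tag that must resolve names through the Pi-hole; widening `src` to `autogroup:member` would cover every user-owned device while still exposing nothing but port 53 on the DNS node.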

vagrant wigeon

earnest ravine wrote: I assumed there is some default rule that allows DNS traffic to the custom Tailnet DNS server?

there isn't. would need to know more about your setup (like the exact grants you have configured) to speak more to what happened in your case