The best config I've found is to have the pihole use NextDNS as its upstream server and have the DHCP server on the router hand out the pihole's IP as the DNS server. Have tailscale set up on the pihole as a subnet router so it gives you access to your home network on the move. Then have your tailscale DNS point to the tailscale IP of your pihole.
All machines on your local net now use the pihole as DNS as handed out by the router, and when you roam, tailscale routes your DNS to your pihole.
If you're travelling overseas though, it makes sense to reconfigure tailscale to use NextDNS directly so it's faster.
Mainly because you can set it to hand out a configured TTL. I set it to provide a min value of 2400 (40 mins) so the frequency of queries reduces and most other queries from across the LAN get answered locally from the pihole cache.
You shouldn’t trust your upstream provider if you use a major ISP. Most collect data not only from their own DNS servers but also unencrypted traffic over port 53 and then sell that data.
Using NextDNS allows you to use encrypted DNS upstream (supported out of the box with AdGuardHome, unlike pi-hole), meaning your ISP can't as easily snoop on you. Of course, they still may be monitoring the hosts you connect to and the non-encrypted SNI requests, but that's a lot more effort and most of the major US ISPs don't do that at scale. DNS snooping does almost as well and is way easier.
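The setup above only protects you if every LAN device actually sends its queries to the pihole; a device with a hardcoded public resolver still leaks plaintext port-53 DNS to the ISP. This is an added example, not code from any commenter, that scans firewall-style log lines for such bypasses; the Pi-hole address, the subnet and the log lines are assumed/constructed.

```python
"""Flag LAN clients that bypass the Pi-hole by sending plaintext DNS (port 53)
straight to an outside resolver. Input is constructed router log text."""
import re
from collections import Counter

PIHOLE_IP = "192.168.1.2"   # assumed Pi-hole address handed out by the router's DHCP
LAN_PREFIX = "192.168.1."   # assumed home subnet

# Constructed sample of router/firewall log lines (not real traffic).
# 203.0.113.53 stands in for a hardcoded public resolver, 203.0.113.10 for
# the Pi-hole's encrypted upstream (NextDNS over DoH on 443).
SAMPLE_LOG = """\
SRC=192.168.1.20 DST=192.168.1.2 PROTO=UDP SPT=51234 DPT=53
SRC=192.168.1.21 DST=203.0.113.53 PROTO=UDP SPT=40001 DPT=53
SRC=192.168.1.21 DST=203.0.113.53 PROTO=UDP SPT=40002 DPT=53
SRC=192.168.1.2 DST=203.0.113.10 PROTO=TCP SPT=44444 DPT=443
SRC=192.168.1.30 DST=192.168.1.2 PROTO=TCP SPT=50000 DPT=53
SRC=192.168.1.31 DST=203.0.113.53 PROTO=TCP SPT=50001 DPT=853
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")


def find_dns_bypass(log_text, pihole_ip=PIHOLE_IP, lan_prefix=LAN_PREFIX):
    """Return {client_ip: Counter({dst_ip: n})} for LAN clients whose
    port-53 traffic goes anywhere other than the Pi-hole.

    Flows to the Pi-hole itself, flows originating from the Pi-hole (its
    own upstream lookups) and encrypted DNS (853/443) are not flagged."""
    bypass = {}
    for match in LINE_RE.finditer(log_text):
        src, dst, _proto, _spt, dpt = match.groups()
        if dpt != "53" or not src.startswith(lan_prefix):
            continue
        if src == pihole_ip or dst == pihole_ip:
            continue  # expected path: client -> Pi-hole, or Pi-hole -> upstream
        bypass.setdefault(src, Counter())[dst] += 1
    return bypass


if __name__ == "__main__":
    for client, dests in find_dns_bypass(SAMPLE_LOG).items():
        for dest, count in dests.items():
            print(f"{client} sent {count} plaintext DNS queries to {dest}, bypassing the pihole")
```

Any client listed is a candidate for a router rule that redirects or blocks outbound port 53 to anything but the pihole.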
ISP is a paid and contracted service. NextDNS is free (300k queries/month) and Tailscale too. Who do you think is most likely to sell your data to make business?