A self-hosted DNS filtering setup built on Docker Engine with host networking for per-device query visibility, Tailscale peer routing for tailnet-wide filtering, and internal HTTPS through Nginx Proxy Manager backed by a private Root CA.