Allow different DNS for each group

In Pi-hole 5, we have groups now. It would be great if one could specify different DNS servers for each group (typically, 1.1.1.3 for kids).

Thank you.

I'm looking for this exact feature! Would save me having to run multiple Pi-holes only for the purpose of selecting upstream DNS!

3 Likes

What is the benefit of being able to use different upstream servers per client? I'm just asking this as it would be a massive work to get this implemented so it should be well-justified.

For my purpose I have kids on a separate VLAN. I use OpenDNS for their VLAN, and Google for the other VLANs.

192.168.100.X = 8.8.8.8
10.0.40.X = OpenDNS
10.0.30.X = 8.8.8.8

As per the original post, it should be configured by "group"

Group A = 192.168.100.0/24 = 8.8.8.8 (default)
Group B = 10.0.40.0/24 = OpenDNS
Group C = 10.0.30.0/24 = 8.8.8.8 (default)

This would be a great addition. At the moment I work around it by having 3 Pis running 🙂

My use-case is

  • I want my kids, known devices via static DHCP (pfSense) assignment, to be on 1.1.1.3
  • I want my personal and wife's devices on 1.1.1.2
  • I want my research devices on 1.1.1.1

I think Groups is a brilliant addition and now needs one more extension in functionality.

Thanks

1 Like

I just want to clarify that this not being available has nothing to do with us not wanting this feature but rather the amount of work (and testing) required here.

We wrap tightly around the embedded DNS server dnsmasq. Client-individual behavior is something we added on top by being able to short-circuit some queries (the blocked ones). All other (non-blocked) queries are just sent back and are all handled as they would be without any Pi-hole intervention.

Concerning which DNS server to use, dnsmasq picks the "best" DNS server (in case you configured more than one) by infrequently sending some queries to all configured DNS servers and then favoring the one that replied fastest.

We could maybe overwrite this favorite server for specific queries but this is just an early idea and I'm not sure yet if there would be any drawbacks.

Another open question is: How could this be added to the existing group management interface? If we add a new page where you can add servers to groups, how would we handle clients that belong to multiple groups and/or multiple DNS servers selected for one and the same group? I wouldn't want to implement a second-level performance-measurement strategy (we cannot reuse the existing one) to determine the "best" DNS server for any individual client. This would slow down Pi-hole quite drastically and cause a lot of traffic.

My current best guess is that, in case of such an unclear configuration, we would pick any of the configured ones without investing any effort into which one to pick (it'll likely be the first one in the database) and just issue a warning on the dashboard that the configuration leads to unintentional behavior.

Use tags for that:

# one DHCP option per tag: clients carrying the tag are told to use this DNS server
# (tag: is the current spelling of the older net: prefix)
dhcp-option=tag:groupa,option:dns-server,8.8.8.8
# dnsmasq needs an IP address here; the OpenDNS resolver address replaces the "OpenDNS" placeholder
dhcp-option=tag:groupb,option:dns-server,208.67.222.222
dhcp-option=tag:groupc,option:dns-server,8.8.8.8

# attach a tag to each client by MAC address (xx:xx:... are placeholders); the hostname is optional
dhcp-host=xx:xx:xx:xx:xx:xx,set:groupa,SomeUser
dhcp-host=xx:xx:xx:xx:xx:xx,set:groupb,SomeUser
dhcp-host=xx:xx:xx:xx:xx:xx,set:groupc,SomeUser

This may not be what this feature request is requesting, but we should clarify it:
What @Tntdruid suggests is Pi-hole acting as DHCP server telling some clients to use a specific DNS server instead of the Pi-hole. I understood this feature request rather as every client should still use the Pi-hole, but then we should ask different upstream servers on behalf of the clients.

But this nicely highlights one additional problem: Cache. Assume a parent's device asked for baddomain.com and received the correct answer. This answer will then be added to the DNS cache, and when the kid's device asks for the same domain, it will immediately get the cached answer instead of forwarding it another time. This is because dnsmasq's cache is entirely unaware of what the source of the query was (why should it be). Such a configuration could only work if you disable caching altogether. This is clearly a showstopper for this feature.

2 Likes

Another use case for this is media streaming devices like Roku and Fire TV. I use cleanbrowsing.org as my upstream DNS and I routinely have to go through the query log and whitelist streaming sites as they change over time. It would be so much easier to allow my media streamers to use 1.1.1.1. I would statically set the DNS servers on my media streamers, but most of them don't allow it.

If you use Pi-hole as the DHCP server, this can be done with a dnsmasq configuration.

2 Likes
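The DHCP-based workaround discussed in this thread, as an added example that is not part of any post here or of Pi-hole itself: a small generator that turns a per-group policy (constructed, with made-up MAC addresses) into dnsmasq `dhcp-option`/`dhcp-host` lines, and that refuses non-IP server values and clients listed in more than one group, the ambiguity raised above.

```python
import ipaddress
from collections import defaultdict

# Constructed sample policy: group -> upstream resolver and client MACs.
# The MAC addresses are placeholders; the resolver IPs are public resolvers.
GROUPS = {
    "kids":     {"dns": "1.1.1.3", "clients": ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"]},
    "parents":  {"dns": "1.1.1.2", "clients": ["aa:bb:cc:00:00:03"]},
    "research": {"dns": "1.1.1.1", "clients": ["aa:bb:cc:00:00:04"]},
}


def validate(groups):
    """Return a list of problems found in the policy.

    Two things are checked: every 'dns' value must be an IP address, because
    dnsmasq's option:dns-server takes addresses, not names like "OpenDNS"; and
    no client may appear in more than one group, since it would then carry
    several tags and match several conflicting dhcp-option lines. Conflicts
    are reported, not silently resolved by picking the first group.
    """
    problems = []
    seen = defaultdict(list)
    for name, cfg in groups.items():
        try:
            ipaddress.ip_address(cfg["dns"])
        except ValueError:
            problems.append(f"group {name}: dns-server {cfg['dns']!r} is not an IP address")
        for mac in cfg["clients"]:
            seen[mac.lower()].append(name)
    for mac, names in seen.items():
        if len(names) > 1:
            problems.append(f"client {mac} is in several groups: {', '.join(names)}")
    return problems


def render(groups):
    """Render dnsmasq lines: one dhcp-option per tag, one dhcp-host per client."""
    lines = [f"dhcp-option=tag:{name},option:dns-server,{cfg['dns']}"
             for name, cfg in groups.items()]
    for name, cfg in groups.items():
        for mac in cfg["clients"]:
            lines.append(f"dhcp-host={mac.lower()},set:{name}")
    return lines


if __name__ == "__main__":
    errors = validate(GROUPS)
    print("\n".join(errors if errors else render(GROUPS)))
```

Write the rendered lines to a file under the dnsmasq configuration directory Pi-hole reads on the host, then restart the DNS service so the tags take effect.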