Block certain sites

Dear pi-Hole team,

I’ve been looking into pi-Hole and love it so far, even told a friend of mine about it and got him excited as well. But then he asked me if he could protect his kids from certain sites or subpages and I had to disappoint him. Would be brilliant if pi-Hole could do this for the entire network so he does not have to do this on every device.
He would for instance like to block “- YouTube, but not the entire youtube domain.

Request: Block a domain of subpages on the network.

Kind regards,
Matt

To filter specific URLs you would need a transparent proxy server like Squid. Pi-Hole is a DNS resolver that blocks whole domains and sub-domains.

This is exactly right, but see below...

If Pi-hole was solely a DNS server, then this would be correct. However, Pi-hole also includes a Web server, which can actually handle the URLs. Here is an example that I have been experimenting with assuming adserver-us.adtech.advertising.com is a blocked domain.

By default, if you curl -I this domain, you get a response like this:

HTTP/1.1 200 OK
X-Pi-hole: A black hole for Internet advertisements.
Content-type: text/html; charset=UTF-8
Date: Sun, 12 Feb 2017 21:30:14 GMT
Server: lighttpd/1.4.35

And if you go directly to this domain, you will end up at the Pi-hole block page, which is the expected behavior.

If you go to a specific URL of that domain such as adserver-us.adtech.advertising.com/pubapi/3.0/10126.1/3891134/0/0/ADTECH;v=2;cmd=bid;cors=yes;alias=300c;misc=08098983434, you get the same results.

Now if you add the following to lighttpd.conf:

$HTTP["url"] =~ "^(/pubapi/).*" {
        url.redirect = ( "(.*)"  => "192.168.1.200"   )
}

If you curl just the domain again, you get the expected result, but if you curl a full URL of the domain, you get this:

HTTP/1.1 301 Moved Permanently
Location: 192.168.1.100
Date: Sun, 12 Feb 2017 21:58:18 GMT
Server: lighttpd/1.4.35

This shows that the redirect directive is working on the URL level and not the domain level. It would be difficult to make a rule for every part of a URL or domain and to get it to go to the right place...but like I said, I have just been experimenting with it.

So this request is out of scope for now, if not impossible.

2 Likes

Also, it would require that the domain be blocked so that the request is forwarded to the Pi-hole's web server.

1 Like
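
Added example (not part of the thread and not Pi-hole code): a small model of the two-stage decision the posts above describe, where the DNS stage sees only the hostname and a path rule can only fire for a domain that is already blocked. The domain and the `^(/pubapi/).*` pattern are taken from the thread; the function names, the exact-match blocklist lookup and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample data. The domain and the path pattern are the ones quoted
# in the thread; the exact-match lookup is a simplification of a DNS blocklist.
BLOCKED_DOMAINS = {"adserver-us.adtech.advertising.com"}
PATH_RULES = [re.compile(r"^(/pubapi/).*")]


def dns_stage(hostname):
    """The resolver only ever sees the hostname, never the path."""
    name = hostname.lower().rstrip(".")
    return "sinkholed" if name in BLOCKED_DOMAINS else "resolved-upstream"


def web_stage(path):
    """What the local web server can decide once a request reaches it."""
    if any(rule.search(path) for rule in PATH_RULES):
        return "path-rule"
    return "block-page"


def classify(url):
    """Return (dns_result, web_result). web_result is None when the name
    resolves upstream, because the request then goes to the real server and
    the local web server never sees the URL."""
    parts = urlsplit(url)
    dns_result = dns_stage(parts.hostname or "")
    if dns_result == "resolved-upstream":
        return dns_result, None
    return dns_result, web_stage(parts.path or "/")


if __name__ == "__main__":
    samples = [  # constructed URLs
        "http://adserver-us.adtech.advertising.com/",
        "http://adserver-us.adtech.advertising.com/pubapi/3.0/10126.1/3891134/0/0/ADTECH;v=2;cmd=bid",
        "http://www.youtube.com/pubapi/anything",
    ]
    for url in samples:
        print(classify(url), url)
```

The third sample shows the limit raised in the thread: a path rule has no effect on a domain that is not on the blocklist, so blocking one section of a site this way would first require sinkholing the whole domain.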

I have seen this used in a dns blocker package in pfsense, that reveals in its log page, the url part of the blocked request, which imho is a privacy concern. I use Pi-Hole for its simplicity - it is a lean, mean machine so to speak. It has made my internet noticeably faster.

You can also disable lighttpd's access log if you're concerned about privacy, because that logs all server access including blocked pages.

Yeah, you would almost need a second Pi-hole to just forward it upstream. But again, it's totally experimental and theoretical--just fun to think about.