Hello, I have returned after a long time, which means that I have had no issues with Pi-hole. I want to redo my Pi-hole setup to be more effective. I would like to block the entire internet and then manually whitelist the sites I need/use.
I have no experience with regex, but if I added the below to my blacklist, would this block everything?
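As an added illustration (written for this page, not code from the thread or from the Pi-hole project), the Python below models how Pi-hole decides a query under a "block everything, then whitelist" setup. The regex the post refers to is not shown, so a catch-all `.*` is used here as an assumption. The decision order (any whitelist hit wins, exact entries match the whole name only, regex entries use Pi-hole's documented `(\.|^)example\.com$` idiom to cover a domain and its subdomains) follows Pi-hole's documentation at the time of writing; confirm it against your version. All domain names in the lists are assumptions chosen to match the thread.

```python
import re

# Assumed catch-all regex blacklist; the post's own regex is not shown.
REGEX_BLACKLIST = [re.compile(r".*")]

# Exact whitelist entries match the whole name only: "realvnc.com" does
# not cover "www.realvnc.com", so both are listed.
EXACT_WHITELIST = {"realvnc.com", "www.realvnc.com"}

# Regex whitelist in Pi-hole's documented form for a domain plus all of
# its subdomains. The leading (\.|^) keeps "notmicrosoft.com" out.
REGEX_WHITELIST = [
    re.compile(r"(\.|^)microsoft\.com$"),
    re.compile(r"(\.|^)office\.com$"),
    re.compile(r"(\.|^)microsoftonline\.com$"),
]


def classify(domain, exact_allow=EXACT_WHITELIST, regex_allow=REGEX_WHITELIST,
             regex_deny=REGEX_BLACKLIST):
    """Return ("allow"|"block", reason) for one queried name.

    Order assumed from Pi-hole's documentation: whitelist hits win, then
    blacklist hits block, otherwise the query is allowed.
    """
    name = domain.lower().rstrip(".")
    if name in exact_allow:
        return "allow", "exact whitelist"
    if any(r.search(name) for r in regex_allow):
        return "allow", "regex whitelist"
    if any(r.search(name) for r in regex_deny):
        return "block", "regex blacklist"
    return "allow", "no list matched"


def missing_whitelist(domains, **lists):
    """Names from a set of observed queries that would still be blocked."""
    return sorted(d for d in domains if classify(d, **lists)[0] == "block")


if __name__ == "__main__":
    # Constructed sample of names a workstation might query.
    seen = ["realvnc.com", "www.realvnc.com", "teams.microsoft.com",
            "login.microsoftonline.com", "www.google.com", "notmicrosoft.com"]
    for d in seen:
        print(f"{d:30} -> {classify(d)}")
    print("still blocked:", missing_whitelist(seen))
```

The point the model makes visible is that a catch-all regex blocks every name that is not explicitly allowed, including every subdomain you forgot, so the rebuild is really a matter of growing the whitelist from observed queries.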
You can use Tools > Audit Log to identify the most attempted blocked sites and whitelist them from there. That might be a quick way to home in on the sites you need/use the most.
Oh I did not even know about that feature. Thank you so much. I'm in the process of rebuilding the internet (my whitelist) and have been using the queries blocked page.
If I add all the IP addresses of DoH/DNS servers (or whatever they are called) to my firewall blacklist, would that protect my Pi-hole list from being bypassed by DoH?
I assume you mean a real firewall which is managed with rules. If you can block the DoH endpoint, yes, as the DoH client on your network won't be able to connect to it.
But bear in mind that a client could use a different DNS server, either on your network (e.g. an ISP router) or off your network (e.g. a public service such as Google), and they would be able to resolve things that you've blocked in Pi-hole.
Since you have a firewall, though, you could block access to external DNS from any IP other than that of your Pi-hole, so that's the only device that can send DNS to an upstream server.
However, a smartphone can be dropped off the Wi-Fi and onto the cellular data network and have no restrictions, so if it's being used for kids or something like that, bear that in mind too.
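As an added example (written for this page, not from the thread), the Python below applies the policy described above as a detection pass over constructed flow records: only the Pi-hole may talk to external DNS on port 53, port 853 (DNS over TLS) from any client is a bypass, port 443 to a known public resolver is probable DoH, and port 443 to anything else is indistinguishable from ordinary HTTPS, which is the residual gap. The Pi-hole address, the client addresses, the record format and the resolver list are all assumptions.

```python
import ipaddress

PIHOLE = ipaddress.ip_address("192.168.1.10")  # assumed Pi-hole address

# Starter list of public resolvers that also answer DoH on 443. Illustrative
# and incomplete; a real deployment has to maintain its own list.
KNOWN_DOH = {ipaddress.ip_address(a) for a in
             ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")}

# Constructed records in "src,dst,proto,dport" form, standing in for what a
# firewall exports (pfSense logs, conntrack, NetFlow). 203.0.113.10 is a
# documentation address used here as "some ordinary HTTPS site".
SAMPLE_FLOWS = """\
src,dst,proto,dport
192.168.1.10,1.1.1.1,udp,53
192.168.1.50,8.8.8.8,udp,53
192.168.1.50,8.8.8.8,tcp,853
192.168.1.51,1.1.1.1,tcp,443
192.168.1.51,203.0.113.10,tcp,443
192.168.1.52,192.168.1.1,udp,53
192.168.1.52,192.168.1.10,udp,53
"""


def classify_flow(src, dst, proto, dport, pihole=PIHOLE, doh=KNOWN_DOH):
    """Verdict for one flow. proto is carried for reporting only; the
    decision rests on the peers and the destination port."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src == pihole:
        # Pi-hole's own upstream traffic, whatever transport it uses.
        return "ok: Pi-hole upstream"
    if dport == 53:
        if dst == pihole:
            return "ok: client -> Pi-hole"
        # Covers both public resolvers and an ISP router on the LAN.
        return "bypass: plain DNS not via Pi-hole"
    if dport == 853:
        return "bypass: DNS over TLS"
    if dport == 443 and dst in doh:
        return "bypass: probable DoH to a known resolver"
    # 443 to an unlisted endpoint looks like any other HTTPS connection.
    return "allow"


def findings(csv_text, pihole=PIHOLE, doh=KNOWN_DOH):
    """Return (src, dst, proto, dport, verdict) for every bypass flow."""
    out = []
    for line in csv_text.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        src, dst, proto, dport = line.split(",")
        verdict = classify_flow(src, dst, proto, int(dport), pihole, doh)
        if verdict.startswith("bypass"):
            out.append((src, dst, proto, int(dport), verdict))
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_FLOWS):
        print("%s -> %s/%s:%d  %s" % f)
```

The same four checks, written as firewall rules, are: allow 53 from the Pi-hole only, deny 53 and 853 from everything else, deny 443 to the maintained resolver list. Nothing in the ruleset can tell DoH to an unlisted endpoint from a normal web site, which is why the advice above treats endpoint blocking as a layer rather than a guarantee.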
I'm using UFW as a firewall and plan on adding pfSense later on as a network firewall.
Smartphones can be locked down with a good app locker program. I learned by trial and error that multiple layers are necessary to protect a network from bad things. Pi-hole is one piece/layer and I have a few others such as router software, UFW, browser management, etc.
Out of interest do you have some specific use case which makes this block-by-default-then-whitelist approach more suitable?
For a typical home network you're going to be exploring and whitelisting thousands of domains, and that's just related to the things you initiate and know about.
Then there are the domains needed for all the under-the-hood stuff to work properly, such as Apple or Microsoft devices, and you may end up losing data without knowing something is broken (e.g. if a document fails to sync).
I can see how it could be viable if, for example, you had a single device you wanted to restrict, but allow a small amount of specific external access, and had evaluated how the device's services would be affected. The Pi-hole default-block-all approach, enforced with a firewall, might be viable there, hence asking.
I already finished whitelisting the internet for my personal needs. It didn't take too long as I only needed about 20 or so sites. The only thing I couldn't solve was logging into three websites which require www.google.com/recaptcha. But those were not important websites as they are the websites for my cell phone, realvnc.com, and another website which I don't use often.
Tomorrow I will work on my work computer which should be easier and I will refine it as I do all my work related stuff over the next few days. I only use probably about three websites and then MS Outlook, MS Teams, the whole MS suite. We'll see how that goes.
This is mainly for myself. I find the internet to be a massive time waster and just bad overall. I don't think this is limited to myself, as it's not good for most people (my opinion :D).
By the way if you know a way to solve the recaptcha issue I'm having let me know.
Use the tools recommended in this post, "How do I determine what domain an ad is coming from?", to find which domains are being blocked when you load the page using the recaptcha.
Then, try to whitelist these domains until the service works again.
Thank you, I took a look at the above link. I did not know about the terminal command pihole -t. I was using the GUI to take a look at the blocked queries and had to constantly refresh the page. This is much more efficient as it's real-time. Will save a lot of time.
www.google.com is the domain for the recaptcha; I don't think I can get around that. I would rather that website (Google) be blocked than have access to those other three websites.
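As an added example (written for this page, not from the thread or the Pi-hole project), the Python below does the "tail the log while loading the page" step from the exchange above programmatically: it reads pihole.log lines, pairs each block decision with the client that issued the query, and summarises which domains were blocked, how often, by which list, and for which clients. The log lines are constructed, modelled on the Pi-hole v5 dnsmasq format (`query[A] name from client`, then `gravity blocked`, `regex blacklisted` or `exactly blacklisted name is 0.0.0.0`); the addresses, timestamps and pid are assumptions.

```python
import re
import sys
from collections import defaultdict

# Constructed lines in the shape of pihole.log (what `pihole -t` tails).
SAMPLE_LOG = """\
Mar  3 21:14:05 dnsmasq[1234]: query[A] www.google.com from 192.168.1.50
Mar  3 21:14:05 dnsmasq[1234]: regex blacklisted www.google.com is 0.0.0.0
Mar  3 21:14:05 dnsmasq[1234]: query[AAAA] www.google.com from 192.168.1.50
Mar  3 21:14:05 dnsmasq[1234]: regex blacklisted www.google.com is ::
Mar  3 21:14:06 dnsmasq[1234]: query[A] www.gstatic.com from 192.168.1.50
Mar  3 21:14:06 dnsmasq[1234]: regex blacklisted www.gstatic.com is 0.0.0.0
Mar  3 21:14:06 dnsmasq[1234]: query[A] realvnc.com from 192.168.1.50
Mar  3 21:14:06 dnsmasq[1234]: forwarded realvnc.com to 1.1.1.1
Mar  3 21:14:06 dnsmasq[1234]: reply realvnc.com is 203.0.113.7
Mar  3 21:14:07 dnsmasq[1234]: query[A] www.google.com from 192.168.1.51
Mar  3 21:14:07 dnsmasq[1234]: gravity blocked www.google.com is 0.0.0.0
"""

QUERY = re.compile(r"query\[(?P<qtype>[^\]]+)\] (?P<domain>\S+) from (?P<client>\S+)")
BLOCK = re.compile(r"(?P<reason>gravity blocked|regex blacklisted|exactly blacklisted) "
                   r"(?P<domain>\S+) is ")


def blocked_summary(lines, client=None):
    """Map each blocked domain to its count, block reasons and clients.

    The block line does not name the client, so the block is attributed to
    the client of the most recent query line for the same domain. Pass
    client="192.168.1.50" to look at one device only.
    """
    last_client = {}
    summary = defaultdict(lambda: {"count": 0, "reasons": set(), "clients": set()})
    for line in lines:
        m = QUERY.search(line)
        if m:
            last_client[m["domain"]] = m["client"]
            continue
        m = BLOCK.search(line)
        if not m:
            continue
        who = last_client.get(m["domain"], "?")
        if client and who != client:
            continue
        entry = summary[m["domain"]]
        entry["count"] += 1
        entry["reasons"].add(m["reason"])
        entry["clients"].add(who)
    return dict(summary)


def whitelist_command(summary):
    """One `pihole -w` invocation for the blocked names, most frequent first."""
    names = sorted(summary, key=lambda d: -summary[d]["count"])
    return "pihole -w " + " ".join(names) if names else ""


if __name__ == "__main__":
    # Read a piped log tail if there is one, otherwise use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    client = sys.argv[1] if len(sys.argv) > 1 else None
    summary = blocked_summary(source, client)
    for d, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{e['count']:3}  {d:30} {','.join(sorted(e['reasons']))}"
              f"  from {','.join(sorted(e['clients']))}")
    print(whitelist_command(summary))
```

To use it live, pipe the log tail into the script with the device's address as the argument (for example `tail -f /var/log/pihole.log | python3 blocked.py 192.168.1.50`), reload the page that needs the recaptcha, and review the list before pasting the suggested `pihole -w` line; check your version's log path, and strip any colour codes if your `pihole -t` adds them, since the regexes above expect plain lines. The summary also makes the trade-off in the last post concrete: the blocked name behind the recaptcha is www.google.com itself, so there is no narrower entry to whitelist.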