Conditional upstream DNS servers

Hi all. I use pi-hole in my LAN in a dedicated Raspberry Pi box running as the DHCP server. Yesterday I was setting up a new PC for my kids and I wanted to add a family filter to it. I've decided to use the Family Filter DNS servers from cleanbrowsing.org. However, by setting their PC to use the DNS addresses from cleanbrowsing.org, the ad-blocking feature from the pi-hole becomes unavailable for it. It also has the disadvantage of me not being able to track what they are browsing via pi-hole, since their PC wouldn't be using it.

I realize I can use cleanbrowsing.org's DNSes as upstream DNS servers in the pi-hole. However, this would make the family filter apply to the entire network, which is not desirable.

So my question is: is there a way to apply certain upstream DNS servers only to specific devices in the LAN? This way all devices would benefit from the pi-hole services, but certain devices in the network get alternative upstream DNS servers.

Thank you!

No, not currently.

Thanks for the reply Dan. Bummer. You said not currently, so is this in the roadmap for future development?

Choose one to vote for:

Allow different DNS for each group - Pihole
Choose different DNS provider for each interface - Pihole
Different resolver DNS option by client - Pihole
Per mac address DNS forward - Pihole
Use separate DNS for particular list of domains - Pihole

The only choice that would allow you to use a different DNS server and still see requests logged in Pi-hole would be to set up a second Pi-hole machine in your network.
If you are familiar with Docker already, you could set up a second Pi-hole in a Docker container, preferably as macvlan. Alternatively, adding a Zero to your network would work much in the same way as you've added the first.

Keep in mind that using DNS as your sole way of parental control isn't sufficient once and if your kids are intent on by-passing it.

Both approaches may involve manual changes to your kids' machines' DNS settings, which may as easily be reverted once your kids know how to do that.
In fact, that's how they could circumvent Pi-hole anyhow.
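
The second-instance setup suggested in the post above, sketched as a Docker Compose file (an added example, not part of the original thread and not the Pi-hole project's own configuration). The service name, LAN subnet, addresses and `eth0` parent interface are assumptions; the upstream variable shown is the one used by Pi-hole v6 images, and the CleanBrowsing Family Filter addresses should be confirmed on cleanbrowsing.org.

```yaml
# docker-compose.yml: second Pi-hole on the same Raspberry Pi, attached via macvlan.
# macvlan gives the container its own LAN address, so its port 53 does not
# collide with the Pi-hole already running natively on the host.
services:
  pihole-family:                      # hypothetical service name
    image: pihole/pihole:latest
    hostname: pihole-family
    environment:
      TZ: "Etc/UTC"
      # Pi-hole v6 images; v5 images use PIHOLE_DNS_ with the same value format.
      # Upstreams: CleanBrowsing Family Filter (verify on cleanbrowsing.org).
      FTLCONF_dns_upstreams: "185.228.168.168;185.228.169.168"
    volumes:
      - ./etc-pihole-family:/etc/pihole   # keep settings and query log across restarts
    networks:
      lan:
        # Assumed free static address, outside the DHCP pool like the first Pi-hole.
        ipv4_address: 192.168.1.3
    restart: unless-stopped

networks:
  lan:
    driver: macvlan
    driver_opts:
      parent: eth0                    # assumed name of the Pi's wired interface
    ipam:
      config:
        - subnet: 192.168.1.0/24      # assumed LAN subnet
          gateway: 192.168.1.1        # assumed router address

# Caveats:
# - With macvlan, the Docker host itself cannot reach the container's address by
#   default; other LAN devices can. Manage this instance from another machine.
# - If the router only allows outbound DNS from the first Pi-hole's address,
#   192.168.1.3 needs the same exception or its upstream lookups will fail.
# - Do not enable DHCP in this instance; the first Pi-hole stays the DHCP server.
```

Only devices whose DNS setting points at 192.168.1.3 get the family filter, and their queries show up in this instance's query log. Everything else keeps using the original Pi-hole and its upstreams.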

Thanks yubiuser, I'll be taking a look!

Bucking_Horn, I much appreciate the tips. It's a bummer that I'd have to run another instance of pi-hole to accomplish that, but I think that's the best option for now. I've heard of Docker, but I don't have any experience with it. Would it be possible to run it in the same box where I currently have pi-hole running natively?

As for preventing the kids from bypassing the filter, I have set up my router to block DNS requests from all DHCP assigned addresses. Since the pi-hole box uses a static IP outside of the DHCP pool, only it can make DNS requests external to the LAN. I understand this is still not foolproof, but I'm pretty confident it's a major blocker for them. It also prevents other devices in the network from bypassing the default DNS settings and making DNS requests directly (like my smart TV likes to do).

Good idea, but one day they will discover mobile data....

Yes, but since you've no experience with Docker, I'd recommend you carefully weigh your options.

Running a container may be comparatively easy once you know how that works, but the networking part is trickier than setting up bare metal, especially if you haven't touched networking before.
Setting this up in a way it doesn't conflict with your original Pi-hole adds to complexity, which is why I suggested you should be already familiar with Docker at least. It's also an uncommon setup, so quite likely, there won't be any ready-made tutorials for this.
Expect to invest a good amount of hours before you get that right.
If you are seeing this as a learning opportunity, go ahead.

If you are after a working solution without too many hassles, some 20 euros will buy you a Zero including SD card and PSU that you can set up just like your existing Pi-hole.

Absolutely. Running pi-hole in Docker with my existing hardware sounds like a challenge to me, and I'm willing to try it out before I consider other options. I have dumped the image of my current SD card as a backup so that if I mess it up, I can easily restore the current setup. So I think the worst that can happen is I learn something new. :)

Again thanks for the wealth of tips Bucking_Horn, it is much appreciated!

Lol, good point. But luckily this PC doesn't have any mobile data and I'll worry about that when it comes to it.

Just for the kids?
Why not for everyone?
Why not set a time lock on Windows?
Lock the computer after max 2 hours computer time.
Good for everyone's health.

Honestly I wish I could, but no can do when working remotely...
