DNS configuration for wildcard whitelisting

I have a unique situation where I have a dedicated Pi-hole instance acting as DNS for an open-wifi (no security) captive portal. The desire is to have users (customers) easily connect and use the Pi-hole instance to ONLY access resources which resolve from 3 domains (and their subdomains). The intent is to have only DNS resolution for content referenced in the 3 *.xxx.com domains which use Akamai (lots of edge proxy IPs) which are resolved from the 3 *.xxx.com domains. Any other DNS requests would be resolved to bogus IP(s).

I came upon the whitelist DNS topic trying to figure out how to do this. Anyone have a better idea for this use case?

Sorry to reply to my own post, but I reverted to messing about with dnsmasq again.

I can get dnsmasq to do exactly what I want with a config like this:

# never forward names without a dot, or private reverse lookups
domain-needed
bogus-priv
# ignore /etc/hosts and /etc/resolv.conf; only the server= lines below are used
no-hosts
no-resolve
# allowed domains (and their subdomains) are forwarded upstream
server=/xxx.com/8.8.8.8
server=/yyy.com/8.8.8.8
server=/zzz.com/8.8.8.8
# everything else is answered locally with 0.0.0.0
address=/#/0.0.0.0

So I have 'a solution'. Should I just run a dnsmasq instance on a different interface than pi-hole and call this done (I still need pi-hole for other users)? Is there a smarter way?
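As an added example (not from this thread, and not Pi-hole or dnsmasq code), a small Python model of the matching rules the config above relies on: the longest matching domain wins, `#` is the catch-all, and a match must sit on a label boundary. It generalises the config to several `server=` lines per domain and a pinned `address=` line; the tie-breaking rule, the `search.example.com` host and the 203.0.113.10 address are assumptions/placeholders.

```python
# Constructed example (not Pi-hole or dnsmasq code): models how dnsmasq picks a
# rule for a query name, so a whitelist config can be sanity-checked offline.
# Assumptions: a '#' comment only starts a line; longest matching domain wins;
# '#' is the catch-all with lowest priority; on a tie address= beats server=.
def parse_config(text):
    """Return ({domain: [upstreams]}, {domain: ip}) from server=/address= lines."""
    servers, addresses = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # flag options (domain-needed, no-resolve, ...) don't affect matching
        key, value = line.split("=", 1)
        parts = value.split("/")
        if key == "server" and len(parts) == 3:
            servers.setdefault(parts[1].lower(), []).append(parts[2])
        elif key == "address" and len(parts) == 3:
            addresses[parts[1].lower()] = parts[2]
    return servers, addresses

def decide(name, servers, addresses):
    """Return ('forward', upstreams) or ('local', ip) for a query name."""
    name = name.rstrip(".").lower()
    def matches(domain):  # label-boundary suffix match, so evilxxx.com is not xxx.com
        return domain == "#" or name == domain or name.endswith("." + domain)
    best = None  # (specificity, action, payload)
    for domain, upstreams in servers.items():
        if matches(domain):
            cand = (0 if domain == "#" else len(domain), "forward", list(upstreams))
            if best is None or cand[0] > best[0]:
                best = cand
    for domain, ip in addresses.items():
        if matches(domain):
            cand = (0 if domain == "#" else len(domain), "local", ip)
            if best is None or cand[0] >= best[0]:
                best = cand
    return ("unresolved", None) if best is None else best[1:]

# Constructed config: the thread's allow-list with one redundant upstream,
# a pinned host standing in for the safe-search lines, and the catch-all.
CONFIG = """
no-resolve
server=/xxx.com/8.8.8.8
server=/xxx.com/8.8.4.4
server=/yyy.com/8.8.8.8
server=/zzz.com/8.8.8.8
# 203.0.113.10 is a documentation-range placeholder, not a real service
address=/search.example.com/203.0.113.10
address=/#/0.0.0.0
"""
SERVERS, ADDRESSES = parse_config(CONFIG)
```

Running `decide()` over the names your captive-portal clients actually ask for is a quick way to spot a look-alike domain slipping past the allow-list before the config goes live.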

The next major release of Pi-hole will support regex whitelisting, which would support this use case.

However, if you know the exact domains which you want to allow, you could add a blacklisting regex of .* and add those specific sites to the whitelist.

Thank you for the response.

After proposing the dual forwarder/resolver solution and showing it working on the same virtual machine on different interfaces (split brain), everyone bought off on it. The environment I'm in can easily support a light VM, but not separate containers yet, so a VM it was! I went ahead and created a custom systemd service for good old-fashioned dnsmasq pointing to an alternative configuration directory to handle the domain whitelisting on the dnsmasq interface.

So far so good. I've had 225 devices querying the dnsmasq instance with 70 server entries (35 allowed domains with redundancy) and 3 address lines (two to enforce safe search and the last one to resolve the rest to 0.0.0.0). The query performance has been decent enough that nobody complained. Seems to work.
