Do individual devices require configuration with Pihole+Unbound?

marce1 · February 26, 2025, 10:53pm

I have had Pihole and Unbound installed for years but am wondering if its blocking everything it should.

For example, Safari browser has its own DNS and therefore bypasses Pihole (right?) If this is correct then gaming devices or smart TVs, maybe even regular operating systems do the same.

So, my question is - are there configurations that need to be made outside of the Pihole for device queries to be blocked entirely?

Ladrien · February 27, 2025, 12:09am

So, my question is - are there configurations that need to be made outside of the Pihole for device queries to be blocked entirely?

Yes.

On your router's firewall, you will need to block outbound port 53 and 853 for all devices except your router & pihole. If your network is both IPv4 & IPv6, you will need to do this for both firewalls.
You will also need to block DNS over HTTPS, as this traffic does not use port 53. Consider implementing this blocklist into your pi-hole. If your firewall supports IP address lists/blocking, I would suggest adding the IP list into the firewall, to prevent hard-coded IPs in devices still using DoH.
Consider enabling the special domain blocking for iCloud relay and Firefox's DoH service in pi-hole's config.

jfb · February 27, 2025, 5:08am

Maybe. If you have iCloud Private Relay enabled, then Safari uses a DNS server other than Pi-hole.

By default, Pi-hole blocks iCloud Private Relay. From file /etc/pihole/pihole.toml:

# Should Pi-hole always replies with NXDOMAIN to A and AAAA queries of mask.icloud.com
# and mask-h2.icloud.com to disable Apple's iCloud Private Relay to prevent Apple
# devices from bypassing Pi-hole? This is following the recommendation on
# https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay
iCloudPrivateRelay = true

system · March 20, 2025, 5:09am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.