Exclude certain LAN addresses from filtering

After reading this topic I found a way to use your local unbound instance to provide unfiltered DNS services, you can find it here. This will let you regain a bit of privacy (read here).
You still need to configure DHCP to use a different resolver (explained by @deathbybandaid here), but you will no longer use external DNS resolvers (if configured like this in unbound).
The topic also provides an alternative method to disable Pi-hole temporarily (for a single user, on Windows).

This is the setup I'm using, by having dnsmasq DHCP provide a different DNS server to different hosts. I'm now adding a Windows Active Directory server. All the hosts that will be joining AD must point the DNS server at the AD DNS server or AD doesn't work. Now, Windows DNS must forward to somewhere and it can't do selective forwarding based on client.

Pihole needs to have the capability to exclude clients from filtering in order to integrate well with Windows AD -- to be able to exclude certain hosts from filtering.

Can you use Pi-Hole as the upstream server for the Windows DNS? For all AD clients, since it appears that the only clients mapped to the Windows DNS are not mapped to Pi-Hole.

Conditionally forward your AD clients from the Pi-hole to the AD DNS server.

I would still like to see this feature added.

A simple 'whitelist' by local IP or MAC that allows DNS requests from those machines to bypass the PiHole filtering and just forward all requests / answer from cache.

I'm not using the DHCP of PiHole so the DHCP solution does not work for me.

2 Likes

If you have a MikroTik router, or any other router with the same capabilities, you could use a whitelisting rule for your IP addresses. I created some automated commands for my MikroTik which allows users to bypass filtering on the fly by visiting a specific URL.

I posted it here: Temporary bypass by IP address

We are actively working on this feature:

As this involves a large redesign of the DNS-level blocking algorithms, it will not make it into Pi-hole v5.0 where the beta testing phase is about to start soon.

3 Likes

@DL6ER any eta on beta? :+1:

As you're asking in this thread: The v5.0 beta will not contain the mentioned feature. The code is still somewhat in motion and I don't expect it to converge until maybe the end of the year (this is no ETA).

We are basically ready for v5.0 and just waiting for the entire team to agree (this is no ETA, either).

1 Like

Oh wow this is huge :slight_smile: keep up the good work. Was just wondering if it were possible to have this as some google.com requests, for example, should be block listed on some of my devices

Ah thanks, I'm ready to test :wink:

Thank you for this thread. Please can I have some further info?

I am running Pi-hole version v4.3.2 (FTL v4.3.1). I was wondering if the 04-bypass.conf still works with this version? I understand there is no dnsmasq service?

Basically, I have a device, and I just want to send it to a Google DNS, rather than using the PiHole. I am unable to manually configure the device (IPCam).

Therefore, in the config file, do I just need two lines:

dhcp-option=tag:googlesdns1,6,8.8.8.8
dhcp-host=F0:XX:XX:XX:XX,set:googlesdns1

Then run:
sudo service pihole-FTL restart

Thank you in advance

Yes it does. Dnsmasq is embedded in pihole-FTL and all dnsmasq configurations work as before.

1 Like

One issue I had with setting specific dnsmasq conf files is described in this thread: Bypassing / Excluding IP address from Pi-Hole not working - #6 by Bucking_Horn
Hope this feature fixes that.

However, I would like to point out an improvement to this feature, which is the ability to select specific blacklists - instead of a global, have different sets of blacklists that can be applied to a certain client.

Example (blacklists sets)
IT Person: spam, tracking, shopping
Grandpa: spam, tracking, suspicious
Kids: spam, tracking, suspicious, shopping, parental, social media

Since the feature request in this thread is a dependency for such an improvement, I could submit a new one? Either way, I believe the above can be taken into consideration during implementation.

Thanks and keep up with the good work.

I believe this feature request has been submitted and evaluated. See below. If it is not the same as the feature you request, then please open a new feature request.

Thanks for the prompt response. Yes, it is the same, and I do see the evaluation.
If the HA feature is implemented, this could possibly be achieved by having multiple servers with different sets of blacklists. Will see.

A post was split to a new topic: Identifying colors for group management

Seems like lots of people are asking for a workaround and I didn't seem to find a proper solution so I'll post it here for those that don't want to switch to v5 beta yet. This only works if your Pi-Hole is the DHCP-server.

First of all there's no need to add custom files as said previously. We only need to edit one file:

sudo nano /etc/dnsmasq.d/04-pihole-static-dhcp.conf

dhcp-host=MAC,IP,NAME,set:DNS-NAME
dhcp-option=tag:DNS-NAME,6,DNS-IP

Where:

MAC = "xx:xx:xx:xx:xx:xx"
IP = "x.x.x.x" (Static assignment)
NAME = "hostname" or whatever name you prefer
DNS-NAME = "name of your DNS-server"
DNS-IP = "x.x.x.x"

Example:

dhcp-host=AA:AA:AA:AA:AA:AA,192.168.0.200,AppleTV,set:Quad9
dhcp-option=tag:Quad9,6,9.9.9.9

Restart Pi-Hole Service:
sudo service pihole-FTL restart

Check Logging for static assignment:
tail -f /var/log/pihole.log | grep DHCP

/etc/dnsmasq.d/04-pihole-static-dhcp.conf is a file under Pi-hole sovereignty

This may only work until you update, repair or reconfigure Pi-hole.
Changes may be overwritten without notice.

1 Like
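
An added example (not written by any poster in this thread and not Pi-hole code): a small audit for the tag-based workaround above and for the two-line variant asked about earlier. It lists which MAC addresses are handed a resolver other than the Pi-hole and flags entries that look incomplete. The function name, the sample lines and the checks are assumptions made for illustration.

```python
import re

# Six colon-separated octets; dnsmasq also accepts "*" as a wildcard octet.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}|\*)(?::(?:[0-9A-Fa-f]{2}|\*)){5}$")
MAC_LIKE = re.compile(r"^[0-9A-Za-z*]{1,2}(?::[0-9A-Za-z*]{1,2})+$")

# Constructed sample, modelled on the dhcp-host / dhcp-option pairs in this thread.
SAMPLE_CONF = """\
dhcp-host=AA:AA:AA:AA:AA:AA,192.168.0.200,AppleTV,set:Quad9
dhcp-option=tag:Quad9,6,9.9.9.9
dhcp-host=F0:11:22:33:44,set:googlesdns1   # constructed: only five octets
dhcp-option=tag:googlesdns1,6,8.8.8.8
dhcp-host=BB:BB:BB:BB:BB:BB,192.168.0.201,Printer,set:nodns
"""

def audit_dns_overrides(conf_text):
    """Return ({mac: (tag, [dns, ...])}, [problem, ...]) for single-tag overrides."""
    tag_dns, hosts, problems = {}, [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        key, _, value = raw.split("#", 1)[0].strip().partition("=")
        fields = [f.strip() for f in value.split(",") if f.strip()]
        if key == "dhcp-option":
            tags = [f[4:] for f in fields if f.startswith("tag:")]
            rest = [f for f in fields if not f.startswith("tag:")]
            # Option 6 (also spelled option:dns-server) is the resolver list
            # handed to the client; only the one-tag form is handled here.
            if len(tags) == 1 and rest and rest[0] in ("6", "option:dns-server"):
                tag_dns[tags[0]] = rest[1:]
        elif key == "dhcp-host":
            tags = [f[4:] for f in fields if f.startswith("set:")]
            macs = [f for f in fields if MAC_LIKE.match(f)]
            for mac in macs:
                if not MAC_RE.match(mac):
                    problems.append(f"line {lineno}: {mac} is not a six-octet MAC")
            hosts += [(lineno, m.upper(), t) for m in macs if MAC_RE.match(m) for t in tags]
    overrides = {}
    for lineno, mac, tag in hosts:
        if tag in tag_dns:
            overrides[mac] = (tag, tag_dns[tag])
        else:
            problems.append(f"line {lineno}: tag {tag} has no dhcp-option 6")
    return overrides, problems

if __name__ == "__main__":
    found, issues = audit_dns_overrides(SAMPLE_CONF)
    for mac, (tag, dns) in found.items():
        print(f"{mac} bypasses the filter via tag {tag}: DNS {', '.join(dns)}")
    for issue in issues:
        print("WARN", issue)
```

Running it against the combined contents of /etc/dnsmasq.d/ after an update or repair shows whether the overrides are still present and which clients are currently exempt from filtering.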

Implemented in Pi-hole v5.0 via Group management.

1 Like