General question on Groupmanagement

Hi All,

one general question:

on Groupmanagement I can create groups and add devices
But that’s it.

So what is the purpose of this feature?

Thanks
Markus

Per user blacklist/domain, or per group.

http://pi.hole/admin/groups-domains.php
http://pi.hole/admin/groups-adlists.php

See also

https://deploy-preview-201--pihole-docs.netlify.com/database/gravity/example/

2 Likes

Can someone confirm my understand of groups?

Without reading the instructions (as you do), I created a new group, added my machine to it (and removed my machine from unassigned) then tried toggling it off and on to no effect. No ads being blocked… After then reading the instructions I now understand this is how it is supposed to work since my newly created group had no rules associated and not being part of Unassociated meant nothing got blocked.

So clients can be members of multiple groups, but groups seem to be about groups of block lists/whitelists/blacklists rather than groups of users.

You create groups of block lists for example using lists for porn or gambling, then add the kids devices to those groups. This would allow you to turn those groups of blocks on/off for all clients associated with those groups. Great.

If I wanted to have devices that had no blocks, creating a new group then adding clients to that group (and removing them from Unassociated) would acheive this. Awesome.

But if I wanted to temporarily add a user to no blocks the only way to do this is to find the user and manually remove them from Unassociated, then manually add them back?
Am I the only one who would want to temporarily disable blocking for a given device?

Previously I would just use the disable for xx minutes, but that would turn pihole off for all devices. If this concept was extended to individual clients it would be great.

Following that line, if there was an ability to hit a particular URL for example http://pi.hole/admin/temp-disable.php which would allow clients (without authentication) to automatically invoke a temporary disable for xx minutes (assuming PiHole can detect the incoming IP).
This would then mean I could save that URL on my wifes iPad and Desktop allowing her to hit that link and enable ads again if something isn’t working that should be. It would also mean I didn’t have to give everyone full admin access to the Pi to turn thins off when they need to.

(Yes I know users can manually update their DNS, but explaing that to users is harder than saying ‘log in here and press disable for 10 minutes’).

:+1:

:+1:

:+1:

It would even be sufficient to remove said clients from the unassociated group. No need to add them to an empty group, however, it may be clearer to add them to a group called no-blocking for the sake of documentation.

Yes. It would be complicated to add a GUI element for this, how should we do it without overloading what we already have? However, what you wrote is exactly what has to be done.

Following our examples, you could easily make a script which would allow you to do this with a single-click:

  1. Remove device from unassociated group
  2. Call pihole restartdns reload-lists
  3. Sleep X seconds
  4. Add device from unassociated group
  5. Call pihole restartdns reload-lists

This seems to be a security hole. Advertisement providers are well aware of Pi-hole by now, some even implement specific checks for DNS based blocking into their adblocking-detectors. Once, we even found a comment in the Javascript code of an adblock-detecting script of a well-known newspaper containing a comment like “detect Pi-hole”.

If we would add this, may it be without or even with some basic authentication, this will be abused to sneak ads through. I think it’s safe to assume that this is more than a theoretical threat.

I see what you’re aiming at, however, the current disable/enable works only with authentication and CORS, X-XSS, and other protection measures. A simple link on a device cannot satisfy the same requirements, at first glance.

An idea could be to create a private secret that is only known to the devices but not a foreign website trying to disable adblocking locally. It may be tractable, however, surely not anymore for v5.0 which we hope to get through the door rather sooner than later.

Thanks for taking the time for such a detailed reply, it is appreciated.

To keep it clear in my head I have created a group called Unblocked and have a handfull of configured clients so when I need to turn off block for those I just add/remove them from the Unassigned group. It also makes it nice a easy to see who is blocked and who is not. I probably need to conceed that it’s a pretty narrow use case for people to be temporarily on/off the blocking.

As it turns out, the solution for my Wife has been to disconnect her iPad from the WiFi and fall back to cellular data when she wants ads (usually for some god awful iOS game she’s playing). Turning it back on hasn’t been an issue because the amount of ads that do come through are enough to remind her to re-connect to the WiFi for that sweet sweet Pi-Hole goodness.