Pi-hole blocks a domain as long as it is contained in at least one of the blocklists that are configured for a client and that domain is not whitelisted for that client.
So a Default group client will only block matching domains if they are contained in one of the Default group blocklists.
But I rather suspect your issue to be related to your facebook RegEx, as that would match anything that ends in facebook, but not e.g. graph.facebook.com or connect.facebook.net, and also not facebook.com-y.ru (which you probably want to stay blocked?).
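As an added illustration of the regex point above (this is not code from the thread or from Pi-hole): the script below runs two hypothetical patterns against the domains named in the reply. The user's actual regex is not shown in the thread, so the "loose" pattern is only an assumption of what "matches anything that ends in facebook" looks like; the "anchored" pattern is the conventional form that matches a domain and its subdomains. Pi-hole applies regex filters to the whole lower-cased domain with POSIX ERE, and Python's re module agrees on these simple constructs.

```python
import re

# Constructed sample domains taken from the thread; facebook.com-y.ru is the
# awkward case, since it starts with the blocked name but ends in .ru.
SAMPLE_DOMAINS = [
    "facebook.com",
    "www.facebook.com",
    "graph.facebook.com",
    "connect.facebook.net",
    "facebook.com-y.ru",
    "notfacebook",
]

# Hypothetical patterns for illustration only; the thread does not show the
# user's real regex entries.
LOOSE_PATTERN = r"facebook$"                       # "ends in facebook"
ANCHORED_PATTERN = r"(\.|^)facebook\.(com|net)$"   # the domain or any subdomain


def matches(pattern: str, domain: str) -> bool:
    """True if the regex matches anywhere in the lower-cased domain, which is
    how Pi-hole evaluates regex filters (unanchored search, not full match)."""
    return re.search(pattern, domain.lower()) is not None


def evaluate(pattern: str, domains=SAMPLE_DOMAINS) -> dict:
    """Map each sample domain to whether the pattern would match it."""
    return {d: matches(pattern, d) for d in domains}


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_PATTERN), ("anchored", ANCHORED_PATTERN)):
        print(f"{name}: {pattern}")
        for domain, hit in evaluate(pattern).items():
            print(f"  {'MATCH' if hit else 'no   '}  {domain}")
```

Running it shows that the loose pattern matches "notfacebook" but none of the real Facebook hostnames, while the anchored pattern matches facebook.com and its subdomains on both .com and .net, and still leaves facebook.com-y.ru unmatched, exactly the behaviour the reply describes.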
facebook.com
Querylog on Pihole: OK answered by localhost#5335
Browser shows FB login page.
The difference I see is connect.facebook.net is in gravity and the others are on whitelist but should be blocked because of the settings in Group Management.
I repeat: Your nslookup results clearly indicate that Pi-hole is correctly blocking domains as expected.
Some software on your client may bypass Pi-hole.
Most likely, your browser would do so via DNS-over-HTTPS (DoH).
Verify that DoH is disabled in your browsers.
Yes, it is.
All the domains typed in the browser are listed in the query log so the Pihole is used.
My current setup of Pihole still allows me to visit FB.
(FB is just an example for my question)
Also, could you provide an nslookup result for a domain that you expect to be blocked from your client, but observe to be accessible via your client's browser, along with the respective lines from /var/log/pihole.log?
Please share the complete nslookup, including the exact command.
sudo resolvectl status
Global
LLMNR setting: no
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 192.pi.ho.le
DNS Servers: 192.pi.ho.le
.....
Link 3 (wlp3s0) <---- wifi card
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 192.pi.ho.le
DNS Servers: 192.pi.ho.le
Your pihole-fb.txt file doesn't include an entry that would match your nslookup of facebook.com.
Maybe you ran nslookup www.facebook.com instead?
I also note that you've obfuscated origin IP addresses in that file.
Doing so will prevent me from assessing whether DNS requests are processed correctly.
There is no harm in sharing private range IP addresses - they are not publicly accessible.
Your client doesn't use Pi-hole for DNS, but rather a local stub resolver at 127.0.0.53.
While this seems to use Pi-hole as its sole upstream (provided that stub resolver is the one that is configured via resolvectl), it may also cache results, e.g. if the client in question very recently had access to other networks as well. This may affect filtering until the respective record is removed from your stub resolver's cache (usually after a DNS record's TTL has expired).
Your client (.102) issuing the nslookup for facebook.com is associated with groups 0,5,6 and 8.
Your whitelist regex entries for facebook are only associated with group 4.
All of your blocklists are associated with the default group (group 0) exclusively.
As far as I can tell, none of those blocklists contains facebook.com or www.facebook.com.
(You should be able to verify this, e.g. by executing pihole -q facebook.com -exact -all).
So your observation is expected, as explained before:
Then I don't understand the concept or missing something obvious.
Only access fb if client is member of group 'fb'.
Example 4 is, I think, what I want to do.
Last sentence:
'Client 2 got the whitelist entry explicitly assigned to. Accordingly, client 2 does not get the domain blocked whereas all remaining clients still see this domain as blocked.'
The table above states blocked 'Client 2 Blocked Yes'??
Can you please tell me how I block fb by default for all clients except when a client is member of group 'fb'?
Thanks.
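To make the group evaluation in the earlier reply (client .102 in groups 0, 5, 6 and 8; whitelist regex in group 4 only; all blocklists in group 0) and the question just asked concrete, here is an added model of the rule as it was stated at the top of the thread: a domain is blocked for a client when at least one blocklist assigned to one of the client's groups contains it and no whitelist assigned to one of the client's groups allows it. This is illustrative code written for this page, not Pi-hole's own implementation; the client address 192.0.2.102, the group name "fb" and the regex patterns are constructed assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    name: str
    groups: frozenset


@dataclass(frozen=True)
class Rule:
    kind: str            # "block" (gravity/blocklist) or "allow" (whitelist)
    pattern: str         # exact domain, or a regex when is_regex is True
    groups: frozenset    # groups this rule is assigned to
    is_regex: bool = False

    def hits(self, domain: str) -> bool:
        domain = domain.lower()
        if self.is_regex:
            return re.search(self.pattern, domain) is not None
        return domain == self.pattern.lower()


def is_blocked(client: Client, domain: str, rules) -> bool:
    """Rule as stated in the thread: only rules assigned to one of the client's
    groups apply; a matching whitelist wins over any matching blocklist."""
    applicable = [r for r in rules if r.groups & client.groups]
    if any(r.kind == "allow" and r.hits(domain) for r in applicable):
        return False
    return any(r.kind == "block" and r.hits(domain) for r in applicable)


# Constructed configuration mirroring what the thread describes: the only
# blocklist hit is connect.facebook.net in the default group, and the
# facebook whitelist regex is assigned to group 4 only.
THREAD_RULES = [
    Rule("block", "connect.facebook.net", frozenset({0})),
    Rule("allow", r"(\.|^)facebook\.com$", frozenset({4}), is_regex=True),
]
CLIENT_102 = Client("192.0.2.102", frozenset({0, 5, 6, 8}))  # constructed address


def thread_results() -> dict:
    """facebook.com is not in any blocklist, so it is not blocked; the
    group-4 whitelist never applies to this client."""
    return {d: is_blocked(CLIENT_102, d, THREAD_RULES)
            for d in ("facebook.com", "connect.facebook.net")}


# Constructed illustration of the goal stated in the last post, using the same
# rule: a block regex in the default group plus a whitelist regex in group "fb".
FB_REGEX = r"(\.|^)facebook\.(com|net)$"
GOAL_RULES = [
    Rule("block", FB_REGEX, frozenset({0}), is_regex=True),
    Rule("allow", FB_REGEX, frozenset({"fb"}), is_regex=True),
]
DEFAULT_CLIENT = Client("default-only", frozenset({0}))
FB_CLIENT = Client("fb-member", frozenset({0, "fb"}))


def goal_results() -> dict:
    """Under the stated rule, only the client that is also in group "fb" gets
    the whitelist applied and therefore sees the domain unblocked."""
    return {c.name: is_blocked(c, "www.facebook.com", GOAL_RULES)
            for c in (DEFAULT_CLIENT, FB_CLIENT)}


if __name__ == "__main__":
    print("thread configuration:", thread_results())
    print("goal configuration:  ", goal_results())
```

The first function reproduces the observation the thread explains: facebook.com is not blocked for client .102 because no blocklist in groups 0, 5, 6 or 8 contains it, whereas connect.facebook.net is. The second shows how the same rule behaves when the block entry lives in the default group and the whitelist entry is assigned only to an "fb" group; whether that mirrors Pi-hole's documented Example 4 exactly should be checked against the official group management documentation rather than taken from this model.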