Interfaces not shown, can not select wg0

Hi, I can not post a github issue for unknown reasons, so I post here.

Pihole does not show any interfaces in the web admin interface.
I want dnsmasq only to listen on 127.0.0.1 and on the wg0 interface.
Yes, I have wireguard installed and want to use pihole for the wg clients.

I can not select it in the GUI, there is simply NO interface at all shown in the interface section.

How can I add the requirement "listen only on localhost and wg0" to the dnsmasq toml file?

Thanks.

https://tricorder.pi-hole.net/E8nFUmgF/

This is a bug fixed in the next release. There was quite some activity fixing this by


To fix already now, set dns.interface in /etc/pihole/pihole.toml and it should show the interface in the web already now.

Thank you very much for your fast reply, very appreciated.

When you write "dns.interface" I guess that is the variable "interface" in the section dns?
How do I specify two values there? I want only localhost and wg0.

I read in Man page of DNSMASQ

Listen only on the specified interface(s). Dnsmasq automatically adds the loopback (local) interface to the list of interfaces to use when the --interface option is used.

I added interface = "wg0" into the dns section of /etc/pihole/pihole.toml and restarted pihole with systemctl restart pihole-FTL but it still listens on 0.0.0.0, I do not want it to listen on the public interface:

tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 999 23965 728/pihole-FTL

For obvious reasons I do not want it to listen on the public interface, only localhost and wg0.

What do I need to write into that toml file to achieve that?

Thanks again for your attention!

Ah, ok, wait - I now can select the wg0 interface in the web gui, and when I select bind only to interface wg0 and then restart pihole indeed it only binds to localhost and to the wg0 ip address!

So that dns.interface in /etc/pihole/pihole.toml does not set the value for the actual dnsmasq configuration variable, but for the admin gui, ok, understood.

However, now I have still the admin GUI accessible on the public interface - how can I configure it to listen only on localhost? I did not find any hints about that in the docs, I guess I just did not search well enough?

# lsof -i tcp:80
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
pihole-FT 1051 pihole   36u  IPv4  25575      0t0  TCP *:http (LISTEN)
pihole-FT 1051 pihole   38u  IPv6  25577      0t0  TCP *:http (LISTEN)

Thanks again!

See e.g. How to configure Pi-Hole with Wireguard? - #5 by Bucking_Horn

Thanks again, meanwhile I did find the webserver.port setting in /etc/pihole/pihole.toml.

Pihole now seems to be isolated from the public interface.

Not sure if there will be some surprises, but currently I see no component listening on a public interface.

I am still not able to create a github issue, so I would like to ask you to add this text as a new issue:

Do not listen on public interfaces by default when non-private ip address detected.
Ask user explicitly to listen on public interface for DNS and admin.

Linux admin human evolution lead to recognize our brains a combination of public and admin as toxic and the learned default association should be nowadays to avoid if not absolutely necessary. That was learned in the times around the Cambrian Explosion I guess, can not remember exactly, very far away.

Please do not bind on public interfaces any services and if you do it for some reasons ask users while installation process or at least tell them "You are now one exploit away from a security nightmare just by exposing an interface that you will probably need only one or two times in a year. It will listen 24/7 for the one day somebody found an exploit in our software and then will hijack all pihole servers on the internet in 15 seconds because the admin is accessible on public network interfaces everywhere".

What we see here is a dinosaur from ancient times: binding admin to public interfaces by default not even telling the user what that means.

Do not do that, thanks.

(I hate to be that guy, but I wonder how such a thing can still exist in 2025.)

To end positively: the floating "Apply" button is a great GUI pattern, seriously a nice solution to that old problem of "where to show the button that still needs to be pressed".

Thanks again for your attention.
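
The netstat and lsof checks used in this thread, as an added example that is not part of any post: a shell function that reads either tool's output and prints every pihole-FTL listener that is neither loopback nor an explicitly allowed address. The wg0 address 10.8.0.1 and the "after" lines are constructed samples.

```shell
#!/bin/sh
# Added example: audit pihole-FTL listening sockets.
# Reads `netstat -tlnpe` or `lsof -i` lines on stdin; arguments are the
# non-loopback addresses that are allowed (e.g. the wg0 address).
exposed_listeners() {
    awk -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # netstat: local address is field 4, state is field 6, program is last
    $6 == "LISTEN" && $NF ~ /pihole-FT/ { check($4); next }
    # lsof: command is field 1, NAME is the field before "(LISTEN)"
    $NF == "(LISTEN)" && $1 ~ /^pihole-FT/ { check($(NF - 1)) }
    function check(local,   host) {
        host = local
        sub(/:[^:]*$/, "", host)   # drop the trailing :port
        sub(/^\[/, "", host)       # drop IPv6 brackets if present
        sub(/\]$/, "", host)
        if (host ~ /^127\./ || host == "::1" || host == "localhost") return
        if (host in ok) return
        print local                # wildcard (0.0.0.0, ::, *) or other address
    }'
}

# Listener lines as posted in the thread (wildcard binds on 53 and 80).
sample_before() {
    cat <<'EOF'
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 999 23965 728/pihole-FTL
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
pihole-FT 1051 pihole   36u  IPv4  25575      0t0  TCP *:http (LISTEN)
pihole-FT 1051 pihole   38u  IPv6  25577      0t0  TCP *:http (LISTEN)
EOF
}

# Constructed sample: DNS bound to loopback and wg0, web UI to loopback.
sample_after() {
    cat <<'EOF'
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 999 30001 728/pihole-FTL
tcp 0 0 10.8.0.1:53 0.0.0.0:* LISTEN 999 30002 728/pihole-FTL
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 999 30003 728/pihole-FTL
EOF
}

echo "before:"; sample_before | exposed_listeners 10.8.0.1
echo "after:";  sample_after  | exposed_listeners 10.8.0.1
```

On a live host, pipe the real command in instead of the samples, for example `netstat -tlnpe | exposed_listeners 10.8.0.1`; empty output means no pihole-FTL socket is bound outside loopback and the allowed addresses.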

The recommended setting does not survive a reboot. Did you know that?

Did you ever use wireguard?

Pihole seems to start before wireguard and I need to manually add some systemd configuration to wait until wg0 is available. Is this unknown to you?

In 2025 wireguard is not exactly something exotic.
Pihole should be able to handle that out of the box.

The experience at this point is very alpha.
How many years are you working on this?
And you did not hit the problems I see here after the first time using it?

This is just a very simple default "use some cheap internet vm as wireguard proxy" situation, not very advanced stuff and pihole can not handle that out of the box. Why not?

Please try to reach higher.

Also I am really questioning the whole idea of extensive query logging you are offering to users.

I am not sure such an extremely privacy invading feature should even be available or a "feature" of an end user facing software. At the very least you should put some very big red remarks about how unethical it is (and in some countries simply illegal), instead you are presenting the log query feature as something to be proud of. Very strange and very detached from appropriate linux admin ethics.

This whole open source thing is not only about the source being available, this is just a side effect, but about user freedom and this of course should include teaching pihole admins about the huge responsibility they take and not to make it easy for them to slide into creepy behavior of some jerk watching the DNS requests of his family / colleagues.

You should try to reach higher also in that ethics and legal department.

I am disappointed.

One more bad anti-pattern: there does not seem to be any automated security updates of the software out of the box. I see some manual pihole command to update it in the docs, but no cron jobs or anything will update the software automatically? And it is installed in a way that regular debian system updates will not touch it?

If this really is the case: there should be something so unattended-upgrades will also update potential pihole security holes. No extra fiddling updates because for one pihole thing. Please add that to the issue tracker, too. Hope I am wrong here.

THANKS!
