Per-Client Privacy Levels

Hey
I would like to have the option to only see specific clients' DNS queries (per-client privacy levels). This would work just like the per-client blocking implemented in V5.0.

The use case for this is, for example, that you use the Pi-hole for your entire family and you don't want to see which domains they visit, but only your own devices.

This morning I was reorganizing my Pi-hole setup to make use of the new group management feature. And by the way, what a great feature! There are so many possibilities with it, I love it!

My question: is it currently possible (or will it be possible in the near future) to assign a specific privacy level to groups? For example, right now I have a group with all my regular devices associated to it, and I leave the "Default" group to be automatically assigned to visitors. Is it possible to assign a privacy level 0 to the group associated with my devices, and a privacy level 1 to the Default group?

2 Likes

It's not possible at the moment.

Thanks! I see the mods moved the thread to the Feature Requests section.

I think it would be a great feature to have. That way you could still keep the great monitoring that the Pi-hole offers for your own devices, while respecting the privacy of the visitors (or anybody else) on your network.

1 Like

Hello there,

I'd be really interested in such a feature for the same reason as others in this thread: being able to monitor my own devices, and the different headless devices connected to my home network, without compromising my spouse's privacy.

I am willing to develop this functionality, but before looking too much into it, I would like to know whether this feature would have a chance of making it to the main branch.

Here is the feature behavior as I imagine it:
We could have a default privacy level and a per-group privacy level.
The default privacy level would be the one set in the configuration, as it is today.
It would be used in all the places where the information can not be linked to a specific client.

We would add a privacylevel column to the group table, that would be set to -1 by default, to represent the aforementioned default level.
It could also be set to a specific level via a drop-down menu on the web interface.

When a query arrives, instead of setting its privacy level to the privacy level retrieved from the config, we would do a lookup to collect the groups of the client (if it has any).
If the client is not explicitly defined, the default privacy level is used.
If the client is defined, the privacylevel of the query is set as the maximum of all the groups' privacy levels.

Does this look like a good behaviour?
I think it would allow users to keep the current behaviour if they want to, but to change the privacy level of specific groups if needed.
This is the first time I have looked into the internals of Pi-hole, so please tell me if there are any edge cases or pitfalls I did not take into account.

Thanks for this great piece of software.

1 Like

Privacy levels only affect the long term database at /etc/pihole/pihole-FTL.db.

There is also the dnsmasq log at /var/log/pihole.log to consider.

When you say 'per-client', is that truly what you want instead of per-group? When working with permissions, it's usually more advisable to handle it on a group basis. There would be nothing stopping you from creating groups of a single user - not ideal if you only want to do it for single users, but it scales much better.

If I am not mistaken, it also has an influence on the values returned by some functions in the api/api.c file. But those are indeed the only two places in the code that I could find where the privacylevel configuration value is used.

Currently, the approach is to ignore this file completely privacy-wise, and to warn the user that requests are completely logged anyway if the privacy level is non-zero and request logging is enabled, right? IMHO, we could keep doing that, because modifying the way dnsmasq logs the requests seems like a lot of work, but I could be wrong.

I don't know about OP's intent, but the per-group approach is what I had in mind. Since there are only 4 privacy levels, and since clients can belong to multiple groups, there is actually no need to create more than 4 groups with a non-default privacy setting.
Clients could belong to one or many "filtering groups", and to one of the "privacy groups". Those groups would not be fundamentally different: the "filtering groups" would have a privacy level set to the default value, and the "privacy groups" would have no ad list related to them, but a specific privacy level.

The algorithm to calculate a known client's privacy level would be, in pseudocode:

int client_privacylevel = -1;          /* -1 = "use the configured default" */
/* List of the client's group privacy levels (example values): */
int groups_privacylevels[] = {-1, -1, 0, 2};
int ngroups = sizeof(groups_privacylevels) / sizeof(groups_privacylevels[0]);
/* Take the strictest (highest) level of all the client's groups */
for (int i = 0; i < ngroups; i++)
{
    if (groups_privacylevels[i] > client_privacylevel)
        client_privacylevel = groups_privacylevels[i];
}
/* No group overrides the default: fall back to the config value */
if (client_privacylevel < 0)
    client_privacylevel = config.privacylevel;

And an unknown client's privacy level would always be equal to config.privacylevel.

2 Likes
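To make the proposal above concrete, here is an added C example. It is not code from this thread or from Pi-hole FTL; the group table, the client-to-group memberships, the config value and the client addresses are all constructed for the example, and the "hidden" / "0.0.0.0" placeholders are choices made here. It covers the full lookup path (known client with several groups, known client whose groups all say "default", unknown client) and then applies the resulting level to a query record the way the long-term database would need it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LEVEL_DEFAULT (-1)   /* group column value meaning "use the configured default" */

/* Stand-in for config.privacylevel (assumed value for this example). */
static int config_privacylevel = 1;

/* Stand-ins for the proposed group table (with its privacylevel column)
 * and the client-to-group membership table; every row is constructed. */
struct group { int id; int privacylevel; };
struct membership { const char *client_ip; int group_id; };

static const struct group groups[] = {
    {0, LEVEL_DEFAULT},   /* Default group: level inherited from config */
    {1, LEVEL_DEFAULT},   /* a "filtering group": ad lists only, no level override */
    {2, 0},               /* a "privacy group": show everything */
    {3, 2},               /* a "privacy group": hide domains and clients */
};

static const struct membership memberships[] = {
    {"192.168.1.10", 1}, {"192.168.1.10", 2},                       /* own laptop */
    {"192.168.1.20", 0},                                            /* spouse's phone */
    {"192.168.1.30", 1}, {"192.168.1.30", 2}, {"192.168.1.30", 3},  /* in both privacy groups */
};

static int group_privacylevel(int group_id)
{
    for (size_t i = 0; i < sizeof(groups) / sizeof(groups[0]); i++)
        if (groups[i].id == group_id)
            return groups[i].privacylevel;
    return LEVEL_DEFAULT;   /* unknown group id: no override */
}

/* Effective privacy level for a query from client_ip: the maximum over all of
 * the client's groups. An unknown client, or a known client whose groups all
 * say "default", gets the configured level. */
int client_privacylevel(const char *client_ip)
{
    int level = LEVEL_DEFAULT;
    int known = 0;
    for (size_t i = 0; i < sizeof(memberships) / sizeof(memberships[0]); i++) {
        if (strcmp(memberships[i].client_ip, client_ip) != 0)
            continue;
        known = 1;
        int gl = group_privacylevel(memberships[i].group_id);
        if (gl > level)
            level = gl;
    }
    if (!known || level < 0)
        return config_privacylevel;
    return level;
}

/* A stored query record, reduced to the fields the privacy level touches. */
struct query {
    char domain[64];
    char client[32];
    int privacylevel;
};

/* Apply a privacy level to a record before it is written to the long-term
 * database. The rules follow Pi-hole's documented levels (0 show everything,
 * 1 hide domains, 2 hide domains and clients, 3 store nothing); the placeholder
 * strings are chosen for this example. Returns 1 if the record should be
 * stored and 0 if it should be dropped entirely. */
int redact_query(struct query *q, int level)
{
    q->privacylevel = level;
    if (level >= 3)
        return 0;
    if (level >= 1)
        strncpy(q->domain, "hidden", sizeof(q->domain));
    if (level >= 2)
        strncpy(q->client, "0.0.0.0", sizeof(q->client));
    return 1;
}

int main(void)
{
    const char *clients[] = {"192.168.1.10", "192.168.1.20", "192.168.1.30", "10.0.0.5"};
    for (size_t i = 0; i < sizeof(clients) / sizeof(clients[0]); i++) {
        struct query q = {"example.com", "", 0};
        snprintf(q.client, sizeof(q.client), "%s", clients[i]);
        int level = client_privacylevel(clients[i]);
        int stored = redact_query(&q, level);
        printf("%-13s level %d -> %s domain=%s client=%s\n", clients[i], level,
               stored ? "store" : "drop ", q.domain, q.client);
    }
    return 0;
}
```

Note that the client in group 0 only (the Default group) ends up at the configured level 1, exactly like the unknown client, so keeping the Default group's column at -1 preserves today's behaviour for visitors without any extra rule.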

I am also interested in this, as someone living in an apartment with a roommate, and wanting to use Pi-hole without making my roommate or any guests to my home uncomfortable. If this were implemented, I would set up a group for my own devices and smart home devices like Alexa devices and smart lights, and set that group's privacy to Level 0, while leaving the default privacy for the network at Level 1. Currently, I am not able to take advantage of monitoring my smart home devices' blocked activity (just for my curiosity) without also having access to all activity on the network.

I would expect the implementation to follow the scope of the privacy assignment, so start with the default value for the network, assign the group privacy if in a group, and finally per-client privacy if that was also possible.

1 Like