Per device or device group whitelist to keep your internet connected devices under control with Pi-Hole


#1

The use case is pretty easy: you have internet connected devices like TVs, lightbulbs and what the heck else you can have on your network. You want to block every internet connection besides those required for these devices to operate.

So it would be nice to:

  • create groups of devices like all your lightbulbs, all your tablets, all your TVs, whatever
  • disable all traffic by default for these devices or device groups
  • only allow traffic to specific domains for those devices

As far as I understood how Pi-hole works today, this is a pretty tough request, as either all or none is possible when it comes to blocking.

If it helps to understand my use-case better, see:

  • Per IP/MAC block
  • White- and (wildcard-)blacklisting domains for single devices

#2

This is a feature which is often requested. Unfortunately, the heart of Pi-hole - the caching DNS server dnsmasq - is not capable of having any per-client rules. There are very few exceptions to that when you also use the Pi-hole DHCP server (you can specify to have certain clients excluded from the Pi-hole’s filtering altogether), but what you are asking for is certainly technically impossible.


#3

I’m not 100% sure, but when looking at man dnsmasq, I feel like I’ve seen something along the lines of zones.

I believe you could set a “parent/admin” zone for a set range of IP addresses (static IPs) and the DHCP range could be set to “child”.

Pi-Hole would essentially need to listen on 53, but then also run 2 loopback DNS servers, one that uses “parent” settings, and one for child settings.

Settings can include the external dns servers to use, and what adlist to use.


#4

Thanks a lot for your thoughts on this topic. I’m aware of the complexity of my request, but I also think that besides the advertisement bias, the IoT problem we already have out there is a huge thing which deserves some time thinking about. Even if with the current setup it’s not possible, I would appreciate it if we at least think about possible solutions. I’ll check out the current code base of Pi-Hole and dnsmasq to see if I see a solution. If not, there might be possible solutions by setting up networks in a proper way, e.g. with two virtual LANs and two Pi-Hole instances in both LANs.

Thanks again for taking the time to give valuable feedback.
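As an added illustration of the two-resolver layout sketched in #3 and the two-instance idea in #4 (these fragments are not from the thread or from the Pi-hole project), the following dnsmasq configuration runs a second, allow-list-only resolver beside Pi-hole and steers one tagged device group to it via DHCP. Assumed values: Pi-hole at 192.168.1.2 acting as DHCP server, the restricted resolver as a separate dnsmasq instance reachable at 192.168.1.3, constructed placeholder MAC addresses and example domains.

```conf
# ---- Fragment 1: read by the Pi-hole instance (assumed path /etc/dnsmasq.d/02-device-groups.conf) ----
# Pi-hole hands out leases. Devices of the "iot" group are recognised by MAC
# (the MACs below are constructed placeholders) and tagged at lease time.
dhcp-range=192.168.1.100,192.168.1.200,12h
dhcp-host=aa:bb:cc:dd:ee:01,192.168.1.51,set:iot
dhcp-host=aa:bb:cc:dd:ee:02,192.168.1.52,set:iot
# Tagged clients are told to resolve through the restricted instance instead of
# Pi-hole itself. Untagged clients get no dns-server option and therefore keep
# using Pi-hole (dnsmasq advertises its own address by default).
dhcp-option=tag:iot,option:dns-server,192.168.1.3

# ---- Fragment 2: the restricted "child" resolver (assumed: a second dnsmasq at 192.168.1.3) ----
listen-address=192.168.1.3
bind-interfaces
# Never read /etc/resolv.conf or /etc/hosts, so no upstream can slip in by accident.
no-resolv
no-hosts
# Allow-list: only these suffixes are forwarded, and they go to Pi-hole, so the
# group still benefits from Pi-hole's blocklists for the names it is allowed.
server=/firmware.vendor.example/192.168.1.2
server=/time.vendor.example/192.168.1.2
# Catch-all: '#' matches any domain that is not claimed by a more specific
# server= line above, and answers 0.0.0.0 locally without contacting anyone.
address=/#/0.0.0.0
# Log every lookup; the denied names show what each device group tries to reach
# and give you the list to review before extending the allow-list.
log-queries
```

The DHCP-assigned resolver is only advisory: a device with a hard-coded DNS server bypasses it, so a router or firewall rule that permits outbound port 53 from the group solely to 192.168.1.3 is what actually enforces the group policy.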