The webserver config has no effect on DNS resolution of pi.hole
on your clients at all. This is entirely a question of whether clients use Pi-hole to resolve DNS names, or something else. My guess is DoH, being widely available, maybe enabled by default in some cases, in browser and even on OS level in the meantime (Windows 11 at least). It overrides the DHCP-provided DNS.
This is not enabled/blocked by default, but needs to be selected manually from this dialogue:
│ In order to increase security, it is recommended to block public access to the Pi-hole admin panel, so that only │
│ connections from within your LAN or via VPN are possible. │
│ │
│ Practically this means to deny access from all IPs that do not match the reserved loopback and LAN ranges: │
│ - 127.* │
│ - 192.168.* │
│ - 10.* │
│ - 172.16.* - 172.31.* │
│ - ::1 │
│ - fe80:* - febf:* (LLAs) │
│ - fc00:* - fdff:* (ULAs) │
│ │
│ Note that if you use IPv6 and hostnames within your LAN, but no ULAs (Unique Local Addresses), this might also block │
│ accesses from within your LAN, as then GUAs (Global Unicast Addresses) are used, which cannot be distinguished from │
│ public accesses. │
│ │
│ You can always enable/disable this later using the commands: │
│ - <webserver_depending_command> │
│ - webserver_depending_command> │
│ │
│ Do you want to block public access to the admin panel now?
with this being the relevant note:
Note that if you use IPv6 and hostnames within your LAN, but no ULAs (Unique Local Addresses), this might also block accesses from within your LAN, as then GUAs (Global Unicast Addresses) are used, which cannot be distinguished from public accesses.
But I agree this is probably not clear enough/too much text etc, and you are not the only one enabling the block, and then recognising that pi.hole
does not work. However, it cannot explain why "only some" of your IoT devices pass trough Pi-hole, as DNS requests can only be done with IP addresses, and this block affects the websever/web UI only, no DNS traffic.
Again, the webserver question is not related to bypassing DNS requests, and choosing Lighttpd does not bypass the dialogue where you can enable the public web UI access lock. We somehow need to rephrase the dialogue to motivate users not doing the block, unless they understand the possible implication with pi.hole
(any hostname for the Pi-hole server system) when doing so. Or we just remove that option, and leave it to the admin. As DNS is such a sensitive thing for security of the whole local network, we'd then at least replace the dialogue with another one, recommending to switching the Pi-hole web UI password ASAP.