Pi-hole bypass issue on iPhone and questions about DHCP configuration

Hello everyone,

I recently installed Pi-hole on my home network, but I've encountered some issues and have additional questions regarding the optimal configuration.

1. iPhone and Mac bypassing Pi-hole: I noticed that my iPhone can still access blocked domains despite using Pi-hole. After some research, it seems the problem is related to the use of an IPv6 DNS server that my iPhone uses instead of IPv4. I tried manually configuring the DNS settings on my iPhone to IPv4, and it works; the blacklisted domains are indeed inaccessible. I'm wondering what are the best practices to ensure iOS devices correctly use Pi-hole without having to manually set the WiFi DNS?

2. DNS configuration with an SFR router: I'm an SFR customer and I'm having difficulties modifying the DNS settings for IPv6 on my router. Are there specific steps to follow to correctly configure IPv6 DNS on an SFR router so that they point to Pi-hole?

3. DHCP configuration and static IP addresses: I've read that it's recommended to disable the DHCP on your router and use Pi-hole's DHCP instead. However, I'm concerned about not being able to assign a static IP to my Raspberry Pi if I do this. How can I reconcile using Pi-hole's DHCP with the need to have static IP addresses for certain devices, particularly the Raspberry Pi hosting Pi-hole?

Thank you in advance for your help and advice on these different points. Any additional information on the optimal configuration of Pi-hole in this context would be greatly appreciated.

Best regards,

Apple offers Private Relay as a paid feature, which would route DNS to Apple's servers, unless a local DNS server would signal an Apple device that Private Relay should not be used for a connection.
As Pi-hole does so by default (see iCloud Private Relay domain handling), this is unlikely to contribute to your observation.

Generally, clients may bypass Pi-hole via encrypted DNS connections, e.g. by browsers configured to use DoH.
This wouldn't be specific to iPhones and Macs, but the options exposed to control such behaviour may well be specific to OSs and browsers.
In order to have clients sending all their DNS requests to Pi-hole, you'd have to make sure those options are disabled. Common labels would be Private DNS or Private Browsing.

If your router would advertise an alternative IPv6 DNS server address, that could well explain your observation of bypasses.

You'd have to find a way to configure your router to stop advertising an IPv6 DNS server at all, or at least advertise your Pi-hole host machine's IPv6 as local DNS server.

You'd have to consult your router's documentation sources on further details for its IPv6 configuration options.

If your router would advertise its own IPv6 for DNS immutably, you could also consider configuring Pi-hole as your router's only upstream.
IPv6 DNS requests would travel from client to router to Pi-hole then.

If your router doesn't support configuring IPv6 DNS, you could consider disabling IPv6 altogether, provided you'd not depend on IPv6 for reasons.

If your router doesn't support that either, your IPv6-capable clients will always be able to bypass Pi-hole via IPv6.

Wherever you've read that: The recommended way would be to configure your router to exclusively offer Pi-hole as the local DNS server for your network.
If that's not possible, configure your router to use Pi-hole for DNS as its only upstream, but note that you won't be able to attribute DNS requests to individual clients then, and you wouldn't be able to take advantage of Pi-hole's client-specific filtering in such a configuration.

If neither option would be supported by your router, you could consider shifting DHCP duties to your Pi-hole.

That would depend on the network management tools of your chosen OS.
As you are using an RPi, Raspberry Pi OS by default would employ either Roy Marples' dhcpcd for older releases or NetworkManager since RPi OS 12/Bookworm.

Depending on your OS, you should add a static IP by editing /etc/dhcpcd.conf or by configuring NetworkManager, e.g. via nmtui.
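
An added example, not part of the reply above and not Pi-hole's own code: one way to check whether a router advertises an IPv6 DNS server other than Pi-hole is to read the RDNSS option (RFC 8106, option type 25) from the ICMPv6 payload of a captured Router Advertisement. The function names and the addresses `fe80::1` (router) and `fd00::53` (Pi-hole host) are constructed assumptions.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement
OPT_RDNSS = 25           # Recursive DNS Server option (RFC 8106)

def rdnss_servers(ra: bytes):
    """Return [(IPv6Address, lifetime_seconds)] from an ICMPv6 RA payload."""
    if len(ra) < 16 or ra[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    servers, off = [], 16                # options follow the 16-byte RA header
    while off + 2 <= len(ra):
        opt_type, opt_len = ra[off], ra[off + 1] * 8   # length in 8-octet units
        if opt_len == 0 or off + opt_len > len(ra):
            raise ValueError("malformed option")
        if opt_type == OPT_RDNSS:
            # 8 bytes of type/length/reserved/lifetime, then 16 bytes per address
            if opt_len < 24 or (opt_len - 8) % 16:
                raise ValueError("malformed RDNSS option")
            lifetime = struct.unpack_from("!I", ra, off + 4)[0]
            for pos in range(off + 8, off + opt_len, 16):
                servers.append((ipaddress.IPv6Address(ra[pos:pos + 16]), lifetime))
        off += opt_len
    return servers

def bypass_resolvers(ra: bytes, pihole: str):
    """Advertised resolvers still valid (lifetime > 0) that are not Pi-hole."""
    target = ipaddress.IPv6Address(pihole)
    return [str(a) for a, life in rdnss_servers(ra) if life > 0 and a != target]

# Constructed sample RA (checksum left at 0, not verified here): a source
# link-layer option, then RDNSS listing the router and the Pi-hole host.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0)
    + bytes([1, 1, 0x02, 0, 0, 0, 0, 0x01])
    + bytes([OPT_RDNSS, 5, 0, 0]) + struct.pack("!I", 600)
    + ipaddress.IPv6Address("fe80::1").packed
    + ipaddress.IPv6Address("fd00::53").packed
)

if __name__ == "__main__":
    print(bypass_resolvers(SAMPLE_RA, "fd00::53"))
```

Any address this returns is a resolver that IPv6-capable clients can use instead of Pi-hole; an empty list means the advertisement offers only Pi-hole or no DNS server at all.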