Pihole blocking on devices that are not on the groups designated to be blocked

Expected Behavior: I put my kids devices (via mac address) on a group called kids, and all the blocklists are set to block on kids, it's blocking on ALL devices and yes I've verified that the blocklists are assigned to only that group

Replace this text with what you think should be happening. Please include as much detail relevant to your system/install as possible including, but not limited to:

  • iPad OS
  • iPads
  • Truenas SCALE App

Actual Behaviour:

Pihole is blocking on devices that are not part of the block group

Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:

pihole -d

or if you run your Pi-hole as a Docker container:

docker exec -it <pihole-container-name-or-id> pihole -d

where you substitute <pihole-container-name-or-id> as required.

https://tricorder.pi-hole.net/CSWECnVT/

Here you go thank you

Apparently your groups are correctly configured and devices in "kids" group should be blocked, but not the devices in Default group.

Can you please post a screenshot showing the query log table rows where devices from Default group are blocked? Please remember to click on the rows to expand the details, like this:

Sure, this is a block on my that was triggered for my phone

image

Are there other domains besides Apple ones being blocked?

Pi-hole will block tracking from Mozilla and Apple by default. I'm trying to find the link to documentation to explain how and why it is configured but I can't find any valid links to the proper configuration documentation anymore.

The description of the settings are giving an explanation of why Mozilla and Apple queries are blocked:

1 Like

Looking through it, it seems to be mostly just Apple at the moment

As you are blocking MAC addresses for the kids group, are you sure that the devices are not using variable MAC addresses?

In the meantime it's a default setting due to security reasons.

So update on this, I just tested going to pornhub.com on my kids ipad pihole just straight up allowed the traffic.

Here is my debug token just in case: https://tricorder.pi-hole.net/a0aNDe0P/

How have you assigned that client to the Kids group?

I see only the following:

*** [ DIAGNOSING ]: Clients
   id    group_ids     ip                                                                                                    date_added           date_modified        comment                                           
   ----  ------------  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   1     1             10.0.0.19                                                                                             2025-06-27 15:11:28  2025-06-27 15:11:28  Nintendo Switch                                   
   2     1             34:A8:EB:68:F2:B7                                                                                     2025-06-27 15:24:35  2025-06-27 15:24:35   iPad                                        
   3     1             44:C6:5D:43:1A:94                                                                                     2025-06-27 15:25:41  2025-06-27 15:25:52   iPad                                       
   5     1             DC:08:0F:B1:02:33                                                                                     2025-06-27 15:36:17  2025-06-27 15:36:17   iPad                                       

Are those mac addresses stable or do your Apple devices have mac address randomization enabled so that the mac addresses change when they connect?

Wi-Fi privacy with Apple devices - Apple Support

yes those mac addresses are stable as I have disabled that private wifi address on the ipads

Then please open a new topic since this one is about unintended blocking.