I have a Google Nest router with single DNS pointed to my pihole (no backup DNS).
Then in my pihole config, I have a group, and in the group I have several devices with static IPs that I have assigned to the group as clients. The IPs are DHCP IP reservations via the router and not at the device level.
Then I have several blacklisted domains with the different regex variations. Youtube.com for example is one of them with all its different domains and variations.
Each client device is still able to access the blocked domains at what seems to me "random" times. I enable/disable the group and they are still able to access blocked domains.
nslookups on the devices all show they are going through my pihole. I have a similar setup using opendns and when using that dns it does block the domains.
Any ideas what I'm doing wrong or any other suggestions?
Debug Token:
https://tricorder.pi-hole.net/YanAdPhw/
I couldn't find a log with this token.
Can you please generate another one, upload it and copy/paste the token?
Thanks for checking this out, here's a new one https://tricorder.pi-hole.net/YanAdPhw/
Your router is the DHCP server and continues to give itself (the router) out to clients as the DNS server to use. Any device using the router for DNS will bypass Pi-hole. Have a look in the Nest router at the DHCP section and see if you can change the DNS server being given out from the router to the Pi-hole. Hopefully it has such a capability.
* Received 300 bytes from eth0:192.168.86.1
DHCP options:
router: 192.168.86.1
dns-server: 192.168.86.1
Regarding your groups, you have the Default group and a custom group. Your adlists are all allocated to the Default group, and you have some blacklisted domains allocated to both groups.
However 5 of your 6 configured client devices are only members of your custom group. That means they will get those blacklist domains also in that group, but not the ones in the Default group, and nor will they get blocking from any of your adlists. While that doesn't directly relate to your question, it means that those devices will actually avoid most of the blocking that everyone else there has.
The fix for that is easy: just edit each client entry and ensure it is in both the Default group and your custom group. With that done, all the other devices will have the standard blocking from your adlists and some of your blacklist entries, and the 6 devices in question will get all that plus the additional blocking from your additional blacklist entries.
This makes a lot of sense. The group part I didn't even realize. Thanks. I guess the Google Nest router assigns itself as secondary DNS server, because this is my current configuration:
Try to set Pi-hole IP in both fields.
Usually routers will show Pi-hole IP twice (that's what we want)... some routers will still add itself as a third DNS server. Let's see what happens.
I've tried that, it won't allow dupes
Maybe you can try other IPs:
- 0.0.0.0
- another unused or unreachable IP (192.168.86.254, 192.168.100.1, etc.)
Your debug log, however, doesn't show your router DHCP server giving out this Pi-hole address as a DNS server. It just gives out itself. So I'm not sure why that screenshot would show your Pi-hole as having been given out to that device. Is the screenshot from a different time to when the debug log was created when the config might have been different? I'm interpreting the word "Automatic" as showing that this address was obtained automatically, but perhaps the interface isn't clear from the screenshot and this address was entered manually?
Screenshot of router setting is what it has been since I setup my pihole.
New debug token after I made your suggested changes. Assigned all clients to both groups but still not blocking blacklisted sites
https://tricorder.pi-hole.net/wvSyxv1Y/
Attaching more screenshots of my router settings, google really doesn't make this easy. There is a LAN setting, and my new DNS settings with 0.0.0.0 as secondary DNS, also a screenshot of DHCP IP reservations on the router
Should I be using Pi-hole's DHCP reservation table as opposed to the Nest router?
I read this on reddit and this seems to be what I'm having issues with https://www.reddit.com/r/GoogleWiFi/comments/11n4854/nest_wifi_and_pihole_dns/
So I have set up my Google router to only hand out one IP and that is for the Pi-hole. Pi-hole is now enabled for DHCP. DHCP IP range does not overlap with Pi-hole. Blocked domains are still not blocked.
Here is a new debug token
https://tricorder.pi-hole.net/UnTaJSWp/
That should work, as long as you have restricted your router's DHCP range to just that one IP, and that IP is not in your Pi-hole's DHCP range.
Your debug log now shows two DHCP servers, your router and your Pi-hole.
According to the debug log, your router's DHCP lease time was one day.
Note that clients will pick up their lease through Pi-hole only once their current one is about to expire, or on rejoining the network.
You may force a new DHCP negotiation by dis- and reconnecting devices, or by power-cycling them or your router.
On a device that is using Pi-hole, nslookup pi.hole should succeed, and it should show your .250 as the server.
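The two checks the replies above make by hand against the debug log (which DNS server each DHCP server hands out, and whether more than one DHCP server answers) can be scripted. This is an added example, not part of the thread or of Pi-hole; the log excerpt is constructed in the layout of the debug log's DHCP discover section, and the Pi-hole address 192.168.86.250 is assumed.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the debug log's DHCP discover section
# (not copied from the thread). Two servers answer: the router hands out itself
# as DNS, the Pi-hole (assumed to be 192.168.86.250) hands out itself.
SAMPLE_LOG = """\
* Received 300 bytes from eth0:192.168.86.1
  DHCP options:
   lease-time: 86400 ( 1d )
   router: 192.168.86.1
   dns-server: 192.168.86.1
* Received 312 bytes from eth0:192.168.86.250
  DHCP options:
   lease-time: 7200 ( 2h )
   router: 192.168.86.1
   dns-server: 192.168.86.250
"""

PIHOLE_IP = "192.168.86.250"  # assumed Pi-hole address (the ".250" mentioned above)


def parse_dhcp_offers(text: str) -> List[Dict[str, object]]:
    """Split the discover output into one record per answering DHCP server."""
    offers = []
    for block in re.split(r"^\* Received ", text, flags=re.M)[1:]:
        m = re.match(r"\d+ bytes from \S+?:(\S+)", block)
        if not m:
            continue
        rec: Dict[str, object] = {"server": m.group(1), "dns": [], "lease": None}
        for line in block.splitlines():
            key, _, val = line.strip().partition(": ")
            if key == "dns-server":
                rec["dns"].extend(val.split())  # several servers may be listed
            elif key == "lease-time":
                rec["lease"] = int(val.split()[0])  # seconds, ignore the "( 1d )" hint
        offers.append(rec)
    return offers


def audit(text: str, pihole_ip: str) -> List[str]:
    """Return findings a Pi-hole admin would care about; empty means all offers are fine."""
    offers = parse_dhcp_offers(text)
    findings = []
    if len(offers) > 1:
        findings.append(f"{len(offers)} DHCP servers answered: " + ", ".join(str(o["server"]) for o in offers))
    for o in offers:
        bad = [d for d in o["dns"] if d != pihole_ip]
        if bad:
            findings.append(f"{o['server']} hands out non-Pi-hole DNS {bad}; clients using it bypass Pi-hole")
    return findings
```

Run `audit(SAMPLE_LOG, PIHOLE_IP)` against the text of your own debug log's DHCP section to get the same two findings the replies above drew from it.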