I have installed two pihole servers using the docker install method and my firewall forwards all dns requests to my piholes. The setup works flawlessly. However, I've realized there is a HUGE privacy issue since now I see the browsing history of my whole family and that is NOT okay. However, I can't find any way to properly address the issue.
Expected Behaviour:
There should be a way to disable logging by default and only log devices specifically wanted. As a secondary solution, log all by default but allow disabling of logging from specific devices.
Actual Behaviour:
When I go to "Query Log" I see all the pages my wife or kids has visited. And this violates their right badly, but there is little for me to do if I want to somehow still be able to see where my IoT-devices are calling.
Am I missing something here? I've tried creating groups and clients, but can't figure out how to disable logging from them. There must be a way right?
I suppose if the query log could be filtered by group name, this might provide a semi-solution, perhaps not ideal to your aims, though. But based on the current version’s query log filtering, this does not seem possible.
Personally, if I am the network admin, and you want to use my network, you have to accept that I could, should I really want to, see the domains you visited. I don’t, and no intentions to do so.
A possible solution would be to have a second Pi-hole instance for your IoT devices, and enable the logging on that Pi-hole instance.
I know that ultimately it boils down to trust when inside family since anyone capable of running tcpdump can get the same info.
But the problem is that with pihole, its given you without any action from yourside. So I can accidentally learn what sites my family members are visiting. Having a group filter would probably do the trick by preventing accidents.
Seems a lot like my setup and I am not going to spend another day trying to setup additional dnsmasq instances. So it seems my experiments with pihole end here for now.
The only way to show only your devices and, at the same time, not log your family members devices is to configure your devices to use Pi-hole and the other users will use another DNS server.
Yeah, I think I will as a last attempt try to fix the firewall rules so that using the router as the firewall also works and then provide it as the dns for selected devices. That way all IoT keeps using piholes and if they have hardcoded dns servers set, they are still forwarded to piholes and I can see that. But all family members keep using the old dns server from the router. I think that should be doable.
Also just realized right after posting my previous post that I definelety should not set tailscale dns in split dns on pihole. Those names won't work anyways without active tailscale and when it's active, those resolv requests go trough vpn so my firewall can not block and redirect them to piholes. So tailscale shouldn't be an issue.
I know that a vnet for IoT and family would be the best solution, but that could be really difficult to handle with my current hardware. If not impossible.
