Restricting YouTube for Subnet

I would like to restrict the access to YouTube in my network e.g. for Kids.

I found out that with a CNAME of,,, and to that you enforce that only safe content is shown and also that the comments are disabled.

Can such an feature be added?

1 Like

I have had good luck using Cleanbrowsing’s family resolvers in my pihole’s upstream DNS settings. Check them out here:

1 Like

Thank you for your answers. Very interesting, however I would like to change the result for a given subnet and not for all. Is there a way to give adult and kids dns responses (e.g. limited YT vs. full YT) based on the IP?

/brainstorm mode on/ Using cnames that are also in the blacklist for your group then you can whitelist the one only for your group. Children would then not get blocked because their group is not on the blacklist and for that cname is used. /brainstorm mode off/

Never tested it but logical it should be possible. Needed is that dnsmasq detect cname the same as a cname from a upstream.

ps. this does not work with exact lists and you have to use wildcard/regEx.


You don’t need an entry in blacklist so exact whitelisting can be used.

Can I use this with the 4.x branch or do I need to use the 5.x branch? I’m not really sure how I can setup that

I will look in that but you should use the new version of Pi-hole which is 5 but there is also a 4.4 version that can do that. If it is wise to go first to 4.4 and wait till 5.0 is final is something others have to answer.

Step one is look for work other have done already:

I’m not sure if that is an real option, but based on the comment of iith096 I could also change the upstream dns server for that group I have in mind. So I don’t need to setup CNAME entries.

That is not possible. You can assign blocklists, blacklists and whitelists but not upstream DNSservers.

Do you want me to look any further into this?

# YouTube cheat-name using groups for Pi-hole 5.x
# Thanks to jpgpi250 (

## ,2 at the end set the TTL to 2 secs like blocked domains by Pi-hole,,2,,2,,,,,,,,

## you can also implement a moderate setting
## replace with,,,,,,,

The above should be written to a file in /etc/dnsmasq.d and name it 70-youtube-safe.conf

Then restart dnsmmasq by going in the Pihole webinterface to Settings and click or press the orange button Restart DNS resolver.

Now add to exact whitelist and set it to your (parents) group.

If the group kids visit then they get redirected to or if want to

There is also a so that needs an extra entry in the whitelist. If you use wilcard the you just enter:

and select wildcard and confirm. You can also attach a comment to it so you know on a later moment why you did it.


I can’t test it here with groups. I can’t get it to work and it look like dnsmasq is always enforcing the cname despite the whitelisting of

Can someone with groups test it if works like I thought it would be?

1 Like

That looks very interesting, is there a upgrade guide for testing 5.x?

Yes, however I can’t force with whitelist to skip the CNAME defined in pihole-FTL/dnsmasq.

So the above is not working!

Well I directly found an issue.

Error, something went wrong!
While executing: attempt to write a readonly database

I need to check if there is already an bug report

After checking what the actual server response it I tried it some more times and it started working very strange. Maybe caching. Who knows…

Does Pi-hole 5.0 now work correctly?

It seems that my computer prefers to select my ipv6 dns server of my router. I need to check my dhcp settings that I advertise the ip of my pi for ipv6 too.

I need to look even deeper into this and underneath I explain why it does not work.

It seems that this is not going to work because whitelisting a does not change the way it is resolved. Having with a Different IP address will applied to both.

Whitelist will only overwrite blacklist/blocklist, but the resolving is still the same.

Might be an idea for a new feature to allow parent control with pi hole.

Why should anyone see something else? Whitelisting just means: Do not block. As in: Do not reply with

You specified,

This is valid for all, how should it get skipped for one group?

I am able to force restricted YouTube in my network when I setup in my router the pihole also as IPv6 DNS server and I also need to add the IPv6 address in the config file file as here:,,2001:4860:4802:32::78,2

What would be a good choose of the TTL? 2 seconds is a bit high isn’t it?

The good part is this even works on the YouTube app on my phone.