Restricting YouTube for Subnet

I would like to restrict access to YouTube in my network, e.g. for kids.

I found out that with a CNAME of www.youtube.com, m.youtube.com, youtubei.googleapis.com, youtube.googleapis.com and www.youtube-nocookie.com to restrict.youtube.com that you enforce that only safe content is shown and also that the comments are disabled.

Can such a feature be added?

https://discourse.pi-hole.net/t/use-dns-to-force-youtube-into-restricted-mode-and-pi-hole/1996/27


I have had good luck using Cleanbrowsing's family resolvers in my pihole's upstream DNS settings. Check them out here: IPv4 and IPv6 Anycast DNS Firewall, DNS Filter and Public Resolver


Thank you for your answers. Very interesting, however I would like to change the result for a given subnet and not for all. Is there a way to give adult and kids dns responses (e.g. limited YT vs. full YT) based on the IP?

Can I use this with the 4.x branch or do I need to use the 5.x branch? I'm not really sure how I can set that up.

I'm not sure if that is a real option, but based on the comment of iith096 I could also change the upstream DNS server for the group I have in mind. So I don't need to set up CNAME entries.

That looks very interesting, is there an upgrade guide for testing 5.x?

https://pi-hole.net/2020/01/19/announcing-a-beta-test-of-pi-hole-5-0/

Well I directly found an issue.

Error, something went wrong!
While executing: attempt to write a readonly database

I need to check if there is already a bug report.

After checking what the actual server response is, I tried it some more times and it started working very strange. Maybe caching. Who knows...

It seems that my computer prefers to select my ipv6 dns server of my router. I need to check my dhcp settings that I advertise the ip of my pi for ipv6 too.

Might be an idea for a new feature to allow parent control with pi hole.

Why should anyone see something else? Whitelisting just means: Do not block. As in: Do not reply with 0.0.0.0

You specified

cname=youtube.com,restrict.youtube.com

This is valid for all, how should it get skipped for one group?

I am able to force restricted YouTube in my network when I set up the pihole in my router as IPv6 DNS server too, and I also need to add the IPv6 address in the config file, as here:

host-record=restrict.youtube.com,216.239.38.120,2001:4860:4802:32::78,2

What would be a good choice for the TTL? 2 seconds is a bit high, isn't it?

The good part is this even works on the YouTube app on my phone.

Just wondering, can we create something like a load balancer based on the client requester IP? So that the CNAME points to an "internal load balancer" which decides which IP addresses will be resolved?

Sounds like a plan. I'm not familiar with those config files so I cannot try it myself. However, that subnet thing should be easy. Let's say you have a normal class C network, e.g. 192.168.0.0/24, then you can create e.g. 4 virtual subnets, e.g. 192.168.0.0/22, 192.168.0.64/22, 192.168.0.128/22 and 192.168.0.192/22, which you can use for e.g. shared resources (like printers, NAS, ...), the parent equipment (like computer, smartphones, ...), the kids' devices and maybe a guest wifi.

Then the resolver can choose the right IP based on the subnet, while the other subnet is untouched aka uncensored regarding the parent control.

As long as the devices keep their /24 subnet mask via DHCP, everything should work as expected.
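
Added example, not part of the original thread and not Pi-hole or dnsmasq code: a small Python model of the per-client decision discussed above, using the hostnames from the first post and 192.168.0.0/24 cut into four equal ranges. The group names, their order, and the fail-closed handling of clients outside the known ranges (such as a device that reaches the resolver over IPv6) are assumptions.

```python
import ipaddress

# Hostnames the thread redirects to YouTube's restricted endpoint.
RESTRICTED_NAMES = {
    "www.youtube.com", "m.youtube.com", "youtubei.googleapis.com",
    "youtube.googleapis.com", "www.youtube-nocookie.com",
}
RESTRICT_TARGET = "restrict.youtube.com"

# Assumption: four equal quarters of the /24, assigned in the order
# the post lists its uses (.0, .64, .128, .192, each a /26).
LAN = ipaddress.ip_network("192.168.0.0/24")
GROUPS = dict(zip(("shared", "parents", "kids", "guest"),
                  LAN.subnets(new_prefix=26)))
RESTRICTED_GROUPS = {"kids"}


def group_of(client_ip, fail_closed=True):
    """Return the group name for a client address.

    A client outside every known range (for example one that talks to
    the resolver over IPv6) matches nothing; with fail_closed it is
    treated as "kids" instead of silently getting unfiltered answers.
    """
    addr = ipaddress.ip_address(client_ip)
    # IPv4-mapped IPv6 (::ffff:a.b.c.d) is the same host as a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for name, net in GROUPS.items():
        if addr.version == net.version and addr in net:
            return name
    return "kids" if fail_closed else "unknown"


def resolve(client_ip, qname):
    """Return ("CNAME", target) to rewrite, or ("FORWARD", name)."""
    name = qname.rstrip(".").lower()
    if name in RESTRICTED_NAMES and group_of(client_ip) in RESTRICTED_GROUPS:
        return ("CNAME", RESTRICT_TARGET)
    return ("FORWARD", name)


if __name__ == "__main__":
    for ip in ("192.168.0.70", "192.168.0.130", "fd00::1234"):
        print(ip, group_of(ip), resolve(ip, "www.youtube.com"))
```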

Yeah, you should rather investigate already available (and tested!) dnsmasq options for this. Implementing CNAME handling in a separate level on top of what dnsmasq already does would be a very complex task. Interconnecting with groups will not make this easier to do. It's definitely not something that could at all be considered for v5.0, I don't even think it has a realistic chance to become reality in any future release as I do not see any tractable implementation that would avoid tons of code duplication inside dnsmasq (where we want to stay out as much as possible to ensure upstream compatibility!).

Can you explain why this is nothing which can be done with pi hole? I mean when I understand it correctly pi hole configures dnsmasq on demand, why should pi hole not be able to generate the configuration and just restart the service as required?

You said that you don't see any traceable implementation, what do you mean with that? Do you mean the statistics for the graph?

Might be stupid, but as long as the groups are not too many separate IPs you could also use the /32 subnet to create a subnet with a single IP.

Groups is something much more interactive and challenging than anything dnsmasq delivers ready-to-use. It is much more than just configuring dnsmasq correctly, it adds something you cannot do with dnsmasq alone.