Hello, I am pretty new to Pi-hole. Love it so far; just trying to figure out how to respect guests' privacy. We host a lot of guests in the house, and sometimes (our family) they come when we are not in the house. I don't want, while fixing some issue with DNS, to find out by accident that our guests browse something that they want to keep private in their life.
At the same time I would love to see what various IT devices are doing, and to see my own requests as well.
Currently I have:
Synology Router (Wi-Fi is off); I just like their way of configuring everything in the house. DHCP is there, and Traffic Control. It hands out the Synology NAS IP as the DNS server.
Synology NAS where I also run Pi-Hole.
Deco routers with WiFi 6E. That works only as WiFi.
I am trying to figure out a way to use the DNS for all the known devices in the house, but preferably all new devices should not use the DNS, so that I would not accidentally sniff our guests' devices.
Any idea what I can do? Does somebody have the same concerns as I do?
That would best call for a VLAN that you won't filter by Pi-hole at all, and that would be accessible via its own WiFi SSID.
Your guests would then connect through that SSID, which also means their login credentials are separate from your other network.
You could further consider to split your IoT devices into a separate VLAN also.
Note that not all consumer grade routers would support VLANs, or they may just offer a preconfigured guest network.
Edit:
You may also try to apply Pi-hole's Group Management, but as we are talking about guests, I'd much prefer to keep their traffic entirely separate by means of a VLAN.
I'd consider it only if your router offered no VLAN options at all.
This is not something you can easily do with a Pi-hole alone.
Pi-hole logs (or doesn't log, depending on your settings) equally for all clients. Log for one client, log for all clients.
Strictly from a Pi-hole standpoint, when you have guests over, turn off all your logging and maximize the privacy level.
Additionally, to avoid having to fix broken sites (which may require you to examine logs), set all your regular devices up in a new management group. Apply all your current adlists and blocking to that group only (and not to the default group as well).
When new clients join the network and start using Pi-hole, they will be in the default group. There will be no blocking and nothing logged for these clients. Your clients will continue to use all your regular Pi-hole blocking.
But, you have no logs for any of your devices.
Outside of Pi-hole, you have a number of options, including:
Set up a guest network that doesn't use Pi-hole for DNS, and put guests on that network.
Set up VLANs, and assign guests to a single VLAN that uses a DNS other than Pi-hole. You can selectively allow guests to access items on your regular network (printers, speakers, TVs, etc.), but they won't use Pi-hole for DNS and you won't see their DNS queries.
Set up your router to hand out some public DNS server (Cloudflare, Quad9, etc.) to all clients. On the regular clients that you intend to use Pi-hole, manually change their DNS settings to the Pi-hole IP. This may not work on some IoT devices; it depends on the device.
Buy a second inexpensive router, put it on a switch connected to your modem (along with your existing router), and make a new network only for guests. On this network use a DNS other than Pi-hole. If guests need a printer or you want to give them a streaming device to use, put them on this separate network as well.
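The group bookkeeping that the "new management group" step above amounts to, as an added example that is not code from this thread or from the Pi-hole project. It runs against an in-memory SQLite database built from a reduced copy of the gravity.db tables (an assumption modelled on Pi-hole's "group", client, client_by_group, adlist and adlist_by_group tables, including the triggers that drop every new client and adlist into the Default group, id 0; check it against your own /etc/pihole/gravity.db before pointing anything at the real file). The IPs and list URLs are constructed. It shows known clients being enrolled in a new group and only that group, all adlists being moved off Default, and an unknown IP falling through to Default with no lists attached. One caveat: group membership decides which lists are applied to a client; it does not stop the query log from recording that client's queries, which is what the logging and privacy level settings mentioned earlier control.

```python
import sqlite3

# Constructed, reduced imitation of the gravity.db tables that Group Management edits
# (assumption: modelled on Pi-hole's schema; verify against /etc/pihole/gravity.db).
DEMO_SCHEMA = """
CREATE TABLE "group" (
    id INTEGER PRIMARY KEY, enabled INTEGER NOT NULL DEFAULT 1,
    name TEXT UNIQUE NOT NULL, description TEXT);
CREATE TABLE client (id INTEGER PRIMARY KEY, ip TEXT UNIQUE NOT NULL, comment TEXT);
CREATE TABLE client_by_group (
    client_id INTEGER NOT NULL, group_id INTEGER NOT NULL, PRIMARY KEY (client_id, group_id));
CREATE TABLE adlist (
    id INTEGER PRIMARY KEY, address TEXT UNIQUE NOT NULL, enabled INTEGER NOT NULL DEFAULT 1);
CREATE TABLE adlist_by_group (
    adlist_id INTEGER NOT NULL, group_id INTEGER NOT NULL, PRIMARY KEY (adlist_id, group_id));
INSERT INTO "group" (id, name, description) VALUES (0, 'Default', 'The default group');
-- As in Pi-hole, every new client and every new adlist lands in the Default group (id 0).
CREATE TRIGGER tr_client_add AFTER INSERT ON client
    BEGIN INSERT INTO client_by_group (client_id, group_id) VALUES (NEW.id, 0); END;
CREATE TRIGGER tr_adlist_add AFTER INSERT ON adlist
    BEGIN INSERT INTO adlist_by_group (adlist_id, group_id) VALUES (NEW.id, 0); END;
"""

DEFAULT_GROUP = 0


def open_demo_db():
    """In-memory database seeded with two constructed adlists, as on a fresh install."""
    con = sqlite3.connect(":memory:")
    con.executescript(DEMO_SCHEMA)
    con.executemany(
        "INSERT INTO adlist (address) VALUES (?)",
        [("https://lists.example.invalid/ads.txt",),
         ("https://lists.example.invalid/tracking.txt",)],
    )
    con.commit()
    return con


def create_opt_in_group(con, name, known_clients):
    """Create a group for household devices, enrol the known clients in it (and only it),
    and move every adlist off the Default group so unknown clients get no blocking."""
    with con:  # one transaction; rolled back on error
        gid = con.execute(
            'INSERT INTO "group" (name, description) VALUES (?, ?)',
            (name, "Household devices that opt in to Pi-hole blocking"),
        ).lastrowid
        for ip, comment in known_clients:
            cid = con.execute(
                "INSERT INTO client (ip, comment) VALUES (?, ?)", (ip, comment)
            ).lastrowid
            # The trigger put the new client into Default; replace that with our group.
            con.execute("DELETE FROM client_by_group WHERE client_id = ?", (cid,))
            con.execute(
                "INSERT INTO client_by_group (client_id, group_id) VALUES (?, ?)", (cid, gid)
            )
        # Re-home every adlist assignment from Default to the new group.
        con.execute(
            "INSERT OR IGNORE INTO adlist_by_group (adlist_id, group_id) "
            "SELECT adlist_id, ? FROM adlist_by_group WHERE group_id = ?",
            (gid, DEFAULT_GROUP),
        )
        con.execute("DELETE FROM adlist_by_group WHERE group_id = ?", (DEFAULT_GROUP,))
    return gid


def adlists_for_group(con, gid):
    """Enabled adlist URLs that apply to a group."""
    rows = con.execute(
        "SELECT a.address FROM adlist a JOIN adlist_by_group ag ON ag.adlist_id = a.id "
        "WHERE ag.group_id = ? AND a.enabled = 1 ORDER BY a.address", (gid,)
    )
    return [r[0] for r in rows]


def groups_for_client(con, ip):
    """Group names a client IP belongs to; an IP with no client row is treated as Default."""
    rows = con.execute(
        'SELECT g.name FROM "group" g JOIN client_by_group cg ON cg.group_id = g.id '
        "JOIN client c ON c.id = cg.client_id WHERE c.ip = ? ORDER BY g.name", (ip,)
    )
    return [r[0] for r in rows] or ["Default"]


if __name__ == "__main__":
    db = open_demo_db()
    gid = create_opt_in_group(db, "Household", [("192.168.1.20", "laptop"), ("192.168.1.21", "NAS")])
    print("Default adlists:", adlists_for_group(db, DEFAULT_GROUP))
    print("Household adlists:", adlists_for_group(db, gid))
    print("192.168.1.20 ->", groups_for_client(db, "192.168.1.20"))
    print("192.168.1.99 (unknown guest) ->", groups_for_client(db, "192.168.1.99"))
```

On a real installation the same moves also apply to domainlist_by_group (your black, white and regex lists), which the toy schema leaves out, and FTL has to be told to reload its lists afterwards (the `pihole restartdns reload-lists` command, as I recall it). Doing it through the Group Management pages of the web interface is the supported route; the point of the script is to make visible which rows change.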
When new clients join the network and start using Pi-hole, they will be in the default group. There will be no blocking and nothing logged for these clients.
So if there is no list in the default group, then nothing is going to be logged? That would be perfect; I thought logging would always be on, as clients still make requests.
You may want to reconsider your stance. It's indeed honorable not to want to eavesdrop on your guests, but you are providing a service to them and thus you will be responsible for their actions on your network. Having a trail to verify whether any activities occurred or did not occur could be a very valuable tool.