Hello,
I have an Asus RT-AC86U router and it has a feature that forces all devices to use the specified DNS server. In this case, it's pihole.
All connected devices are forced to use pihole; even if you change the DNS server on a device, it will still use the router's... except the Safari browser.
If I change the DNS on the iPhone to, let's say, 1.1.1.1, every Internet browser on that iPhone is forced to use pihole's DNS... except Safari. No matter what I try, Safari will bypass pihole if I manually set a different DNS server that's not the Pihole. I've tried deleting cache and history, opening and reopening Safari... nothing works.
Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:
It's a service offered with an iCloud+ subscription which routes your Safari lookups and traffic through Apple's servers. This stops your ISP – but also Pi-hole – from seeing it. If you subscribe to iCloud+ you'll find it on your iPhone in Settings > YouriCloudNameAtTheTop > iCloud > Private Relay.
No, I don't have it. The option I get is to subscribe, so that means I don't have it.
I wouldn't get anything like that anyway, especially if I have to pay.
I also have a couple of adlists, "DoH-IP-blocklists/master/doh-domains", that are supposed to prevent bypassing pihole. Are these adlists supposed to prevent this from happening on iOS?
Ok, I found something more detailed. It seems it bypasses pihole if I choose Private Browsing Mode. If I use the regular browser mode, it's fine.. what would cause Private Mode to bypass Pihole?
Are you saying that other apps, and the iPhone itself is using Pi-hole, but Safari specifically is not? Or are you using Safari to mean the iPhone in general and you don't believe it's using Pi-hole at all for anything?
How are you determining that Safari is not using Pi-hole?
By default the iPhone hides its Apple identity and device name from the network, so if it was using Pi-hole, you would only see the sites being looked up and the IP in Pi-hole's Query Log. You can disable this hiding on a per-network basis in the iPhone if desired.
All other apps use Pihole because I use a test site to see if the ads are blocked or not. Also, Google and Bing have SafeSearch enforced no matter which browser I use: Firefox, Brave, you name it. Only when using Safari, and especially using its Private Mode, it bypasses Pihole, because Bing stops using SafeSearch and therefore displays adult photos... whereas when it's using Pihole, that is blocked.
When using Bing SafeSearch, it will not allow me to change the setting... once I see I can change SafeSearch from Moderate to Strict or None, it means it's not using Pihole anymore.
But keep in mind, even if I change the DNS server on the iPhone, and Safari is not using it.. the phone itself is still using Pihole because I don't get any ads on any app.. and when I go to the ad test site on Brave, it is blocked.. the issue is only with Safari.
I've been playing with Safari more. I thought it was when using Private Mode... but I now realize it's when I Clear History and Website Data and go back to Safari; that first instance of using it, that's when it bypasses Pihole. This is very strange behavior.
I found this mentioned elsewhere too, and on my iPhone it's set to enabled for Private Browsing, but when I test it I still see the domains I'm trying appearing in Pi-hole in normal and private mode. But Fotingo, give that a go; does that change the behaviour?
Apple can be annoying at times; these silently introduced "helpful" features can get in the way when using something like Pi-hole.
On your iPhone visit the site https://dnsleaktest.com and press the button for Extended test. That will reveal many or all of the DNS servers you are using.
If the iPhone is using Pi-hole exclusively then you will see just Pi-hole's upstream servers (or servers relating to those organisations).
If you see other servers then this will help you work out what's allowing it to happen.
Yup, did that, and it only shows WoodyNet, which is Quad9. I am using Quad9 as the upstream server in Unbound... but it's bypassing the pihole SafeSearch.
Let me show you what I mean...
Here is a screenshot of 2 instances of using Safari. The first one, on top, is right after Deleting Data from settings; the 2nd, on the bottom, is when I delete the tab and search again, which is when Pihole is being enforced with SafeSearch.
This only happens right after I Delete Data and use Safari the first time after that. Once I delete the tab and search again, it goes back to using Pihole.