I would like to block any traffic from one client with the exception of 3 whitelisted domains, i.e. the client shall be allowed to access only these 3 domains. How do I accomplish this?
In Group Management => Groups, I have - besides Default - the groups Kiosk and Block.
In Clients, I have Device A with the groups Default, Kiosk, and Block under Group assignment.
In Domains, I have 3 whitelisted domains with the groups Kiosk and Block (not Default, though) under Group assignment.
In Domains, I have the RegEx (\.|^)*$ blacklist with the group Block (only group) under Group assignment.
This does not work, i.e. the client Device A has access to any domain.
What am I overseeing? Thanks for sharing your thoughts and helping me a bit.
PS1:
I know the examples there but they do not seem to apply to my use case, or I simply misunderstand them.
PS2:
I saw several similar questions from 2018 and older, where the answer was "not possible". If this is still the case today, please also let me know. Thank you.
Please upload a debug log and post just the token URL that is generated after the log is uploaded by running the following command from the Pi-hole host terminal:
pihole -d
or do it through the Web interface:
Tools > Generate Debug Log
This will show us all your groups and domain blocks.
I do not want to share the whitelisted domains and other private data. Is there a way to trim the log down and still provide it via URL and token? Or via some other way? Sorry that I am so cumbersome, while expecting help. If you cannot help me further because of my reluctance, I understand it.
Hm, I did that - in fact I even left the 3 whitelisted domains out of group Kiosk and assigned Device A only to group Kiosk (which only has the RegEx blacklist (\.|^)*$). I expected that Device A would not have access to any domain, but it does. The query log shows for a domain I could access from that device:
OK, answered by localhost#5335
INSECURE
I need to explain that I run unbound on the same pihole with port 5335 and custom (IPv4) Upstream DNS server 127.0.0.1#5335. These advanced settings are enabled:
Never forward non-FQDN A and AAAA queries
Never forward reverse lookups for private IP ranges
Use DNSSEC
Use Conditional Forwarding
Local network in [CIDR notation]: 192.168.178.0/24
IP address of your DHCP server (router): 192.168.178.1
Local domain name (optional): fritz.box
Unbound works, as far as I can see, but that was not my concern. I only mention this to be sure that I provide the full picture (which would, admittedly, be better when providing the log, sorry).
You probably should start by creating a debug log without uploading it.
Then take a closer look at /var/log/pihole_debug.log and decide whether you'd be willing to share it with the Pi-hole team (for 48 hours before it gets auto-deleted).
If you upload a debug log and send us the token, only a few members of the Pi-hole team have access to the log, and it auto-expires in 48 hours. It is not available publicly.
This does not look like a valid regular expression.
You specify that there may be any number of "." characters or beginning of lines. Note that "any number of beginning of lines" isn't meaningful and disqualifies the entire regular expression.
For your case, simply use
.
. is the regex wildcard character and will always match any non-empty string. * is a multiplier and has a different meaning. See Tutorial - Pi-hole documentation and especially the cheatsheet at the end of the document.
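As an added illustration (not code from the thread or from Pi-hole), the following C program feeds patterns through the POSIX extended regex engine (regcomp/regexec, assumed here to be the same family FTL uses for its regex lists) and reports whether each constructed sample domain would match, i.e. be blocked. It contrasts the wildcard "." suggested above with the usual "(\.|^)example\.com$" idiom for blocking one domain and its subdomains, and it only prints, rather than assumes, the result for the question's "(\.|^)*$" pattern because that depends on the engine.

```c
#include <regex.h>
#include <stdio.h>

/* Compile PATTERN as a POSIX extended regex and search DOMAIN with it the
 * way a regex blacklist check would. Returns 1 for a match (domain would be
 * blocked), 0 for no match, and -1 when the pattern does not compile. */
int ere_matches(const char *pattern, const char *domain) {
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, domain, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

static void show(const char *pattern, const char *domain) {
    const char *verdict[] = {"no match (allowed)", "MATCH (blocked)"};
    int r = ere_matches(pattern, domain);
    printf("%-24s %-18s %s\n", pattern, domain,
           r < 0 ? "does not compile" : verdict[r]);
}

int main(void) {
    /* Constructed sample domains; none of them come from the thread. */
    show(".", "example.com");  /* any non-empty name matches */
    show(".", "");             /* the empty string is the only exception */

    /* Per-domain idiom: "." or start of string, the domain, then end. */
    show("(\\.|^)example\\.com$", "example.com");      /* blocked */
    show("(\\.|^)example\\.com$", "sub.example.com");  /* blocked */
    show("(\\.|^)example\\.com$", "notexample.com");   /* allowed */
    show("(\\.|^)example\\.com$", "example.com.evil"); /* allowed */

    /* The pattern from the question: whether it compiles and what it
     * matches is engine-dependent, so the outcome is printed, not assumed. */
    show("(\\.|^)*$", "example.com");
    return 0;
}
```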
Nice. Thanks for the info. I'm getting a new router and it doesn't have the capability of my old one with "Parental Controls", and I was looking for something similar; this looks to do the job. Kids use their school laptops to browse the internet, so I blocked them from everything other than what the school uses.