Pi-Hole should see and DNS filter all traffic on the LAN/VLAN.
Actual Behaviour:
It DNS filters on items I enter into the MacBook Terminal, e.g., "Flurry.com," which it resolves to 0.0.0.0 and reports on the Query Log. It does not see or DNS filter traffic through my Firefox browser (using DoH). It does not see or DNS filter traffic on my Amazon Fire Stick, also on the same LAN/VLAN. Console/Network Settings/Network Overview indicates the MacBook is using Pi-Hole (green background), but not the Fire Stick (red background). SSH into the Pi works.
If the Firefox browser is using DoH, the DNS queries from that browser go to a DoH server and not to Pi-Hole. You would need to disable the DoH option in Firefox.
Note that your installed version of Pi-hole (4.4) includes the change to provide NXDOMAIN for a specific domain checked by Firefox, which should stop Firefox from operating in DoH mode.
This is likely because the Firestick is using a hard-coded DNS and is not respecting the DNS assigned by your DHCP server. The solution here would be to redirect all DNS traffic from any device other than Pi-hole back to the Pi-hole, but this requires a router or firewall that has that capability.
Thank you. The link states that default DoH users choices will stop the DoH from operating, but those users who have chosen DoH will have their choice respected. I chose to do so when it was still optional, so I'll need to learn how to turn off the choice and go back to the default. That's a Firefox and my problem, not Pi-Hole's, thanks.
Network settings on the Fire Stick indicate DNS is the LAN's (VLAN) default gateway, i.e., my router's LAN IP address.
In the last week the Fire Stick did work with Pi-Hole, but I had my network so mis-configured I don't know if that's evidence of anything. Is there an alternative solution?
It's working now. I re-installed Pi-Hole on a fresh Raspberry Pi without the firewall, let the device point at the router IP, and manually pointed the DNS on the router to the Raspberry Pi's static IP, did a "forget this network" on the device, hooked it up again, and it's working.
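To check which devices send DNS somewhere other than the Pi-hole (the Fire Stick symptom discussed in this thread), the following added example, which is not part of the original posts, parses `tcpdump -nn` text output captured on the router's LAN side. The addresses, the sample capture and the function names are constructed assumptions; it handles IPv4 on ports 53 and 853 only, and DoH on port 443 is not visible this way.

```python
import re
from collections import defaultdict

PIHOLE = "192.168.1.2"      # assumed static IP of the Pi-hole
DNS_PORTS = {"53", "853"}   # plain DNS and DNS-over-TLS

# Constructed sample in `tcpdump -nn` text format (not from the thread).
CAPTURE = """\
12:00:01.100000 IP 192.168.1.50.51000 > 192.168.1.2.53: 4660+ A? flurry.com. (28)
12:00:01.200000 IP 192.168.1.2.53 > 192.168.1.50.51000: 4660 1/0/0 A 0.0.0.0 (44)
12:00:02.100000 IP 192.168.1.60.40000 > 192.168.1.1.53: 100+ A? example.com. (29)
12:00:03.100000 IP 192.168.1.60.40001 > 8.8.8.8.53: 101+ A? example.net. (29)
12:00:04.100000 IP 192.168.1.2.39000 > 9.9.9.9.53: 7+ A? example.com. (29)
12:00:05.100000 IP 192.168.1.50.52000 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
"""

# "IP <src>.<sport> > <dst>.<dport>:" as printed by tcpdump for IPv4.
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def dns_destinations(capture, pihole=PIHOLE):
    """Map each client IP to the set of resolvers it sent queries to."""
    seen = defaultdict(set)
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, _sport, dst, dport = m.groups()
        if dport not in DNS_PORTS:
            continue  # skips responses (source port 53) and non-DNS traffic
        if src == pihole:
            continue  # the Pi-hole's own upstream lookups are expected
        seen[src].add(dst)
    return dict(seen)


def bypassing_clients(capture, pihole=PIHOLE):
    """Clients with at least one query sent to something other than the Pi-hole."""
    result = {}
    for client, resolvers in dns_destinations(capture, pihole).items():
        others = sorted(resolvers - {pihole})
        if others:
            result[client] = others
    return result


if __name__ == "__main__":
    for client, resolvers in bypassing_clients(CAPTURE).items():
        print(f"{client} sends DNS to {', '.join(resolvers)} instead of {PIHOLE}")
```

A client that queries the router rather than the Pi-hole directly is also listed; if the router forwards to the Pi-hole, as in the final setup above, filtering still applies but the Pi-hole sees those queries as coming from the router.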