V6.4 Block over Allow on lists

I have set up your newest Pi-hole 6.4 directly through the setup script on a Raspberry Pi 5 with the Raspberry Pi OS.
I have subscribed to multiple blacklists and allowlists. One allow list is explicitly allowing facebook.com in an ABP-style domain.

Expected Behaviour:
I expect Facebook to be working, since it is explicitly allowed in a subscribed allowlist.

Actual Behaviour:
I cannot access the page.
When using dig and DNS through HTTPS, I receive this return:

While these subscribed lists are relevant:

However, when I am manually adding “@@||facebook.com^” as an allowed regex domain, facebook.com becomes available. Why doesn’t the subscribed allowlist get prioritized? I would prefer the “Subscribed allowlists” to be working over “Subscribed denylist” as intended (allow over block). Priority is further clarified here: Domain Database - Pi-hole documentation

The relevant subscribed allowlist is processed as follows:

[i] Target: https://raw.githubusercontent.com/PaulSchulze1337/pihole-lists/refs/heads/main/allowlists/facebook_allowlist
[✓] Status: No changes detected
[✓] Parsed 0 exact domains and 44 ABP-style domains (allowing, ignored 0 non-domain entries)

Did I configure something wrong?

Debug Token:

https://tricorder.pi-hole.net/DPSIJ0Et/

Not related to your issue, your screenshots would indicate your Pi-hole's DNS server is publicly accessible via port 853, and your debug log could suggest you may run nginx as DNS-over-TLS proxy in front of Pi-hole?

Make sure that port 53 is blocked for inbound public traffic in such a case, or you may risk running an open resolver.


As to your observation:
Could you please share those lines from your allowlists that are supposed to allow accessing facebook.com?

Thanks for the swift response.
The subscribed allowlist, which is supposed to allow facebook.com, is in this file:

https://raw.githubusercontent.com/PaulSchulze1337/pihole-lists/refs/heads/main/allowlists/facebook_allowlist

The first valid line: "@@||facebook.com^"

I wish to repeat that facebook.com becomes accessible if I am adding this line manually to my personal allowlist.

Your assumption about Nginx and dns-over-TLS is correct.

You are using the Group Management incorrectly.

You renamed the "Default Group" (ID=0) to "Block" and created another group called "Allow":

You also have no Clients assigned to any group.

The issue is:
Pi-hole will use the group with ID=0 and apply it to every client that doesn't have a group explicitly assigned. The other groups will be used only by Clients that are assigned to them (but there are no clients in your group management).

As a result, your Pi-hole is using all lists assigned to group ID=0 (Block), but is not applying the lists assigned to the other group.

If you want your allowlists applied to every client, you need to assign these lists to the group with ID=0.

Note: you should rename that group back to "Default", because adding allowlists to a group called "Block" will create a lot of confusion.

Your debug log shows that you have associated that blocklist with group_id 1:

*** [ DIAGNOSING ]: Adlists
 id    enabled  group_ids  type   address                                                                                               date_added           date_modified        comment                                           
 ----- -------  ---------  -----  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  -------
 (…)
 109   yes      1          Allow  https://raw.githubusercontent.com/PaulSchulze1337/pihole-lists/refs/heads/main/allowlists/facebook_a  2026-03-07 13:10:40  2026-03-07 13:20:31
                                          llowlist

Yet you configured no client to be associated with that group.
And you only ever would have to add specific clients to groups if you'd wanted them to be filtered differently.

In your case, you should probably just re-assign your subscribed allowlists with Pi-hole's Default group (group_id 0), so all your clients would benefit from your allowlists.
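
The misconfiguration diagnosed above can be checked for mechanically. The following is an added example, not code from the thread or from Pi-hole: it flags enabled lists that reach no client because they are neither in group 0 nor in any group that has clients. The table and column names are assumptions modelled on a simplified gravity.db, and the in-memory rows (group names, list id 109, example URLs) are constructed to mirror this thread.

```python
import sqlite3

# Simplified stand-in for the gravity.db tables involved (names/columns are assumptions).
SCHEMA = """
CREATE TABLE "group" (id INTEGER PRIMARY KEY, name TEXT, enabled INTEGER DEFAULT 1);
CREATE TABLE adlist (id INTEGER PRIMARY KEY, address TEXT, enabled INTEGER DEFAULT 1, type INTEGER);
CREATE TABLE adlist_by_group (adlist_id INTEGER, group_id INTEGER);
CREATE TABLE client (id INTEGER PRIMARY KEY, ip TEXT);
CREATE TABLE client_by_group (client_id INTEGER, group_id INTEGER);
"""

# Enabled lists with no effective group: an effective group is enabled and is
# either group 0 (used by every unassigned client) or has a client assigned.
INEFFECTIVE_LISTS = """
SELECT a.id, a.address, CASE a.type WHEN 1 THEN 'Allow' ELSE 'Block' END
FROM adlist a
WHERE a.enabled = 1
  AND NOT EXISTS (
    SELECT 1 FROM adlist_by_group ag
    JOIN "group" g ON g.id = ag.group_id AND g.enabled = 1
    WHERE ag.adlist_id = a.id
      AND (ag.group_id = 0
           OR EXISTS (SELECT 1 FROM client_by_group cg WHERE cg.group_id = ag.group_id)))
ORDER BY a.id
"""

def build_sample_db():
    # Constructed data: group 0 renamed "Block", allowlist 109 only in group 1, no clients.
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany('INSERT INTO "group" (id, name) VALUES (?, ?)', [(0, "Block"), (1, "Allow")])
    db.executemany("INSERT INTO adlist (id, address, type) VALUES (?, ?, ?)",
                   [(1, "https://lists.example/block.txt", 0),
                    (109, "https://lists.example/facebook_allowlist", 1)])
    db.executemany("INSERT INTO adlist_by_group VALUES (?, ?)", [(1, 0), (109, 1)])
    return db

def ineffective_lists(db):
    return db.execute(INEFFECTIVE_LISTS).fetchall()

if __name__ == "__main__":
    for list_id, address, kind in ineffective_lists(build_sample_db()):
        print(f"list {list_id} ({kind}, {address}) reaches no client")
```
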

Thank you for taking your time looking into my issue.
This solution works. I apologize for misinterpreting the group management system.

One more observation:

You have a regex, that is not really a regex:

The pattern @@|| is used by AdBlock Plus to exclude some domain, but this is not a valid Regex.

Pi-hole understands this pattern only inside lists, but not on the Domains page.
