N00b here. Trying to set up Pi-hole to obviously filter ads as well as block certain websites for specific computers (kids) while creating a secondary "whitelist" of computers for the adults. I can successfully blacklist sites by adding them to the Default group. I created a secondary Group 1 (based on other Pi-hole posts) and added my test computer to Group 1.
Actual Behaviour:
Any device I test by placing it in Group 1 (whitelist group) is still being blocked from blacklisted sites.
I am assuming it's something with my configuration, but I can't seem to figure it out. (Additional info: I was expecting my test device to register the Pi-hole instance as my DNS when I ran an ipconfig, but it still sees the router, which I have made the changes to point at Pi-hole. I have had to manually add the DNS pointer on my test computer.)
I don't know what to tell you. It's been set up correctly based on everything I have read. I am not sure if the screenshot will attach, but it's of the router DNS settings local network. Both groups are enabled. In my last debug I may have not re-enabled the Group1, but I was pretty sure I had. This newest dump was this morning and I double-checked everything.
Router DNS settings are pointing at 192.168.1.100
Both groups are enabled
Test machine still shows router as DNS but everything is blocked
Yes, multiple times. I am testing the whitelist group on my laptop, so I tried it over WiFi as well as hardwired.
I talked with a networking guy at work and he says my laptop is not seeing the DNS because it's connecting to my router and my router is then passing it to the Pi-hole DNS. I was going to start just putting the IP in some devices, but now I can't seem to figure out what I should be inputting in my phone for the Private DNS settings. Doesn't like anything.
I am at my wits' end. This shouldn't be this complicated.
The first lookup for pi.hole shows that your router at 192.168.1.1 is used for that DNS request.
As it supplies the correct IP for pi.hole, your router has to be using Pi-hole as one of its upstream DNS servers. This is further confirmed by the second lookup for flurry.com showing up as 0.0.0.0, i.e. it was blocked by Pi-hole.
So clients in your network talk to your router for DNS, and your router aggregates DNS traffic of all its DHCP clients and forwards it to Pi-hole.
That is a valid configuration, but Pi-hole thus would see all DNS requests as originating from your router, making client-specific filtering impossible.
For Pi-hole's group management to be effective for specific clients, those clients have to talk DNS to Pi-hole directly.
You'd have to change your router's configuration to distribute Pi-hole as local DNS server instead of itself.
Alternatively, you could point clients manually to use Pi-hole for DNS, as you've done for the client's second set of nslookups:
The output for those shows that Pi-hole didn't block flurry.com for that client.
If your client configuration from your previous debug log would have been still effective at the time you ran that nslookup, this would imply that you ran that command from the only client that was assigned to Group 1:
And your debug log showed Group 1 to be void of any filtering.
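A check for the situation described in the reply above, as an added example that is not part of the original thread: it counts which source addresses appear in a dnsmasq-style query log and reports whether the devices assigned to a group reach Pi-hole under their own IP or are hidden behind the router. The log lines and the two client addresses (192.168.1.23, 192.168.1.42) are constructed; 192.168.1.1 is the router from the thread.

```python
import re
from collections import Counter

# Constructed sample lines in dnsmasq query-log style.
# Scenario A: the router (192.168.1.1) forwards every client's DNS to Pi-hole.
LOG_VIA_ROUTER = """\
Mar  3 08:01:10 dnsmasq[812]: query[A] flurry.com from 192.168.1.1
Mar  3 08:01:12 dnsmasq[812]: query[A] pi.hole from 192.168.1.1
Mar  3 08:01:15 dnsmasq[812]: query[AAAA] youtube.com from 192.168.1.1
Mar  3 08:01:15 dnsmasq[812]: forwarded youtube.com to 9.9.9.9
"""
# Scenario B: DHCP hands out Pi-hole as DNS, so clients query it themselves.
LOG_DIRECT = """\
Mar  3 09:14:02 dnsmasq[812]: query[A] flurry.com from 192.168.1.23
Mar  3 09:14:05 dnsmasq[812]: query[A] youtube.com from 192.168.1.42
Mar  3 09:14:05 dnsmasq[812]: query[type=65] youtube.com from 192.168.1.42
"""

QUERY_RE = re.compile(r"query\[[^\]]+\] \S+ from (?P<client>\S+)$")

def clients_seen(log_text):
    """Count queries per source address; non-query lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line.strip())
        if m:
            counts[m.group("client")] += 1
    return counts

def diagnose(log_text, router_ip, group_clients):
    """Report whether group-assigned clients reach Pi-hole under their own IP."""
    seen = clients_seen(log_text)
    total = sum(seen.values())
    missing = sorted(ip for ip in group_clients if ip not in seen)
    return {
        "router_share": seen[router_ip] / total if total else 0.0,
        "missing": missing,  # group members Pi-hole never saw directly
        "per_client_ok": total > 0 and not missing,
    }

if __name__ == "__main__":
    kids = {"192.168.1.23", "192.168.1.42"}  # hypothetical group members
    for name, log in (("via router", LOG_VIA_ROUTER), ("direct", LOG_DIRECT)):
        print(name, diagnose(log, "192.168.1.1", kids))
```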
Thank you for that in-depth explanation. Makes sense to me now.
That being said I have a couple last questions.
This whole project was more to block the access to certain websites (youtube, tiktok, porn) from my younger kids' devices, with the added benefit of blocking ads (which I know is the primary function of PH). My list of blocked devices is shorter than the devices I want whitelisted (wife, myself, older kids). Several of the devices whitelisted are phones and Chromebooks, which do not appear to allow you to enter the PH host name, so from that perspective PH won't work on my network. Can PH be used to do this without manually entering the DNS IP on every device? Seems like I would have to use the DHCP portion to make it work?
Pi-hole is not a Parental Control system. It is a DNS filter/black-hole.
As you said, Pi-hole's main goal is to block things the user wants to block (like ads and malicious domains), but Pi-hole can be bypassed by users if they want.
If you set Pi-hole IP as DNS server on your router's LAN/DHCP section, you don't need to set devices individually.
You can create Groups to allow different adlists, whitelists and blacklists per device, using the Management Group settings.
Pi-hole already has the Default group.
You can add the less restrictive rules to this group and add the desired devices to this group.
Then you can create a new group ("Kids", as an example), add more restrictive adlists/domains and add the kids' devices to this group.
But keep in mind:
Bypassing Pi-hole is as easy as manually configuring a public DNS server on a device or switching from wifi to mobile network on a tablet or smartphone.