White list instructions not working for me

Expected Behaviour:

N00b here. Trying to set up Pi-Hole to obviously filter ads as well as block certain websites for specific computers (kids) while creating a secondary "whitelist" of computers for the adults. I can successfully blacklist sites by adding them to the Default group. I created a secondary Group 1 (based on other Pi-hole posts) and added my test computer to Group 1.

Actual Behaviour:

Any device I test by placing it in Group 1 (whitelist group) is still being blocked from blacklisted sites.
I am assuming it's something with my configuration, but I can't seem to figure it out. (Additional info: I was expecting my test device to register the Pi-hole instance as my DNS when I ran an ipconfig, but it still sees the router, which I have made the changes to point at Pi-hole. I have had to manually add the DNS pointer on my test computer.)

Debug Token:

https://tricorder.pi-hole.net/jczlV5dI/

You have disabled group 1:

*** [ DIAGNOSING ]: Groups
   id    enabled  name                                                date_added           date_modified        description                                       
   ----  -------  --------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   0           1  Default                                             2023-05-14 16:05:07  2023-05-14 21:35:06                                                    
   1        0     Group 1                                             2023-05-14 19:33:21  2023-05-14 21:33:37                                                    

*** [ DIAGNOSING ]: Domainlist (0/1 = exact white-/blacklist, 2/3 = regex white-/blacklist)
   id     type  enabled  group_ids     domain                                                                                                date_added           date_modified        comment                                           
   -----  ----  -------  ------------  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   2         3        1  0             (\.|^)tiktok\.com$                                                                                    2023-05-14 19:14:53  2023-05-14 20:31:09                                                    
   4         3        1  0             (\.|^)youtube\.com$                                                                                   2023-05-14 19:28:08  2023-05-14 20:33:24                                                    
   5         3        1  0             (\.|^)onlyfans\.com$                                                                                  2023-05-14 21:09:44  2023-05-14 21:09:44                                                    

*** [ DIAGNOSING ]: Clients
   id    group_ids     ip                                                                                                    date_added           date_modified        comment                                           
   ----  ------------  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   4     0             192.168.1.140                                                                                         2023-05-14 20:48:27  2023-05-14 20:48:27                                                    
   5     1             192.168.1.115                                                                                         2023-05-14 20:54:02  2023-05-14 20:54:10                                                    

*** [ DIAGNOSING ]: Adlists
   id     enabled  group_ids     address                                                                                               date_added           date_modified        comment                                           
   -----  -------  ------------  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   1            1  0             https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts                                      2023-05-14 16:05:09  2023-05-14 16:05:09  Migrated from /etc/pihole/adlists.list            

Your router should be distributing the IP of Pi-hole for DNS, not its own IP:

Here is what your DHCP server is providing:

*** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
   Scanning all your interfaces for DHCP servers
   Timeout: 10 seconds
   
   WARN: Could not sendto() in send_dhcp_discover() (/__w/FTL/FTL/src/dhcp-discover.c:233): Network is unreachable
   * Received 326 bytes from eth0:192.168.1.1
     Offered IP address: 192.168.1.100
     Server IP address: 192.168.1.1
     Relay-agent IP address: N/A
     BOOTP server: ecosystem.home.cisco.com
     BOOTP file: (empty)
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.1.1
      lease-time: 86400 ( 1d )
      renewal-time: 43200 ( 12h )
      rebinding-time: 75600 ( 21h )
      netmask: 255.255.255.0
      broadcast: 192.168.1.255
      domain-name: "removed by moderator"
      hostname: "RaspberryPi"
      dns-server: 192.168.1.1
      router: 192.168.1.1
      --- end of options ---
    
   DHCP packets received on interface lo: 0
   DHCP packets received on interface wlan0: 0
   DHCP packets received on interface eth0: 1

That is 100% my fault. I changed everything back last night and so the log file doesn't actually provide you with anything useful for troubleshooting.

Here is a new one.

https://tricorder.pi-hole.net/jczlV5dI/

Your new debug log shows the same issues previously reported:

  1. You have disabled "group 1" (Look at the enabled column below):

    *** [ DIAGNOSING ]: Groups
       id    enabled  name                                                date_added           date_modified        description                                       
       ----  -------  --------------------------------------------------  -------------------  -------------------  --------------------------------------------------
       0           1  Default                                             2023-05-14 16:05:07  2023-05-14 21:35:06                                                    
       1        0     Group 1                                             2023-05-14 19:33:21  2023-05-14 21:33:37                                                    
    
  2. Your router is still distributing its own IP as DNS server (you should use Pi-hole's IP):

    *** [ DIAGNOSING ]: Discovering active DHCP servers (takes 10 seconds)
          ...
    
          dns-server: 192.168.1.1
          router: 192.168.1.1
          --- end of options ---
    

I don't know what to tell you. It's been set up correctly based on everything I have read. I am not sure if the screenshot will attach, but it's of the router DNS settings for the local network. Both groups are enabled. In my last debug I may have not re-enabled Group 1, but I was pretty sure I had. This newest dump was this morning and I double-checked everything.

Router DNS settings are pointing at 192.168.1.100
Both groups are enabled
Test machine still shows router as DNS but everything is blocked

https://tricorder.pi-hole.net/5RxSSHJz/

Yes, now both are enabled.

Strangely, the new debug log (5RxSSHJz) still shows the same dns-server: 192.168.1.1:

   * Received 326 bytes from eth0:192.168.1.1
     Offered IP address: 192.168.1.100
     Server IP address: 192.168.1.1
     Relay-agent IP address: N/A
     BOOTP server: ecosystem.home.cisco.com
     BOOTP file: (empty)
     DHCP options:
      Message type: DHCPOFFER (2)
      server-identifier: 192.168.1.1
      lease-time: 86400 ( 1d )
      renewal-time: 43200 ( 12h )
      rebinding-time: 75600 ( 21h )
      netmask: 255.255.255.0
      broadcast: 192.168.1.255
      domain-name: "hsd1.ca.comcast.net"
      hostname: "RaspberryPi"
      dns-server: 192.168.1.1
      router: 192.168.1.1
      --- end of options ---

Did you renew the DHCP leases?

Yes, multiple times. I am testing the whitelist group on my laptop, so I tried it over WiFi as well as hardwired.

I talked with a networking guy at work and he says my laptop is not seeing the DNS because it's connecting to my router and my router is then passing it to the Pi-hole DNS. I was going to start just putting the IP in some devices, but now I can't seem to figure out what I should be inputting in my phone for the Private DNS settings. It doesn't like anything.

I am at my wits' end. This shouldn't be this complicated.

Run from a client, what is the output of:

nslookup pi.hole
nslookup flurry.com

Without manual DNS input into ethernet settings
image

With manual DNS input into ethernet settings
image

The first lookup for pi.hole shows that your router at 192.168.1.1 is used for that DNS request.
As it supplies the correct IP for pi.hole, your router has to be using Pi-hole as one of its upstream DNS servers. This is further confirmed by the second lookup for flurry.com showing up as 0.0.0.0, i.e. it was blocked by Pi-hole.

So clients in your network talk to your router for DNS, and your router aggregates DNS traffic of all its DHCP clients and forwards it to Pi-hole.

That is a valid configuration, but Pi-hole thus would see all DNS requests as originating from your router, making client-specific filtering impossible.

For Pi-hole's group management to be effective for specific clients, those clients have to talk DNS to Pi-hole directly.

You'd have to change your router's configuration to distribute Pi-hole as local DNS server instead of itself.
Alternatively, you could point clients manually to use Pi-hole for DNS, as you've done for the client's second set of nslookups:

The output for those shows that Pi-hole didn't block flurry.com for that client.

If your client configuration from your previous debug log would have been still effective at the time you ran that nslookup, this would imply that you ran that command from the only client that was assigned to Group 1:

And your debug log showed Group 1 to be void of any filtering.
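
A simplified model of the behaviour explained above, added here as an illustration; it is not Pi-hole's code and not part of the original reply. It reuses the IPs, groups and regex entries from the thread's debug logs; the function names and the rule that an unlisted source IP falls into the Default group are assumptions of the model.

```python
import re

PIHOLE_IP = "192.168.1.100"   # Pi-hole address given in the thread
ROUTER_IP = "192.168.1.1"

# Tables as shown in the thread's debug log (Group 1 enabled, as in the last log).
GROUPS = {0: True, 1: True}                       # group id -> enabled
CLIENTS = {"192.168.1.140": [0], "192.168.1.115": [1]}
REGEX_BLACKLIST = [                               # (pattern, group ids)
    (r"(\.|^)tiktok\.com$", [0]),
    (r"(\.|^)youtube\.com$", [0]),
]

# Excerpt of the DHCPOFFER printed in the debug log.
OFFER = """\
  DHCP options:
   server-identifier: 192.168.1.1
   dns-server: 192.168.1.1
   router: 192.168.1.1
"""

def offered_dns(offer_text):
    """Return the DNS servers a DHCP offer hands to clients."""
    return re.findall(r"^\s*dns-server:\s*(\S+)", offer_text, re.M)

def source_seen_by_pihole(client_ip, dns_servers):
    """Clients that query Pi-hole directly keep their own IP; clients that
    query the router are seen as the router once it forwards upstream."""
    return client_ip if PIHOLE_IP in dns_servers else ROUTER_IP

def effective_groups(source_ip):
    """Assumption: an IP with no client entry gets the Default group (0)."""
    return {g for g in CLIENTS.get(source_ip, [0]) if GROUPS.get(g)}

def is_blocked(source_ip, domain):
    """True if any regex assigned to the source's enabled groups matches."""
    groups = effective_groups(source_ip)
    return any(groups.intersection(gids) and re.search(pat, domain)
               for pat, gids in REGEX_BLACKLIST)

if __name__ == "__main__":
    laptop = "192.168.1.115"                      # the Group 1 test machine
    for dns in (offered_dns(OFFER), [PIHOLE_IP]):
        src = source_seen_by_pihole(laptop, dns)
        print(dns, "->", src, "youtube.com blocked:", is_blocked(src, "youtube.com"))
```

With the router's offer as logged, the Group 1 laptop is evaluated as 192.168.1.1 and inherits the Default group's blocks; once the offer carries Pi-hole's IP, the same laptop is matched to Group 1 and the Default regex entries no longer apply.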

Thank you for that in-depth explanation. Makes sense to me now.

That being said I have a couple last questions.

  1. This whole project was more to block access to certain websites (youtube, tiktok, porn) from my younger kids' devices, with the added benefit of blocking ads (which I know is the primary function of PH). My list of blocked devices is shorter than the list of devices I want whitelisted (wife, myself, older kids). Several of the whitelisted devices are phones and Chromebooks, which do not appear to allow you to enter the PH host name, so from that perspective PH won't work on my network. Can PH be used to do this without manually entering the DNS IP on every device? Seems like I would have to use the DHCP portion to make it work?

  2. If I can't use PH, what are your suggestions?

Thanks again.

I want to start with a note:

Pi-hole is not a Parental Control system. It is a DNS filter/black-hole.
As you said, Pi-hole's main goal is to block things the user wants to block (like ads and malicious domains), but Pi-hole can be bypassed by users if they want.


If you set Pi-hole IP as DNS server on your router's LAN/DHCP section, you don't need to set devices individually.

You can create Groups to allow different adlists, whitelists and blacklists per device, using the Management Group settings.

Pi-hole already has the Default group.
You can add the less restrictive rules to this group and add the desired devices to this group.
Then you can create a new group ("Kids", as an example), add more restrictive adlists/domains and add the kids' devices to this group.

But keep in mind:
Bypassing Pi-hole is as easy as manually configuring a public DNS server on a device or switching from wifi to mobile network on a tablet or smartphone.
