Whitelisted domain served by alternative upstream dns server

I don't think it's currently possible, but I have this following usecase, which may be easy to do with pihole:

At our school, we want to be able to whitelist sites, independent of e.g. opendns. We have an opendns account, but the whitelist is limited. Also blocking adds would be a useful addition.

Pointing pihole to opendns is ok, but when a site is blacklisted by opendns, it's impossible to whitelist in pihole, as it will ask its ip from opendns and get a blacklist entry back.

Is it easy to use different (instead of opendns by default) upstream dns servers for whitelisted fqdns?



Can you remove the domain from opendns's blacklist?

Sure, the opendns service allows for a small whitelist, but it is limited in size and more importantly, outside our control. (BTW, I'm not the one managing opendns for the school, I'm the sysadmin with kids and an extended hobby at school :wink:

We had the idea to setup pihole to filter ads and also allow whitelisting (or blacklisting) some sites that come along. But then we figured that while opendns works fine in most cases, you may (theoretically) run into a situation where you want to whitelist a site that is blocked by opendns. In that case, it would make sense to have different resolvers for sites that are whitelisted at the pihole level.

I'm sorry for being slightly terse in my first message, it was time to get home :wink:

I was wondering how hard/easy it would be to add this to pihole?



I'm not sure dnsmasq supports having custom upstreams for specific domains. Why are domains blacklisted by opendns, and would you be able to move the task of blacklisting from opendns to Pi-hole?

Edit: This article shows that it might be possible.

Opendns provides a kids-safe type of service, and though it can never be perfect, is working ok.
Some sites are blacklisted by opendns, but should not be for the school. These need to be whitelisted, opendns supports a short whitelist, pihole an unlimited one...

I figure it would be ok if pihole added a line to /etc/dnsmasq.d/pihole.conf looking like:


So every whitelisted domain gets an entry that will lookup using google's resolver (in this example)

I suppose dnsmasq needs to get a HUP signal to reload the new line, every time a site is put on or off the whitelist via pihole.

We're currently investigating some side effects of using server like that. We've implemented wildcard blacklisting, but have been stumped on wildcard whitelisting. We're trying to figure out how well this would work for wildcard whitelisting, if it works at all. So in your situation, yes, that is what you should do. If you want to test, check if the whitelisted domains you add that way also whitelist the subdomains.

Hmm, I can see how it might be possible, but I don't have the time to actually try to hack pihole to do it. I'll keep an eye on it though, perhaps I think of something of find some time to hack on it...
(Besides, priority for this from the school is quite low...)

Closing as duplicate in favor of