this post was submitted on 22 Mar 2025
18 points (100.0% liked)

Pi-hole


The Pi-hole® is a DNS sinkhole that protects your devices from unwanted content without installing any client-side software.


I've just set up my pihole and I'm considering the best way to configure it. Is it a good idea to set the default group to block (almost) all domains and then manually add trusted devices to another group with a "normal" block list? My use case is untrustworthy devices that I don't want phoning home but which might change their IP address.
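Model of the setup asked about above, as an added example (not code from the thread or from the Pi-hole project): a deny-by-default group for unknown clients with a short allowlist, a "trusted" group with a normal blocklist, and a per-client log of what was refused so a broken device can be traced. In real Pi-hole the "block everything" group is a catch-all regex blacklist attached to that group; this simulation models it as a `default_deny` flag, and its subdomain matching for plain entries is a simplification of Pi-hole's exact-domain plus regex rules. All IPs, group names and domains are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Group:
    """One client group: deny-by-default with an allowlist, or allow-by-default with a blocklist."""
    name: str
    default_deny: bool                       # True: everything not allowlisted is blocked
    allowlist: set = field(default_factory=set)
    blocklist: set = field(default_factory=set)


def matches(domain: str, patterns: set) -> bool:
    """'regex:' entries are regular expressions; plain entries match the name and its subdomains
    (assumption of this example; Pi-hole's exact entries match only the exact name)."""
    for pat in patterns:
        if pat.startswith("regex:"):
            if re.search(pat[len("regex:"):], domain):
                return True
        elif domain == pat or domain.endswith("." + pat):
            return True
    return False


class Sinkhole:
    def __init__(self, groups, default_group):
        self.groups = {g.name: g for g in groups}
        self.default_group = default_group   # group for any client not explicitly assigned
        self.client_group = {}               # client IP -> group name
        self.log = []                        # (client, domain, decision)

    def assign(self, client_ip, group):
        # Policy is keyed on the client IP, which is why a DHCP reservation per MAC matters.
        self.client_group[client_ip] = group

    def decide(self, client_ip, domain):
        group = self.groups[self.client_group.get(client_ip, self.default_group)]
        if matches(domain, group.allowlist):
            decision = "allow"               # an allow entry wins over any block rule
        elif group.default_deny or matches(domain, group.blocklist):
            decision = "block"
        else:
            decision = "allow"
        self.log.append((client_ip, domain, decision))
        return decision

    def blocked_by_client(self):
        """Names each client was refused: the list to read when something stops working."""
        out = {}
        for client, domain, decision in self.log:
            if decision == "block":
                out.setdefault(client, []).append(domain)
        return out


def build_demo():
    untrusted = Group("untrusted", default_deny=True, allowlist={"pool.ntp.org"})
    trusted = Group("trusted", default_deny=False,
                    blocklist={"ads.example.com", r"regex:(^|\.)tracker\."})
    sh = Sinkhole([untrusted, trusted], default_group="untrusted")
    sh.assign("192.168.1.10", "trusted")     # constructed: the one laptop you trust
    return sh


if __name__ == "__main__":
    sh = build_demo()
    for client, name in [("192.168.1.50", "telemetry.example.com"),
                         ("192.168.1.50", "0.pool.ntp.org"),
                         ("192.168.1.10", "cdn.example.com"),
                         ("192.168.1.10", "ads.example.com")]:
        print(client, name, sh.decide(client, name))
    print(sh.blocked_by_client())
```

The unknown client at 192.168.1.50 can only reach the NTP pool; the trusted laptop gets the ordinary blocklist. Anything a new device breaks shows up under its IP in `blocked_by_client()`, which is the log-reading exercise mentioned further down the thread.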

top 31 comments
[–] napkin2020@sh.itjust.works 2 points 2 days ago

If you want to go through logs and meticulously look for which broke what. There are a lot of things that happen in the background when you visit a webpage (cdn.example.com, cf.example.com...) and a *.example.com white-list is pretty stupid (ads.example.com)

[–] grehund@lemmy.world 6 points 3 days ago (1 children)

Untrusted devices should really be on their own VLAN. You will have much better control over them and their ability to reach out to the net, or gather info on your network and other devices. Some IoT devices have their DNS hardcoded, so they will ignore your Pihole anyway - you will need to redirect the DNS with outbound NAT to combat this.

[–] smeg@feddit.uk 2 points 3 days ago

More reading for me to do then, thanks!

[–] sbv@sh.itjust.works 2 points 3 days ago (1 children)

My use case is untrustworthy devices that I don't want phoning home but which might change their IP address.

If you're using DHCP, you might be able to tell your router to assign a specific IP to the MAC address.

Alternatively, if you have a few trusted devices on your network, can you add them to an allow list and deny traffic to every other IP?

[–] smeg@feddit.uk 1 points 3 days ago

If you're using DHCP, you might be able to tell your router to assign a specific IP to the MAC address.

Hopefully, seems pretty unlikely that the untrusted devices will bother spoofing their MAC addresses

can you add them to an allow list and deny traffic to every other IP?

Yeah that's what I meant by manually adding trusted devices to a group with a normal block list

[–] Darkassassin07@lemmy.ca 2 points 3 days ago (1 children)

That's not a terrible idea; though it means extra configuration every time anything new connects to the network. Friends using your wifi for example.

I just manually assign DHCP reservations for the MAC of each known device. Then they always have the same IP (without requiring static ip config on the devices themselves)

For a bunch of blocklists: https://firebog.net/

[–] smeg@feddit.uk 1 points 3 days ago

Yeah that was going to be my plan, I think I can set that on my router but its UI isn't particularly clear!

[–] LazerDickMcCheese@sh.itjust.works 6 points 3 days ago (1 children)

Not very practical. Find a few curated lists, then start blocking domains 1 by 1. Sounds inefficient, but it's ironically faster in the long run than blocking the whole WWW then backpedaling

[–] smeg@feddit.uk 2 points 3 days ago (1 children)

The trouble is that I don't want an untrusted device to be able to call out at all, and I won't know where it's trying to reach until I connect it

[–] Taleya@aussie.zone 2 points 3 days ago (2 children)

Isolate a wlan, then deny it access past the router

[–] Onomatopoeia@lemmy.cafe 1 points 2 days ago

Think you meant VLAN and autoincorrect got you.

[–] smeg@feddit.uk 1 points 3 days ago (1 children)

Can you explain this a bit more to a networking beginner?

[–] Taleya@aussie.zone 3 points 3 days ago (1 children)

Most routers allow dual wireless networks now, you should be able to set one that's exclusively for IoT. So you have MyWifi and WifiForThings.

You can then set the WifiForThings to have no actual internet access. This will mean that any apps etc won't work though, so be aware.

[–] smeg@feddit.uk 1 points 3 days ago (2 children)

Ah, sadly not something mine can do

[–] Onomatopoeia@lemmy.cafe 2 points 2 days ago (1 children)

You could get a second, inexpensive wifi router, and use it for the untrusted devices.

[–] smeg@feddit.uk 1 points 2 days ago

Any idea how I go about setting up a second sub(?)network? I've got a load of old routers but I've always assumed they're too locked down to be of any use.

[–] Taleya@aussie.zone 2 points 3 days ago (1 children)

You could explore openwrt if you were inclined - you should be able to set a static ip assignation for the device and then just block that off

[–] smeg@feddit.uk 1 points 3 days ago (1 children)

I've seen it mentioned a lot over the years, ultimately I think I'd just be making a rod for my own back by giving myself another device to support! I have considered it before but I just feel I'm going to spend a load of time tinkering every time I move house or change ISP, and paying for the privilege of buying my own hardware while I'm at it.

[–] Taleya@aussie.zone 2 points 3 days ago (1 children)

Eh? Not really. It's router firmware that means you have more in depth control. It's no different from any byo modem router deal

[–] smeg@feddit.uk 1 points 3 days ago (2 children)

I mean that buying a new device (which I guess I then might have to replace in X years) and configuring it to use openwrt is going to take some time and effort, and ultimately I might end up in a worse situation (than my current "working OK" setup). Maybe if I had infinite time but there's only so many hours in the day!

[–] Onomatopoeia@lemmy.cafe 2 points 2 days ago

I'm still using 15 year old consumer WIFI routers for stuff. Like this.

Hell, my main router is over 5 years old now.

[–] Taleya@aussie.zone 3 points 3 days ago (1 children)

I'm literally running it on a tplink n600 I flashed :). Bought that in 2009.

[–] smeg@feddit.uk 2 points 3 days ago

Alright, alright, I'll add it to the todo list!

[–] Reannlegge@lemmy.ca 1 points 3 days ago (2 children)

I tried that once, pihole blocks stuff coming in and not going out. Many “smart” devices will freak out if they can send things out to the internet but cannot receive things back.

[–] Onomatopoeia@lemmy.cafe 1 points 2 days ago* (last edited 2 days ago)

Pihole doesn't block inbound traffic, it has nothing to do with it (as you mention in your later comment, DNS is about address lookups, not routing IP addresses).

PiHole is a DNS server, all it will do is resolve addresses for clients that use it.

[–] smeg@feddit.uk 1 points 3 days ago (1 children)

Does it? I don't know much about networking but I thought for a device to even send something out it still needs to go through DNS first.

[–] Reannlegge@lemmy.ca 1 points 3 days ago (1 children)

No it does not go through a DNS on the way out. A DNS, or domain name server, is like a phonebook so people can put in whatever.wherever and get the IP address back.

[–] smeg@feddit.uk 1 points 3 days ago (1 children)

Yeah, so to reach out does it not need to use DNS to know where it's reaching out to?

[–] lagoon8622@sh.itjust.works 3 points 3 days ago

No it can just send stuff to an IP
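The point made in the last few comments (a sinkhole answers lookups, it does not stop packets) and grehund's VLAN advice earlier, as one added example that is not code from the thread or from Pi-hole. A device that looks up a blocked name gets 0.0.0.0 and goes nowhere; a device with a hardcoded IP never asks the resolver, so only an egress rule at the router catches it. All addresses, names and rules here are constructed.

```python
import ipaddress

SINKHOLE = "0.0.0.0"   # what a sinkhole hands back for a blocked name

# Constructed upstream records and blocklist.
RECORDS = {"telemetry.example.invalid": "203.0.113.10", "0.pool.ntp.org": "203.0.113.20"}
BLOCKED_NAMES = {"telemetry.example.invalid"}

# Constructed addressing: trusted LAN 10.0.10.0/24 with the Pi-hole at 10.0.10.2,
# IoT VLAN 10.0.20.0/24. Rules are (src_net, dst_net, action), first match wins.
EGRESS_RULES = [
    ("10.0.20.0/24", "10.0.10.2/32", "allow"),   # IoT may talk to the Pi-hole for DNS
    ("10.0.20.0/24", "0.0.0.0/0", "deny"),       # ...and to nothing else past the router
    ("10.0.10.0/24", "0.0.0.0/0", "allow"),      # trusted LAN is unrestricted
]


def sinkhole_resolve(name):
    """Simulated Pi-hole answer: 0.0.0.0 for blocked names, the real record otherwise."""
    if name in BLOCKED_NAMES:
        return SINKHOLE
    return RECORDS.get(name)


def egress_decision(src, dst):
    """Router egress policy; anything no rule covers is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, action in EGRESS_RULES:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def attempt(src, target):
    """What happens when a device at src tries to reach target (a hostname or a literal IP)."""
    try:
        dst = str(ipaddress.ip_address(target))   # literal IP: DNS is never consulted
        used_dns = False
    except ValueError:
        dst = sinkhole_resolve(target)            # hostname: goes through the sinkhole
        used_dns = True
    sinkholed = used_dns and dst == SINKHOLE
    if sinkholed or dst is None:
        return {"dst": dst, "used_dns": used_dns, "sinkholed": sinkholed,
                "egress": "n/a", "reached": False}
    egress = egress_decision(src, dst)
    return {"dst": dst, "used_dns": used_dns, "sinkholed": sinkholed,
            "egress": egress, "reached": egress == "allow"}


if __name__ == "__main__":
    for src, target in [("10.0.20.5", "telemetry.example.invalid"),   # blocked by name
                        ("10.0.20.5", "203.0.113.10"),                # hardcoded IP, IoT VLAN
                        ("10.0.10.9", "203.0.113.10"),                # hardcoded IP, flat LAN
                        ("10.0.20.5", "10.0.10.2")]:                  # IoT -> Pi-hole
        print(src, "->", target, attempt(src, target))
```

The second and third cases are the same device behaviour; only the subnet it sits on decides whether the call home succeeds, which is why the thread keeps steering towards a separate VLAN or a second router rather than relying on the sinkhole alone.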

[–] chickenf622@sh.itjust.works 3 points 3 days ago

If you're willing to deal with the massive pain in the ass that is, I don't see a reason not to. Maybe write a note next to your computer to check the block list if something isn't working right.

[–] sabreW4K3@lazysoci.al 2 points 3 days ago

Just add a bunch of block lists until you get the level of blockage you want.