5mo ago

How practical is it to block everything by default?

I've just set up my pihole and I'm considering the best way to configure it. Is it a good idea to set the default group to block (almost) all domains and then manually add trusted devices to another group with a "normal" block list? My use case is untrustworthy devices that I don't want phoning home but which might change their IP address.

31 comments

Not very practical. Find a few curated lists, then start blocking domains 1 by 1. Sounds inefficient, but it's ironically faster in the long run than blocking the whole WWW then backpedaling
- The trouble is that I don't want an untrusted device to be able to call out at all, and I won't know where it's trying to reach until I connect it
  
  Isolate a wlan, then deny it access past the router
Untrusted devices should really be on their own VLAN. You will have much better control over them and their ability to reach out to the net, or gather info on your network and other devices. Some IoT devices have their DNS hardcoded, so they will ignore your Pihole anyway - you will need to redirect the DNS with outbound NAT to combat this.
- More reading for me to do then, thanks!
If you're willing to deal with the massive pain in the ass that is, I don't see a reason not to. Maybe write a note next to your computer to check the block list if something isn't working right.
That's not a terrible idea; though it means extra configuration everytime anything new connects to the network. Friends using your wifi for example.
I just manually assign DHCP reservations for the MAC of each known device. Then they always have the same IP (without requiring static ip config on the devices themselves)
For a bunch of blocklists: https://firebog.net/
- Yeah that was going to be my plan, I think I can set that on my router but its UI isn't particularly clear!
If you want to go through logs and meticulously look for which broke what. There are a lot of things that happen in the background when you visit a webpage(cdn.example.com, cf.example.com...) and *.example.com white-list is pretty stupid(ads.example.com)
My use case is untrustworthy devices that I don't want phoning home but which might change their IP address.
If you're using DHCP, you might be able to tell your router to assign a specific IP to the MAC address.
Alternatively, if you have a few trusted devices on your network, can you add them to an allow list and deny traffic to every other IP?
- If you're using DHCP, you might be able to tell your router to assign a specific IP to the MAC address.
  Hopefully, seems pretty unlikely that the untrusted devices will bother spoofing their MAC addresses
  can you add them to an allow list and deny traffic to every other IP?
  Yeah that's what I meant by manually adding trusted devices to a group with a normal block list
Just add a bunch of block lists until you get the level of blockage you want.
I tried that once, pihole blocks stuff coming in and not going out. Many “smart” devices will freak out if they can send things out to the internet but cannot receive things back.
- Pihole doesn't block inbound traffic, it has nothing to do with it (as you mention in your later comment, DNS is about address lookups, not routing IP addresses).
  PiHole is a DNS server, all it will do is resolve addresses for clients that use it.
- Does it? I don't know much about networking but I thought for a device to even send something out it still needs to go through DNS first.
  
  No it does not go through a DNS on the way out. A DNS, or domain name server, is like a phonebook so people can put in whatever.whereever and get the IP address back.

31 comments