Spyke
pihole · Pi-hole · by smeg

How practical is it to block everything by default?

I've just set up my pihole and I'm considering the best way to configure it. Is it a good idea to set the default group to block (almost) all domains and then manually add trusted devices to another group with a "normal" block list? My use case is untrustworthy devices that I don't want phoning home but which might change their IP address.

lemmy.world

Untrusted devices should really be on their own VLAN. You will have much better control over them and their ability to reach out to the net, or gather info on your network and other devices. Some IoT devices have their DNS hardcoded, so they will ignore your Pihole anyway - you will need to redirect the DNS with outbound NAT to combat this.

6

Not very practical. Find a few curated lists, then start blocking domains 1 by 1. Sounds inefficient, but it's ironically faster in the long run than blocking the whole WWW then backpedaling

6
smeg
feddit.uk

The trouble is that I don't want an untrusted device to be able to call out at all, and I won't know where it's trying to reach until I connect it

2
Taleya
aussie.zone

Isolate a wlan, then deny it access past the router

2
smeg
feddit.uk

Can you explain this a bit more to a networking beginner?

1
Taleya
aussie.zone

most routers allow dual wireless networks now, you should be able to set one that's exclusively for IoT. So you have MyWifi and WifiForThings.

You can then set the WifiForThings to have no actual internet access. This will mean that any apps etc won't work though, so be aware.

3
smeg
feddit.uk

Ah, sadly not something mine can do

1
lemmy.cafe

You could get a second, inexpensive wifi router, and use it for the untrusted devices.

2

Any idea how I go about setting up a second sub(?)network? I've got a load of old routers but I've always assumed they're too locked down to be of any use.

1
Taleya
aussie.zone

You could explore OpenWrt if you were inclined - you should be able to set a static IP assignment for the device and then just block that off.

2

I've seen it mentioned a lot over the years, ultimately I think I'd just be making a rod for my own back by giving myself another device to support! I have considered it before but I just feel I'm going to spend a load of time tinkering every time I move house or change ISP, and paying for the privilege of buying my own hardware while I'm at it.

1

If you're willing to deal with the massive pain in the ass that is, I don't see a reason not to. Maybe write a note next to your computer to check the block list if something isn't working right.

3

Just add a bunch of block lists until you get the level of blockage you want.

2
sbv
sh.itjust.works

My use case is untrustworthy devices that I don't want phoning home but which might change their IP address.

If you're using DHCP, you might be able to tell your router to assign a specific IP to the MAC address.

Alternatively, if you have a few trusted devices on your network, can you add them to an allow list and deny traffic to every other IP?

2

If you're using DHCP, you might be able to tell your router to assign a specific IP to the MAC address.

Hopefully, seems pretty unlikely that the untrusted devices will bother spoofing their MAC addresses

can you add them to an allow list and deny traffic to every other IP?

Yeah that's what I meant by manually adding trusted devices to a group with a normal block list

1
lemmy.ca

That's not a terrible idea; though it means extra configuration every time anything new connects to the network. Friends using your wifi, for example.

I just manually assign DHCP reservations for the MAC of each known device. Then they always have the same IP (without requiring static ip config on the devices themselves)

For a bunch of blocklists: https://firebog.net/

2

Yeah that was going to be my plan, I think I can set that on my router but its UI isn't particularly clear!

1

If you want to go through logs and meticulously look for which broke what. There are a lot of things that happen in the background when you visit a webpage (cdn.example.com, cf.example.com...) and a *.example.com white-list is pretty stupid (ads.example.com).

2
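Going through the Pi-hole query log for one untrusted client, as an added example that is not from the thread: this script tallies which domains a given client IP asked for and whether gravity answered them as blocked. The log format is modelled on dnsmasq's query-log lines and the sample lines are constructed, not a real capture.

```python
import re
from collections import defaultdict

# Constructed sample in dnsmasq/Pi-hole query-log style (assumed format, not a real capture).
SAMPLE_LOG = """\
Jan 10 12:00:01 dnsmasq[512]: query[A] api.vendor-cloud.example from 192.168.1.50
Jan 10 12:00:01 dnsmasq[512]: forwarded api.vendor-cloud.example to 1.1.1.1
Jan 10 12:00:02 dnsmasq[512]: query[A] telemetry.vendor-cloud.example from 192.168.1.50
Jan 10 12:00:02 dnsmasq[512]: gravity blocked telemetry.vendor-cloud.example is 0.0.0.0
Jan 10 12:00:05 dnsmasq[512]: query[AAAA] www.example.org from 192.168.1.20
Jan 10 12:00:05 dnsmasq[512]: forwarded www.example.org to 1.1.1.1
Jan 10 12:01:00 dnsmasq[512]: query[A] api.vendor-cloud.example from 192.168.1.50
Jan 10 12:01:00 dnsmasq[512]: forwarded api.vendor-cloud.example to 1.1.1.1
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
BLOCKED_RE = re.compile(r"(?:gravity|regex|exact) blocked (\S+) is ")

def summarise(log_text, untrusted_clients):
    """Return {client: {domain: {"count": n, "blocked": bool}}} for the given clients.

    A domain is marked blocked if the log shows Pi-hole answering it from gravity
    (or a regex/exact blacklist) at least once; counts are per query line.
    """
    report = defaultdict(lambda: defaultdict(lambda: {"count": 0, "blocked": False}))
    blocked_domains = set()
    for line in log_text.splitlines():
        m = BLOCKED_RE.search(line)
        if m:
            blocked_domains.add(m.group(1))
            continue
        m = QUERY_RE.search(line)
        if m and m.group(3) in untrusted_clients:
            report[m.group(3)][m.group(2)]["count"] += 1
    for client in report:
        for domain, entry in report[client].items():
            entry["blocked"] = domain in blocked_domains
    return {c: dict(d) for c, d in report.items()}

if __name__ == "__main__":
    # Point this at /var/log/pihole.log (or the FTL query log) on a real install.
    for client, domains in summarise(SAMPLE_LOG, {"192.168.1.50"}).items():
        print(client)
        for domain, entry in sorted(domains.items()):
            print(f"  {domain}: {entry['count']} queries, blocked={entry['blocked']}")
```

Domains that show up repeatedly and are not blocked are the candidates to add to the untrusted group's blocklist; ones that are blocked but keep being retried are the ones most likely to make a device misbehave.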
lemmy.ca

I tried that once, pihole blocks stuff coming in and not going out. Many “smart” devices will freak out if they can send things out to the internet but cannot receive things back.

1

Pihole doesn't block inbound traffic, it has nothing to do with it (as you mention in your later comment, DNS is about address lookups, not routing IP addresses).

PiHole is a DNS server, all it will do is resolve addresses for clients that use it.

1
smeg
feddit.uk

Does it? I don't know much about networking but I thought for a device to even send something out it still needs to go through DNS first.

1
Reannlegger
lemmy.ca

No, it does not go through a DNS on the way out. A DNS, or domain name server, is like a phonebook so people can put in whatever.wherever and get the IP address back.

1
smeg
feddit.uk

Yeah, so to reach out does it not need to use DNS to know where it's reaching out to?

1