Exclude client devices with Pi-hole 5

I am a big fan of Pi-hole and I recommend it to everyone. It is an amazing piece of software to get rid of advertisement and tracking on a network level and recently Pi-hole version 5 was released. Check my blogpost here if you want to know how to set it up. That blogpost is based on version 4 of Pi-hole but the same applies for version 5. Just follow the steps there to secure your network and take back your online privacy. Pi-hole 5 has a lot of new features but the one I want to talk about is how to exclude client devices with Pi-hole 5.

Use case

Being able to exclude individual client devices can be extreme useful during troubleshooting. There may be times that you want to bypass the ad-blocking capabilities of Pi-hole like for IoT devices. Many IoT devices are connected to some cloud solution, especially if they are using Apple HomeKit. I’ve had many IoT devices go offline because Pi-hole was blocking them and I did not want to have to whitelist all those domains. My IoT devices are on a separate VLAN and I want them to use my Pi-hole as DNS server but I don’t want anything blocked for them. Pi-hole 5 makes that possible without jumping trough any hoops.

Let’s get started

Excluding client devices with Pi-hole 5 is done using Group Management. After installing Pi-hole a default group is created. Blocklists are now called Adlists and all the adlists you add are added to the default group called Default. Check the screenshot below:

As you can see we can now also add a comment to an adlist :). Very nice for documentation purposes. Mine says Migrated from /etc/pihole/adlists.list because my Pi-hole was upgraded from version 4 to version 5. That comment is automatically added during the upgrade proces.

Create a new Group

The first this we need to do is create a new group. Go to Group Management and click on Group. Enter a name and description and click on Add.

Make sure the List of configured groups show the new group you added:

Check group assignment

Now we have to make sure that the new Exclude_Group group we created does not have adlists assigned to it.

Go to Group Management -> Adlists and check the Group Assigment column. In the above screenshot you can see that I have all my adlists assigned to the Default group. Next we can add client devices to the Exclude_Group group. Every client device added to this group will have no adlists because all our adlists are assigned to the Default group.

Adding client devices

Go to Group Management -> Clients. Find the IP address of the client device on the dropdown menu. You can also enter a custom IP address. My client device has IP address 192.168.100.185. Enter a Comment and then click on Add.

Not that after adding the client device it will automatically be added to the Default group:

Change the group to exclude client device

All we have to do now is change the Group assignment for the client device to the group we created earlier on. It is important to deselect the Default group! We only want the client device with IP address 192.168.100.185 be member of the group Exclude_Group. Rember that the Exclude_Group does not have adlists assigned so any member of that group will still use Pi-hole as DNS server without the blocking functionality.

After you have made sure that the client device is only member of the Exclude_Group click on Apply. Your screen should look something like this:

Do some testing

Now that my client device with IP address 192.168.100.185 is excluded we can do some testing. Opening a browser of my client device and visiting https://www.google.com shows the following in the query log of Pi-hole:

Note that the following DNS request is now allowed: adservice.google.com

I know that my exclusion is working because adservice.google.com is on several adlists I use:

If I change the group of this client device back to Default we will observe the following behaviour:

Well, and that is all there is if you want to exclude client devices with Pi-hole 5 blocking especially if you find that after implementing Pi-hole (or adlists) something broke in your network. Really helpful I’d say.