DNS-Bypass-Problem with Pihole and Parental Controls

FWKS

Situation: I am running a Raspberry Pi connected to the home router. Pihole is running as a filter on the Raspberry. The router serves the Rasp as the local DNS for local devices, let's say 192.168.178.20. The network settings on the Rasp are configured so that search queries to Google and YouTube are mandatorily redirected to the server with the restricted module:

/etc/dnsmasq.d/05-restrict.conf

# YouTube Restricted
cname=www.youtube.com,restrict.youtube.com
cname=m.youtube.com,restrict.youtube.com
cname=youtubei.googleapis.com,restrict.youtube.com
cname=youtube.googleapis.com,restrict.youtube.com
cname=www.youtube-nocookie.com,restrict.youtube.com

# Google SafeSearch
cname=www.google.com,forcesafesearch.google.com
cname=www.google.co.uk,forcesafesearch.google.com

# Bing Family Filter
cname=www.bing.com,strict.bing.com

# DuckDuckGo
cname=www.duckduckgo.com,safe.duckduckgo.com
cname=duckduckgo.com,safe.duckduckgo.com

/etc/hosts
[default entries]

216.239.38.120 restrict.youtube.com
216.239.38.119 restrictmoderate.youtube.com
216.239.38.120 forcesafesearch.google.com
204.79.197.220 strict.bing.com
34.243.144.154 safe.duckduckgo.com


Problem: I want to activate parental controls on my children's smartphones (e/OS, Android 14). As soon as this happens, the DNS entry 192.168.178.20 is overwritten in the phones. The phones use all.dns.mullvad.net as DNS by default. This can't be changed and creates an unwanted bypass around Pihole.

Attempted solution:
Entry in /etc/dnsmasq.d/05-restrict.conf

cname =all.dns.mullvad.net,raspberrypi

in /etc/hosts

192.168.178.20 raspberrypi

In addition, all.dns.mullvad.net is blocked in Pihole.
When I ping all.dns.mullvad.net on a Linux machine in the same network, I get a response from 127.0.0.1
(which surprises me a little, as I would have expected 192.168.178.20).
However, the cell phones show that they cannot contact all.dns.mullvad.net. Therefore, they have no network connection.
I also made the bold attempt to assign the public IPv4 address of all.dns.mullvad.net to the eth0 device of the Raspberry Pi. This is possible, but it does not change anything.

My strategy is probably wrong, or I have misunderstood something. Does anyone have any tips on how I can close the bypass around Pihole and still allow the children's cell phones to connect to the internet? I need to somehow trick the cell phones into thinking they are connecting to all.dns.mullvad.net...
Addition: I could not figure out if the cell phones maybe use the public IPv6-address of all.dns.mullvad.net as static route. This would explain why my attempts didn't work...
 
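A detection heuristic for the bypass described in the first post, added here as an example and not part of any poster's message: the phones lost connectivity once all.dns.mullvad.net was blocked in Pihole, which suggests they still resolve that one name through the local resolver and send everything else elsewhere. The log lines are constructed in dnsmasq's query-log format; `find_bypassing_clients`, the `max_other` threshold and the client addresses are assumptions of this example.

```python
import re
from collections import defaultdict

# Encrypted-DNS resolver hostnames to watch for. Only all.dns.mullvad.net comes
# from the thread; extend the set from a maintained DoH/DoT list (assumption).
RESOLVER_NAMES = {"all.dns.mullvad.net"}

# dnsmasq query log entry: "<date> dnsmasq[pid]: query[TYPE] <name> from <client>"
QUERY_RE = re.compile(r"dnsmasq\[\d+\]: query\[([^\]]+)\] (\S+) from (\S+)$")

def find_bypassing_clients(lines, resolver_names=RESOLVER_NAMES, max_other=2):
    """Return {client: other_queries} for clients that looked up an encrypted-DNS
    resolver name and afterwards sent at most max_other other queries here."""
    bootstrapped = set()          # clients seen resolving a resolver hostname
    after = defaultdict(int)      # other queries seen after that first lookup
    for line in lines:
        m = QUERY_RE.search(line.strip())
        if not m:
            continue              # replies, forwards, /etc/hosts answers, ...
        _qtype, name, client = m.groups()
        name = name.lower().rstrip(".")
        if name in resolver_names:
            bootstrapped.add(client)   # repeated re-resolution is not counted
        elif client in bootstrapped:
            after[client] += 1
    return {c: after[c] for c in sorted(bootstrapped) if after[c] <= max_other}

# Constructed sample: .31 uses the local resolver, .45 only bootstraps.
SAMPLE_LOG = """\
Nov  1 10:15:01 dnsmasq[812]: query[A] www.google.com from 192.168.178.31
Nov  1 10:15:01 dnsmasq[812]: /etc/hosts forcesafesearch.google.com is 216.239.38.120
Nov  1 10:15:04 dnsmasq[812]: query[A] all.dns.mullvad.net from 192.168.178.45
Nov  1 10:15:04 dnsmasq[812]: query[AAAA] all.dns.mullvad.net from 192.168.178.45
Nov  1 10:16:10 dnsmasq[812]: query[A] www.youtube.com from 192.168.178.31
Nov  1 10:20:04 dnsmasq[812]: query[A] all.dns.mullvad.net from 192.168.178.45
Nov  1 10:21:30 dnsmasq[812]: query[A] m.youtube.com from 192.168.178.31
""".splitlines()

if __name__ == "__main__":
    for client, n in find_bypassing_clients(SAMPLE_LOG).items():
        print(f"{client}: resolves an encrypted-DNS hostname, {n} other queries since")
```

A flagged client is a candidate, not proof: a device that was simply idle after the lookup matches the same pattern.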


I don't know what the parental controls on e/OS encompass, but surely the restriction to the filtered all-dns is part of it. The failure to connect when DNS queries are hijacked is part of the protection you want to achieve with DOH. So, this part appears to be doing the job. Whatever you do, simply turning off wifi on the phone would bring the filter to what the parental controls' pre-set DNS allows. Perhaps you require a different DNS filter pre-set for the phones, maybe even one you can use in the pihole as well - that should solve your problem.

As for the pihole dns, stop the hijacking attempts you describe. It will lead to a misconfig with constant adjustments and you achieve the opposite of your intention, leaving the kids' phones with a gap when they connect to a wifi elsewhere. The regular approach is to force DNS entries via dhcp/dhcp6. The DOH IPs are subject to change and there are maintained DOH block lists, equivalent to ad block lists. Maybe these are what you miss in the pihole instead. We use such at home (in the router), and afaik the phones/browsers (without parental controls) respect/use these.
 
Thank you for your reply! Yes, I had already reversed the attempts described with the redirection to the local DNS because they did not have the intended effect.
Without parental controls, PiHole works as desired.
The problem is that parental controls in e/OS enforce a DNS entry that I cannot influence, rendering Pihole ineffective. e/OS overwrites the information provided by the DHCP. However, the DNS all.dns.mullvad.net is one that also offers a kind of parental control. One advantage of the current situation is that, because e/OS overwrites the DNS entry provided by the DHCP, a certain degree of parental control is still in place even when the children's cell phones are on networks other than our private network: even when they use mobile data, they are forced to use all.dns.mullvad.net. So I may have to accept the situation if I want to use parental controls in e/OS.
 
Using all.dns.mullvad.net is good but it doesn't block everything. If you want complete control you can restrict internet access to the cell phones completely from your router and set up a Linux computer for them and follow my posts in the following thread. I also addressed the DNS bypass issue in the thread and a solution.


It's possible you can do something similar with the cell phone but the above solutions are for a Linux based system.
 
There may be a misunderstanding here: The reason for this thread is that control via the local router with a Linux computer is not possible because the settings made there are bypassed by the fixed DNS settings in the smartphones. That's why “bypass” is in the subject line.
 
So my understanding was you're trying to get pihole to work on your children's smartphones (Android). Correct me if I'm wrong there. The problem with Android and especially the apps is that I find them not to have the same quality as something like Debian or Linux Mint which is they have an immutability where things don't change a lot. There are improvements but not much changes. Android OS and Google apps on the other hand change a lot and many of the apps are not supported after a while. Not good if you're trying to implement security. My suggestion was to have your kids use the internet on a Linux computer where you have complete control rather than on an Android where you have problems like this.

How would you manage the phones once they go outside your home? The only sure solution I see is to get rid of internet access from the phone or get a phone that only has calling capabilities and set up Linux laptops to be used for internet access where you can implement the stuff I posted above and you will have 100% control no matter where the laptop goes.
 
Actually, reading through your post and looking up e/OS, which is what you're using, it's a modified ungoogled Android.

 

