I set up pi-hole recently after hearing about it for years. I was kind of surprised at a lack of really basic features (imo):
There isn't any kind of "dry run" or "phantom" mode, where requests are not actually blocked, but appear marked in the log UI as "would be blocked". This is super important because I want to see all the things my home network is doing that would be blocked before I actually hit the big red button. I want to fix up the allow/denylist before going live.
It's also not possible (or not clear) how to have different behavior for different clients. For my "smart tv" which I begrudgingly have to allow on my network occasionally for software updates, I want to treat it with the strictest possible list. But for my phone, I don't want that same list. There's a concept of "groups" so perhaps this is user error on my part, but the UI does not make this clear.
> It's also not possible (or not clear) how to have different behavior for different clients
There's a menu item for that: Clients. You create a group, add a client to that group, and configure blocking for that group. To have what you want, you create a group that has just one client in it.
It's slightly more complicated. What you are suggesting works if (1) you are using Pi-hole as a DHCP server or (2) all your devices are individually configured to use the Pi-hole IP address for DNS resolution. What's more likely though is that you just point your router's DNS setting to Pi-hole, and in that case there is only one client on the Pi-hole dashboard - your router.
> What's more likely though is that you just point your router's DNS setting to Pi-hole, and in that case there is only one client on the Pi-hole dashboard - your router.
That depends entirely on what capabilities your router has.
Many routers have a setting for the DNS info they give to clients via DHCP, which would mean every client is indeed using PiHole directly for DNS resolution.
Other less capable routers, only have a setting for which upstream DNS server(s) the router should use, which of course isn't going to allow you to do anything with PiHole's group stuff.
But an easy solution is simply to disable the DHCP server on the router, and simply use what is built-in to PiHole. It uses dnsmasq behind the scenes, and as DHCP servers go, it's pretty capable and configurable. This is how I use PiHole on my own network, and have done for years now (with some customised dnsmasq config, because I have strong preferences about my network setup and services).
Most routers do nothing particularly special regarding DHCP anyhow, so no big deal to just turn it off, and use PiHole's stuff.
FWIW, and tangent to these specific points, my upgrade to the new PiHole 6 earlier today was pretty smooth — with the exception of it defaulting to having its dashboard on port 8080 instead of my previous 80. Plus I had to tweak a couple of settings to ensure it loads my custom dnsmasq config. But no deal breakers at all.
And if your gateway device is configurable enough you can ban or redirect port 53 requests (DNS) to whatever machine you would like to use to serve up resolution.
DNS doesn't have redirection like HTTP has, so what you describe can only be implemented using port forwarding (or SSH tunnelling, but I've never seen a router with the ability to tunnel DNS in this fashion?).
Port forwarding used like this, won't enable one to use the 'groups' functionality on PiHole — which was the (g)parent thread here — because all requests arriving at the PiHole will come from the same client, i.e. the router. Because port forwarding is more like a proxy than a redirect (to use HTTP terms).
The correct solution here if one wishes to use PiHole's groups — and not have a janky network configuration like you describe here (an extra unnecessary hop for local DNS) — is to either (a) use the router's DHCP settings to tell the clients to use the PiHole IP for their DNS, or (b) disable the router's DHCP and simply use the DHCP that PiHole provides, which is at least as good as what most routers provide (and more configurable than most routers also, should one need to)
Erm, it's not redirection, because, like I said: DNS has no redirection — not in the sense that HTTP does.
If you don't understand this, then you are perhaps lacking some knowledge as to how HTTP redirects work, and/or how DNS lookups work, and/or how they are quite different concepts.
HTTP has redirects. DNS doesn't - but sure, it can be intercepted / hijacked.
> It's that time again got to read the man page
No need for the snark, this is HN, not Reddit.
But I'm already well aware of the feature you describe (after all, PiHole/similar relies on exactly this kind of interception) — but it isn't actually new at all, dnsmasq has had this since the the very beginning, literally day one.
It's still not redirection like HTTP though, it's interception: serving an IP number from a conf file when a matching ___domain is requested instead of querying upstream. Very similar to adding an entry in your local hosts file.
Redirect isn't a term that is really ever used in DNS configuration. Except in the context of NXDOMAIN responses. And that's certainly not the topic of this thread.
With HTTP redirection, the server responds with 'moved' and the URL of the new ___location of the requested content. But all one can do with DNS requests, is to respond: this is the IP for the ___domain A/CNAME you requested (or respond no-such-___domain). In HTTP, that kind of inline interception can only be done with a proxy (transparent or otherwise) — and that's not the same as a the HTTP redirect mechanism at all.
Some folk might argue that this is only a semantic difference. But it's not at all: they're quite different mechanisms, different traffic-flow / communication patterns. And the distinction is quite important to anyone who manages both DNS and HTTP, at a certain level.
But if you want to call it DNS redirection, then good for you. But the old-timers will call it out nearly every time, because it's not actually redirection. — DNS doesn't have redirection like HTTP. Not in the same sense as HTTP at all. Anyone who claims otherwise, really just needs to brush up on their DNS knowledge / terminology.
> That doesn’t correct the situation in which the device is ignoring DHCP DNS requests.
That's the first time such a thing has been mentioned in this thread.
But I now get what you're trying to say in your comment above.
Sure, one can use e.g. iptables, to forward all outbound traffic on some port to some local IP. If your router has such capabilities.
But your rules won't be as simple as forward all port 53 traffic: you'll need to ensure that you exclude the PiHole from any rules like that (otherwise it would create an infinite loop) - or ensure the rule is specific for the device(s) in question.
And of course it wouldn't work if the device is using DoH.
But the issue you've introduced here, a device with hard-coded DNS, isn't really what this thread is about — the topic here was ~about wanting to group clients in PiHole, and different ways to configure the router to achieve this, without only seeing a single requesting client IP at the PiHole.
The question and assessment is around how your dhcp device can control DNS behavior (usually by broadcasting the name server IP). And I pointed out many devices that do DHCP often also act as the gateway device and internal firewall.
It’s not meant to answer your direct question, but pointing out what’s possible. Because yes, there are a lot of IoT and other devices that misbehave on a network.
And it’s incredibly trivial to port ban or port forward a selection of IPs and not affect the behavior of your Pi-hole. Packets carry last hop ip and source ip. I do it all the time on my gateway device.
DoH is a completely different story. Now you are talking about browser based DNS systems, apple private relay and other related 443 based solutions.
Yes. And that's why, in the context of misbehaving devices, carrying their own methods of doing DNS, I mentioned it.
> Now you are talking about browser based DNS systems, apple private relay and other related 443 based solutions.
No, not at all. Anything can use DoH. Doesn't need to be browser-based, nor using Apple private relay, nor anything of the kind. A device simply needs to be coded to make its DNS queries over HTTP. In a similar fashion to how it might have a hard-coded value for its DNS lookups, the developer can simply include a small library to do DoH instead. And that's not going to be so easily filterable by a rule for outgoing traffic / port forwarding.
I have all of my PiHole DNS lookups going over DoH. Have done for years now. Because when I originally setup my secure DNS, DoH was a better choice that DoT, because DoT was very much still in flux. And by comparison, DNS over an existing standardised transport is pretty much a known quantity. So that was my choice. And it works great.
So all of my network's DNS lookup go out over DoH... there's lots of DNS providers that provide DoH nowadays, including plenty of very big providers. My secure DNS proxy cycles between different servers.
DoH functionality is even just built-in to Bind these days.
In reality, DoH isn't in any way restricted just to the services you describe here. Far from it. It can be used anywhere. It's just a protocol. With plenty of destination endpoint support, out there in the real-world.
And if some device wants to control its DNS to that kind of level, then, beyond simply having a hard-coded DNS server value, using DoH is pretty easy.
No browsers needed, no Apple Private Relay needed.
The better option is to configure DHCP to hand out the Pi-hole as your DNS server. If your router cannot do that, but you want to go deep enough to configure your home network with a Pi-hole, you should probably also invest in either a better router or OpenWRT on your current one to get a few more features.
Ideally, you do not run DNS on your router at all, and you also block outbound to 0.0.0.0:53 from anything _except_ the Pi-hole, so that there's no convenient way to get to an unblocked DNS by bypassing it.
DNS-over-HTTP is a bit harder to block, and of course malware could have an IP baked in and so bypass this entirely.
It works for me and I don't use Pi-Hole as a DHCP server or have any of my devices individually configured. I have my router acting as a DHCP server and have it tell clients to use my Pi-hole for DNS. Some routers' default firmwares don't let you do this, but most OpenWRT and Tomato and the like should.
Using clients and groups works fine for me. I'm able to block youtube on my kids' devices, but allow it on others. I have pihole running in a container without being my dhcp server.
Not OP but we can assume when he's talking about blocking Youtube, he's in fact blocking youtube for his kids, not Youtube ads. Pi-hole can't block Youtube ads as they are delivered by the same servers as content. Then you can't block one without blocking the other.
Just go to PiHole's "Domains" page, in the box labelled Domain, type youtube.com, enable the checkbox for Add ___domain as wildcard, then click the button labelled Add to denied domains.
Now youtube.com and all of its subdomains are blocked, for all clients.
If you wish for it to only be blocked for some clients, then assign your clients to groups, and set the setting appropriately on the domains page.
I think you would need to explain your definition of 'best' here — I mean: explain why you think it is better.
> making regex blocks are appropriate.
I guess here you actually mean inappropriate?
Perhaps. But I think you misunderstand what I am doing, and how that then works in PiHole.
The method I describe, uses the Domains tab on the Domain Management page — and not the RegEx Filter tab.
The distinction is somewhat of importance, because the implementation of PiHole uses a different code path for exact-match denies/accepts, vs regex denies/accepts. (Type 0 and 1, vs type 2 and 3, detailed here[1]). Adding a ___domain the way I describe, creates an exact-match type entry in that table, not a regex match type.
But even if it were still using regex, the cost of that isn't as high as one might imagine, due to the fact that subsequent repeat queries to the same ___domain, do not get checked against regexes again: the result is cached.
As described here [2]: "Our implementation is light and fast as each ___domain is only checked once for a match. When you query google.com, it will be checked against your RegEx. Any subsequent query to the same ___domain will not be checked again until you restart pihole-FTL."
In summary: adding a ___domain the way I describe doesn't create a regex filter anyhow. But PiHole's regex matching isn't a naive implementation, it caches the results, so that it only actually performs the regex matching on first query to a ___domain not seen before (since last restart).
So really it makes no difference at all if one blocks a ___domain the way I describe, or the way you describe. They both end up doing the same thing: they insert an exact-match filter entry into the database.
In which case, it's simply down to one's own preference: do you prefer looking through the query log to find the site to block... or do you prefer just typing in a ___domain name.
Previously, PiHole used /etc/dnsmasq.d/ with best practice being to put one's own additional config, or overrides, in separate file(s) in that folder.
PiHole v6 appears to have most of that config built-in, and upgrading to v6 removes all of the previous standard config files, leaving only user-created / user-edited files in /etc/dnsmasq.d/ - and PiHole v6 by default no longer imports anything from this folder (to prevent possible incompatibilities).
But it's just a setting, and toggling it brings back the original functionality of importing config from files in that folder. And for me, my custom dnsmasq config worked just the same as it previously did.
One of the most values I get out of a SaaS service is NextDNS [0]. There are competitors like ControlD [1] that are also very good. At the end of the day they both check all the boxes for me.
But, the piece that really got me with NextDNS when I started using it was the unlimited number of profiles. This allows me to target any device, no matter where it is (this is fantastic for mobile devices) and keep my filtering lists in place. I selfhost a lot but still find the annual cost of NextDNS more than fair.
I think I'll never buy a smart TV what an ultimate ahole move to put ads in there. It's like the Kindles where you have to read these ads before you can open your book (of course you can pay a 1-time fee). Like buying a movie on YouTube and having to watch ads in it or can't see full res unless you're on an allowed device. If UBO actually stops working on Chrome I'll either leave or use pihole.
My cheap android phone installs games by itself eg. candy crush ugh. My own fault I get it buy a $2K phone instead of $160
Most non-smart 4K screens are more expensive than 4k-smart tv screens though. Really weird, because there's less stuff in it. I just want a nice 50" 4k screen with hdmi and display ports. I don't use all the other junk anyway, since i watch tv via a computer and sounds goes to a surround set.
I've had a little insight into this world. To make the BOM costs work at the retail prices they charge for things like common set-top streaming boxes (e.g. Roku) and, now, TVs themselves since they incorporate the same stuff, they have to be selling data. Otherwise they're selling at a loss, once you factor in middleman margins and such.
You can try to compete by charging a reasonable amount for your hardware and software, but you'll be competing against economy of scale and wrestling for shelf-space with products that are (don't forget retail percentage mark-up) at least 30% cheaper than yours, which means your units don't move, which means you don't get (or keep) shelf space, and hello death spiral. Also if you somehow manage to make it despite that, as soon as an MBA gets in charge you'll just switch to selling data, too.
I only didn’t mention that because I’m not sure how much spying they do. I’d bet it’s a lot less, but probably still too much.
But yes, that’s what I have, two of them in fact. Tried a Shield, sucked, should have just gone straight for Apple TV instead of trying to pinch pennies.
A follow up question is, what does the transaction look like. Bulk DB dump or JSON files per person, spreadsheet, that would be interesting like race, interests, budget...
Looking at Vizio's financial records[0], the numbers make it clear.
They seperate everything into 2 distinct businesses, Device and Platform+.
Device represents their hardware business of selling physical TVs and soundbars. Platform+ covers all of their other "software-related" business, mainly consisting of ad delivery and selling user data to third parties.
2019:
- Device Net Revenue = $1.7 billion
- Device Gross Profit = $125 million
- Platform+ Net Revenue = $63 million
- Platform+ Gross Profit = $40 million
2023:
- Device Net Revenue = $1.0 billion
- Device Gross Profit = -($8.6 million)
- Platform+ Net Revenue = $598 million
- Platform+ Gross Profit = $364 million
So over the course of just 4 years:
- hardware revenue is down 40% and is actually losing money (confirms they are indeed selling the TVs at a loss)
- Ad/user data revenue, however, is up almost ten-fold (+949%)
- total gross profits of the two combined are up over 54%
No, not weird. The extra stuff is there to show you ads and/or track your behavior, which generates a stream of revenue for the TV maker. W/o the extra stuff, the only revenue comes from the one-time purchase.
Is there an equivalent of DDWRT/OpenWRT but for TVs?
Most often those are some embedded linux board running some Android fork, shouldn't there be some TV models on the market that are a good hardware/price deal with firmware that can be replaced?
Even something that just permanently shows HDMI input with no popup overlays would be good, but AOSP + VLC/Jellyfin would be even nicer.
> Is there an equivalent of DDWRT/OpenWRT but for TVs?
Get a used mini-pc, install Linux on it, and don't allow the TV to connect to any networks. This is a 50-75 dollar solution. Good if you are on a budget and are not interested in any wiz-bang features like HDR.
There are a few TV-dedicated Linux systems out there, like libreElEC.
Or get a more powerful system with a AMD GPU and install Bazzite on it. That way you get something like "SteamOS for your TV". Pairs nicely with controllers like 8BitDo.
It would be nice to have TVs as open as PCs, but the manufacturers and media companies are ran by dirtbags and would rather have victims then customers.
As someone who tried that route I'd strongly recommend against it for anyone who isn't core HN audience or just loves tinkering. You're much better off with an Apple TV or an Nvidia Shield unless you really want the "beefy gaming media center".
I walked the mini-PC/RPi road and they came up short every time even for me, let alone the rest of the family. Even when I put in place the perfectly optimized initial setup I was still left with a bad compromise of performance, power consumption, noise, boot time, ergonomics, and the constant trickle of things breaking down or needing tweaking because of some update.
When trying to watch a movie with the family the last thing I want is to troubleshoot random issues.
I just use an old macbook air with a bluetooth keyboard that also has a touchpad. The thing is in sleep mode when not needed, so it wakes up fast and does not need a lot of energy. With that setup I can access whatever media I want, have a solid adblocker and a browser with a real keyboard.
> with a bluetooth keyboard that also has a touchpad
Different strokes for different folks, having to use a keyboard to control my TV is for me one of those usability compromises I preferred to avoid. It's probably related to how I use the TV, things like browsing the web were never on the list of requirements. I'll have a phone, tablet, or laptop at hand for that.
I've had a MSI Trident functioning as a gaming/HTPC computer for years and the family loves it. They know how to browse the various streaming services and use Steam and Kodi.
This is diverging quite a bit from "a smart TV replacement". Especially if Steam is a requirement.
The gaming PC you have there is probably exactly the combination you want. But for most others it's the compromise to avoid I mentioned above. It delivers the console and TV/media center experience but with the full PC power consumption, noise, boot times, maintenance effort, and inconvenient controls.
The cheapest Trident I can find on eBay costs more (by 2-5x) than an Xbox and an Apple TV together. And these 2 deliver their respective experiences with far fewer compromises.
> They know how to browse the various streaming services
Knowing how to use it is just the bare minimum requirement. With an Apple TV for example you can do the same with almost instant startup time, 0 noise, 0 maintenance, ~1-2W streaming, and a small remote control. And probably has less ads than the average Windows computer :). I found the "right tool for the job" more appropriate for my use case but that might not work for everyone or all the time.
Things just happened that lead to that optimised state of using one device for alll (The MSI). Nevertheless the main question was about a nice 4k screen. :)
Because just like virtually everything in the embedded SoC ecosystem outside of the RPi competitor SBC crowd, the TV embedded board likely has a chip with little or no doc (with or without NDA), and unlike a Pi-ish SCB there's probably not even an unsupported, outdated kernel linked with a ton of opaque proprietary blobs hidden on an obscure Chinese language web site to try out.
Maybe there are smart TVs out there with a SoC that's been reverse engineered enough to do something with. If there is, that should be shouted from the rafters. But I kinda doubt it.
One difference between Monitors and TV used to be that Monitors used RGB Subpixel-Layout and TVs used BGR. (i.e. TV panels are upside down)
Configuring subpixel-layout per monitor is something that most OS won't allow.
So if you use several monitors, you usually have to mount the BGR-ones upside down. (Otherwise fonts will be blurry...)
For some time now there are really cheap 4K Monitors with BGR-layout available. If you mount those upside down you're fine... (I use LG 4K Monitors mounted upside down in combination with other screens)
Subpixel hinting isn't that useful at high DPIs though. Apple has ditched it entirely in macOS, regardless of monitor DPI, and gone back to standard anti-aliasing.
Bare in mind I went down this hole years ago, so these could be solved problems, but in my experience Monitors speak a set of more useful modes (Resolution and refresh rate combos) and tv's often need to be trammed in a bit, the default screen position not being properly centered in all cases.
Yeah exactly, as also others point out in the thread, if you want "TV-sized monitor" you will pay more than for a TV, and probably get worse panel, lower brightness, etc. Hence it would be useful to buy "smart" TV and turn it into a monitor instead.
Would be fun if some could hack those os'es indeed.
It could make a nice CrowdSupply project, except for the cheap distribution of the huge packages. Sounds not that hard though: Just get some nice 50" 4k smart tv's and remove all the junk. Cool features like DP daisy chain or something and one could have a nice project. But i'm guessing there is (too) much money to be made in user info and ads. :(
I have a 'smart tv'. I don't allow it to connect to any network.
The only really annoying thing about it is that noises from tv shows or the house sometimes triggers the voice recognition, which fails, and then you have to click through the error message.
I just have never connected my Samsung TV to the Internet. My streaming all goes through my Roku. When the TV turns on it displays a splash screen asking me to connect to the network, which disappears after about 15 seconds and never comes back until I turn the TV back on.
I know there are TVs far more obnoxious than this, but I have no complaints and the Internet doesn't know a thing about my TV.
If you use an Android device, you have the potential to live an ad-free life:
- Use Firefox with Ublock Origin and BypassPaywallsClean to avoid ads and Paywalls.
- Use ReVanced to patch your YouTube APK to disable ads, add SponsorBlock to avoid in-video ads, etc. ReVanced can also patch all major social media apps to remove all ads.
- Use OSS apps to avoid ads or get extra functionality. I use OuterTune for free music, Aliucord/Revenge for a better Discord client, etc.
Yes, those are the "smart" features. Just plug in a Raspberry Pi and don't touch the TV after its initial setup. I'm still using the same Raspberry Pi 2 I've been using for more than 5 years now. Beats "smart" TVs that you can buy today.
It only has a 100Mbps Ethernet jack, yes, but so do both of my TVs.
I don’t have any HEVC media so I’m not sure there, but the lack of 4K output would be a big stopper for me.
I’m also not sure about the streaming services it would support, but chances are if your running off of a Pi2, you’re sailing the seven seas for media. Will that thing even play YouTube in a browser at this point?
Nah, I used to have a YouTube plugin that worked years ago but don't any more. I don't use it for "TV" purposes, though, it's more of a home cinema device. I don't have background screens in my house.
But my point wasn't literally to use a Raspberry Pi 2, just that you can get cheap low power devices that beat "smart TV" crap. You can of course get much more recent ARM-based boards that support all the latest HD standards etc. I don't do the hedonic treadmill, though, so I'm still happy with 1080p Blu-ray.
Can't disagree with that. If it's still fulfilling it's purpose, why change?
Smart TVs really aren't very smart and a nicely ripped 1080p Blu-ray often looks better than what the streaming services will stream you anyway.
I don't think I'd even have a TV if it were just me. Wife and kids seem to need one though, so simplicity counts. What would they do if they couldn't watch people who watch people play games?
I let one of my cheap smart TVs update for this reason (and not the other two identical ones I have) and now that one crashes and lags all the time, despite none of them being on the internet.
Embedded device software development quality is usually even worse than webapp software development quality.
My tv after a recent update has begun randomly crashing with audio looping for a few seconds before rebooting. When an update comes through for that you can he damned sure I’ll be disabling all future updates.
Is a DNS blackhole the right way to restrict your TV from doing bad things? The software running on the device might not even use DNS lookups to connect to hosts as it pleases. Your router is probably the better place to add guardrails.
I recommend putting all these things on their own VLANs with strict routing rules.
For example my STB is on a VLAN that has WAN access (otherwise it won't do anything), but that makes it untrustworthy so it is completely isolated from rest of LAN.
On the other hand some "smart"/IoT devices are on a VLAN that has no WAN access so that they can't phone home, become a botnet, or download firmware updates that remove functionality in favor of subscription services. Only a VM running homeassistant can talk to them.
This will work until amazon sidewalk / built-in LTE modems become too frequent, at that point I'll have to start ripping out the radio modules from things I buy.
Call me pessimistic, but as the sidewalk pattern becomes more common for IoT, I wouldn’t be surprised if a “malfunctioning radio” just results in the device not working properly.
Smart/iot devices using DoH (or other encrypted DNS) is a headache that would need to be solved at the router (mitming/redirecting to your preferred provider? or straight up blocking) with a big blocklist. Unfortunate what a double-edged sword DoH is becoming.
It’s a start for sure, a TV that’s really out to track you might well be able to circumvent these blocks, but most TVs (and indeed most tracking technologies on the web) to my understanding are not so sophisticated. For the average person who wants to enjoy some of the smart features of their TV this is a good compromise.
And I’m not sure what you mean by the router being the better place to add guardrails. What sort of guardrails can you possibly add outside of blocking internet access outright to the TV? It would be near impossible to distinguish between legitimate traffic and ad/tracking traffic without resorting to something like SNI sniffing which again can be bypassed.
Thanks for giving my glib comment the credibility it didn't deserve.
Less flippantly, I'm worried it will be sooner rather than later that someone figures out how to route the telemetry and ads over the same TLS endpoint as the bona fide services. At that point it's game over, and I don't think it needs much "sophistication". Just a different path on the same HTTPS endpoint...
I think [1] is quite irrelevant to be honest. Blocking DNS isn't a destructive operation. I've been using pi-hole for years and I simply block everything and cherry-pick a few exceptions here and there when something breaks. I only had to really troubleshoot maybe 3-4 times in years, and half of that were related to the fact I worked for companies that had domains blocked.
The only times I have seen this happen is when the remote devices were communicating with something on blacklist (which should be concerning anyway, but also a quick fix if not) or doing something naughty like not using the DNS server broadcast by DHCP.
I think log-don't-enforce and per-client block profiles are probably basic to people who work with networking regularly, but are probably pretty far out of reach for the average home user who are probably needing to expand their networking knowledge just to distribute custom DNS via DHCP.
So, I agree that those would be lovely features but are, I think, a ways beyond what I would assume the p90 of pihole users would need or be able to use.
You can definitely set client groups, either based on CIDR, MAC (if on the same network segment) or individual IP. From there, you can assign different domains and list to the specific groups.
The way I handled this issue for my family and devices is just by having two SSIDs - one with pihole blocking and one without. If it’s interfering with something me or my wife can just switch to the unblocked network temporarily.
You'd be hard pressed to find that an auditing mode would be helpful. Even once you hit that big red button, depending on the blocklists you use you will come across false positives that cause issues.
There isn't any kind of "dry run" or "phantom" mode, where requests are not actually blocked, but appear marked in the log UI as "would be blocked". This is super important because I want to see all the things my home network is doing that would be blocked before I actually hit the big red button. I want to fix up the allow/denylist before going live.
It's also not possible (or not clear) how to have different behavior for different clients. For my "smart tv" which I begrudgingly have to allow on my network occasionally for software updates, I want to treat it with the strictest possible list. But for my phone, I don't want that same list. There's a concept of "groups" so perhaps this is user error on my part, but the UI does not make this clear.