You can assign different blocking rules to different devices on your network without needing separate Pi-hole instances.
Let’s see Pi-hole’s client groups in action. Imagine you have a smart TV that insists on phoning home to dozens of ad servers, but you don’t want to block your work laptop’s access to certain internal development tools. Pi-hole client groups let you manage this granularly.
Here’s a typical dnsmasq configuration snippet you might see on a Pi-hole that’s handling DNS for multiple devices:
```
# Default group (all clients)
addn-hosts=/etc/pihole/gravity.list
addn-hosts=/etc/pihole/local.list
addn-hosts=/etc/pihole/dnsmasq.d/01-pihole.conf

# Specific group for the "SmartTV"
server=/doubleclick.net/127.0.0.1#5335
server=/adservice.google.com/127.0.0.1#5335
addn-hosts=/etc/pihole/dnsmasq.d/smarttv-blocklist.conf

# Specific group for "WorkLaptop"
# No explicit blocklists here, but we might have upstream DNS defined differently
# upstream-dns=/8.8.8.8
# upstream-dns=/8.8.4.4

# Specific group for "KidsTablet"
server=/tiktok.com/127.0.0.1#5335
server=/snapchat.com/127.0.0.1#5335
addn-hosts=/etc/pihole/dnsmasq.d/kids-blocklist.conf
```
This setup demonstrates how dnsmasq, the DNS server Pi-hole uses under the hood, can be configured to apply different rules based on the client’s IP address or MAC address. Pi-hole’s web interface simplifies this by allowing you to create "Client Groups" and assign devices (identified by IP or MAC) to those groups. Once a device is assigned, the specific dnsmasq configurations associated with that group are dynamically loaded, overriding or supplementing the default rules.
The core problem Pi-hole client groups solve is the "one-size-fits-all" issue of network-wide ad blocking. Without groups, if you wanted to block a specific domain for one device but not another, you’d have to maintain separate DNS servers or complex firewall rules. Client groups bring this level of control directly into Pi-hole.
Internally, when a DNS query arrives, Pi-hole (specifically dnsmasq) checks the source IP address of the query. It then consults its internal mapping of IP addresses to client groups. Based on the group membership, it applies the relevant configurations. This means that for a query from 192.168.1.100 (assigned to the "SmartTV" group), doubleclick.net will be blocked. But for a query from 192.168.1.101 (assigned to the "WorkLaptop" group), doubleclick.net might be allowed to resolve normally, depending on the "WorkLaptop" group’s configuration.
The primary levers you control are:
- Client Identification: How Pi-hole recognizes a device. This is typically done by its IP address, or more reliably, its MAC address.
- Group Creation: Naming and defining your custom groups (e.g., "Kids Devices," "Work Machines," "Smart Home").
- List Management per Group: Associating specific domain lists (from Pi-hole’s web interface) with each group. These lists can be curated manually or pulled from external sources.
- Upstream DNS per Group: While less common, you can even direct different groups to use different upstream DNS providers.
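The source-to-group lookup described above, together with the Client Identification lever, as an added Python model (not Pi-hole's or dnsmasq's own code): it maps a query's source to a group and applies that group's list. The MAC address, the 192.168.1.150 lease, the list contents and the function names are constructed, and passing the MAC in as an argument is an assumption of the model.

```python
# Added illustration: a simplified model of per-client group lookup,
# not Pi-hole's or dnsmasq's own code. All addresses and lists are constructed.

# Group name -> domains blocked for that group (hypothetical sample lists).
GROUP_BLOCKLISTS = {
    "Default": {"doubleclick.net"},
    "SmartTV": {"doubleclick.net", "adservice.google.com"},
    "WorkLaptop": set(),  # no explicit blocklists, as in the snippet above
    "KidsTablet": {"tiktok.com", "snapchat.com"},
}

# Client identification: MAC entries survive a DHCP lease change, IP entries do not.
CLIENTS_BY_MAC = {"aa:bb:cc:00:00:01": "SmartTV"}
CLIENTS_BY_IP = {"192.168.1.100": "SmartTV", "192.168.1.101": "WorkLaptop"}


def resolve_group(ip, mac=None):
    """Return the group for a query source; a MAC match wins, unknown clients get Default."""
    if mac and mac.lower() in CLIENTS_BY_MAC:
        return CLIENTS_BY_MAC[mac.lower()]
    return CLIENTS_BY_IP.get(ip, "Default")


def is_blocked(qname, blocklist):
    """Match the name and every parent domain, so ads.doubleclick.net hits doubleclick.net."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def decide(ip, qname, mac=None):
    """Return (group, verdict) for one query."""
    group = resolve_group(ip, mac)
    verdict = "BLOCK" if is_blocked(qname, GROUP_BLOCKLISTS[group]) else "ALLOW"
    return group, verdict


if __name__ == "__main__":
    # Constructed queries: (source IP, source MAC or None, query name).
    for ip, mac, q in [
        ("192.168.1.100", None, "ads.doubleclick.net"),
        ("192.168.1.101", None, "doubleclick.net"),
        ("192.168.1.150", None, "adservice.google.com"),                 # TV after a new lease, IP only
        ("192.168.1.150", "AA:BB:CC:00:00:01", "adservice.google.com"),  # same TV, MAC known
    ]:
        print(ip, mac, q, decide(ip, q, mac))
```

The third query shows the failure mode of IP-only identification: after a new DHCP lease the TV falls back to the Default group and its group-specific blocks stop applying, while the MAC-keyed entry in the fourth query keeps it in "SmartTV".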
A common misconception is that client groups require a complex understanding of dnsmasq configuration files. While that’s the engine under the hood, Pi-hole’s GUI abstracts this away. You simply go to "Groups," create a new group, assign your desired blocklists and whitelists to it, and then go to "Clients," select the device, and assign it to your newly created group. Pi-hole handles generating the necessary dnsmasq rules automatically.
The next step after mastering client groups is often dealing with the complexities of DNS over HTTPS (DoH) or DNS over TLS (DoT) requests from clients, which bypass Pi-hole’s traditional DNS interception.