The most surprising thing about Pi-hole’s streaming whitelist is that it doesn’t actually whitelist anything in the traditional sense; instead, it disables Pi-hole’s blocking for specific domains.
Let’s see it in action. Imagine you’ve just set up Pi-hole and everything is humming along, blocking ads beautifully. Then you try to stream Netflix, and it buffers endlessly or refuses to connect. Or Spotify grinds to a halt. You check your Pi-hole query log and see a flood of requests to domains like netflix.com, netflix.net, spotify.com, and spotify.net being blocked.
Here’s a typical scenario:
- The Problem: You notice intermittent or complete failure of streaming services like Netflix, Spotify, Disney+, etc., after enabling Pi-hole.
- The Observation: Checking the Pi-hole query log (via the web interface, usually http://pi.hole/admin/queries.php) shows that domains related to these services are being blocked. For example, you might see netflix.com or spotify.com listed with a Blocked (gravity) status.
- The Cause: Pi-hole’s default blocklists, curated to catch advertising and tracking domains, sometimes inadvertently include domains that legitimate streaming services use for content delivery, authentication, or DRM. These aren’t ads; they’re essential for the service to function.
To fix this, you need to tell Pi-hole not to block these specific domains. This is where the "streaming whitelist" comes in, though it’s more accurately a list of exemptions from blocking.
How to Add Streaming Exemptions:
You can do this via the Pi-hole web interface:
- Navigate to Settings.
- Select the Blocklists tab.
- Scroll down to the Whitelist section.
- In the "Domain" field, enter a domain that is being blocked and is essential for your streaming service.
- Click the Add to Whitelist button.
Crucial Domains to Consider:
- Netflix: netflix.com, netflix.net, nflxext.com, nflximg.com, nflxso.net
- Spotify: spotify.com, spotify.net, spoti.fi
- Disney+: disneyplus.com, disney.com
- Amazon Prime Video: primevideo.com, amazon.com
- Hulu: hulu.com
- YouTube: While often less problematic, youtube.com and googlevideo.com might sometimes need to be whitelisted if you experience issues.
Why This Works:
When you add a domain to the whitelist, Pi-hole marks it internally. Any subsequent DNS queries for that specific domain will bypass the blocklists entirely and be forwarded directly to your upstream DNS server. This ensures that the streaming service’s essential infrastructure is accessible, while Pi-hole continues to block ads and trackers on other sites.
A More Granular Approach: Regular Expressions
Sometimes, blocking specific subdomains can cause issues. For example, a service might use api.streaming-service.com for essential calls, but ads.streaming-service.com for ads. If streaming-service.com itself is blocked, it might break everything. Pi-hole’s regex filtering offers a powerful way to manage this.
Instead of just whitelisting streaming-service.com, you can use a regex to only block specific patterns. For example, to block all subdomains of example.com except for api.example.com and content.example.com, you would add the following regex to your blocklist:
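^(?!(api|content)\.example\.com$)(.*\.)?example\.com$
This regex says: "Match example.com, alone or preceded by any subdomain labels, but only if the whole name is NOT api.example.com or content.example.com." The negative lookahead sits at the start of the name because that is where api. or content. would appear; placed after the leading dot, it would only ever inspect example.com and exempt nothing.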
However, for the streaming whitelist use case, it’s often simpler to whitelist the problematic parent domain. The direct domain whitelist is usually sufficient.
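The exemption behaviour described under "Why This Works", applied to the example.com case above, as an added example (not Pi-hole's code and not from the original article): a small Python model in which exact allow entries are checked before any block rule. Python's re stands in for Pi-hole's regex engine, the list contents and the names decide and redundant_allows are constructed for illustration, and only a plain block pattern is used so nothing depends on lookahead support.

```python
import re

# Constructed sample lists (assumptions, not real Pi-hole data).
ALLOW_EXACT = {"api.example.com", "content.example.com", "cdn.other.test"}
BLOCK_REGEX = [re.compile(r"(^|\.)example\.com$")]  # example.com and every subdomain
GRAVITY = {"ads.tracker.test"}                      # stand-in for adlist entries


def normalize(name):
    """Lowercase and drop the trailing root dot so list lookups are consistent."""
    return name.strip().lower().rstrip(".")


def decide(name):
    """Return (verdict, reason) for one queried name; allow entries win over blocks."""
    name = normalize(name)
    if name in ALLOW_EXACT:
        return ("forwarded", "exact allow entry")
    for rx in BLOCK_REGEX:
        if rx.search(name):
            return ("blocked", "regex: " + rx.pattern)
    if name in GRAVITY:
        return ("blocked", "gravity")
    return ("forwarded", "no list match")


def redundant_allows():
    """Allow entries that no block rule would catch: exemptions that can be removed."""
    return sorted(a for a in ALLOW_EXACT
                  if a not in GRAVITY and not any(rx.search(a) for rx in BLOCK_REGEX))


if __name__ == "__main__":
    sample = ["api.example.com", "API.Example.com.", "ads.example.com",
              "x.api.example.com", "example.com", "notexample.com",
              "ads.tracker.test"]
    for n in sample:
        verdict, reason = decide(n)
        print(f"{n:20} {verdict:10} {reason}")
    print("removable exemptions:", redundant_allows())
```

An exact allow entry exempts only that one name: x.api.example.com is still blocked here, which keeps the exemption list as narrow as the service needs.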
The "One Thing" Most People Don’t Know:
The REGEX option in the blocklist section is incredibly powerful. While the whitelist section is for domains you want to allow, the blocklist section also accepts regex patterns. You can use regex here to exclude certain patterns from being blocked even if their parent domain is on a blocklist. For instance, if a broad list blocks *.cdn.example.com, but partner-api.cdn.example.com is critical for a service, you can add (^|\.)partner-api\.cdn\.example\.com$ to your blocklist with the REGEX option selected. This tells Pi-hole to never block that specific regex pattern, effectively overriding any broader blocklist entry that might otherwise catch it. It’s the inverse of a whitelist, applied to your blocklists.
After applying these whitelists, restart the affected application (Netflix, Spotify, etc.) or even your client device. Your streaming services should now function correctly while Pi-hole continues its ad-blocking duties elsewhere.
The next common issue you might encounter is your smart TV or streaming device not getting an IP address from your DHCP server.