Hi there, I'm a bit worried that my pi-hole has been compromised. This morning I updated to v4.2 (pihole -up), which went without a hitch. Now when I look at the dashboard I see thousands of client requests from a 'client' dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru (see screenshot). This 'client' isn't in the top clients list, nor can I find any reference in the long-term logs. Note the low level of queries, so it doesn't look like the pi-hole is actually resolving these requests.
The pihole is on a local network and connects to a vpn/vps to serve DNS to my mobile, etc...
Hi jfb, thanks for your suggestion. I did try that, but no entries for ertelecom.ru were returned. It's really strange that this 'client' is showing on the pi-hole dashboard but not in the logs; I can't understand how that's possible. Further, when I rebooted the pi-hole these entries disappeared from the dashboard. I tried a tcpdump (tcpdump -w ru.pcap -n host dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru) but it couldn't find the host name...
The pihole.log is rotated nightly at midnight, so the log that contains this information may be one of the older logs (they are located in /var/log). You can search the gz logs with zgrep.
-rw-r--r-- 1 pihole pihole 130K Feb 5 08:43 pihole.log
-rw-r--r-- 1 pihole pihole 411K Feb 5 00:00 pihole.log.1
-rw-r--r-- 1 pihole pihole 70K Feb 4 00:00 pihole.log.2.gz
-rw-r--r-- 1 pihole pihole 70K Feb 3 00:00 pihole.log.3.gz
-rw-r--r-- 1 pihole pihole 71K Feb 2 00:00 pihole.log.4.gz
-rw-r--r-- 1 pihole pihole 96K Feb 1 00:00 pihole.log.5.gz
These queries are not from that client. They are queries looking for the IP of that domain. The IP address 127.0.0.1 (the Pi-Hole host) is asking for that domain. This doesn't indicate that you have been hacked, it indicates that some software on your network is looking for that domain. It is likely related to your VPN if you use a dynamic IP service to keep an IP for your VPN.
The format for a zgrep is the same as for grep. This command will find all instances of the word microsoft in a gz-formatted file.
sudo zgrep microsoft /var/log/pihole.log.3.gz
Feb 2 00:00:03 dnsmasq[31962]: query[A] mobile.pipe.aria.microsoft.com from 192.168.0.135
Feb 2 00:00:03 dnsmasq[31962]: /etc/pihole/black.list mobile.pipe.aria.microsoft.com is 0.0.0.0
I don't use a dynamic IP service on the VPN or, knowingly, anywhere on the local network. Makes sense that this is not the client; how can I find out what's requesting this address?
Hi, I have my upstream DNS configured only to Cloudflare and I'm seeing similar, concerning entries where Pihole appears to be suddenly forwarding DNS queries from localhost to a pppoe.lipetsk.ertelecom.ru domain as the upstream DNS. I haven't had a chance to comb through the entire log to see when they began, but I look at the Pihole web console fairly frequently, and I'd never seen this before today.
When I run the command suggested above by @jfb to search the log (sudo grep ertelecom.ru /var/log/pihole.log), here are several examples that come back, from just this morning. I've obviously never configured this ertelecom.ru as an upstream DNS:
I've checked both the DNS settings in the web console and these .conf files below, and both only contain entries for Cloudflare (1.1.1.1 and 1.0.0.1) as the upstream DNS:
/etc/pihole/setupVars.conf
/etc/dnsmasq.d/01-pihole.conf
Any ideas? Nuke this pihole install from orbit? Could these be coming from something else on my network, even though they appear to be from localhost?
Thanks - looking at the query history in the Web Console, I did see that these appear to be PTR requests. Please help me out here, as a relative Pihole novice: does that mean it's instead receiving the request from an ertelecom.ru IP? My pihole is behind a router firewall and shouldn't be open to this query, and while I certainly can't rule out operator error, this being possible would be a shock to me.
What makes me worry that my upstream DNS has been hijacked somehow, though, is that two of these ertelecom.ru addresses show up in the "Forward Destinations" chart on the Dashboard. I see Cached, Blocklist, and 1.1.1.1 as you'd expect, but then also these two .ru addresses as forward destinations.
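To make jfb's point concrete for both the zgrep search above and the PTR question here (a "query[...] X from C" line records that client C asked about X, and a name can also appear only as the answer to a reverse lookup), here is an added example, not code from this thread or from the Pi-hole project, that parses dnsmasq-format pihole.log lines and reports, for a name fragment, which clients asked for it, which upstreams those queries were forwarded to, and whether it showed up only as a PTR answer. The log lines are constructed samples, and the regexes assume the standard dnsmasq message formats shown in the thread.

```python
import re
from collections import defaultdict
# Constructed pihole.log sample in dnsmasq format (not the posters' real logs).
SAMPLE_LOG = """\
Feb 5 08:40:01 dnsmasq[31962]: query[A] mobile.pipe.aria.microsoft.com from 192.168.0.135
Feb 5 08:40:01 dnsmasq[31962]: /etc/pihole/black.list mobile.pipe.aria.microsoft.com is 0.0.0.0
Feb 5 08:40:03 dnsmasq[31962]: query[PTR] 0.188.235.89.in-addr.arpa from 127.0.0.1
Feb 5 08:40:03 dnsmasq[31962]: forwarded 0.188.235.89.in-addr.arpa to 1.1.1.1
Feb 5 08:40:03 dnsmasq[31962]: reply 0.188.235.89.in-addr.arpa is dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru
Feb 5 08:40:04 dnsmasq[31962]: query[A] dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru from 127.0.0.1
Feb 5 08:40:04 dnsmasq[31962]: forwarded dynamicip-89-235-188-0.pppoe.lipetsk.ertelecom.ru to 1.0.0.1
"""

HEAD = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d dnsmasq\[\d+\]: (?P<msg>.*)$")
PATTERNS = {  # dnsmasq message body -> record kind ('blocked' = the /etc/pihole/*.list lines)
    "query": re.compile(r"^query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$"),
    "forwarded": re.compile(r"^forwarded (?P<name>\S+) to (?P<upstream>\S+)$"),
    "reply": re.compile(r"^(?:reply|cached) (?P<name>\S+) is (?P<answer>\S+)$"),
    "blocked": re.compile(r"^/\S+ (?P<name>\S+) is (?P<answer>\S+)$"),
}

def parse_line(line):
    """Return {'kind': ..., fields...} for a recognised dnsmasq line, else None."""
    head = HEAD.match(line.strip())
    if not head:
        return None
    for kind, rx in PATTERNS.items():
        m = rx.match(head.group("msg"))
        if m:
            return {"kind": kind, **m.groupdict()}
    return None

def explain_name(log_text, needle):
    """Who asked for a name, where those queries went, and whether it only came back as a PTR answer."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    rev = {r["name"] for r in recs if r["kind"] == "reply"  # reverse names whose answer was the needle
           and r["name"].endswith(".in-addr.arpa") and needle in r["answer"]}
    out = {"clients": defaultdict(set), "forwarded_to": set(), "ptr_answers": set(), "blocked": set()}
    for r in recs:
        if needle not in r["name"] and r["name"] not in rev:
            continue
        if r["kind"] == "query":
            out["clients"][r["client"]].add(r["qtype"])  # the client that actually sent the question
        elif r["kind"] == "forwarded":
            out["forwarded_to"].add(r["upstream"])        # upstream the question was sent to
        elif r["kind"] == "reply" and r["name"] in rev:
            out["ptr_answers"].add(r["answer"])           # name appeared only as a reverse-lookup answer
        elif r["kind"] == "blocked":
            out["blocked"].add(r["name"])
    return out
```

Run explain_name over the output of zgrep (or the whole rotated log) with the name fragment you are worried about; a result whose only client is 127.0.0.1 and whose ptr_answers is non-empty means the Pi-hole host itself asked for the name, or looked up the reverse record of an address, rather than that host sending queries to you.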