The pihole.log is rotated nightly at midnight, so the log that contains this information may be one of the older logs (they are located in /var/log). You can search the gz logs with zgrep.
-rw-r--r-- 1 pihole pihole 130K Feb 5 08:43 pihole.log
-rw-r--r-- 1 pihole pihole 411K Feb 5 00:00 pihole.log.1
-rw-r--r-- 1 pihole pihole 70K Feb 4 00:00 pihole.log.2.gz
-rw-r--r-- 1 pihole pihole 70K Feb 3 00:00 pihole.log.3.gz
-rw-r--r-- 1 pihole pihole 71K Feb 2 00:00 pihole.log.4.gz
-rw-r--r-- 1 pihole pihole 96K Feb 1 00:00 pihole.log.5.gz
These queries are not from that client. They are queries looking for the IP of that domain. The IP address 127.0.0.1 (the Pi-Hole host) is asking for that domain. This doesn't indicate that you have been hacked, it indicates that some software on your network is looking for that domain. It is likely related to your VPN if you use a dynamic IP service to keep an IP for your VPN.
The format for a zgrep is the same as for grep. This command will find all instances of the word microsoft in a gz formatted file.
sudo zgrep microsoft /var/log/pihole.log.3.gz
Feb 2 00:00:03 dnsmasq[31962]: query[A] mobile.pipe.aria.microsoft.com from 192.168.0.135
Feb 2 00:00:03 dnsmasq[31962]: /etc/pihole/black.list mobile.pipe.aria.microsoft.com is 0.0.0.0
I don't use a dynamic IP service on the VPN or knowingly anywhere on the local network. Makes sense that this is not the client; how can I find out what's requesting this address?
Hi, I have my upstream DNS configured only to Cloudflare and I'm seeing similar, concerning entries where Pihole appears to be suddenly forwarding DNS queries from localhost to a pppoe.lipetsk.ertelecom.ru domain as the upstream DNS. I haven't had a chance to comb through the entire log to see when this began, but I look at the Pihole web console fairly frequently, and I'd never seen this before today.
When I run the command suggested above by @jfb to search the log (sudo grep ertelecom.ru /var/log/pihole.log), here's several examples that come back, from just this morning. I've obviously never configured this ertelecom.ru as an upstream DNS:
I've checked both DNS settings in the web console, as well as these .conf files below, and both only contain entries for Cloudflare (1.1.1.1 and 1.0.0.1) as the upstream DNS:
/etc/pihole/setupVars.conf
/etc/dnsmasq.d/01-pihole.conf
Any ideas? Nuke this pihole install from orbit? Could these be coming from something else on my network, even though they appear to be from localhost?
Thanks - looking at the query history in the Web Console, I did see that these appear to be PTR requests. Please help me out here, as a relative Pihole novice: does that mean it's instead receiving the request from an ertelecom.ru IP? My pihole is behind a router firewall and shouldn't be open to this query, and while I certainly can't rule out operator error, this being possible would be a shock to me.
What makes me worry that my upstream DNS had been hijacked somehow, though, is that two of these ertelecom.ru addresses show up in the "Forward Destinations" chart on the Dashboard. I see Cached, Blocklist, and 1.1.1.1 as you'd expect, but then also these two .ru addresses as forward destinations.
Sorry for the delay in responding - I've been away from my home network until now. Here's an example of what is happening every hour, on the hour, when Pihole does a PTR request, first for the gateway (192.168.1.1) and then for the DNS providers:
Mar 5 01:00:00 dnsmasq[16412]: query[PTR] 1.1.168.192.in-addr.arpa from 127.0.0.1
Mar 5 01:00:00 dnsmasq[16412]: config 192.168.1.1 is NXDOMAIN
Mar 5 01:00:00 dnsmasq[16412]: query[PTR] 0.92.235.188.in-addr.arpa from 127.0.0.1
Mar 5 01:00:00 dnsmasq[16412]: forwarded 0.92.235.188.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: dnssec-query[DS] 235.188.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: dnssec-query[DNSKEY] 188.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: reply 188.in-addr.arpa is DNSKEY keytag 29744, algo 8
Mar 5 01:00:01 dnsmasq[16412]: reply 188.in-addr.arpa is DNSKEY keytag 32904, algo 8
Mar 5 01:00:01 dnsmasq[16412]: reply 235.188.in-addr.arpa is no DS
Mar 5 01:00:01 dnsmasq[16412]: dnssec-query[DS] 92.235.188.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: reply 92.235.188.in-addr.arpa is no DS
Mar 5 01:00:01 dnsmasq[16412]: validation result is INSECURE
Mar 5 01:00:01 dnsmasq[16412]: reply 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru
Mar 5 01:00:01 dnsmasq[16412]: query[PTR] 0.92.235.188.in-addr.arpa from 127.0.0.1
Mar 5 01:00:01 dnsmasq[16412]: cached 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru
Mar 5 01:00:01 dnsmasq[16412]: query[PTR] 1.0.0.1.in-addr.arpa from 127.0.0.1
Mar 5 01:00:01 dnsmasq[16412]: forwarded 1.0.0.1.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: validation result is INSECURE
Mar 5 01:00:01 dnsmasq[16412]: reply 1.0.0.1 is one.one.one.one
Mar 5 01:00:01 dnsmasq[16412]: query[PTR] 1.1.1.1.in-addr.arpa from 127.0.0.1
Mar 5 01:00:01 dnsmasq[16412]: forwarded 1.1.1.1.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: validation result is INSECURE
Mar 5 01:00:01 dnsmasq[16412]: reply 1.1.1.1 is one.one.one.one
When I grep the log for 188.235.92.0, it only has entries for these PTR requests coming from the pihole itself. I'm not running DHCP on Pihole, and my router is the type that forwards the DNS requests to Pihole from every device as if they're coming from the gateway itself. Even still, if a PTR request were coming from another device, this would show up as coming from 192.168.1.1.
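As an added example (not from this thread or the Pi-hole project), the Python below parses dnsmasq lines of the kind quoted above and separates the three roles a host can play in the log: the client that sent a query, the upstream server that actually received a forwarded query, and a name that only appeared in a reply (for instance the hostname returned by a PTR lookup of some IP). It addresses both questions raised in the thread: which client requested a given domain, and whether a hostname ever acted as an upstream server or only showed up as a lookup result. It assumes Pi-hole's default dnsmasq log format; the sample lines are copied from the thread, not read from a live log.

```python
import re
from collections import defaultdict

# Message-part patterns for the dnsmasq line types quoted in this thread.
QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)$")
FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)$")
ANSWER_RE = re.compile(r"(?:reply|cached) (\S+) is (\S+)$")

# Sample input: lines copied from this thread, not a live log.
SAMPLE = """\
Feb 2 00:00:03 dnsmasq[31962]: query[A] mobile.pipe.aria.microsoft.com from 192.168.0.135
Feb 2 00:00:03 dnsmasq[31962]: /etc/pihole/black.list mobile.pipe.aria.microsoft.com is 0.0.0.0
Mar 5 01:00:00 dnsmasq[16412]: query[PTR] 0.92.235.188.in-addr.arpa from 127.0.0.1
Mar 5 01:00:00 dnsmasq[16412]: forwarded 0.92.235.188.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: reply 188.235.92.0 is dynamicip-92-235-188-0.pppoe.lipetsk.ertelecom.ru
Mar 5 01:00:01 dnsmasq[16412]: query[PTR] 1.1.1.1.in-addr.arpa from 127.0.0.1
Mar 5 01:00:01 dnsmasq[16412]: forwarded 1.1.1.1.in-addr.arpa to 1.1.1.1
Mar 5 01:00:01 dnsmasq[16412]: reply 1.1.1.1 is one.one.one.one
""".splitlines()

def summarize(lines):
    """queries   {(qtype, name): {client, ...}}   who asked for what
    upstreams {server: forward_count}           servers that really received queries
    answers   {name: {value, ...}}              what names (incl. PTR) resolved to"""
    queries, upstreams, answers = defaultdict(set), defaultdict(int), defaultdict(set)
    for line in lines:
        msg = line.split("]: ", 1)[-1]  # strip "Mon D HH:MM:SS dnsmasq[pid]: "
        if m := QUERY_RE.match(msg):
            queries[(m[1], m[2])].add(m[3])
        elif m := FORWARD_RE.match(msg):
            upstreams[m[2]] += 1
        elif m := ANSWER_RE.match(msg):
            answers[m[1]].add(m[2])
    return dict(queries), dict(upstreams), dict(answers)

def clients_for(lines, suffix):
    """Clients that queried any name ending in `suffix` (the 'who asked?' question)."""
    queries, _, _ = summarize(lines)
    return {c for (_, name), cs in queries.items() if name.endswith(suffix) for c in cs}

def roles_of(lines, suffix):
    """Roles a host under `suffix` played: 'upstream' means it received forwarded
    queries; 'answer' means it only appeared as a result, e.g. of a PTR lookup."""
    queries, upstreams, answers = summarize(lines)
    roles = set()
    if any(c.endswith(suffix) for cs in queries.values() for c in cs): roles.add("client")
    if any(s.endswith(suffix) for s in upstreams): roles.add("upstream")
    if any(v.endswith(suffix) for vs in answers.values() for v in vs): roles.add("answer")
    return roles
```

summarize() accepts any iterable of lines, so the rotated logs can be fed in from the output of zcat on the .gz files in /var/log.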
While I can't add a solution to this thread, I would ask the O.P. "do you live in ru" or "is your isp based in .ru?" As posted, it is hard to know if .ru is considered evidence of a hack, or just a basic bit of information found in the log files and pi-hole output.
Also, there are numerous threads here about very similar chains of logged info featuring wpad and wpad.re1.state.company.net paired with 127.0.0.1.
Reading through those may shed some light. (And the above has shed light on my understanding of the wpad problem).