{this is probably basic; perhaps I’ve just not found the correct search terms / jargon}
AFAIK, Pi-hole currently logs in the text log, but does not store in a database^:
- the IP address returned to a client in response to a request for an A or AAAA record.
Also, while the web interface allows a ‘tail’ view of the logs, AFAIK there is no search function in that interface that would allow searching those logs by the IP address that was returned to a client in response to a DNS RR request (or for any other arbitrary text).
A. Is any of the above incorrect?
B. Has anyone found a solution (using Pi-hole or other software) for the following use case?
(^ maybe some data is stored in a RAM-based ‘cache’ database by the Dnsmasq-based ‘pihole-ftl’?)
Scenario: an outbound connection attempt is allowed (or blocked) by a router or a connection to an IP address is noticed either in a router connection list or on an individual end user device (e.g. via ‘netstat’ or a “Little Snitch”-style alert). Let’s say it’s a port 3329 TCP connection to 1.2.3.4.
A user^^ sees this and wishes to type “1.2.3.4” somewhere (e.g. a web form field) to determine what DNS requests may have provided that IP address to a client (and when).
(bonus points if the request was the result of a CNAME query, and the search shows the whole ‘CNAME query tree’: leading back to the original client request; this can be especially relevant when load-balancers or CDNs are involved)
Assuming 1.2.3.4 doesn’t have a normal reverse DNS entry (shared hosting, inadvertently or intentionally omitted, etc.), how could this user most easily use the stored data on the Pi-hole to determine that ‘a client received 1.2.3.4 in response to a query for “sneakytracker.eviladtechbros.ru” at 0821 UTC today’?
If there is a way for a user to determine this with a simple search, presumably most competent programmers could then write a simple API allowing this sort of request to be made from a variety of methods (e.g. a command-line tool, batch-processing a .csv, or even a custom function for MS Excel), right?
(^^ This is already manually possible when using a terminal shell on the Pi-hole machine itself by filtering the log file using ‘grep’ or ‘tail’; double-bonus points if this user can successfully complete this task using an iPhone or random web browser, and double-super-dog-bonus points if they are your non-technical boss or auntie)
Am I just re-hashing old stuff with new words here?
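As an added example that is not part of the original post: a Python script that does the search asked for in the scenario above over the dnsmasq-format lines Pi-hole writes to its text log, walking the CNAME chain back to the client's original query and reporting the client and time. The sample log lines are constructed, the path /var/log/pihole.log is an assumption, and attributing each reply line to the most recent query line is a simplification noted in the docstring.

```python
import re

# Constructed sample of the dnsmasq-format lines Pi-hole writes to /var/log/pihole.log;
# the names, clients and addresses are made up, and the path is an assumption.
SAMPLE_LOG = """\
Mar  1 08:21:03 dnsmasq[1234]: query[A] sneakytracker.eviladtechbros.ru from 192.168.1.10
Mar  1 08:21:03 dnsmasq[1234]: forwarded sneakytracker.eviladtechbros.ru to 9.9.9.9
Mar  1 08:21:03 dnsmasq[1234]: reply sneakytracker.eviladtechbros.ru is <CNAME>
Mar  1 08:21:03 dnsmasq[1234]: reply edge-lb.cdn-example.net is <CNAME>
Mar  1 08:21:03 dnsmasq[1234]: reply n7.pop.cdn-example.net is 1.2.3.4
Mar  1 08:30:00 dnsmasq[1234]: query[A] example.com from 192.168.1.20
Mar  1 08:30:00 dnsmasq[1234]: reply example.com is 93.184.216.34
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: (.*)$")
QUERY_RE = re.compile(r"^query\[(?:A|AAAA)\] (\S+) from (\S+)$")
REPLY_RE = re.compile(r"^reply (\S+) is (\S+)$")

def find_queries_for_ip(log_text, wanted_ip):
    """One record per client query whose answer contained wanted_ip: time, client,
    the name asked for, and the CNAME chain walked to reach the address.
    Caveat: dnsmasq interleaves concurrent lookups and this attributes each reply
    line to the most recent query line, so a busy resolver can mis-attribute."""
    hits = []
    current = None  # the query that subsequent reply lines are attributed to
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        stamp, msg = m.groups()
        q = QUERY_RE.match(msg)
        if q:
            name, client = q.groups()
            current = {"time": stamp, "client": client, "query": name, "chain": [name]}
            continue
        r = REPLY_RE.match(msg)
        if not r or current is None:
            continue
        name, value = r.groups()
        if name not in current["chain"]:
            current["chain"].append(name)  # a CNAME target now being resolved
        if value == wanted_ip:
            hits.append(dict(current, chain=list(current["chain"]), ip=value))
    return hits


if __name__ == "__main__":
    for h in find_queries_for_ip(SAMPLE_LOG, "1.2.3.4"):
        print(h["time"], h["client"], "asked for", h["query"], "via", " -> ".join(h["chain"]), "->", h["ip"])
```

Replace SAMPLE_LOG with the contents of the real log file to run it against a Pi-hole; AAAA answers are matched the same way if the IPv6 address is passed as wanted_ip.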