Can pihole do something else than just blocking?
Scenarios:
- Don't block but collect statistics about blacklisted queries
- Redirect
- Notify
disable blocking
@PA3DSS, yes, this is a solution, but I would like something more sophisticated. For example, I would like to block everything in one list but not block what is in a second list. I would have the logs of both.
For example, I am happy with the default blocking list, and I want everything in that list to be blocked. At the same time, I want to test a second list. In this case, I would like to have a log for each time someone tried to resolve a name in the second list, but without blocking it.
The default configuration logs all queries and actions so you can parse the log output to do just about anything you'd like.
There is no way for a DNS server to redirect; DNS doesn't know what protocol the client is using and why it needs to resolve a domain name. If you assume that it is for web traffic then you're still limited by the fact that impersonating an HTTPS endpoint is essentially impossible now.
@DanSchaper yes, I can parse the log, but it seems I am redoing what the pihole already did: check if a domain name is inside a list. Redoing what has been already done seems to me a waste of time.
For sure I am naive, but in my mind pihole is something like:

```
log(request)
if request matches list:
    block
else:
    resolve
```

In my mind the needed change is:

```
log(request)
if request matches list:
    do_something
else:
    resolve
```
It's the `do_something` that is the problem. Pi-hole is a DNS server; it's pretty much limited to converting domains to IP addresses.
What is the `do_something` that you'd like to see?
`do_something`, in my case, would be something like = block / log / block and log. Then I can do complicated stuff parsing the logs. Sure, I can parse the full log by myself, but why redo the filtering pihole already did?
The definition of `do_something` is linked to a particular group of clients and to a particular list.
Here, log is not the usual logging which logs all the requests, but something separate that records only when the domain name is matched to a list.
Let's go back to my first scenario: for some blacklists and some clients I want the usual behaviour (do_something=block): block when the domain name hits a blacklist. For other blacklists I don't want any change in the DNS behaviour, but I want to log when some device asks to resolve a name in a blacklist (do_something = log).
More specific example: suppose I have some smart devices and I want to know if they are communicating with a specific country's top-level domain, but without blocking them.
Would you be open to financially sponsoring your request?
Sorry, I don't think so.
The easiest solution is to use an SQL query to the long-term database to answer this question.
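
The SQL approach suggested in the last reply, as an added example that is not part of the thread or Pi-hole's own code: it reports which clients asked for names on a watch list (exact domains plus a TLD suffix) without changing what gets blocked. The table and column names, the `watch` helper table, and all sample rows are assumptions constructed for the illustration.

```python
import sqlite3

# Constructed sample data. The table and column names (queries: timestamp,
# domain, client) are assumptions modelled on the long-term database.
SAMPLE_QUERIES = [
    (1700000000, "api.vendor.example", "192.168.1.20"),
    (1700000060, "telemetry.cam.example.xx", "192.168.1.20"),
    (1700000120, "ads.tracker.example", "192.168.1.30"),
    (1700000180, "Telemetry.Cam.Example.XX", "192.168.1.20"),
    (1700000240, "cdn.tracker.test", "192.168.1.30"),
    (1700000300, "notexample.xx.org", "192.168.1.30"),  # ".xx" not at the end
]
WATCH_DOMAINS = ["cdn.tracker.test"]  # exact names from the list under test
WATCH_SUFFIXES = [".xx"]              # placeholder country-code TLD

def build_sample_db():
    """In-memory stand-in for the query log, filled with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE queries (timestamp INTEGER, domain TEXT, client TEXT)")
    db.executemany("INSERT INTO queries VALUES (?, ?, ?)", SAMPLE_QUERIES)
    return db

def watchlist_hits(db, domains, suffixes, since=0):
    """Return (client, domain, hits, last_seen) for logged queries on the watch list."""
    # A temp table keeps the list out of the SQL text and avoids LIKE,
    # where "_" (legal in DNS names) would act as a wildcard.
    db.execute("CREATE TEMP TABLE IF NOT EXISTS watch (pattern TEXT, is_suffix INTEGER)")
    db.execute("DELETE FROM watch")
    db.executemany("INSERT INTO watch VALUES (?, 0)", [(d.lower(),) for d in domains])
    db.executemany("INSERT INTO watch VALUES (?, 1)", [(s.lower(),) for s in suffixes])
    sql = """
        SELECT q.client, lower(q.domain) AS name, COUNT(*) AS hits,
               MAX(q.timestamp) AS last_seen
        FROM queries AS q
        WHERE q.timestamp >= ?
          AND EXISTS (
            SELECT 1 FROM watch AS w
            WHERE (w.is_suffix = 0 AND lower(q.domain) = w.pattern)
               OR (w.is_suffix = 1
                   AND substr(lower(q.domain), -length(w.pattern)) = w.pattern))
        GROUP BY q.client, name
        ORDER BY q.client, name
    """
    return db.execute(sql, (since,)).fetchall()

if __name__ == "__main__":
    for row in watchlist_hits(build_sample_db(), WATCH_DOMAINS, WATCH_SUFFIXES):
        print(row)
```

To use it on real data, replace `build_sample_db()` with a connection to a copy of the long-term database and adjust the table and column names to match its schema.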