Hello, I have a Pihole, and I was trying to find out some information from a specific date. Long story short I went over my data cap, my ISP was able to pinpoint the dates the notifications went out alerting me to getting close to going over my cap. Those alerts have to be acknowledged before you can continue to browse online. The ISP said the alerts were acknowledged and told me they had been clicked. I work from home and I know those notifications and i never saw one. I wanted to go in Pi-hole history at those dates (march 23rd at 1pm) to see if that even came through or if maybe it got blocked by pi-hole and in being blocked it got acknowledged. A picture attached of the message and how it populates when it does come up is attached. This screenshot is back from Nov. of last year before I had Pi-hole in place.I was wondering if there was a way I could try to view or find this alert in Pi-hole. Any ideas?
You cannot see any content, using pihole, pihole only knows about dns domain names.
You can see is what is(was) blocked / allowed / ... using the admin page:
- goto "long term data" / "query log"
- click on "click to select date and time range", select "custom range", enter your time frame.
It would help if you know the domain the message (popup?) was sent from, in that case, you can just enter the domain name in the search box.
Hello, thank you for replying! I actually looked and did the custom range last night and was able to view around the time frame. The issue is that picture I gave, whatever website I'm currently on when it pops up it literally, just displays like that which means I don't see the domain/url it came from. I looked and found another popup message they had pushed a while back but it had actually had the IP in the URL. In that screenshot, it was HTTP://72.240.24.xx/bg/CableOSUpgrade/index.html....etc. I had searched for a 72.xx IP but that example I just gave was from April of 2021 so I don't even know if that 72.240.x IP would be the same one to look for now or if it would be a different 72.x IP.
I have tried to go back to see if i can find another example of a more current message from the picture but I don't know if it will have an IP in the URL or if it will even say anything about usage.
The thing is I feel like I am getting charged for something I didn't even know I was going over its hard to proof but if I can go back and try ti find information or at least see if maybe it came through on a certain device/when it was acknowledge I would feel better about paying the extra fee. This was one reason why I wanted Pi-hole in place, aside from other numerous reasons.
Is there anyway other way I can find out where the domain pop up message was sent from?
you've masked the IP address, so I cannot do this for you.
the command (on the pi) "dig -x 72.240.24.1" returns "72-240-24-1.telesystem.us." in my region (may be different in your region).
If the page actually opened (not blocked by a browser addon, such as ublock origin), the browser may have issued a DNS query for that domain.
Execute the dig command (-x is reverse lookup), and search the query log for the resulting domain, maybe that helps.
Hello, thank you for replying. Where exactly on the pi do i type dig - x 72.240.24.1" ?
I tried going to long-term data, query log, selected a few dates and then in the search bar near the right, tried the dig -x command but that didn't do anything. Then i typed in telesystem in the search bar for the whole month of March and that did find anything. I think I'm doing something wrong.
you need to enter this in a terminal window, e.g. the method you used to install pihole in the first place.
Thank you! I so appreciate your help and the screenshot. I am new to using the Pi-hole and linux, so still learning. I appreciate all the help. I did what you said, and i looked back at the IP that i had from the OS upgrade example, it was 24.36. Below are my results. Honestly, looking at this, i am not sure what the OPT Pseudosection is. The answer section underneath the OPT Pseudosection, i look at it and think okay the 36.24.240.72.in-addr.arpa. 10800 in, my guess is that specifically means, its the IP it came in on, then the 10800 is the port. Then the PTR 72.240.24.36.telesystem.us. is what it displays as in the query log. Sorry if any of that is confusing. So, I wasn't too sure what to do next but then i searched in Pi-hole around a few of the dates that my ISP said they had sent out the alert and that it got notified (specifically march 23rd and 24th at 1pm) when i searched teles i got nothing, if i searched tele it came up with telemetry.x whatever, if i searched the 36.24.240.72 pic shown in the screen shot i got nothing. if i just put in 36.2 i get nothing, if i just type 36. I get a handful of diff. ips w/36. or 136. etc. so I am not too sure what the next step is. I feel like I am so close but yet so far away. Any ideas?
Below are my screen shots from some of my results.
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.