Pre-Warning Security Feature for domains being called

Hi guys,

What about the following idea:

Pi-hole collects (source IP for people who use hosted Pi-hole) and IPs that are called frequently but are not shown in white- or blacklists and sends out a warning message by email if an unknown/new domain is called X times in a specific time range (could also be fine-tuned, e.g. this only applies to domains that contain specific keywords).

Example: I have bought a new device or downloaded a new app that sends a lot of statistical data to the server located in China (e.g. router-a0-push.leancloud.cn). If I don't go through the logs frequently this will never be recognized. If I got a warning message that my new device/app called an unknown (not white- or blacklisted) domain 30 times within 24 hours, I could check the domain and block it in Pi-hole manually. Additionally, those domains could be shown in an extra window on the Pi-hole GUI so I can select which ones I want to blacklist or reject (reject could be another filter list so it does not mix with the whitelist).

This might be an interesting security feature in Pi-hole and might even be considered a kind of IoC (Indicator of Compromise).

Thoughts?
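
The check proposed above, as an added example that is not part of the original post and is not Pi-hole code: it counts queries per domain in a sliding window, skips anything already on the whitelist or blacklist, and reports which clients queried each domain that crosses the threshold. Assumptions: the input is dnsmasq-style query lines, the function and parameter names are hypothetical, the year is supplied by the caller because the timestamps carry none, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed input: dnsmasq-style query lines ("... query[A] name from client")
QUERY_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: query\[[^\]]+\] (\S+) from (\S+)$")

def unknown_domain_alerts(lines, known, threshold=30,
                          window=timedelta(hours=24), year=2024):
    """Return {domain: sorted client IPs} for domains on neither list that
    were queried at least `threshold` times within any span of `window`."""
    recent = defaultdict(deque)   # domain -> (timestamp, client) inside window
    alerts = {}
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue              # replies, forwards and other log lines
        stamp, domain, client = m.groups()
        domain = domain.lower().rstrip(".")
        if domain in known:
            continue              # already white- or blacklisted
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        q = recent[domain]
        q.append((ts, client))
        while ts - q[0][0] > window:
            q.popleft()           # forget queries older than the window
        if len(q) >= threshold:
            alerts.setdefault(domain, set()).update(c for _, c in q)
    return {d: sorted(c) for d, c in alerts.items()}

def sample_log():
    """Constructed sample lines (not from a real log), in time order."""
    base, events = datetime(2024, 3, 12, 8, 0, 0), []
    for i in range(30):
        events += [
            (base + timedelta(minutes=30 * i), "router-a0-push.leancloud.cn", "192.168.1.50"),
            (base + timedelta(hours=2 * i), "slow.example", "192.168.1.20"),
            (base + timedelta(minutes=5 * i), "pi-hole.net", "192.168.1.20"),
        ]
    return [f"{ts:%b %d %H:%M:%S} dnsmasq[812]: query[A] {dom} from {ip}"
            for ts, dom, ip in sorted(events)]

if __name__ == "__main__":
    known = {"pi-hole.net", "ads.example"}   # whitelist and blacklist combined
    for domain, clients in unknown_domain_alerts(sample_log(), known).items():
        print(f"unknown domain {domain} queried 30+ times in 24h by {clients}")
```

In the sample, `slow.example` is also unknown but is queried only every two hours, so it never reaches 30 queries inside one 24-hour window and stays below the alert threshold.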