I apologize if this is answered anywhere. Between google and internal search I couldn't find much of anything.
Pi-Hole seems to be working great for 5.18 but in the Query Log, how do I see the actual reply answer?
For example, domain might say Google, Status OK, and Reply of IP.
How do I view the specific IPs that were returned to the client for that specific lookup? Outside of the actual pihole.log file, I can't seem to find resolver information which is pretty helpful.
This is important for matching up firewall logs back to DNS queries.
IPs from the firewall logs should be readily grepable from /var/log/pihole/pihole.log*, for which a live view is available via Tools | Tail pihole.log.
The resolver that Pi-hole has been using for a request is also listed in the Status column of Pi-hole's Query Log UI, as a bracketed entry like
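Grep gets you the raw lines, but the question in this thread is really a correlation: given an IP from the firewall, which client asked for which name and got that IP back. The script below is an added example, not part of this thread or of Pi-hole's own code. It assumes the dnsmasq-format lines Pi-hole writes to pihole.log with query logging on (query[TYPE] name from client, then forwarded/cached/reply lines for the same name); the log lines it parses are constructed for the example, not captured traffic.

```python
"""Correlate a suspicious IP (e.g. from a firewall log) with Pi-hole's pihole.log.

Added example, not code from the thread or from Pi-hole. Assumes the
dnsmasq-style line layout Pi-hole writes with query logging enabled;
the sample lines below are constructed, not real traffic.
"""
import re
from typing import Dict, List, Optional

# Constructed sample of pihole.log lines (dnsmasq format: no year in the
# timestamp, one line per step of a lookup). Not captured from a real system.
SAMPLE_LOG = """\
Mar  3 03:00:01 dnsmasq[812]: query[A] cdn.example.com from 192.168.1.23
Mar  3 03:00:01 dnsmasq[812]: forwarded cdn.example.com to 1.1.1.1
Mar  3 03:00:01 dnsmasq[812]: reply cdn.example.com is <CNAME>
Mar  3 03:00:01 dnsmasq[812]: reply edge.example.net is 203.0.113.7
Mar  3 03:00:01 dnsmasq[812]: reply edge.example.net is 203.0.113.8
Mar  3 03:00:02 dnsmasq[812]: query[A] www.example.org from 192.168.1.50
Mar  3 03:00:02 dnsmasq[812]: cached www.example.org is 198.51.100.4
Mar  3 03:01:17 dnsmasq[812]: query[A] update.example.com from 192.168.1.23
Mar  3 03:01:17 dnsmasq[812]: forwarded update.example.com to 1.1.1.1
Mar  3 03:01:17 dnsmasq[812]: reply update.example.com is 203.0.113.9
"""

# Timestamp first, then whatever dnsmasq prints before the message (process
# name, and the extra "id client/port" fields if log-queries=extra is set).
QUERY_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?query\[(\w+)\] (\S+) from (\S+)$")
REPLY_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?(?:reply|cached) (\S+) is (\S+)$")


def correlate(log_text: str, suspect_ip: str) -> List[Dict[str, str]]:
    """Return one record per answer line that handed suspect_ip to a client.

    Heuristic: dnsmasq logs the query line before the reply lines of the same
    lookup, so the most recent query[...] for the answered name identifies the
    client. A reply for a CNAME target has no query line of its own (the client
    asked for the alias), so fall back to the most recent query of any name and
    flag the match as reached via a CNAME.
    """
    last_query_for: Dict[str, Dict[str, str]] = {}
    last_query: Optional[Dict[str, str]] = None
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            ts, qtype, domain, client = m.groups()
            last_query = {"time": ts, "qtype": qtype, "domain": domain, "client": client}
            last_query_for[domain] = last_query
            continue
        m = REPLY_RE.match(line)
        if not m or m.group(3) != suspect_ip:
            continue
        ts, answered, _ = m.groups()
        q = last_query_for.get(answered)
        via_cname = q is None
        if q is None:
            q = last_query
        hits.append({
            "time": ts,
            "answer_name": answered,
            "queried_name": q["domain"] if q else "unknown",
            "client": q["client"] if q else "unknown",
            "via_cname": "yes" if via_cname else "no",
        })
    return hits


if __name__ == "__main__":
    # Realistic use: read the rotated logs instead of SAMPLE_LOG, e.g.
    # cat /var/log/pihole/pihole.log* (path as given earlier in the thread).
    for hit in correlate(SAMPLE_LOG, "203.0.113.7"):
        print(hit)
```

The CNAME fallback is the part worth checking by hand: a reply for the alias target arrives without its own query line, so the script attributes it to the last query seen, which is correct when lookups do not interleave across clients but can misattribute on a busy resolver. Treat a via_cname "yes" hit as a lead to confirm against the surrounding lines rather than as proof on its own.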
Grepping a local log file might be OK if the user who is using the web UI has access to the CLI, which in our case they will not. Why make it more difficult than it needs to be?
This should be built into the UI and would be extremely helpful. For most, this would solve the need to look at the local log file.
Tail pihole.log works perfectly for real-time diagnostics. I'm not suggesting that it be removed, or that it is what we are looking for.
If we are investigating why a system on the network contacted 3 random Russian IP addresses at 3 AM, it would be nice for a user, like a security analyst who wouldn't generally have access to the CLI of the DNS system, to open the Query Log in the UI and search for that IP to see if there was a DNS query performed by that PC, which would help potentially link the forensic trail to other things. All newer DNS systems include this for this reason. This probably wasn't much of a need in 2005, but in 2024 this is a base security requirement of any security team or anyone looking for a DNS platform. This could be performed by watching the pihole.log file and constantly sending it to a SIEM as well, but again, this is basic functionality in 2024. This should be included in 6.0 if it is not already. Very valuable historical data.