Regex domain rule switching itself from 'deny' to 'allow'

Roland_Deschain · April 9, 2025, 9:50pm

Longtime home user, currently on 6.0.6/FTL 6.1, running as a CEntOS VM in MS HyperV.

I use the standard gravity list, plus 19 custom rules:

One regex allow
Eight exact deny
Ten regex deny

Periodically, one of my regex deny rules will flip itself to regex allow. When it happens, it's always the same one, the second-to-last rule in the overall list.

I haven't been able to locate any admin audit log for pihole that would show if/when/who made any changes to the domain rules, but I'm the only person with access to the install and I've changed the password to something that lives only in my head.

Debug Token

DanSchaper · April 9, 2025, 10:58pm

Is it the gaming domain?

   id     type  enabled  group_ids     domain                                                                                                date_added           date_modified        comment                                           
   -----  ----  -------  ------------  ----------------------------------------------------------------------------------------------------  -------------------  -------------------  --------------------------------------------------
   24        3        1  0             (\.|^)_REDACTED_$                                                                                    2024-11-22 23:20:30  2025-04-09 14:16:59

My off the cuff guess is that someone really wants to play their game and has a way to get around your setup.

   2025-04-09 14:16:59.956 PDT [551001/T551021] INFO: Compiled 1 allow and 10 deny regex for 4 clients in 2.8 msec

-rw-r-----. 1 pihole pihole 90 Apr  9 14:16 /var/log/pihole/webserver.log
   -----head of webserver.log------
   [2025-04-09 14:16:42.793 PDT 551001] Authentication required, redirecting to /admin/login

Do you know what system is at 192.168.15.2?

   Apr  9 00:00:05 dnsmasq[551001]: query[A] friends.REDACT.com from 192.168.15.2

Roland_Deschain · April 12, 2025, 2:42am

Yep, it's that godawful gaming platform. I suspected someone might be using the saved creds in my browser to access the pihole webadmin, even though I'm pretty diligent about locking my screen, so I changed the PW. It's also why I was looking for an audit log of admin/config changes. It was a longshot, though, because none of my kiddos are tech savvy. Didn't make any difference, I still saw the rule flip from deny to allow.

The webserver redirect is because the saved link in my browser points to the 5.x endpoint, which has been changed in 6.x, so that's just me accessing it.

That 15.2 ip address is our mesh wifi router. My network is setup with our internet connection feeding into a wired router. The only two devices connected to it are my PC (which hosts pihole) and the mesh router. All other clients in the house are wifi, and the mesh runs in a different network segment (192.168.86.x). So really the only way to access pihole itself is from my PC, AFAIK.

Bucking_Horn · April 12, 2025, 9:44am

You wouldn't have scheduled a cron job to automatically enable domains during certain hours?

Roland_Deschain · April 13, 2025, 12:05am

I hadn't thought about that, but no:

[root@pihole ~]# crontab -l
no crontab for root
[root@pihole ~]# crontab -lu pihole
no crontab for pihole

Bucking_Horn · April 13, 2025, 7:25am

You haven't checked system-wide cron jobs, as stored in /etc/crontab and in the /etc/cron.*/ directories. You could grep pihole in those.

Roland_Deschain · April 14, 2025, 1:04am

Nothing in /etc/crontab, and the stuff in /etc/cron.d/pihole looks to be standard housekeeping tasks (I've never touched it).

[root@pihole etc]# cat cron.d/pihole |grep -v \#

46 3   * * 7   root    PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole updateGravity >/var/log/pihole/pihole_updateGravity.log || cat /var/log/pihole/pihole_updateGravity.log

00 00   * * *   root    PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole flush once quiet

@reboot root /usr/sbin/logrotate --state /var/lib/logrotate/pihole /etc/pihole/logrotate

55 15  * * *   root    PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole updatechecker
@reboot root    PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole updatechecker reboot

Bucking_Horn · April 14, 2025, 6:31am

What's the (regular?) period?

If the rule or its containing group has been disabled via Pi-hole's UI, you'd see a line similar to INFO: Compiled 1 allow and 8 deny regex for 1 client in 19.7 msec in /var/log/pihole/FTL.log, but note that line may also get logged upon certain other events, e.g. if pihole-FTL is restarted.

Roland_Deschain · April 14, 2025, 10:20pm

It's happened three times since mid- to late-January. Not frequent enough that I can readily identify a pattern or correlate it to some event, but enough that I know there's something fishy happening.

My setup is pretty vanilla, aside from running unbound as my resolver...just the rules I mentioned, no groups even. I'm running the LCARS web UI, though that shouldn't matter. I've been using it for years, and this behavior only surfaced recently.

The log entry you noted is actually one of the things that tipped me off to a problem - during a gravity update, I noticed it said "2 allow and 9 deny regex..." on restart, and I couldn't recall ever setting up a second allow rule.

Again, it's odd there's no administrative logging. Particularly in multi-admin setups, it seems like you'd want a record of changes being made and by whom.

system · May 5, 2025, 10:21pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.