Regex domain rule switching itself from 'deny' to 'allow'

Longtime home user, currently on 6.0.6/FTL 6.1, running as a CentOS VM in MS Hyper-V.

I use the standard gravity list, plus 19 custom rules:

  • One regex allow
  • Eight exact deny
  • Ten regex deny

Periodically, one of my regex deny rules will flip itself to regex allow. When it happens, it's always the same one, the second-to-last rule in the overall list.

I haven't been able to locate any admin audit log for pihole that would show if/when/who made any changes to the domain rules, but I'm the only person with access to the install and I've changed the password to something that lives only in my head.

Debug Token

Is it the gaming domain?

   id  type  enabled  group_ids  domain             date_added           date_modified        comment
   --  ----  -------  ---------  -----------------  -------------------  -------------------  -------
   24     3        1  0          (\.|^)_REDACTED_$  2024-11-22 23:20:30  2025-04-09 14:16:59

My off-the-cuff guess is that someone really wants to play their game and has a way to get around your setup.

   2025-04-09 14:16:59.956 PDT [551001/T551021] INFO: Compiled 1 allow and 10 deny regex for 4 clients in 2.8 msec

-rw-r-----. 1 pihole pihole 90 Apr  9 14:16 /var/log/pihole/webserver.log
   -----head of webserver.log------
   [2025-04-09 14:16:42.793 PDT 551001] Authentication required, redirecting to /admin/login

Do you know what system is at 192.168.15.2?

   Apr  9 00:00:05 dnsmasq[551001]: query[A] friends.REDACT.com from 192.168.15.2

Yep, it's that godawful gaming platform. I suspected someone might be using the saved creds in my browser to access the pihole webadmin, even though I'm pretty diligent about locking my screen, so I changed the PW. It's also why I was looking for an audit log of admin/config changes. It was a long shot, though, because none of my kiddos are tech savvy. Didn't make any difference; I still saw the rule flip from deny to allow.

The webserver redirect is because the saved link in my browser points to the 5.x endpoint, which has been changed in 6.x, so that's just me accessing it.

That 15.2 IP address is our mesh wifi router. My network is set up with our internet connection feeding into a wired router. The only two devices connected to it are my PC (which hosts pihole) and the mesh router. All other clients in the house are wifi, and the mesh runs in a different network segment (192.168.86.x). So really the only way to access pihole itself is from my PC, AFAIK.

You wouldn't have scheduled a cron job to automatically enable domains during certain hours?

I hadn't thought about that, but no:

[root@pihole ~]# crontab -l
no crontab for root
[root@pihole ~]# crontab -lu pihole
no crontab for pihole

You haven't checked system-wide cron jobs, as stored in /etc/crontab and in the /etc/cron.*/ directories. You could grep pihole in those.

Nothing in /etc/crontab, and the stuff in /etc/cron.d/pihole looks to be standard housekeeping tasks (I've never touched it).

[root@pihole etc]# cat cron.d/pihole |grep -v \#

46 3   * * 7   root    PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole updateGravity >/var/log/pihole/pihole_updateGravity.log || cat /var/log/pihole/pihole_updateGravity.log

00 00   * * *   root    PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole flush once quiet

@reboot root /usr/sbin/logrotate --state /var/lib/logrotate/pihole /etc/pihole/logrotate

55 15  * * *   root    PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole updatechecker
@reboot root    PATH="$PATH:/usr/sbin:/usr/local/bin/" pihole updatechecker reboot

What's the (regular?) period?

If the rule or its containing group has been disabled via Pi-hole's UI, you'd see a line similar to INFO: Compiled 1 allow and 8 deny regex for 1 client in 19.7 msec in /var/log/pihole/FTL.log, but note that line may also get logged upon certain other events, e.g. if pihole-FTL is restarted.

It's happened three times since mid- to late-January. Not frequent enough that I can readily identify a pattern or correlate it to some event, but enough that I know there's something fishy happening.

My setup is pretty vanilla, aside from running unbound as my resolver... just the rules I mentioned, no groups even. I'm running the LCARS web UI, though that shouldn't matter. I've been using it for years, and this behavior only surfaced recently.

The log entry you noted is actually one of the things that tipped me off to a problem - during a gravity update, I noticed it said "2 allow and 9 deny regex..." on restart, and I couldn't recall ever setting up a second allow rule.

Again, it's odd there's no administrative logging. Particularly in multi-admin setups, it seems like you'd want a record of changes being made and by whom.
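Since the thread ends on the missing audit trail, here is an added example (not Pi-hole's own code and not from any poster) that snapshots the domainlist table of gravity.db with Python's sqlite3 module and reports any rule whose type changed, such as a regex deny turning into a regex allow. The in-memory table, the domain value and the timestamps are constructed stand-ins carrying only the columns the thread shows; the type codes follow Pi-hole's domainlist convention (0/1 exact allow/deny, 2/3 regex allow/deny).

```python
import sqlite3

# Pi-hole gravity.db domainlist.type codes (0/1 exact allow/deny, 2/3 regex allow/deny).
TYPE_NAMES = {0: "exact allow", 1: "exact deny", 2: "regex allow", 3: "regex deny"}

def load_rules(conn):
    """Snapshot the domainlist table as {id: (type, enabled, domain, date_modified)}."""
    rows = conn.execute(
        "SELECT id, type, enabled, domain, date_modified FROM domainlist ORDER BY id"
    ).fetchall()
    return {rid: (typ, enabled, domain, modified) for rid, typ, enabled, domain, modified in rows}

def diff_rules(before, after):
    """Return human-readable descriptions of rules that changed between two snapshots."""
    changes = []
    for rid, (typ, enabled, domain, modified) in after.items():
        if rid not in before:
            changes.append(f"added id={rid} {TYPE_NAMES.get(typ, typ)} {domain}")
            continue
        old_typ, old_enabled, old_domain, _ = before[rid]
        if typ != old_typ:  # the deny -> allow flip described in the thread
            changes.append(f"TYPE FLIP id={rid} {domain}: {TYPE_NAMES.get(old_typ, old_typ)}"
                           f" -> {TYPE_NAMES.get(typ, typ)} (date_modified {modified})")
        elif enabled != old_enabled:
            changes.append(f"enabled changed id={rid} {domain}: {old_enabled} -> {enabled}")
        elif domain != old_domain:
            changes.append(f"domain changed id={rid}: {old_domain} -> {domain}")
    for rid in sorted(before.keys() - after.keys()):
        changes.append(f"removed id={rid} {before[rid][2]}")
    return changes

def demo():
    """Constructed in-memory stand-in for gravity.db with only the columns the thread shows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE domainlist (id INTEGER PRIMARY KEY, type INTEGER, enabled INTEGER,"
                 " group_ids TEXT, domain TEXT, date_added TEXT, date_modified TEXT, comment TEXT)")
    conn.execute("INSERT INTO domainlist VALUES (24, 3, 1, '0', '(\\.|^)example-game\\.test$',"
                 " '2024-11-22 23:20:30', '2024-11-22 23:20:30', '')")
    before = load_rules(conn)
    # Simulate the observed event: rule 24 silently becomes a regex allow (constructed timestamp).
    conn.execute("UPDATE domainlist SET type = 2, date_modified = '2025-04-09 14:16:59' WHERE id = 24")
    after = load_rules(conn)
    return diff_rules(before, after)

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run against /etc/pihole/gravity.db on a schedule while persisting the previous snapshot, and the report's date_modified value gives a timestamp to correlate with the "Compiled ... regex" lines in FTL.log.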