I am searching for exactly the same topic but for different reasons. I want to see what data would have been transferred to a pi-holed domain. Since Pi Hole is responding with a minimal picture the whole request should be known to the Pi hole instance (including the request body).
This might blow up the access log enormously but should be possible. Possibly this could be restricted to certain hosts or just for the next five minutes.
Another usefull feature in this context would be to look out in these requests for configurable key words and notify the user that he was protected by Pi Hole
Thanks for the hint. Found the log-file /var/log/lighttpd/access.log and it is really worth looking at it.
It gets clear that Pi Hole when using the default configuration prevents updating of Amazon FireTV appliances. Update informations seem to be stored at "aax-eu.amazon-adsystem.com" (at least for Germany) and this domain is on several blacklists.
The access log looks like this:
1509259146|aax-eu.amazon-adsystem.com|GET /s/api3/update_dev_info?app=firetvblackbird&appId=6ca99247d0c04edea1baaa73fbd52f5a&aud=amazon.de&dinfo={%22make%22:%22Amazon%22,%22model%22:%22AFTS%22,%22os%22:%22Android%22,%22osVersion%22:%225.1.1%22}&dt=android&idfa=137e933b-fbaf-40ea-xxxx-xxxxxxxxxxx&oo=0 HTTP/1.1|200|179
(IDFA param masked by me)
Still an interesting feature to have this access log supervised for key words. I will create a cronjob for me now and add "amazon-adsystem.com" to the whitelist.
