Sneaky Query... how did this happen?

Do you have any suspicions what might have happened? Is this an issue with the current FTL?

I'm now convinced something must be wrong with the Query Log or FTL (I'm not sure how FTL works but Mcat12 gave me the impression it's involved here). How could a user produce all these queries at the exact same second?

The actual list is much longer, but I couldn't fit it. Here are all the queries from 10.139.12.100 at 01:17:27

2017-08-11 01:17:27 IPv4 rad.msn.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 01:17:27 IPv4 c.msn.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 01:17:27 IPv4 rad.msn.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 01:17:27 IPv4 c.msn.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 01:17:27 IPv4 www.bing.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 01:17:27 IPv4 www.msn.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 01:17:27 IPv4 a-0001.a-msedge.net 10.139.12.100 OK (cached) Blacklist
2017-08-11 01:17:27 IPv4 www.msn.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 01:17:27 IPv4 www.myhomemsn.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 01:17:27 IPv4 support.microsoft.com 10.139.12.100 OK (cached) Blacklist
2017-08-11 01:17:27 IPv4 outlook.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 01:17:27 IPv4 clk.tradedoubler.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 01:17:27 IPv4 clk.tradedoubler.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 01:17:27 IPv4 e3843.g.akamaiedge.net 10.139.12.100 OK (cached) Blacklist
2017-08-11 01:17:27 IPv4 outlook.com 10.139.12.100 OK (cached) Blacklist
2017-08-11 01:17:27 IPv4 www.skype.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 01:17:27 IPv4 redirect.viglink.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 01:17:27 IPv4 redirect.viglink.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 01:17:27 IPv4 onedrive.live.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 01:17:27 IPv4 bing.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 01:17:27 IPv4 livecmseastus.cloudapp.net 10.139.12.100 OK (cached) Blacklist
2017-08-11 01:17:27 IPv4 bing.com 10.139.12.100 OK (cached) Blacklist
2017-08-11 01:17:27 IPv4 a-0014.a-msedge.net 10.139.12.100 OK (cached) Blacklist
2017-08-11 01:17:27 IPv4 www.facebook.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 01:17:27 IPv4 static-entertainment-eus-s-msn-com.akamaized.net 10.139.12.100 OK (forwarded)
2017-08-11 01:17:27 IPv4 static-entertainment-eus-s-msn-com.akamaized.net 10.139.12.100 OK (forwarded)
2017-08-11 01:17:27 IPv4 www.onenote.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 01:17:27 IPv4 star-mini.c10r.facebook.com 10.139.12.100 OK (cached) Blacklist
2017-08-11 01:17:27 IPv4 twitter.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 01:17:27 IPv4 go.microsoft.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 01:17:27 IPv4 twitter.com 10.139.12.100 OK (cached) Blacklist
2017-08-11 01:17:27 IPv4 e11290.dspg.akamaiedge.net 10.139.12.100 OK (cached) Blacklist
2017-08-11 01:17:27 IPv4 www.fool.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 01:17:27 IPv4 www.autotrader.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 01:17:27 IPv4 evcert.motleyfool.map.fastly.net 10.139.12.100 OK (cached) Blacklist
2017-08-11 01:17:27 IPv4 prod-na.reverseproxy-onenote.com.akadns.net 10.139.12.100 OK (cached) Blacklist
2017-08-11 01:17:27 IPv4 zone.msn.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 01:17:27 IPv4 www.match.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 01:17:27 IPv4 cggameszone.cloudapp.net 10.139.12.100 OK (cached) Blacklist
2017-08-11 01:17:27 IPv4 e8175.a.akamaiedge.net 10.139.12.100 OK (cached) Blacklist

It's perfectly normal for several queries to happen at the same time (a website requests many different domains, the OS batches requests, or just random chance). We're looking into why this might be happening, so it would be helpful if you uploaded the corresponding pihole.log log snippet so we can try to reproduce this.

You want just a chunk of the pihole.log or should I pihole -d? If you want a chunk, please let me know how much of it and a recommendation for the command.

edit: I know that many queries can happen at the same time, but looking at the queries specifically raises some flags for me. For example, I doubt any site is trying to grab information from autotrader.com, facebook.com, and match.com simultaneously, in addition to all the rest.

Thanks

Give a chunk of the query log at a certain time and the corresponding chunk from pihole.log (using grep). The command should look like the one you used previously (either pihole.log or pihole.log.1 depending on the time of the query):

sudo cat /var/log/pihole.log | grep "11:40"

You can send this output to us in the same manner as the debug log is sent:

The amount and variety of those same-second queries is interesting, so we might find that that is a bug as well.

Ummm... it's not showing up in the pihole.log...

I ran sudo cat /var/log/pihole.log | grep "01:17:"

edit: For clarity's sake, I wanted to point out that this thread contains 2 similar issues but on 2 different PiHoles at 2 different facilities.

Try finding when the behavior starts and stops in the log and share the chunk in between those times.

I've found another chunk, but looking at the pihole.log seems normal until you see the corresponding query log that doesn't match at all. Here is another instance (I'm not sure how to grep a range of time and what good it would do without the query log):

and here is the rest of the query log for 00:54:08

2017-08-11 00:54:08 IPv4 otf.msn.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 00:54:08 IPv4 otf.msn.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 00:54:08 IPv4 www.myhomemsn.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 rad.msn.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 00:54:08 IPv4 rad.msn.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 00:54:08 IPv4 support.microsoft.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 outlook.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 e3843.g.akamaiedge.net 10.139.12.100 OK (cached) Blacklist
2017-08-11 00:54:08 IPv4 clk.tradedoubler.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 00:54:08 IPv4 clk.tradedoubler.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 00:54:08 IPv4 www.skype.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 redirect.viglink.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 00:54:08 IPv4 redirect.viglink.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 00:54:08 IPv4 outlook.com 10.139.12.100 OK (cached) Blacklist
2017-08-11 00:54:08 IPv4 onedrive.live.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 livecmseastus.cloudapp.net 10.139.12.100 OK (cached) Blacklist
2017-08-11 00:54:08 IPv4 www.facebook.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 a-0014.a-msedge.net 10.139.12.100 OK (cached) Blacklist
2017-08-11 00:54:08 IPv4 www.onenote.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 star-mini.c10r.facebook.com 10.139.12.100 OK (cached) Blacklist
2017-08-11 00:54:08 IPv4 go.microsoft.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 e11290.dspg.akamaiedge.net 10.139.12.100 OK (cached) Blacklist
2017-08-11 00:54:08 IPv4 www.fool.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 www.autotrader.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 static-entertainment-eus-s-msn-com.akamaized.net 10.139.12.100 OK (forwarded)
2017-08-11 00:54:08 IPv4 static-entertainment-eus-s-msn-com.akamaized.net 10.139.12.100 OK (forwarded)
2017-08-11 00:54:08 IPv4 prod-na.reverseproxy-onenote.com.akadns.net 10.139.12.100 OK (cached) Blacklist
2017-08-11 00:54:08 IPv4 zone.msn.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 e8175.a.akamaiedge.net 10.139.12.100 OK (cached) Blacklist
2017-08-11 00:54:08 IPv4 www.match.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 evcert.motleyfool.map.fastly.net 10.139.12.100 OK (cached) Blacklist
2017-08-11 00:54:08 IPv4 flights.msn.com 10.139.12.100 OK (forwarded) Blacklist

edit: the queries in the query log are extremely similar to the previous instance. I've run MalwareBytes, CCleaner, and our AV scanner on 10.139.12.100 with nothing out of the ordinary popping up.
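As an added example (not Pi-hole project code and not from anyone in this thread), here are the two checks this discussion keeps circling in one POSIX shell script: flag seconds in which one client asked for an unusually large set of distinct domains, using the Query Log line layout quoted above, and pull a time range of query lines out of pihole.log so the two sources can be compared for that client and second. The dnsmasq line layout of pihole.log ("Mon DD HH:MM:SS dnsmasq[pid]: query[A] domain from client") is assumed, and both samples are constructed to mirror the mismatch described, not real data.

```shell
# Constructed sample in the web Query Log format quoted above (not real data).
QUERY_LOG='2017-08-11 00:54:07 IPv4 www.example.net 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 otf.msn.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 00:54:08 IPv4 otf.msn.com 10.139.12.100 Pi-holed Whitelist
2017-08-11 00:54:08 IPv4 www.myhomemsn.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 outlook.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 www.facebook.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 www.match.com 10.139.12.100 OK (forwarded) Blacklist
2017-08-11 00:54:08 IPv4 www.example.net 10.139.12.101 OK (cached) Blacklist
2017-08-11 00:54:09 IPv4 outlook.com 10.139.12.100 OK (cached) Blacklist'

# Constructed sample in dnsmasq's pihole.log format, assumed to be
# "Mon DD HH:MM:SS dnsmasq[pid]: query[A] <domain> from <client>".
PIHOLE_LOG='Aug 11 00:54:07 dnsmasq[610]: query[A] www.example.net from 10.139.12.100
Aug 11 00:54:07 dnsmasq[610]: forwarded www.example.net to 192.0.2.53
Aug 11 00:54:08 dnsmasq[610]: query[A] otf.msn.com from 10.139.12.100
Aug 11 00:54:08 dnsmasq[610]: /etc/pihole/gravity.list otf.msn.com is 192.0.2.10
Aug 11 00:54:08 dnsmasq[610]: query[A] outlook.com from 10.139.12.100
Aug 11 00:54:09 dnsmasq[610]: query[A] outlook.com from 10.139.12.100'

# burst_seconds N: Query Log on stdin; print "count client time" for every
# (client, second) that asked for more than N distinct domains.
burst_seconds() {
  awk -v t="$1" '{ k = $5 " " $2; if (!seen[k SUBSEP $4]++) n[k]++ }
                 END { for (k in n) if (n[k] > t) print n[k], k }' | sort -rn
}

# log_range FROM TO: pihole.log on stdin; keep query[...] lines whose HH:MM:SS
# falls in [FROM, TO] (string comparison is safe for zero-padded times).
log_range() {
  awk -v a="$1" -v b="$2" '$3 >= a && $3 <= b && $5 ~ /^query\[/'
}

# Distinct domains each source attributes to CLIENT ($1) at second TIME ($2).
web_domains() {
  awk -v c="$1" -v s="$2" '$5 == c && $2 == s { print $4 }' | sort -u | wc -l | tr -d ' '
}
dnsmasq_domains() {
  awk -v c="$1" -v s="$2" '$3 == s && $5 ~ /^query\[/ && $8 == c { print $6 }' |
    sort -u | wc -l | tr -d ' '
}

# Demo: find the burst, then compare both sources for that client and second.
printf '%s\n' "$QUERY_LOG" | burst_seconds 3
printf '%s\n' "$PIHOLE_LOG" | log_range 00:54:08 00:54:08
echo "web: $(printf '%s\n' "$QUERY_LOG" | web_domains 10.139.12.100 00:54:08)" \
     "dnsmasq: $(printf '%s\n' "$PIHOLE_LOG" | dnsmasq_domains 10.139.12.100 00:54:08)"
```

On a real Pi-hole, feed `/var/log/pihole.log` (or `pihole.log.1`) to `log_range` and the exported Query Log to `burst_seconds`; a second where the web count is far above the dnsmasq count is exactly the kind of mismatch worth attaching to a bug report.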

Try uploading your pihole.log, pihole.log.1, and the output of http://pi.hole/admin/api.php?getAllQueries to Tricorder:

/var/log/pihole.log -> 2ulh347mu9
/var/log/pihole.log.1 -> 708i49i1k1

What command should I use for http://pi.hole/admin/api.php?getAllQueries before piping it?

edit: I used curl and the entire output was: []
I double checked with my browser:

[]

is the response if there is (a) no data at all (unlikely) or (b) you are not authorized to get this data. You have to be logged into your Pi-hole dashboard and you will get the data only in the very same browser. Even on the same computer, curl is not authorized to get the data and hence will still see [].

You are correct. I logged into the PiHole dashboard, opened another tab with the api.php URL and it did indeed pull the information. So, how can I pass credentials for the api.php with curl on the PiHole?

I tried curl -u pi:[password] but that still got me []. Isn't that the username that is passed on the dashboard?

Use something like

curl 'http://pi.hole/admin/api.php?getAllQueries&auth=183c1b634da0078fcf5b0af84bdcbb3e817708c3f22b329be84165f4bad1ae58'

as described here

You can get the auth key from your /etc/pihole/setupVars.conf file (see WEBPASSWORD=).

Another success brings another failure:

Not sure if you got that tricorder upload or not, I'm not familiar with the curl error that occurred.

Yes, it uploaded partially. We apply a certain (not too high) limit on the amount of data users can put to our Tricorder server to protect ourselves from a few possible attack vectors. Hence, your data was cut off at some point and this is how curl reacted to this.

I'll now look at your data. Can you please also send a screenshot of your Query Log (possibly the last or second to last page you can see)?

I hope this is what you're looking for. I went to query log, enabled Show All, then went to the last page available.

Let me know if you need anything else, I'm standing by.

Thanks. What I can see here matches your uploaded API data perfectly. Any chance that you see somewhere the problem you have?

If the api.php?getAllQueries is showing exactly what the Query Log shows, then I have an example above (00:54:08)

Okay, sorry, I should have been clearer on this. The uploaded data is, unfortunately, not sufficient for seeing data from today.

One other odd thing is, though, that your screenshot shows a domain e3843.g.akamaiedge.net which does not seem to exist in either of your uploaded files (pihole.log / pihole.log.1). It is possible that it was cut off during upload.

Could you please run

grep 'e3843' /var/log/pihole.log
grep 'e3843' /var/log/pihole.log.1