Sneaky Query... how did this happen?

I've uploaded the result of "adserver.pandora.com" to tricorder: 8ltrbt03hl

edit: Oh, the result list was shorter than I expected:

At 16:40:17 and 16:40:47 dnsmasq was restarted, but only the second time did it read gravity.list

Thanks. Looking at your uploaded snippet (or the screenshot you just ninja-edited in) I see no problem with FTL anymore. It displayed correctly that your dnsmasq is forwarding one single query ... did you have, by any chance, the Pi-hole disabled around that time?

There is a 30 second disable option on the web interface. I think this may have been what caused the one unblocked query:

I wouldn't have intentionally disabled the PiHole around that time. This is for a company and happened around midnight, which is well past my working hours. As Mcat12 points out, it seems like the dnsmasq was restarted. How often does it do that?

Never (at least not like this). It was disabled and re-enabled exactly 30 seconds later. That smells very much like what @Mcat12 mentioned:

I'm about 99% certain that this is what you did :slight_smile:

Alternatively, what someone else on the network did (if they have the web interface password)

Is there ANY way it could have happened without me explicitly using the disable for 30s feature? As I said, this happened way beyond my working hours.

I'm literally the only person with access to the PiHoles.

Not that I'm aware of anything.

You can trigger it

  1. via the Pi-hole dashboard, or
  2. via the terminal (pihole disable 30s)

Spooky. What do we do now? Is there a ouija board command so we can ask the spirits why they disabled the PiHole for 30s?

Even accounting for the 5 hour difference of the pi / PiHole dashboard, that would still have been at 6:40pm or 5:40am (I forgot which way it goes) and trust me, I'm out the door by 5pm.

You could check the access log of lighttpd: /var/log/lighttpd/access.log

What a wild ride! Another massive file... can I grep something specific in that?

Search for api.php?disable or just disable

That IP address at that time 1502296816 (timestamp, probably UTC) disabled the Pi-hole for 30 seconds.

That's the Pi's IP. Does that mean it came from a bash command or would it also have that IP if it came from the dashboard?

I don't know how to make sense of that timestamp.

That was from the web interface because it gives the token parameter (a CSRF token only used when disabling via the web interface). So someone was on the web interface via the Pi.
Use this site to find out the time in your timezone when that request was made: http://www.unixtimestamp.com/

Edit: This site will give you the local time: https://www.epochconverter.com/

Then the Query Log is correctly translating, and this did in fact happen at 11:40am local time. When I was in a meeting... in other words I'm 99% certain I did not trigger a disable.

Does the IP address in the access log tell us anything about whether this was performed from the dashboard or bash?

There would be no entry in the access log if it was done from bash, because the PHP actually calls the bash function (bash does not interact with the API via PHP, rather the other way around).

If you mean if it was curl-ed or sent via a web browser, it was most likely sent via browser because of the token. That token is only valid for the session, and is only available in the page HTML when logged in.
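The check the thread walks through (grep the lighttpd access log for api.php?disable, convert the timestamp, and use the token parameter to tell a web-interface session from some other HTTP client) as a small script. This is an added example, not code from the thread or from the Pi-hole project; the log lines are constructed in lighttpd's default accesslog layout, the IPs and token are made up, and the UTC-5 local offset is an assumption taken from the thread.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

# Constructed sample lines (IPs, token and paths are made up) in lighttpd's
# default accesslog layout: host vhost user [time] "request" status bytes ...
SAMPLE_LOG = """\
192.168.1.2 pi.hole - [09/Aug/2017:16:39:58 +0000] "GET /admin/index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.2 pi.hole - [09/Aug/2017:16:40:16 +0000] "GET /admin/api.php?disable=30&token=EXAMPLETOKEN HTTP/1.1" 200 24 "http://pi.hole/admin/" "Mozilla/5.0"
192.168.1.2 pi.hole - [09/Aug/2017:16:40:20 +0000] "GET /admin/api.php?summary HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.7 pi.hole - [09/Aug/2017:17:05:01 +0000] "GET /admin/api.php?enable HTTP/1.1" 200 24 "-" "curl/7.52.1"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*"')
LOCAL_TZ = timezone(timedelta(hours=-5))  # assumed: UTC-5, the offset worked out in the thread


def parse_clf_time(text):
    """Turn '09/Aug/2017:16:40:16 +0000' into a timezone-aware datetime."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def find_toggle_requests(log_text, local_tz=LOCAL_TZ):
    """Return one record per api.php request that disabled or enabled blocking."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if not url.path.endswith("/api.php"):
            continue
        # keep_blank_values so bare flags like ?enable or ?disable survive parsing
        params = parse_qs(url.query, keep_blank_values=True)
        action = next((a for a in ("disable", "enable") if a in params), None)
        if action is None:
            continue
        when = parse_clf_time(m.group("time"))
        events.append({
            "ip": m.group("ip"),
            "action": action,
            # disable=30 means 30 seconds; a bare ?disable carries no duration
            "seconds": int(params["disable"][0]) if params.get("disable", [""])[0] else None,
            "epoch": int(when.timestamp()),
            "local": when.astimezone(local_tz).strftime("%Y-%m-%d %H:%M:%S"),
            # Only the web interface sends token=...; without it the caller was some
            # other HTTP client. The pihole CLI bypasses lighttpd, so it logs nothing.
            "via_web_ui": "token" in params,
        })
    return events
```

Run it against a copy of /var/log/lighttpd/access.log by passing the file's contents to find_toggle_requests; the epoch field matches what the thread quoted (1502296816 is 16:40:16 UTC on 9 Aug 2017, 11:40:16 at UTC-5).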