Undetectable Spyware or Pi-Hole bug?

Pi-Hole has revealed that two domains are being accessed every 2 minutes by my Win7 PC.

Happens even when my browsers are closed.

I previously visited these domains using Chrome incognito mode so I thought they infected my PC.

Malwarebytes and Avira find nothing. There are no suspicious add-ons to my browsers.

No process on my computer is accessing these domains. I used netstat and similar checks searching with both the domain names and the ip addresses. Nothing shows up.

Wireshark running on my PC shows these two domains being accessed but lists the ip address as the same internal ip address of my pi-hole.

Is it possible that the pi-hole is somehow labeling itself with these domain names?

may you name the domains, here ?

Sure. They are "REDACTED.ag" and "REDACTED.com". I do not suggest you go there unless you have good malware protection.

There was a previous version which had a bug where the Pi-hole would be given the hostname of the last blacklisted domain. Have you tried updating Pi-hole?


I saw that old bug. Might be related but my install is relatively recent.

Updated anyway just to be sure (console -> pihole -up).

My core was up-to-date. FTL was updated.

Restarted DNS (console -> pihole restartdns) and restarted the pi-hole.

No change.

Also added a new domain to the blacklist to see if it would start showing up but it didn't.

Tried shutting down PC and accessing web and pi-hole from another computer and playing with the Blacklist. Cannot reproduce the issue. Restarted my main PC and those two domains show up in the pihole query before I open any program on the main PC.

Been working on this for days and not sure if my PC is compromised or my pi-hole is broken. Afraid to do any web purchases on my PC until I resolve this.

Tried a new test. Bypassed the pihole for DNS on my main PC.
Ran Wireshark for 4 minutes.
No sign of the two domains being accessed by my PC.

So it MUST be a bug in the pihole, right?

Ran a debug and my debug token is zkwhhfsrxe

You can review the code of Pi-hole at https://github.com/pi-hole/pi-hole but I can't come up with any idea as to why the Pi-hole itself would pick two random domains and try to resolve them. Has the Pi-hole device been exposed to the internet in any way?

Dan,

Thanks for helping me. I'm not a programmer so looking at the code won't help me.

The domains were not fully random, I had previously visited them using Chrome incognito mode and added them to my pihole Blacklist once I saw they were being accessed every 2 mins.

The pihole is connected to my router but not sure what you mean when you ask if it was exposed to the internet.

I noticed some stuff in the debug log under

*** [ DIAGNOSING ]: contents of /var/log/lighttpd

PHP Warning: preg_split(): Delimiter must not be alphanumeric or backslash in /var/www/html/admin/scripts/pi-hole/php/auth.php on line 122

There were a bunch of those but I don't know what it means or if it's relevant.

I only have a 4GB SD card in my pi. Could it be that it's too small or somehow corrupt?

Been working on this for days now and 99% sure it's a bug with the pihole. That 1% chance of it being spyware is keeping me up at nights.

Someone posted about a similar issue and said "Try switching the gravity.list and local.list lines in /etc/dnsmasq.d/01-pi-hole.conf"

I tried using Putty to SSH into my pihole but I could not edit the 01-pi-hole.conf file. Do I need to take the pihole offline, remove the SD card and edit the file in my Windows PC?

Open to any and all suggestions. Even replaced the power supply to make sure it was getting enough juice.

I think I may have confirmed it is NOT spyware.

In Wireshark, the destination IP address for the bad domains also lists a MAC address. That MAC address matches the pihole's MAC address. The IP address is also the same.

Maybe I just need to nuke the pihole and do a fresh re-install on a different SD Card....

EDIT - I unblocked both sites and went there while running WireShark. It showed actual access to the websites using the MAC address of my Router and the actual IP Address of each site.

So it must be a glitch/bug...

The pihole filters all of the blacklisted stuff to itself, so wouldn't it make sense that Wireshark reports the pihole MAC address as the destination?

And once you unblocked them, since they were no longer filtered by the pihole, the IP and mac as reported by wireshark reverted back to the router from where they came in the first place.

If I'm right, the pihole is doing fine, doing its job quite well in fact by blocking what you asked it to. So the question would then be where are those requests coming from if not the pihole?

I've never used wireshark, so it could be I'm misunderstanding those results.
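The point made in the reply above (a blocklisted name resolves to the Pi-hole's own address, so the packets that follow go to the Pi-hole's IP and MAC, while an unblocked name resolves to its real address) can be shown with a small model of hosts-file resolution. This is an added example, not code from Pi-hole or dnsmasq. It assumes hosts-file lines of the form "ip name" consulted in addn-hosts order with the first match winning for both forward and reverse lookups; the addresses 192.168.1.10 and 203.0.113.5, the list contents and every domain name are constructed placeholders, and the upstream resolver is a stub dictionary rather than a live server.

```python
"""
Model of how a DNS sinkhole such as Pi-hole answers queries for blocked names.
Added example; not Pi-hole's or dnsmasq's own code.

Assumptions (labelled here):
  * Blocklists are hosts-file lines "<ip> <name>", like the gravity.list,
    black.list and local.list files referenced in the thread.
  * Files are consulted in the order given (first matching entry wins), and a
    reverse lookup of an address returns the first name mapped to it.
  * Names found in no list are forwarded upstream, represented by a stub dict.
"""
import ipaddress

PIHOLE_IP = "192.168.1.10"   # constructed sample address of the sinkhole

# Constructed sample list contents; all names are placeholders.
GRAVITY_LIST = """\
192.168.1.10 blocked-site-a.example
192.168.1.10 blocked-site-b.example
"""
BLACK_LIST = """\
192.168.1.10 manually-blocked.example
"""
LOCAL_LIST = """\
192.168.1.10 raspberrypi
192.168.1.10 pi.hole
"""

# Stand-in for the upstream servers (server=8.8.8.8 in the config shown).
UPSTREAM = {"example.com": "203.0.113.5"}  # constructed, not a live lookup


def parse_hosts(text):
    """Parse hosts-file text into (ip, name) pairs, skipping comments/blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip = str(ipaddress.ip_address(parts[0]))  # validates the address
        for name in parts[1:]:
            entries.append((ip, name.lower()))
    return entries


class Sinkhole:
    def __init__(self, hosts_files, upstream):
        # hosts_files: list of file contents, in addn-hosts order
        self.entries = [e for text in hosts_files for e in parse_hosts(text)]
        self.upstream = upstream

    def resolve(self, name):
        """Forward (A) lookup: first hosts entry wins, else forward upstream."""
        name = name.lower().rstrip(".")
        for ip, n in self.entries:
            if n == name:
                return ip, "hosts"
        return self.upstream.get(name), "upstream"

    def reverse(self, ip):
        """Reverse (PTR) lookup: first name mapped to the address, if any."""
        for entry_ip, n in self.entries:
            if entry_ip == ip:
                return n
        return None


def build(order=("gravity", "black", "local")):
    """Build a sinkhole with the sample lists in the given addn-hosts order."""
    files = {"gravity": GRAVITY_LIST, "black": BLACK_LIST, "local": LOCAL_LIST}
    return Sinkhole([files[k] for k in order], UPSTREAM)


if __name__ == "__main__":
    s = build()
    # Blocked name: answered from the list with the sinkhole's own address,
    # so the client's next packet for that name goes to the Pi-hole.
    print(s.resolve("blocked-site-a.example"))
    # Unblocked name: forwarded, so the client connects to the real address.
    print(s.resolve("example.com"))
    # Which name the sinkhole's own address reverse-resolves to depends on
    # which list is consulted first.
    print(build().reverse(PIHOLE_IP))
    print(build(("local", "gravity", "black")).reverse(PIHOLE_IP))
```

The last two lines of the main block are the reason list order matters for tools that label packets by reverse lookup: with the blocklist ahead of local.list, the Pi-hole's own address resolves back to a blocked domain name rather than to the Pi-hole's hostname.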

Do your block lists contain any cryptomining addresses?
Try this one; it has just been updated from https://twitter.com/smokingwheels/status/958184008025649153

https://smokingwheels.github.io/Pi-hole/allhosts

There is a bigger list if you go through this post; I concatenated every blocklist I could find.

Try to start the capture with (DNS host or name resolution?) enabled; it makes it easier.

@tuba Your issue sounds exactly like this bug. What is the output of pihole -v and cat /etc/dnsmasq.d/01-pihole.conf?

Here's what's happening:

PC using Pi-Hole for DNS (nothing on Blacklist):
Pi-Hole shows my PC accessing the primewire and 123netflix domains every 2 minutes even when my web browsers are closed. This made me think malware was responsible.

WireShark is a packet analyzer. It lets you see all traffic to and from your network interface.

Wireshark running on my PC also shows access to primewire and 123netflix but lists the IP Address as the Pi-Hole. It seems that Wireshark is recording more frequent access to these domains than listed on the Pi-Hole but I need to double check this.

When I use my browser to intentionally access primewire and 123netflix domains then WireShark info is different - It shows the IP Address as the actual IP Addresses of these domains, NOT the IP Address of my Pi-Hole.

PC bypassing Pi-Hole for DNS on my PC and using WireShark shows no connections to the primewire and 123netflix domains after 4 minutes of monitoring.

This leads me to believe the repeated access to these domains every 2 minutes is my PC accessing the Pi-Hole but labelling it (both internally and on the Pi-Hole) with the wrong domain names of primewire and 123netflix.

This leads me to believe the DNS info is corrupted.

I'm going to nuke my Pi-Hole by doing a complete re-install with a different MicroSD Card, flushing my PC DNS cache and then checking the Dashboard for domain access before adding anything to the Blacklist.

@smokingwheels - Why do you think a Cryptomining address might be relevant?

Mcat12 - Thank you for responding!

I assume '-v' will show the version of my install and cat will show the contents of the 01-pihole.conf file.

I'll run those commands tonight before nuking my install and post back.

It's a bit of a problem: some sites use your hardware and resources for bitcoin mining to put into their own pockets.

Ah, I see. Yes, I'm aware of that.

But I really think it's a glitch in the pi-hole and not actual malware (or implanted mining software).


Here you go:

pi@raspberrypi:~ $ pihole -v
  Pi-hole version is v3.2.1 (Latest: v3.2.1)
  AdminLTE version is v3.2.1 (Latest: v3.2.1)
  FTL version is v2.13.2 (Latest: v2.13.2)


pi@raspberrypi:~ $ cat /etc/dnsmasq.d/01-pihole.conf
# Pi-hole: A black hole for Internet advertisements
# (c) 2015, 2016 by Jacob Salmela
# Network-wide ad blocking via your Raspberry Pi
# http://pi-hole.net
# dnsmasq config for Pi-hole
#
# Pi-hole is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.

###############################################################################
#      FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE.      #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
#                                                                             #
#        IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN:          #
#                      /etc/pihole/setupVars.conf                             #
#                                                                             #
#        ANY OTHER CHANGES SHOULD BE MADE IN A SEPERATE CONFIG FILE           #
#                        OR IN /etc/dnsmasq.conf                              #
###############################################################################

addn-hosts=/etc/pihole/gravity.list
addn-hosts=/etc/pihole/black.list
addn-hosts=/etc/pihole/local.list


localise-queries


no-resolv



cache-size=10000

log-queries
log-facility=/var/log/pihole.log

local-ttl=2

log-async
server=8.8.8.8
server=8.8.4.4
interface=eth0
pi@raspberrypi:~ $

@Mcat12
Does my post, above, shed any light on this issue?

Sorry, I was away from Discourse for a few days. It looks like you're clear of the previous hostname issue. Can you find the log lines in /var/log/pihole.log where dnsmasq resolves those domains?
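The check requested above (find the lines in /var/log/pihole.log where dnsmasq resolves those names) can be automated so that the client, the answer source and the interval between queries are all visible at once, which is what separates "a process on the PC keeps asking for this name" from "the name is only a label". The script below is an added example, not Pi-hole's own tooling. It assumes dnsmasq's log-queries line format ("query[A] name from client", "/path/to/list name is ip", "forwarded name to server", "cached name is ip"), with or without a hostname field after the timestamp; the syslog timestamp carries no year, so a year is assumed for parsing, and the sample log lines, client address 192.168.1.20 and every domain name are constructed.

```python
"""
Triage helper for dnsmasq/Pi-hole query logs. Added example; not Pi-hole code.

For each (client, domain) pair it reports how many queries were logged, where
the answers came from (a blocklist file, the cache, or an upstream forward) and
the gaps between queries, so a "every 2 minutes" pattern stands out.

Assumptions: dnsmasq log-queries format, optional hostname after the timestamp,
and a fixed year because syslog-style timestamps carry none.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LOG_YEAR = 2018  # assumption: the log's timestamps have no year field

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?:\S+ )?dnsmasq\[\d+\]: (?P<msg>.*)$"
)
QUERY_RE = re.compile(r"^query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")
HOSTS_RE = re.compile(r"^(?P<file>/\S+) (?P<name>\S+) is (?P<ip>\S+)$")
FWD_RE = re.compile(r"^forwarded (?P<name>\S+) to (?P<server>\S+)$")
CACHED_RE = re.compile(r"^cached (?P<name>\S+) is (?P<ip>\S+)$")

# Constructed sample log: one name asked every 2 minutes and answered from the
# blocklist, one ordinary name forwarded upstream. Addresses are placeholders.
SAMPLE_LOG = """\
Jan 30 08:00:00 dnsmasq[1234]: query[A] blocked-site-a.example from 192.168.1.20
Jan 30 08:00:00 dnsmasq[1234]: /etc/pihole/gravity.list blocked-site-a.example is 192.168.1.10
Jan 30 08:00:05 dnsmasq[1234]: query[A] example.com from 192.168.1.20
Jan 30 08:00:05 dnsmasq[1234]: forwarded example.com to 8.8.8.8
Jan 30 08:00:05 dnsmasq[1234]: reply example.com is 203.0.113.5
Jan 30 08:02:00 dnsmasq[1234]: query[A] blocked-site-a.example from 192.168.1.20
Jan 30 08:02:00 dnsmasq[1234]: /etc/pihole/gravity.list blocked-site-a.example is 192.168.1.10
Jan 30 08:04:00 dnsmasq[1234]: query[A] blocked-site-a.example from 192.168.1.20
Jan 30 08:04:00 dnsmasq[1234]: /etc/pihole/gravity.list blocked-site-a.example is 192.168.1.10
Jan 30 08:06:00 dnsmasq[1234]: query[A] blocked-site-a.example from 192.168.1.20
Jan 30 08:06:00 dnsmasq[1234]: /etc/pihole/gravity.list blocked-site-a.example is 192.168.1.10
""".splitlines()


def parse_ts(text):
    """Turn 'Jan 30 08:00:00' into a datetime using the assumed year."""
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def analyse(lines):
    """Return {(client, domain): {count, sources, intervals_s, median_interval_s}}."""
    stats = defaultdict(lambda: {"count": 0, "sources": set(), "times": []})
    pending = {}  # domain -> key of the most recent query for that domain
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        q = QUERY_RE.match(msg)
        if q:
            key = (q["client"], q["name"].lower())
            stats[key]["count"] += 1
            stats[key]["times"].append(ts)
            pending[q["name"].lower()] = key
            continue
        # Answer lines carry no client, so attribute them to the latest query.
        for regex, label in ((HOSTS_RE, "file"), (FWD_RE, "forwarded"), (CACHED_RE, "cached")):
            a = regex.match(msg)
            if a:
                key = pending.get(a["name"].lower())
                if key is not None:
                    stats[key]["sources"].add(a["file"] if label == "file" else label)
                break
    report = {}
    for key, s in stats.items():
        gaps = [(b - a).total_seconds() for a, b in zip(s["times"], s["times"][1:])]
        report[key] = {
            "count": s["count"],
            "sources": sorted(s["sources"]),
            "intervals_s": gaps,
            "median_interval_s": median(gaps) if gaps else None,
        }
    return report


def periodic(report, min_count=3, tolerance=0.1):
    """Keys whose queries repeat at a steady interval (all gaps within tolerance of the median)."""
    hits = []
    for key, r in report.items():
        if r["count"] < min_count:
            continue
        med = r["median_interval_s"]
        if med and all(abs(g - med) <= tolerance * med for g in r["intervals_s"]):
            hits.append(key)
    return hits


if __name__ == "__main__":
    rep = analyse(SAMPLE_LOG)
    for key, r in rep.items():
        print(key, r["count"], r["sources"], r["median_interval_s"])
    print("periodic:", periodic(rep))
```

Run it against the real file with analyse(open("/var/log/pihole.log")) in place of the sample. A pair that shows up in periodic() with a blocklist file as its only answer source tells you the client is asking for the name on a timer and being sinkholed; the same name with "forwarded" as its source shows a query that actually left the network.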