Undetectable Spyware or Pi-Hole bug?

You can review the code of Pi-hole at https://github.com/pi-hole/pi-hole but I can't come up with any idea as to why the Pi-hole itself would pick two random domains and try to resolve them. Has the Pi-hole device been exposed to the internet in any way?

Dan,

Thanks for helping me. I'm not a programmer so looking at the code won't help me.

The domains were not fully random, I had previously visited them using Chrome incognito mode and added them to my pihole Blacklist once I saw they were being accessed every 2 mins.

The pihole is connected to my router but not sure what you mean when you ask if it was exposed to the internet.

I noticed some stuff in the debug log under

*** [ DIAGNOSING ]: contents of /var/log/lighttpd

PHP Warning: preg_split(): Delimiter must not be alphanumeric or backslash in /var/www/html/admin/scripts/pi-hole/php/auth.php on line 122

There were a bunch of those but I don't know what it means or if it's relevant.

I only have a 4GB SD card in my pi. Could it be that it's too small or somehow corrupt?

Been working on this for days now and 99% sure it's a bug with the pihole. That 1% chance of it being spyware is keeping me up at night.

Someone posted about a similar issue and said "Try switching the gravity.list and local.list lines in /etc/dnsmasq.d/01-pi-hole.conf"

I tried using Putty to SSH into my pihole but I could not edit the 01-pi-hole.conf file. Do I need to take the pihole offline, remove the SD card and edit the file in my Windows PC?

Open to any and all suggestions. Even replaced the power supply to make sure it was getting enough juice.

I think I may have confirmed it is NOT spyware.

In Wireshark, the destination IP Address for the bad domains also lists a MAC address. That MAC address matches the pihole's MAC address. The IP Address is also the same.

Maybe I just need to nuke the pihole and do a fresh re-install on a different SD Card....

EDIT - I unblocked both sites and went there while running WireShark. It showed actual access to the websites using the MAC address of my Router and the actual IP Address of each site.

So it must be a glitch/bug...

The pihole filters all of the blacklisted stuff to itself, so wouldn't it make sense that wireshark reports the pihole mac address as the destination?

And once you unblocked them, since they were no longer filtered by the pihole, the IP and mac as reported by wireshark reverted back to the router from where they came in the first place.

If I'm right, the pihole is doing fine, doing its job quite well in fact by blocking what you asked it to. So the question would then be where are those requests coming from if not the pihole?

I've never used wireshark, so it could be I'm misunderstanding those results.

Do your block lists contain any cryptomining addresses?
Try this one; it has just been updated from https://twitter.com/smokingwheels/status/958184008025649153

https://smokingwheels.github.io/Pi-hole/allhosts

There is a bigger list if you go through this post; I concatenated every BlockList I could find.

Try to start the capture with (DNS host or name resolution?); it makes it easier.

@tuba Your issue sounds exactly like this bug. What is the output of pihole -v and cat /etc/dnsmasq.d/01-pihole.conf?

Here's what's happening:

PC using Pi-Hole for DNS (nothing on Blacklist):
Pi-Hole shows my PC accessing the primewire and 123netflix domains every 2 minutes even when my web browsers are closed. This made me think malware was responsible.

WireShark is a packet analyzer. It lets you see all traffic to and from your network interface.

Wireshark running on my PC also shows access to primewire and 123netflix but lists the IP Address as the Pi-Hole. It seems that Wireshark is recording more frequent access to these domains than listed on the Pi-Hole but I need to double check this.

When I use my browser to intentionally access primewire and 123netflix domains then WireShark info is different - It shows the IP Address as the actual IP Addresses of these domains, NOT the IP Address of my Pi-Hole.

PC bypassing Pi-Hole for DNS on my PC and using WireShark shows no connections to the primewire and 123netflix domains after 4 minutes of monitoring.

This leads me to believe the repeated access to these domains every 2 minutes is my PC accessing the Pi-Hole but labelling it (both internally and on the Pi-Hole) with the wrong domain names of primewire and 123netflix.

This leads me to believe the DNS info is corrupted.

I'm going to nuke my Pi-Hole by doing a complete re-install with a different MicroSD Card, flushing my PC DNS cache and then checking the Dashboard for domain access before adding anything to the Blacklist.

@smokingwheels - Why do you think a Cryptomining address might be relevant?

Mcat12 - Thank you for responding!

I assume '-v' will show the version of my install and cat will show the contents of the 01-pihole.conf file.

I'll run those commands tonight before nuking my install and post back.

It's a bit of a problem: some sites use your hardware and resources for bitcoin mining to line their own pockets.

Ah, I see. Yes, I'm aware of that.

But I really think it's a glitch in the pi-hole and not actual malware (or implanted mining software).


Here you go:

pi@raspberrypi:~ $ pihole -v
  Pi-hole version is v3.2.1 (Latest: v3.2.1)
  AdminLTE version is v3.2.1 (Latest: v3.2.1)
  FTL version is v2.13.2 (Latest: v2.13.2)


pi@raspberrypi:~ $ cat /etc/dnsmasq.d/01-pihole.conf
# Pi-hole: A black hole for Internet advertisements
# (c) 2015, 2016 by Jacob Salmela
# Network-wide ad blocking via your Raspberry Pi
# http://pi-hole.net
# dnsmasq config for Pi-hole
#
# Pi-hole is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.

###############################################################################
#      FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE.      #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
#                                                                             #
#        IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN:          #
#                      /etc/pihole/setupVars.conf                             #
#                                                                             #
#        ANY OTHER CHANGES SHOULD BE MADE IN A SEPERATE CONFIG FILE           #
#                        OR IN /etc/dnsmasq.conf                              #
###############################################################################

addn-hosts=/etc/pihole/gravity.list
addn-hosts=/etc/pihole/black.list
addn-hosts=/etc/pihole/local.list


localise-queries


no-resolv



cache-size=10000

log-queries
log-facility=/var/log/pihole.log

local-ttl=2

log-async
server=8.8.8.8
server=8.8.4.4
interface=eth0
pi@raspberrypi:~ $

@Mcat12
Does my post, above, shed any light on this issue?

Sorry, I was away from Discourse for a few days. It looks like you're clear of the previous hostname issue. Can you find the log lines in /var/log/pihole.log where dnsmasq resolves those domains?

No worries. I'm not one to complain about free tech support on free software!

Do I just 'cat' that file and look for the domains at issue and copy/post the results here?

You can run pihole -t or tail -F /var/log/pihole.log to follow the log as it's written to. More info here:

I pulled the old 4GB microSD card and installed Raspbian and pihole on a brand new 32GB microSD card. Still seeing primewire and 123netflix every 2 mins.

Pulled 32GB card, reformatted, flushed DNS, cleared cookies and everything else from all browsers. Installed Raspbian and pihole. Still seeing primewire and 123netflix every 2 mins.

Here is the log info:
Feb 4 00:12:00 dnsmasq[9095]: query[A] primewire.ag from 192.168.1.15
Feb 4 00:12:00 dnsmasq[9095]: cached primewire.ag is 104.31.17.3
Feb 4 00:12:00 dnsmasq[9095]: cached primewire.ag is 104.31.16.3
Feb 4 00:12:00 dnsmasq[9095]: query[A] 123netflix.com from 192.168.1.15
Feb 4 00:12:00 dnsmasq[9095]: cached 123netflix.com is 104.25.84.57
Feb 4 00:12:00 dnsmasq[9095]: cached 123netflix.com is 104.25.83.57

I'm really at a loss right now. :tired_face:

If it helps, I have an Asus RT-N66U Router with stock firmware. LAN DNS set to my pihole's IP address.
WAN DNS Server1 set to pihole's IP address and DNS Server2 set to 8.8.8.8.

Win7 PC that continues to access primewire and 123netflix every 2 mins has a static IP address, hardwired ethernet cable to my router and adapter IPv4 Preferred DNS Server set to the pihole's IP address.

EDIT: I noticed the log time is 5 hours ahead. My PCs are set to the correct date, time and timezone. Checked it with browsers on 2 different computers. Odd.

EDIT 2: Fixed the time issue by going into 'sudo raspi-config' and setting the proper timezone.
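An added example, not part of this thread, that runs the check the log lines above invite over /var/log/pihole.log: group the query[] lines by client and domain and flag streams whose gaps between queries are near-constant, the 2-minute cadence described in the thread. The log lines are constructed to match the format shown; the jitter threshold and minimum query count are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in the pihole.log format shown in the thread (not real captures).
SAMPLE_LOG = """\
Feb 4 00:12:00 dnsmasq[9095]: query[A] primewire.ag from 192.168.1.15
Feb 4 00:12:00 dnsmasq[9095]: cached primewire.ag is 104.31.17.3
Feb 4 00:12:00 dnsmasq[9095]: query[A] 123netflix.com from 192.168.1.15
Feb 4 00:12:37 dnsmasq[9095]: query[A] www.example.com from 192.168.1.15
Feb 4 00:14:00 dnsmasq[9095]: query[A] primewire.ag from 192.168.1.15
Feb 4 00:14:01 dnsmasq[9095]: query[A] 123netflix.com from 192.168.1.15
Feb 4 00:15:12 dnsmasq[9095]: query[A] www.example.com from 192.168.1.15
Feb 4 00:16:00 dnsmasq[9095]: query[A] primewire.ag from 192.168.1.15
Feb 4 00:16:00 dnsmasq[9095]: query[A] 123netflix.com from 192.168.1.15
Feb 4 00:18:00 dnsmasq[9095]: query[A] primewire.ag from 192.168.1.15
Feb 4 00:20:14 dnsmasq[9095]: query[A] www.example.com from 192.168.1.15
""".splitlines()

# Only dnsmasq "query[...]" lines matter here; "cached"/"forwarded" lines are skipped.
QUERY_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"dnsmasq\[\d+\]: query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$"
)

def parse_queries(lines):
    """Yield (timestamp, client, name) per query line. Syslog stamps carry no year,
    so a fixed placeholder year is used (assumption: one log does not span years)."""
    for line in lines:
        m = QUERY_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"2000 {m['mon']} {int(m['day']):02d} {m['time']}", "%Y %b %d %H:%M:%S")
        yield ts, m["client"], m["name"].lower()

def find_periodic(lines, min_queries=3, max_jitter_s=5.0):
    """Return {(client, name): period_seconds} for streams whose gaps are near-constant."""
    seen = defaultdict(list)
    for ts, client, name in parse_queries(lines):
        seen[(client, name)].append(ts)
    periodic = {}
    for key, stamps in seen.items():
        stamps.sort()
        if len(stamps) < min_queries:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) <= max_jitter_s:  # low jitter = clock-driven
            periodic[key] = round(mean(gaps))
    return periodic
```

Run it over the real file with `find_periodic(open("/var/log/pihole.log"))`; a browser-driven domain shows irregular gaps and is not reported.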

I'm not sure what might be causing the PC to access those domains so often, but I think there are tools to find which programs are making DNS requests on Windows.

It might be / looks like some infection on your PC.
Just add the domains to the blacklist and clean your PC.

That's where I started 2 weeks ago. But I tried it again and made some headway.

I kept track of when the Pi-Hole showed access to the two domains from my PC every 2 minutes.

Ran Process Monitor (to show Network Activity) and Wireshark both as Admin. Opened Windows Powershell as Admin and typed:

tasklist /svc /fi "imagename eq svchost.exe"

Then I waited and pressed Enter on the command exactly when my PC was accessing those 2 domains.

Checked Wireshark for the same time and found the packets being sent to the pi-hole to check the DNS of those two domains.

Double clicked the packets and scrolled down to find the Source Port numbers:
57098 and 65208

Switched to Process Monitor and located the processes captured during the same time that was using those same Source Port numbers.

Double clicked and now I had:

  • the PID (1576),
  • the Path (C:\Windows\system32),
  • the Command Line parameters (-k NetworkService) and
  • the process name (svchost.exe)

Unfortunately, it’s the ubiquitous svchost.exe

Switched to Windows PowerShell and checked out the results from when I ran the tasklist command.
PS C:\Users\MyPC> tasklist /svc /fi "imagename eq svchost.exe"

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                   1576 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc

Now I have the Services behind svchost.exe.

Then I went into the Registry and found the Registry Entries for each of the 4 Services and that gave me the DLL files and the file paths. They’re all under %SystemRoot%\System32:

CryptSvc = cryptsvc.dll
Dnscache = dnsapi.dll
LanmanWorkstation = wkssvc.dll
NlaSvc = nlasvc.dll

Ran System File Checker with the command

sfc /scannow
Windows Resource Protection did not find any integrity violations.

Scanned each file with MalwareBytes and Avira.
Nothing found.

Decided to check each service’s Display Name and Description:
CryptSvc = Cryptographic Services = Provides four management services: Catalog Database Service, which confirms the signatures of Windows files and allows new programs to be installed; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update and enable scenarios such as SSL; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

Dnscache = DNS Client = The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start.

LanmanWorkstation = Server = Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

NlaSvc = Network Location Awareness = Collects and stores configuration information for the network and notifies programs when this information is modified. If this service is stopped, configuration information might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Now I'm stumped. Do I stop each service and see if it stops access? Or bypass Pi-Hole and see if my PC is still accessing these domains every minute?
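An added example, not from this post, that does the same join the post did by hand with Process Monitor: take the UDP source port seen in Wireshark, look it up in `netstat -ano -p udp` to get the owning PID, then expand that PID through `tasklist /svc` to the services hosted in it. Both command outputs below are constructed samples shaped like the real ones (and like the tasklist output in the post); the port must be captured while the socket is still open, because DNS client sockets are ephemeral.

```python
import re

# Constructed sample of `netstat -ano -p udp` output (UDP rows have an empty State column).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  UDP    0.0.0.0:500            *:*                                    812
  UDP    192.168.1.15:57098     *:*                                    1576
  UDP    192.168.1.15:65208     *:*                                    1576
"""
# Constructed sample of `tasklist /svc` output; long service lists wrap onto indented lines.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    812 PolicyAgent
svchost.exe                   1576 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc
"""
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+[A-Z_]+)?\s+(\d+)\s*$")
TASK_RE = re.compile(r"^(\S.*?)\s+(\d+)\s+(.*?)\s*$")

def parse_netstat(text):
    """Map (proto, local port) -> owning PID; handles TCP rows (with State) and UDP rows."""
    return {(m.group(1), int(m.group(3))): int(m.group(4))
            for m in map(NETSTAT_RE.match, text.splitlines()) if m}

def parse_tasklist_svc(text):
    """Map PID -> (image name, [services]); an indented line continues the previous row."""
    procs, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace() and last is not None:
            procs[last][1].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = TASK_RE.match(line)
        if m:
            last = int(m.group(2))
            procs[last] = (m.group(1), [s.strip() for s in m.group(3).split(",") if s.strip()])
    return procs

def owner_of_port(netstat_text, tasklist_text, port, proto="UDP"):
    """Resolve a Wireshark source port to its PID and, for svchost, the whole service group."""
    pid = parse_netstat(netstat_text).get((proto, port))
    if pid is None:
        return None  # socket already closed, or port belongs to another protocol
    image, services = parse_tasklist_svc(tasklist_text).get(pid, ("<unknown>", []))
    return {"pid": pid, "image": image, "services": services}
```

Because svchost hosts several services per process, the result is the service group, not a single culprit; narrowing further needs a per-service trace (for example Process Monitor filtered on that PID) or a packet capture taken with the suspect services stopped one at a time.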