
Pihole Checking for Compromise

Compromise?

Recently, DNS lookups for websites when I'm browsing have been returning "unsecured" domains I never requested, e.g. on Bluesky I would click an external link and hit a "privacy error" (Chrome); the URL is correct in the address bar, but when I check the cert for the page there's a random domain's cert there.


πŸ” 1. Inspect Container Behavior​

βœ… Check for unexpected changes in the container​

docker ps -a
docker inspect <pihole_container_id>

Look for:

  • New volumes or mounts not configured by you
  • Exposed ports that you didn’t set
  • Unexpected environment variables

✅ Audit running processes inside the container

docker exec -it <pihole_container> ps aux

Look for unexpected or non-Pi-hole processes like reverse shells, cryptominers, or Python scripts.

✅ Check for modified binaries or injected scripts

docker exec -it <pihole_container> find / -type f \( -name "*.sh" -o -name "*.py" \) -exec ls -l {} \;

Scan for recently modified or unusual files.


🕵️ 2. Network & DNS Traffic Auditing

✅ Check Pi-hole query logs for anomalies

docker exec <pihole_container> cat /var/log/pihole.log | less

Look for:

  • High-frequency queries to unknown domains
  • Outbound domains that aren’t related to your known network activity
  • Sudden requests to TLDs like .onion, .xyz, .top, etc.
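
The two checks in that list can be scripted rather than eyeballed. The script below is an added example, not part of the original checklist: it counts query lines per domain and flags domains queried at or above a threshold, and it separately lists every client that queried one of the TLDs named above. It assumes the dnsmasq log layout Pi-hole writes (`... dnsmasq[pid]: query[TYPE] DOMAIN from CLIENT`); the sample log, the threshold and the TLD list are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original checklist: offline triage of a
# Pi-hole query log in dnsmasq format. Assumed line layout:
#   Mar 10 12:00:01 dnsmasq[451]: query[A] bsky.app from 192.168.1.20
# The threshold and the TLD list are illustrative choices.

# TLDs the checklist above singles out; extend to suit your network.
SUSPICIOUS_TLDS="onion xyz top"

# Constructed sample log (every line is made up; 203.0.113.0/24 is the
# TEST-NET-3 documentation range). On a live system point the functions
# at a copy of /var/log/pihole.log taken from the container instead.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 10 12:00:01 dnsmasq[451]: query[A] bsky.app from 192.168.1.20
Mar 10 12:00:01 dnsmasq[451]: forwarded bsky.app to 127.0.0.1#5335
Mar 10 12:00:01 dnsmasq[451]: reply bsky.app is 203.0.113.10
Mar 10 12:00:02 dnsmasq[451]: query[AAAA] bsky.app from 192.168.1.20
Mar 10 12:00:02 dnsmasq[451]: query[A] pool.ntp.org from 192.168.1.31
Mar 10 12:00:03 dnsmasq[451]: query[A] beacon.example.xyz from 192.168.1.20
Mar 10 12:00:04 dnsmasq[451]: query[A] beacon.example.xyz from 192.168.1.20
Mar 10 12:00:05 dnsmasq[451]: query[A] beacon.example.xyz from 192.168.1.20
Mar 10 12:00:06 dnsmasq[451]: query[A] beacon.example.xyz from 192.168.1.20
Mar 10 12:00:07 dnsmasq[451]: query[A] beacon.example.xyz from 192.168.1.20
Mar 10 12:00:08 dnsmasq[451]: query[A] hidden.example.onion from 192.168.1.31
Mar 10 12:00:09 dnsmasq[451]: query[A] github.com from 192.168.1.20
EOF

# Print "count domain" for every domain queried at least $2 times in log $1,
# most frequent first. Only "query[...]" lines count; forwards/replies are skipped.
high_frequency_queries() {
    awk -v thr="$2" '
        $5 ~ /^query\[/ { n[$6]++ }
        END { for (d in n) if (n[d] >= thr) print n[d], d }
    ' "$1" | sort -rn
}

# Print "client domain" (deduplicated) for queries whose TLD is in SUSPICIOUS_TLDS.
suspicious_tld_queries() {
    awk -v tlds="$SUSPICIOUS_TLDS" '
        BEGIN { k = split(tlds, t, " "); for (i = 1; i <= k; i++) bad[t[i]] = 1 }
        $5 ~ /^query\[/ {
            m = split($6, label, ".")          # label[m] is the TLD
            if (label[m] in bad) print $8, $6  # $8 is the querying client
        }
    ' "$1" | sort -u
}

echo "== domains queried 5 or more times =="
high_frequency_queries "$SAMPLE_LOG" 5
echo "== queries to suspicious TLDs (client domain) =="
suspicious_tld_queries "$SAMPLE_LOG"
```

Against the constructed log this reports one high-frequency domain (the `.xyz` host queried five times by one client) and two suspicious-TLD queries; on a real log, start with a high threshold and lower it until the list is short enough to read, and treat a single client repeatedly asking for the same odd domain as the thing worth chasing.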

✅ Review Unbound logs (if logging enabled)

Unbound logging is usually minimal by default. Add verbose logging to the server: section of unbound.conf (Unbound logs to syslog by default, so use-syslog has to be switched off for the logfile setting to take effect, and the log directory must be writable by the unbound user):

server:
    use-syslog: no
    logfile: "/var/log/unbound/unbound.log"
    verbosity: 3

Then tail the logs:

docker exec -it <unbound_container> tail -f /var/log/unbound/unbound.log

Look for:

  • Excessive or repeated lookups to obscure domains
  • High failure rates or DNS poisoning patterns

πŸ” 3. File System & Image Integrity​

βœ… Check for modified files inside the container​

docker diff <pihole_container>

Shows which files were added/modified/deleted compared to the original image.
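
Most of what `docker diff` prints is legitimate runtime churn (Pi-hole's databases, logs, scratch directories), so the useful signal is anything outside those paths. The script below is an added example, not from the original checklist: it reads `docker diff` output (one `A`/`C`/`D` entry per line), drops the `C` entries that are only parent directories of other listed paths, and prints what is left outside an allowlist. The allowlist and the sample diff are constructed assumptions; adjust the prefixes to your own volume layout and Pi-hole version.

```shell
#!/bin/sh
# Added example, not from the original checklist: triage `docker diff` output
# offline. Assumption: the directories below are where Pi-hole legitimately
# writes at runtime (its config/database volumes, logs and scratch space);
# adjust them to your own volume layout and container version.
EXPECTED_PREFIXES="/etc/pihole /etc/dnsmasq.d /var/log /tmp /run /var/cache"

# Constructed `docker diff` output (A=added, C=changed, D=deleted).
SAMPLE_DIFF=$(cat <<'EOF'
C /etc
C /etc/pihole
A /etc/pihole/gravity.db
C /etc/pihole/pihole-FTL.db
C /var
C /var/log
C /var/log/pihole.log
C /usr
C /usr/local
C /usr/local/bin
A /usr/local/bin/helper.sh
C /etc/cron.d
A /etc/cron.d/sync
EOF
)

# Read `docker diff` lines on stdin and print those that fall outside
# EXPECTED_PREFIXES. A "C" entry that is merely the parent directory of
# another listed path is skipped, so the report names the files, not the
# directory chain above them.
unexpected_container_changes() {
    awk -v prefixes="$EXPECTED_PREFIXES" '
        BEGIN { np = split(prefixes, p, " ") }
        function allowed(f,    i) {
            for (i = 1; i <= np; i++)
                if (f == p[i] || index(f, p[i] "/") == 1) return 1
            return 0
        }
        function is_parent_dir(f,    q) {
            for (q in seen) if (index(q, f "/") == 1) return 1
            return 0
        }
        NF == 2 && $1 ~ /^[ACD]$/ { m++; kind[m] = $1; path[m] = $2; seen[$2] = 1 }
        END {
            for (i = 1; i <= m; i++) {
                if (kind[i] == "C" && is_parent_dir(path[i])) continue
                if (!allowed(path[i])) print kind[i], path[i]
            }
        }
    '
}

echo "== changes outside the expected Pi-hole paths =="
printf '%s\n' "$SAMPLE_DIFF" | unexpected_container_changes
```

On a live host the same function takes the real output: `docker diff <pihole_container> | unexpected_container_changes`. With the constructed input it reports only the new script under /usr/local/bin and the new cron entry; a non-empty report after an update can be benign, so compare it against a fresh container from the same image before concluding anything.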

✅ Check image hash integrity

Compare the current container image ID against the known trusted version.

docker images | grep pihole

Then cross-reference with the official Docker Hub repo or trusted mirror.


🧱 4. Host-Level Monitoring

✅ Check for suspicious outbound traffic on host

sudo lsof -i -nP | grep ESTABLISHED
sudo netstat -tulnp

Look for:

  • Unexpected IP destinations
  • Connections from the Pi-hole container going outbound (especially non-DNS ports)
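
The second bullet is easy to automate from the `lsof -i -nP` output above. The script below is an added example, not part of the original checklist: it keeps only ESTABLISHED connections whose local end is inside the Docker bridge subnet and whose remote port is not one a DNS stack is expected to use. The subnet prefix (172.18.0.0/16), the allowed ports (53 for DNS, 853 for DNS over TLS, 443 for blocklist downloads), IPv4-only parsing and the sample lsof output are all constructed assumptions; change them to match your bridge network and upstream configuration.

```shell
#!/bin/sh
# Added example, not from the original checklist: filter `lsof -i -nP` output
# for established connections that leave the container network on ports a DNS
# stack has no business using. Assumptions: the Docker bridge is 172.18.0.0/16,
# addresses are IPv4, and 53/853/443 (DNS, DoT, HTTPS for blocklist updates)
# are the only legitimate remote ports.
CONTAINER_NET_PREFIX="172.18."
ALLOWED_REMOTE_PORTS="53 853 443"

# Constructed lsof output (198.51.100.0/24 and 203.0.113.0/24 are documentation ranges).
SAMPLE_LSOF=$(cat <<'EOF'
COMMAND     PID    USER    FD   TYPE DEVICE SIZE/OFF NODE NAME
pihole-FTL  1201   pihole  10u  IPv4  23411      0t0  TCP 172.18.0.2:51034->172.18.0.3:53 (ESTABLISHED)
unbound     1320   unbound  8u  IPv4  23517      0t0  TCP 172.18.0.3:48220->198.51.100.4:53 (ESTABLISHED)
sshd         890   root     4u  IPv4  20013      0t0  TCP 192.168.1.5:22->192.168.1.77:50122 (ESTABLISHED)
python3     2210   root     3u  IPv4  25001      0t0  TCP 172.18.0.2:39988->203.0.113.55:4444 (ESTABLISHED)
EOF
)

# Read lsof lines on stdin; print "command pid local->remote" for ESTABLISHED
# connections whose local end is inside the container subnet and whose remote
# port is not in ALLOWED_REMOTE_PORTS.
unexpected_outbound() {
    awk -v net="$CONTAINER_NET_PREFIX" -v ports="$ALLOWED_REMOTE_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $NF == "(ESTABLISHED)" && $(NF-1) ~ /->/ {
            split($(NF-1), ends, "->")            # ends[1] local, ends[2] remote
            if (index(ends[1], net) != 1) next    # local end is not a container address
            k = split(ends[2], r, ":")            # r[k] is the remote port
            if (!(r[k] in ok)) print $1, $2, $(NF-1)
        }
    '
}

echo "== container connections to unexpected remote ports =="
printf '%s\n' "$SAMPLE_LSOF" | unexpected_outbound
```

Run it against the live system with `sudo lsof -i -nP | unexpected_outbound`. In the constructed sample, the Pi-hole-to-Unbound and Unbound-to-upstream connections on port 53 pass, the host's own sshd session is ignored because it is not a container address, and only the unexplained python3 process talking out of the bridge on a non-DNS port is reported.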

✅ Run a rootkit or malware scanner on host

Use tools like:

  • chkrootkit
  • rkhunter
  • clamav (can scan for known malware signatures)

📦 5. Container Security Best Practices

  • Ensure you're using read-only volumes where possible
  • Use --read-only flag on container if you don’t need writes
  • Use a non-root user inside the container if Pi-hole supports it
  • Set up AppArmor/SELinux profiles for container restrictions
  • If you use Docker Compose, pin to known image hashes:
      image: pihole/pihole@sha256:abc123...

🧪 Optional: Threat Hunting with Falco or Wazuh

Install runtime security tools on the host:

  • Falco: Monitors container behavior and alerts on anomalies (e.g., shell inside container)
  • Wazuh: Full SIEM agent capable of monitoring Docker activity + file integrity

📌 Final Tips

  • Regularly update both Pi-hole and Unbound images
  • Isolate the container in a dedicated Docker network with restricted egress
  • Avoid exposing your admin interface externally, or use VPN/bastion access
  • Enable Pi-hole audit logs: auditlog.list is useful to track manually allowed/blocked domains

Disclaimer

This documentation was AI-assisted, i.e. generated by AI, then checked, tested working and updated by me.