Pi-hole: Checking for Compromise
Recently, DNS lookups for websites when I'm browsing have been returning "unsecured" domains I never requested, e.g. on Bluesky I would click an external link and hit a "privacy error" (Chrome); the URL is correct in the address bar, but when I check the cert for the page there's a random domain's cert there.
1. Inspect Container Behavior
Check for unexpected changes in the container
```bash
docker ps -a
docker inspect <pihole_container_id>
```
Look for:
- New volumes or mounts not configured by you
- Exposed ports that you didn't set
- Unexpected environment variables
Audit running processes inside the container
```bash
docker exec -it <pihole_container> ps aux
```
Look for unexpected or non-Pi-hole processes like reverse shells, cryptominers, or Python scripts.
Check for modified binaries or injected scripts
```bash
# The parentheses matter: without them -exec applies only to the "*.py" branch
# and the "*.sh" matches are silently dropped.
docker exec -it <pihole_container> find / -type f \( -name "*.sh" -o -name "*.py" \) -exec ls -l {} \;
```
Scan for recently modified or unusual files (adding `-mtime -7` to the find narrows it to files changed in the last week).
2. Network & DNS Traffic Auditing
Check Pi-hole query logs for anomalies
```bash
docker exec -it <pihole_container> less /var/log/pihole.log
```
Look for:
- High-frequency queries to unknown domains
- Outbound domains that aren't related to your known network activity
- Sudden requests to TLDs like .onion, .xyz, .top, etc.
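The three checks above can be scripted rather than eyeballed in `less`. The following POSIX shell functions are an added example, not part of the original page: they assume the dnsmasq-style line format Pi-hole writes (`query[TYPE] <domain> from <client>`), use a constructed sample log instead of a real capture, and treat the .onion/.xyz/.top watch list and the 3-query threshold as assumptions to tune for your network.

```shell
#!/bin/sh
# Added example: triage helpers for a Pi-hole (dnsmasq-format) query log.
# Assumed line format:  Mon DD HH:MM:SS dnsmasq[PID]: query[TYPE] <domain> from <client>
# Run against a copy:   docker cp <pihole_container>:/var/log/pihole.log ./pihole.log

# Constructed sample log (not captured from a real system); domains are made up.
make_sample_log() {
  cat > "$1" <<'EOF'
Apr  3 12:00:01 dnsmasq[123]: query[A] bsky.app from 192.168.1.20
Apr  3 12:00:01 dnsmasq[123]: forwarded bsky.app to 127.0.0.1#5335
Apr  3 12:00:01 dnsmasq[123]: reply bsky.app is 203.0.113.10
Apr  3 12:00:02 dnsmasq[123]: query[AAAA] bsky.app from 192.168.1.20
Apr  3 12:00:05 dnsmasq[123]: query[A] cdn.example.net from 192.168.1.20
Apr  3 12:00:07 dnsmasq[123]: query[A] a1b2c3.sample-domain.top from 192.168.1.33
Apr  3 12:00:08 dnsmasq[123]: query[A] a1b2c3.sample-domain.top from 192.168.1.33
Apr  3 12:00:09 dnsmasq[123]: query[A] a1b2c3.sample-domain.top from 192.168.1.33
Apr  3 12:00:10 dnsmasq[123]: query[A] a1b2c3.sample-domain.top from 192.168.1.33
Apr  3 12:00:11 dnsmasq[123]: query[A] sample-domain.xyz from 192.168.1.33
Apr  3 12:00:12 dnsmasq[123]: query[A] www.example.com from 192.168.1.21
EOF
}

# Query count per domain, most frequent first, printed as "<count> <domain>".
# Only "query[...]" lines are counted; forwarded/reply/cached lines are skipped.
query_counts() {
  awk '$5 ~ /^query\[/ { n[$6]++ } END { for (d in n) print n[d], d }' "$1" \
    | sort -k1,1nr -k2,2
}

# Domains queried at least $2 times (default 3): high-frequency lookups to review.
frequent_domains() {
  query_counts "$1" | awk -v min="${2:-3}" '$1 >= min { print $2 }'
}

# Distinct queried domains whose TLD is on the watch list (assumed list; extend it).
watched_tld_queries() {
  awk '$5 ~ /^query\[/ && $6 ~ /\.(onion|xyz|top)$/ { print $6 }' "$1" | sort -u
}

# Clients that asked for a given domain, so the right device gets inspected next.
clients_for_domain() {
  awk -v dom="$2" '$5 ~ /^query\[/ && $6 == dom { print $8 }' "$1" | sort -u
}
```

Source the file and run `query_counts ./pihole.log`, `frequent_domains ./pihole.log 20` and `watched_tld_queries ./pihole.log` over a copied log; `clients_for_domain ./pihole.log <domain>` then points at the device that issued the suspicious lookups, which is usually the next thing to examine when the Pi-hole itself checks out clean.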
Review Unbound logs (if logging enabled)
Unbound logging is usually minimal by default. Add verbose logging to unbound.conf. These options live in the server: section; use-syslog: no is required because Unbound ignores logfile: while syslog logging is on, and the log directory must exist and be writable by the unbound user:
```
server:
    logfile: "/var/log/unbound/unbound.log"
    use-syslog: no
    verbosity: 3
```
Then tail the logs:
```bash
docker exec -it <unbound_container> tail -f /var/log/unbound/unbound.log
```
Look for:
- Excessive or repeated lookups to obscure domains
- High failure rates or DNS poisoning patterns
3. File System & Image Integrity
Check for modified files inside the container
```bash
docker diff <pihole_container>
```
Shows which files were added (A), changed (C) or deleted (D) compared to the original image.
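On a running Pi-hole, `docker diff` is noisy because the container legitimately writes its databases and logs. As an added example (not from the original page), the shell functions below split a saved diff into expected runtime writes and everything else, then pull out the two findings that matter most: a changed binary and a hidden added file. The list of expected paths in `PIHOLE_EXPECTED` is an assumption for illustration; build yours from a freshly started, known-good container, and the sample diff is constructed rather than taken from a real system.

```shell
#!/bin/sh
# Added example: separate expected Pi-hole runtime writes from unexpected ones in
# `docker diff` output (each line is "A|C|D /path": added, changed, deleted).
# Run against a saved copy:  docker diff <pihole_container> > pihole.diff

# Paths Pi-hole legitimately writes at runtime (assumed list; adjust to your setup).
PIHOLE_EXPECTED='^[ACD] /(etc/pihole|etc/dnsmasq\.d|var/log|run)(/|$)'

# Constructed sample diff (not from a real container).
make_sample_diff() {
  cat > "$1" <<'EOF'
C /etc
C /etc/pihole
A /etc/pihole/gravity.db
C /var
C /var/log
A /var/log/pihole.log
C /etc/cron.d
A /etc/cron.d/updater
C /usr
C /usr/bin
C /usr/bin/pihole-FTL
C /usr/local
C /usr/local/bin
A /usr/local/bin/.cache.sh
EOF
}

# Everything that is neither an expected write nor the metadata-only "C" entry
# Docker emits for a top-level directory because one of its children changed.
unexpected_changes() {
  grep -Ev "$PIHOLE_EXPECTED" "$1" | grep -Ev '^C /(etc|var|usr)$'
}

# Changed (not added) files under binary directories. A modified binary in a
# container that should only ever change through image updates needs explaining.
modified_binaries() {
  grep -E '^C /(usr/(local/)?)?s?bin/' "$1"
}

# Added files whose final path component starts with a dot; pair this with the
# find command from section 1 when reviewing dropped scripts.
hidden_additions() {
  grep -E '^A .*/\.[^/]+$' "$1"
}
```

Run `docker diff <pihole_container> > pihole.diff`, source the file, and call `unexpected_changes pihole.diff`; an empty result from `modified_binaries` and `hidden_additions` on a container you have never exec'd into is the baseline you want to see.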
Check image hash integrity
Compare the current container image ID against the known trusted version.
```bash
docker images | grep pihole
```
Then cross-reference with the official Docker Hub repo or trusted mirror (`docker images --digests` shows the repository digest, which is the value Docker Hub publishes).
4. Host-Level Monitoring
Check for suspicious outbound traffic on host
```bash
sudo lsof -i -nP | grep ESTABLISHED
sudo netstat -tulnp
```
Look for:
- Unexpected IP destinations
- Connections from the Pi-hole container going outbound (especially non-DNS ports)
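A resolver's outbound traffic is unusually easy to baseline: Pi-hole should only talk to its upstream (here the local Unbound), and Unbound should only talk to authoritative name servers on port 53. As an added example (not from the original page), the functions below pick those two processes out of saved `sudo lsof -i -nP` output and report any peer whose port is not a DNS port. They assume lsof's default columns, that the processes appear on the host as `pihole-FTL` (lsof truncates the command column to `pihole-FT`) and `unbound`, and that Unbound listens on 5335; the sample output is constructed, not a real capture.

```shell
#!/bin/sh
# Added example: find DNS-component connections with non-DNS peer ports in
# `sudo lsof -i -nP` output. Assumes the default lsof columns
# (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME), so NAME is field 9.
# Run against a saved copy:  sudo lsof -i -nP > lsof.txt

# Constructed sample (not a real capture). 5335 is the assumed local Unbound port.
make_sample_lsof() {
  cat > "$1" <<'EOF'
COMMAND     PID    USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
unbound    1201 unbound   7u  IPv4  30001      0t0  UDP 192.168.1.5:48211->198.51.100.53:53
pihole-FT  2345  pihole  12u  IPv4  45678      0t0  TCP 172.18.0.2:52034->172.18.0.3:5335 (ESTABLISHED)
pihole-FT  2345  pihole  15u  IPv4  45680      0t0  TCP 172.18.0.2:43120->203.0.113.77:8080 (ESTABLISHED)
pihole-FT  2345  pihole   6u  IPv4  45600      0t0  TCP *:53 (LISTEN)
sshd       1001    root   4u  IPv4  20001      0t0  TCP 192.168.1.5:22->192.168.1.20:55000 (ESTABLISHED)
EOF
}

# Print "<command> <peer endpoint>" for pihole-FTL/unbound sockets whose peer port
# is not 53 (DNS), 853 (DNS over TLS) or 5335 (local Unbound, assumed).
non_dns_connections() {
  awk 'NR > 1 && $1 ~ /^(pihole-FT|unbound)/ {
         if (split($9, ep, "->") < 2) next           # listeners have no peer
         n = split(ep[2], hp, ":"); port = hp[n]     # last ":" field is the port (IPv6-safe)
         if (port != "53" && port != "853" && port != "5335") print $1, ep[2]
       }' "$1"
}

# Distinct peer hosts per DNS component, for comparison against the upstreams you
# expect: the local Unbound for Pi-hole, authoritative name servers for Unbound.
remote_hosts() {
  awk 'NR > 1 && $1 ~ /^(pihole-FT|unbound)/ && split($9, ep, "->") == 2 {
         sub(/:[0-9]+$/, "", ep[2]); print $1, ep[2]
       }' "$1" | sort -u
}
```

Run `sudo lsof -i -nP > lsof.txt`, source the file, and call `non_dns_connections lsof.txt`; any line it prints is a connection the page's checklist flags as "non-DNS ports" and should be explained before anything else.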
Run a rootkit or malware scanner on host
Use tools like:
- chkrootkit
- rkhunter
- clamav (can scan for known malware signatures)
5. Container Security Best Practices
- Ensure you're using read-only volumes where possible
- Use the `--read-only` flag on the container if you don't need writes
- Use a non-root user inside the container if Pi-hole supports it
- Set up AppArmor/SELinux profiles for container restrictions
- If you use Docker Compose, pin to known image hashes:
```yaml
image: pihole/pihole@sha256:abc123...
```
Optional: Threat Hunting with Falco or Wazuh
Install runtime security tools on the host:
- Falco: Monitors container behavior and alerts on anomalies (e.g., shell inside container)
- Wazuh: Full SIEM agent capable of monitoring Docker activity + file integrity
Final Tips
- Regularly update both Pi-hole and Unbound images
- Isolate the container in a dedicated Docker network with restricted egress
- Avoid exposing your admin interface externally, or use VPN/bastion access
- Enable Pi-hole audit logs: `auditlog.list` is useful to track manually allowed/blocked domains
This documentation was AI-assisted, i.e. generated by AI, then checked, tested as working and updated by me.