Pi-hole Compromise Detection — Investigating Suspicious DNS Behaviour
Recently, DNS lookups for websites when I'm browsing have been returning "unsecured" domains I never requested e.g. on bluesky I would click an external link, and hit a "privacy error" (Chrome), the URL is correct in the address bar, but when I check the cert for the page there's a random domain cert there.
🔍 1. Inspect Container Behavior
✅ Check for unexpected changes in the container
docker ps -a
docker inspect <pihole_container_id />
Look for:
- New volumes or mounts not configured by you
- Exposed ports that you didn’t set
- Unexpected environment variables
✅ Audit running processes inside the container
docker exec -it <pihole_container /> ps aux
Look for unexpected or non-Pi-hole processes like reverse shells, cryptominers, or Python scripts.
✅ Check for modified binaries or injected scripts
docker exec -it <pihole_container /> find / -type f -name "*.sh" -o -name "*.py" -exec ls -l {} \;
Scan for recently modified or unusual files.
🕵️♂️ 2. Network & DNS Traffic Auditing
✅ Check Pi-hole query logs for anomalies
docker exec -it <pihole_container /> cat /var/log/pihole.log | less
Look for:
- High-frequency queries to unknown domains
- Outbound domains that aren’t related to your known network activity
- Sudden requests to TLDs like
.onion,.xyz,.top, etc.
✅ Review Unbound logs (if logging enabled)
Unbound logging is usually minimal by default. Add verbose logging to unbound.conf:
logfile: "/var/log/unbound/unbound.log"
verbosity: 3
Then tail the logs:
docker exec -it <unbound_container /> tail -f /var/log/unbound/unbound.log
Look for:
- Excessive or repeated lookups to obscure domains
- High failure rates or DNS poisoning patterns
🔐 3. File System & Image Integrity
✅ Check for modified files inside the container
docker diff <pihole_container />
Shows which files were added/modified/deleted compared to the original image.
✅ Check image hash integrity
Compare the current container image ID against the known trusted version.
docker images | grep pihole
Then cross-reference with the official Docker Hub repo or trusted mirror.
🧱 4. Host-Level Monitoring
✅ Check for suspicious outbound traffic on host
sudo lsof -i -nP | grep ESTABLISHED
sudo netstat -tulnp
Look for:
- Unexpected IP destinations
- Connections from the Pi-hole container going outbound (especially non-DNS ports)
✅ Run a rootkit or malware scanner on host
Use tools like:
chkrootkitrkhunterclamav(can scan for known malware signatures)
📦 5. Container Security Best Practices
- Ensure you're using read-only volumes where possible
- Use
--read-onlyflag on container if you don’t need writes - Use a non-root user inside the container if Pi-hole supports it
- Set up AppArmor/SELinux profiles for container restrictions
- If you use Docker Compose, pin to known image hashes:
image: pihole/pihole@sha256:abc123...