Skip to main content

Pi-hole Compromise Detection — Investigating Suspicious DNS Behaviour

Compromise?

Recently, DNS lookups for websites when I'm browsing have been returning "unsecured" domains I never requested e.g. on bluesky I would click an external link, and hit a "privacy error" (Chrome), the URL is correct in the address bar, but when I check the cert for the page there's a random domain cert there.


🔍 1. Inspect Container Behavior

Check for unexpected changes in the container

docker ps -a
docker inspect <pihole_container_id />

Look for:

  • New volumes or mounts not configured by you
  • Exposed ports that you didn’t set
  • Unexpected environment variables

Audit running processes inside the container

docker exec -it <pihole_container /> ps aux

Look for unexpected or non-Pi-hole processes like reverse shells, cryptominers, or Python scripts.

Check for modified binaries or injected scripts

docker exec -it <pihole_container /> find / -type f -name "*.sh" -o -name "*.py" -exec ls -l {} \;

Scan for recently modified or unusual files.


🕵️‍♂️ 2. Network & DNS Traffic Auditing

Check Pi-hole query logs for anomalies

docker exec -it <pihole_container /> cat /var/log/pihole.log | less

Look for:

  • High-frequency queries to unknown domains
  • Outbound domains that aren’t related to your known network activity
  • Sudden requests to TLDs like .onion, .xyz, .top, etc.

Review Unbound logs (if logging enabled)

Unbound logging is usually minimal by default. Add verbose logging to unbound.conf:

logfile: "/var/log/unbound/unbound.log"
verbosity: 3

Then tail the logs:

docker exec -it <unbound_container /> tail -f /var/log/unbound/unbound.log

Look for:

  • Excessive or repeated lookups to obscure domains
  • High failure rates or DNS poisoning patterns

🔐 3. File System & Image Integrity

Check for modified files inside the container

docker diff <pihole_container />

Shows which files were added/modified/deleted compared to the original image.

Check image hash integrity

Compare the current container image ID against the known trusted version.

docker images | grep pihole

Then cross-reference with the official Docker Hub repo or trusted mirror.


🧱 4. Host-Level Monitoring

Check for suspicious outbound traffic on host

sudo lsof -i -nP | grep ESTABLISHED
sudo netstat -tulnp

Look for:

  • Unexpected IP destinations
  • Connections from the Pi-hole container going outbound (especially non-DNS ports)

Run a rootkit or malware scanner on host

Use tools like:

  • chkrootkit
  • rkhunter
  • clamav (can scan for known malware signatures)

📦 5. Container Security Best Practices

  • Ensure you're using read-only volumes where possible
  • Use --read-only flag on container if you don’t need writes
  • Use a non-root user inside the container if Pi-hole supports it
  • Set up AppArmor/SELinux profiles for container restrictions
  • If you use Docker Compose, pin to known image hashes:
image: pihole/pihole@sha256:abc123...

🧪 Optional: Threat Hunting with Falco or Wazuh

Install runtime security tools on the host:

  • Falco: Monitors container behavior and alerts on anomalies (e.g., shell inside container)
  • Wazuh: Full SIEM agent capable of monitoring Docker activity + file integrity

📌 Final Tips

  • Regularly update both Pi-hole and Unbound images
  • Isolate the container in a dedicated Docker network with restricted egress
  • Avoid exposing your admin interface externally, or use VPN/bastion access
  • Enable Pi-hole audit logs: auditlog.list is useful to track manually allowed/blocked domains

Disclaimer

This documentation was AI-assisted i.e. generated by AI, checked, tested working and updated by me.

Enjoying the docs? Good.

The docs are the how. The newsletter is the what... as in, what the f*** — AI, power, Big Tech and the tech industry, through a Pasifika lens, from an engineer who's spent twenty-plus years working inside the machine. Fortnightly. No filter.

Leave whenever.

Get the newsletter →