pihole-checklogs

A helper script to check Pi-hole logs for given network IOCs (domains/FQDNs, or IPs)

Primary language: Shell. License: GNU Affero General Public License v3.0 (AGPL-3.0).

pihole-checklogs.sh

A standalone Bash helper script for Pi-hole that checks the Pi-hole FTL database and DNS logs for a list of given domains/IPs, in order to determine whether the Pi-hole system has ever queried them. This is notably useful to investigate (or check for) a possible compromise, based on a list of network indicators of compromise (IOCs).

This script was initially proposed as a Pi-hole CLI addition, to be used as pihole checklogs, but the maintainers did not deem such functionality to be in scope. It is therefore provided as a standalone script.

Requirements

A fully working Pi-hole environment (host), with Bash 4+, GNU grep and zcat.

Installation

Just download a copy of the script from the latest release and put it somewhere on your Pi-hole host. Then make sure the script is executable (chmod +x /path/to/pihole-checklogs.sh).

In order to run the script from anywhere on your host without specifying its full path, you can symlink it into a directory on your $PATH, e.g.: sudo ln -s /path/to/pihole-checklogs.sh /usr/local/bin/pihole-checklogs.

Usage

Just check /path/to/pihole-checklogs.sh --help:

Usage: pihole-checklogs.sh {--help|-h, <IOCs list> (--nosubs) (--results) (--info)}

Check Pi-hole FTL-DB and DNS logs for a list of given domains/IPs, in order to
determine if they have ever been queried by Pi-hole systems.
This is notably useful to investigate on (or check for) possible compromise, based
on a list of network indicators of compromise (IOCs).

-h, --help:   shows command-line usage info.
<IOCs list>:  a path to a file containing FQDNs, domains or IPv4/6 (one per line)
              with optional [.] defanging.
              The script will first search domains/FQDNs (and their subdomains by
              default) in Pi-hole's long term data (FTL DB). If matches are found, they
              are then searched in Pi-hole's DNS queries log (which is generated by
              dnsmasq by default) to obtain the queries' dates, clients and resolved
              IPs. IPv4/6 are searched as resolutions in the DNS logs directly.
--nosubs:     optional flag. If set, subdomains of the given domains/FQDNs are not
              searched.
--results:    optional flag. Show detailed results without prompting the user.
--info:       optional flag. Show more info messages.
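As an added example (not the project's own code), here is the DNS-log half of the search described above: IOCs are refanged, domains match with or without their subdomains, IPs match as resolved addresses, and everything runs over a constructed pihole.log sample. The FTL-DB (SQLite) pre-check the script performs first is skipped; file names and log lines are made up for this example.

```shell
#!/usr/bin/env bash
# Added example, not the project's own code: the DNS-log half of the search that
# pihole-checklogs.sh describes, run over a constructed pihole.log (dnsmasq format).

# Refang "[.]"-defanged indicators read on stdin: evil[.]example[.]com -> evil.example.com
refang() { sed 's/\[\.\]/./g'; }

# Escape the dots of an indicator so they match literally in an extended regex.
escape_re() { printf '%s' "$1" | sed 's/[.]/\\./g'; }

# Regex for a domain IOC. With "nosubs" only the exact name matches; otherwise any
# subdomain matches as well. Either way "notevil.example.com" is never a match.
domain_pattern() {   # $1 = domain, $2 = "nosubs" (optional)
  local d; d=$(escape_re "$1")
  if [ "$2" = "nosubs" ]; then printf '(^|[^A-Za-z0-9.-])%s($|[^A-Za-z0-9.-])' "$d"
  else printf '(^|[^A-Za-z0-9-])%s($|[^A-Za-z0-9.-])' "$d"; fi
}

# Regex for an IPv4/IPv6 IOC appearing as a resolved address ("reply <name> is <ip>").
ip_pattern() { printf ' is %s($|[^0-9A-Fa-f:.])' "$(escape_re "$1")"; }

# Read a plain or gzip-rotated log (Pi-hole rotates pihole.log to pihole.log.N.gz).
read_log() { case "$1" in *.gz) zcat "$1" ;; *) cat "$1" ;; esac; }

# Search a log for every IOC in a list; prints "<ioc><TAB><matching log line>".
# $1 = IOC list file, $2 = log file, $3 = "nosubs" (optional)
check_log() {
  local ioc pat
  refang < "$1" | grep -v '^[[:space:]]*$' | while IFS= read -r ioc; do
    if printf '%s\n' "$ioc" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$|:'; then
      pat=$(ip_pattern "$ioc")                  # IPv4 or IPv6 address
    else
      pat=$(domain_pattern "$ioc" "$3")         # domain / FQDN
    fi
    read_log "$2" | grep -E -- "$pat" | awk -v i="$ioc" '{ print i "\t" $0 }'
  done
}

# Demo on constructed data (every line below is made up for this example).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
printf '%s\n' 'evil[.]example[.]com' '203[.]0[.]113[.]5' > "$WORK/iocs.txt"
cat > "$WORK/pihole.log" <<'EOF'
Mar  1 10:00:01 dnsmasq[123]: query[A] evil.example.com from 192.168.1.20
Mar  1 10:00:01 dnsmasq[123]: reply evil.example.com is 203.0.113.5
Mar  1 10:00:05 dnsmasq[123]: query[A] notevil.example.com from 192.168.1.21
Mar  1 10:00:06 dnsmasq[123]: query[A] cdn.evil.example.com from 192.168.1.22
Mar  1 10:00:07 dnsmasq[123]: reply other.example.org is 203.0.113.50
EOF
check_log "$WORK/iocs.txt" "$WORK/pihole.log"          # 4 hits; 3 with "nosubs"
```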