Overview
The Pi-hole DNS App for Splunk enables network defenders and homelab operators to monitor DNS filtering activity from Pi-hole inside Splunk. Pi-hole is a popular DNS sinkhole that blocks ads and malicious domains at the network level. This app transforms Pi-hole's query logs into a searchable, visual dataset — making it possible to spot unusual DNS activity, identify devices making suspicious queries, and track blocked domain trends over time.
DNS is one of the most informative data sources for detecting threats. Malware command-and-control, data exfiltration, and phishing all leave traces in DNS. The Pi-hole DNS App makes that intelligence accessible to anyone already using Splunk, from enterprise analysts to home network defenders.
How It Works
The app ingests Pi-hole's per-query DNS log (the dnsmasq-style query log written by pihole-FTL, Pi-hole's "Faster Than Light" DNS engine) via Splunk's universal forwarder or a syslog input. A companion add-on normalizes each query record to the fields of Splunk's CIM Network Resolution (DNS) data model, so client IP, queried domain, record type, and block status are extracted and tagged consistently. Pre-built dashboards show query volume by device, top queried domains, top blocked domains, and allow/block ratio trends over time. Two caveats apply before trusting the per-device views: queries that reach Pi-hole through a forwarding resolver or NAT gateway are attributed to that intermediate address rather than the originating device, and devices configured with their own upstream resolver or DNS-over-HTTPS never reach Pi-hole at all, so they never appear in the dashboards unless the network forces DNS through it. Full setup documentation is available at the project site.
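To make the normalization step concrete, here is an added example (not code from the app or from the Pi-hole project) that parses a small, constructed sample of Pi-hole's dnsmasq-style query log into records carrying the CIM-style field names `src`, `query` and `record_type`, correlates each `query[...]` line with the result line that follows it to decide block status, and then computes the same aggregates the dashboards show (queries per client, top blocked domains, block ratio) plus a simple "unusual record type" check. The log line format and the `gravity blocked` marker match what Pi-hole 5.x writes; the full `BLOCK_MARKERS` set and the `action` field name are assumptions, not something the page or the add-on specifies.

```python
import re
from collections import Counter, defaultdict, deque

# Constructed sample in the dnsmasq-style format of Pi-hole's query log.
# "gravity blocked ... is 0.0.0.0" is Pi-hole's marker for a gravity-list hit;
# "forwarded" and "cached" mean the query was answered normally.
SAMPLE_LOG = """\
Jan  5 12:34:56 dnsmasq[1234]: query[A] example.com from 192.168.1.10
Jan  5 12:34:56 dnsmasq[1234]: forwarded example.com to 1.1.1.1
Jan  5 12:34:56 dnsmasq[1234]: reply example.com is 93.184.216.34
Jan  5 12:34:57 dnsmasq[1234]: query[A] ads.example.net from 192.168.1.10
Jan  5 12:34:57 dnsmasq[1234]: gravity blocked ads.example.net is 0.0.0.0
Jan  5 12:34:58 dnsmasq[1234]: query[AAAA] ads.example.net from 192.168.1.20
Jan  5 12:34:58 dnsmasq[1234]: gravity blocked ads.example.net is ::
Jan  5 12:34:59 dnsmasq[1234]: query[TXT] lookup.example.org from 192.168.1.20
Jan  5 12:34:59 dnsmasq[1234]: forwarded lookup.example.org to 1.1.1.1
Jan  5 12:35:00 dnsmasq[1234]: query[A] example.com from 192.168.1.30
Jan  5 12:35:00 dnsmasq[1234]: cached example.com is 93.184.216.34
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: (?P<msg>.*)$")
QUERY_RE = re.compile(r"^query\[(?P<rtype>[^\]]+)\] (?P<domain>\S+) from (?P<src>\S+)$")
# Result lines that settle a pending query. "gravity blocked" is known from
# Pi-hole 5.x; the blacklist markers are an assumption, extend per your version.
RESULT_RE = re.compile(
    r"^(?P<how>gravity blocked|exactly blacklisted|regex blacklisted|forwarded|cached|config) "
    r"(?P<domain>\S+) (?:is|to) "
)
BLOCK_MARKERS = {"gravity blocked", "exactly blacklisted", "regex blacklisted"}


def parse_pihole_log(text):
    """Turn raw query-log lines into CIM-style records.

    Each query[...] line becomes a record; the next result line for the same
    domain (FIFO per domain) sets its action to "blocked" or "allowed".
    Queries with no result line in the input keep action "unknown".
    """
    pending = defaultdict(deque)  # domain -> records still awaiting a result line
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a dnsmasq query-log line (FTL startup chatter etc.)
        msg = m.group("msg")
        q = QUERY_RE.match(msg)
        if q:
            rec = {
                "timestamp": m.group("ts"),
                "src": q.group("src"),               # CIM: client that asked
                "query": q.group("domain").lower(),   # CIM: queried domain
                "record_type": q.group("rtype"),      # CIM: A, AAAA, TXT, ...
                "action": "unknown",                  # assumed field name
            }
            records.append(rec)
            pending[rec["query"]].append(rec)
            continue
        r = RESULT_RE.match(msg)
        if r:
            queue = pending.get(r.group("domain").lower())
            if queue:
                rec = queue.popleft()
                rec["action"] = "blocked" if r.group("how") in BLOCK_MARKERS else "allowed"
    return records


def summarize(records):
    """Dashboard-style aggregates: per-client volume, top blocked, block ratio."""
    by_client = Counter(r["src"] for r in records)
    top_blocked = Counter(r["query"] for r in records if r["action"] == "blocked")
    blocked = sum(top_blocked.values())
    ratio = blocked / len(records) if records else 0.0
    return {"queries_by_client": by_client, "top_blocked": top_blocked, "block_ratio": ratio}


def unusual_record_types(records, common=frozenset({"A", "AAAA", "PTR"})):
    """Count (client, record_type) pairs outside the everyday set.

    TXT/NULL-heavy clients are a classic DNS tunnelling or exfiltration signal,
    which is the kind of outlier the raw per-device volume chart would hide.
    """
    return Counter((r["src"], r["record_type"]) for r in records
                   if r["record_type"] not in common)


if __name__ == "__main__":
    recs = parse_pihole_log(SAMPLE_LOG)
    for rec in recs:
        print(rec)
    print(summarize(recs))
    print(unusual_record_types(recs))
```

The per-domain FIFO is the important design choice: Pi-hole writes the result line for a query immediately after it, but two clients can ask for the same domain within the same second, and matching on domain alone without preserving order would assign the wrong block status to the wrong device. A real forwarder pipeline would feed these records to Splunk with `src`, `query` and `record_type` as the CIM field names so that the stock Network Resolution searches work unchanged.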