genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

DNS logging

Thu Nov 03, 2016 10:19 am

Is there a way to log all DNS requests? Somehow build a table of
www.example.com 192.168.0.25 1/11/2016 13:56
The IP should be the IP of the client that requested it.
 
pe1chl
Forum Guru
Posts: 10239
Joined: Mon Jun 08, 2015 12:09 pm

Re: DNS logging

Thu Nov 03, 2016 10:47 am

You will have to do that on an external system. It would be possible to copy all DNS requests
to an external system using a Firewall Mangle rule with "sniff-tzsp" action.
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle
Then on that external system you can display and/or save the requests using wireshark.
 
hush
just joined
Posts: 20
Joined: Sun Jul 03, 2005 5:11 pm
Location: Croatia

Re: DNS logging

Wed Feb 15, 2017 9:29 pm

Well, now it works... at least with 6.37.4. Found out accidentally the other day while trying to send everything but debug to remote log server.
system logging add action=memory topics=dns
Results with:
20:15:47 dns local query: #33347 cloud.mikrotik.com. A
20:15:47 dns done query: #33347 cloud.mikrotik.com 91.188.51.139
...
 
genesispro
Member Candidate
Topic Author
Posts: 283
Joined: Fri Mar 14, 2014 12:33 pm

Re: DNS logging

Thu Feb 16, 2017 12:18 am

Nice one, but this approach does not include the client IP that requested it, unfortunately.
 
yogender
just joined
Posts: 23
Joined: Mon May 23, 2016 6:07 pm

Re: DNS logging

Thu Feb 16, 2017 9:23 am

Firstly, remember not to include debug, as it will fill the logs.
Secondly, it does tell the src IP address:
dns query from 172.16.94.157: #22433118 www.google.com. A
 
hush
just joined
Posts: 20
Joined: Sun Jul 03, 2005 5:11 pm
Location: Croatia

Re: DNS logging

Sat Feb 18, 2017 9:56 am

Actually, now it logs more information than I need:
08:16:23 dns,packet --- got query from 192.168.0.100:34308:
08:16:23 dns,packet id:dd0 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY 'no error' 2
08:16:23 dns,packet question: www.mikrotik.com:A:IN
08:16:23 dns,packet additional:
08:16:23 dns,packet <:UNKNOWN (41):0=rawbytes:0>
08:16:23 dns query from 192.168.0.100: #62620 www.mikrotik.com. A
08:16:23 dns done query: #62620 dns name exists, but no appropriate record

08:16:23 dns,packet --- sending reply to 192.168.0.100:34308:
08:16:23 dns,packet id:dd0 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY 'no error'
08:16:23 dns,packet question: www.mikrotik.com:A:IN
08:16:23 dns,packet answer:
08:16:23 dns,packet <www.mikrotik.com:A:6181=159.148.147.196>
So at home I've been using it like this (logs only bold lines in the above log):
system logging add action=memory topics=dns,!packet
But if you're logging to a proper remote log server and don't have to worry about "filling the logs" you can do something like this:
/system logging action set 3 bsd-syslog=yes remote=<syslog-server> remote-port=<syslog-port> syslog-facility=syslog
/system logging add action=remote topics=!debug
That's what I meant with "everything but debug" - it works ok with graylog for example, but I wouldn't mind if it were a bit more RFC5424 compliant.
Blacklisting debug still gets you started with lots of logs on a busy router, so once you figure out what you need you can disable additional topics (!debug,!snmp, etc.) or switch to whitelisting.
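
Added example (not from any poster in this thread): a Python parser that turns log lines in the format quoted above into the name / client IP / time table asked for in the first post, joining each query to its `done query` line by the `#id`. It assumes the memory-log line layout shown in the posts; the sample input is constructed from those lines, and lines forwarded through syslog would carry an extra prefix that has to be stripped first.

```python
import re

# Constructed sample in the memory-log line format quoted in the posts above.
SAMPLE = """\
20:15:47 dns local query: #33347 cloud.mikrotik.com. A
20:15:47 dns done query: #33347 cloud.mikrotik.com 91.188.51.139
08:16:23 dns,packet --- got query from 192.168.0.100:34308:
08:16:23 dns,packet question: www.mikrotik.com:A:IN
08:16:23 dns query from 192.168.0.100: #62620 www.mikrotik.com. A
08:16:23 dns done query: #62620 dns name exists, but no appropriate record
08:16:24 dns query from 172.16.94.157: #22433118 www.google.com. A
"""

# "dns query from <client>:" is a client request; "dns local query:" is the router itself.
QUERY = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) dns (?:query from (?P<client>\S+?)|local query): "
    r"#(?P<id>\d+) (?P<name>\S+?)\.? (?P<rtype>[A-Z0-9]+)$")
DONE = re.compile(r"^\d\d:\d\d:\d\d dns done query: #(?P<id>\d+) (?P<result>.+)$")

def build_table(lines):
    """Return one dict per logged query, joined to its 'done query' line by #id."""
    rows, pending = [], {}
    for line in lines:
        line = line.strip()
        m = QUERY.match(line)
        if m:
            row = {"name": m["name"], "client": m["client"] or "router",
                   "time": m["time"], "rtype": m["rtype"], "result": None}
            rows.append(row)
            pending[m["id"]] = row      # wait for the matching "done query"
            continue
        m = DONE.match(line)
        if m and m["id"] in pending:
            row = pending.pop(m["id"])
            prefix = row["name"] + " "
            result = m["result"]
            # Successful answers repeat the name before the address; errors do not.
            row["result"] = result[len(prefix):] if result.startswith(prefix) else result
        # dns,packet lines and anything else are ignored
    return rows

if __name__ == "__main__":
    for r in build_table(SAMPLE.splitlines()):
        print(f'{r["name"]:<22}{r["client"]:<17}{r["time"]:<10}{r["rtype"]:<5}{r["result"]}')
```

Queries with no matching `done query` line keep `result` as `None`, which makes unanswered lookups easy to filter for review.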
