Any way to log all DNS lookups from users?

Hi All,

I’ve spent most of today trying to work this out. I’d like to log all DNS queries to a file, preferably on my NAS (QNAP TS253A).

I thought it should just be a case of setting up a Log Rule for DNS and setting it to log remotely. However, while something is going into the log, it’s clearly not all DNS requests from users. If anything, it seems to be only DNS requests initiated by the router itself. For example:

<14>1 2018-11-03T13:18:28+00:00 MikroTik DNS - - - DNS DNS: <qcloud-pr-backend-390510218.us-east-1.elb.amazonaws.com:a:60=34.192.55.125>

Has anyone been able to log DNS requests sent by actual users? I had thought about creating a ‘permit’ firewall rule for DNS messages coming in from the LAN, but that doesn’t seem to send anything to my remote log file.

Any ideas and help gratefully received!

Kevin

To make firewall logging work, you need not only to set log=yes in the rule but also to add a logging entry for the firewall topic (or a part of it):

/system logging
add action=remote topics=firewall

(Of course you need to get a syslog server running on your NAS beforehand).

Thanks - hadn’t spotted that. Now got that enabled, and getting some DNS info in the syslog file. It’s not very useful info though:

<14>1 2018-11-03T17:27:46+00:00 MikroTik forward - - - forward: in:bridge1_LAN out:EE Broadband, src-mac 24:5e:be:1d:09:9f, proto UDP, 192.168.1.98:54957->8.8.8.8:53, NAT (192.168.1.98:54957->109.181.182.132:54957)->8.8.8.8:53, len 71

I’d ideally like to see which IPs are resolving which URLs. Is there another way of achieving this other than setting up port mirroring?

K

You can redirect all DNS requests to your router; I guess this way you will see all of them in the DNS log.

Is there a separate DNS log?

The router is already configured as the DNS server for all local devices - with Google DNS configured as the upstream DNS service. Not sure what you mean by redirect DNS to the router?

K

Not separate, the “dns” topic in logging section.

I meant that you can use action=redirect in /ip firewall nat for DNS requests - that will force the use of your DNS even if a client attempts to connect to any other DNS server.
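
As an added example (not code from the thread or from MikroTik), here is a small Python parser for the two syslog line formats quoted above: the dns-topic cache entry and the firewall "forward" log line. It runs over a constructed sample log (the two lines from the thread plus two invented forward lines, one from a hypothetical second client 192.168.1.50 and one non-DNS flow) and builds two views: which names the router resolved to which addresses, and which LAN client sent DNS to which outside resolver. The second view is the useful one: traffic addressed to the router's own resolver goes through the input chain, not forward, so every port-53 entry in a forward log is a client that is bypassing the router, which is exactly the traffic the dst-nat redirect suggested in this reply would pull back to the router. The first view carries no client field at all, which is why the dns topic on its own cannot tell you which client asked for which name. The parser assumes IPv4 addresses in the forward lines; the 192.168.1.50 lines and the HTTPS line are made up for the sample.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Union

# Constructed sample: lines 1 and 2 are the two formats quoted in the thread;
# lines 3 and 4 are invented (second client 192.168.1.50, one non-DNS flow).
SAMPLE_LOG = """\
<14>1 2018-11-03T13:18:28+00:00 MikroTik DNS - - - DNS DNS: <qcloud-pr-backend-390510218.us-east-1.elb.amazonaws.com:a:60=34.192.55.125>
<14>1 2018-11-03T17:27:46+00:00 MikroTik forward - - - forward: in:bridge1_LAN out:EE Broadband, src-mac 24:5e:be:1d:09:9f, proto UDP, 192.168.1.98:54957->8.8.8.8:53, NAT (192.168.1.98:54957->109.181.182.132:54957)->8.8.8.8:53, len 71
<14>1 2018-11-03T17:27:50+00:00 MikroTik forward - - - forward: in:bridge1_LAN out:EE Broadband, src-mac aa:bb:cc:dd:ee:ff, proto UDP, 192.168.1.50:40001->1.1.1.1:53, NAT (192.168.1.50:40001->109.181.182.132:40001)->1.1.1.1:53, len 60
<14>1 2018-11-03T17:27:51+00:00 MikroTik forward - - - forward: in:bridge1_LAN out:EE Broadband, src-mac aa:bb:cc:dd:ee:ff, proto TCP, 192.168.1.50:51000->93.184.216.34:443, NAT (192.168.1.50:51000->109.181.182.132:51000)->93.184.216.34:443, len 52
"""

# RouterOS remote syslog header: "<pri>1 <timestamp> <host> <tag> - - - <message>"
HEADER_RE = re.compile(r"^<\d+>\d+ (?P<ts>\S+) (?P<host>\S+) (?P<tag>\S+) - - - (?P<msg>.*)$")

# dns topic cache entry as quoted in the thread: <name:type:ttl=address>
DNS_ENTRY_RE = re.compile(r"<(?P<name>[^:<>]+):(?P<rtype>[^:<>]+):(?P<ttl>\d+)=(?P<addr>[^<>]+)>")

# firewall forward log line (IPv4 only); out-interface names may contain spaces
FORWARD_RE = re.compile(
    r"in:(?P<in_if>.+?) out:(?P<out_if>.+?), src-mac (?P<mac>[0-9a-f:]{17}), "
    r"proto (?P<proto>\S+), (?P<src_ip>[\d.]+):(?P<src_port>\d+)->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+), "
    r"(?:NAT \((?P<nat>[^)]*)\)->\S+, )?len (?P<length>\d+)$"
)


@dataclass
class DnsEntry:
    ts: str
    name: str
    rtype: str
    ttl: int
    addr: str


@dataclass
class ForwardEvent:
    ts: str
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    in_if: str
    out_if: str


Event = Union[DnsEntry, ForwardEvent]


def parse_line(line: str) -> Optional[Event]:
    """Return a DnsEntry or ForwardEvent for a recognised line, else None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts, msg = m.group("ts"), m.group("msg")
    d = DNS_ENTRY_RE.search(msg)
    if d:
        return DnsEntry(ts, d["name"], d["rtype"], int(d["ttl"]), d["addr"])
    f = FORWARD_RE.search(msg)
    if f:
        return ForwardEvent(ts, f["mac"], f["src_ip"], int(f["src_port"]),
                            f["dst_ip"], int(f["dst_port"]), f["proto"],
                            f["in_if"], f["out_if"])
    return None


def parse_log(text: str) -> List[Event]:
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev is not None]


def resolved_names(events: List[Event]) -> Dict[str, Set[str]]:
    """name -> addresses seen in the dns topic. No client IP is available here."""
    out: Dict[str, Set[str]] = {}
    for ev in events:
        if isinstance(ev, DnsEntry):
            out.setdefault(ev.name, set()).add(ev.addr)
    return out


def dns_bypass_by_client(events: List[Event], dns_port: int = 53) -> Dict[str, Set[str]]:
    """LAN client -> outside resolvers it reached through the forward chain.

    Packets to the router's own resolver hit the input chain, so anything on
    port 53 in a forward log is a client not using the router for DNS."""
    out: Dict[str, Set[str]] = {}
    for ev in events:
        if isinstance(ev, ForwardEvent) and ev.dst_port == dns_port:
            out.setdefault(ev.src_ip, set()).add(ev.dst_ip)
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for name, addrs in resolved_names(evs).items():
        print(f"router resolved {name} -> {sorted(addrs)}")
    for client, resolvers in dns_bypass_by_client(evs).items():
        print(f"{client} sends DNS past the router to {sorted(resolvers)}")
```

Feed it the syslog file from the NAS instead of SAMPLE_LOG and any client that turns up in the bypass map is one that a redirect rule on udp/tcp port 53 would bring back under the router's resolver; clients that already use the router never appear in the forward log at all.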

You are talking about different things.

If you put in a dedicated DNS server like dnsmasq/unbound/Pi-hole, then you can log requests and even control resolved requests.

I am using Pi-hole for that.

You can see in my Splunk for MikroTik how I log all DNS requests to a tool that can easily analyze all DNS requests.
http://forum.mikrotik.com/t/tool-using-splunk-to-analyse-mikrotik-logs-3-3-graphing-everything/121810/1
With a drop-down list, you can select a single user and see all DNS requests for a given time.
Remember that a visit to just one web site may log 10-20 DNS requests to get all the advertising, trackers, plugins, etc.

Wow Jotne! That looks awesome. I’ve been wanting to learn about Splunk for a while, as I think we might start using it at work for our SIEM, so it will be good to have a shot at home first. If I can get those sorts of graphs working, I’d be extremely happy!

What do you use to collect the script outputs from the router? Do you have a PC/server that’s left on all day and night?

K

I have a Linux server (I highly recommend Linux, but it can be done with Windows Server).
It doesn’t need to be a big server for this; some old PC would do.
Running 24/7.