Is there a way to log all DNS requests? Somehow build a table of
www.example.com 192.168.0.25 1/11/2016 13:56
The IP should be the IP of the client that requested it.
You will have to do that on an external system. It would be possible to copy all DNS requests
to an external system using a Firewall Mangle rule with the “sniff-tzsp” action.
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Mangle
Then on that external system you can display and/or save the requests using Wireshark.
Well, now it works… at least with 6.37.4. I found out accidentally the other day while trying to send everything but debug to a remote log server.
system logging add action=memory topics=dns
Results with:
20:15:47 dns local query: #33347 cloud.mikrotik.com. A
20:15:47 dns done query: #33347 cloud.mikrotik.com 91.188.51.139
…
Nice one, but this approach does not include the client IP that requested it, unfortunately.
Firstly, remember not to include debug, as it will fill the logs.
Secondly, it does tell the src IP address:
dns query from 172.16.94.157: #22433118 www.google.com. A
Actually, now it logs more information than I need:
08:16:23 dns,packet — got query from 192.168.0.100:34308:
08:16:23 dns,packet id:dd0 rd:1 tc:0 aa:0 qr:0 ra:0 QUERY ‘no error’ 2
08:16:23 dns,packet question: www.mikrotik.comIN
08:16:23 dns,packet additional:
08:16:23 dns,packet <:UNKNOWN (41):0=rawbytes:0>
08:16:23 dns query from 192.168.0.100: #62620 www.mikrotik.com. A
08:16:23 dns done query: #62620 dns name exists, but no appropriate record
08:16:23 dns,packet — sending reply to 192.168.0.100:34308:
08:16:23 dns,packet id:dd0 rd:1 tc:0 aa:0 qr:1 ra:1 QUERY ‘no error’
08:16:23 dns,packet question: www.mikrotik.comIN
08:16:23 dns,packet answer:
08:16:23 dns,packet www.mikrotik.com:A:6181=159.148.147.196
So at home I’ve been using it like this (logs only the bold lines in the log above):
system logging add action=memory topics=dns,!packet
But if you’re logging to a proper remote log server and don’t have to worry about “filling the logs” you can do something like this:
/system logging action set 3 bsd-syslog=yes remote=<syslog-server> remote-port=<syslog-port> syslog-facility=syslog
/system logging add action=remote topics=!debug
That’s what I meant by “everything but debug”: it works OK with Graylog, for example, but I wouldn’t mind if it were a bit more RFC 5424 compliant.
Blacklisting debug still gets you started with lots of logs on a busy router, so once you figure out what you need you can disable additional topics (!debug, !snmp, etc.) or switch to whitelisting.
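The table the original question asks for, as an added example (not code from this thread or from MikroTik): a small Python parser that reads lines in the "dns" topic format quoted above ("query from <client>" / "local query" lines and their "done query" lines), joins them on the #id counter, and emits name / client IP / time / type / answer rows. The sample log lines, the client and answer addresses in them, and the function names are constructed for the example; the memory-log line format is assumed to be exactly as shown in the thread, so lines received via remote syslog (which carry a date and hostname prefix) would need the leading pattern adjusted.

```python
"""Build a per-client DNS query table from RouterOS 'dns' topic log lines.

Added example, not from the forum thread or from MikroTik.  Assumed line
formats (as quoted in the thread):
  <time> dns query from <client-ip>: #<id> <name>. <type>
  <time> dns local query: #<id> <name>. <type>
  <time> dns done query: #<id> <name> <answer-ip>
  <time> dns done query: #<id> <free-text status>
"""
import re
import sys
from typing import Dict, Iterable, List

# A query line: either from a LAN client or the router's own ("local") lookup.
QUERY_RE = re.compile(
    r"^(?P<time>\S+) dns (?:query from (?P<client>[\d.]+)|local query):"
    r" #(?P<id>\d+) (?P<name>\S+) (?P<qtype>\S+)$"
)
# The matching completion line; carries the id but NOT the client address.
DONE_RE = re.compile(r"^(?P<time>\S+) dns done query: #(?P<id>\d+) (?P<rest>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample in the memory-log format; addresses are made up.
SAMPLE_LOG = """\
20:15:47 dns local query: #33347 cloud.mikrotik.com. A
20:15:47 dns done query: #33347 cloud.mikrotik.com 91.188.51.139
20:15:48 dns query from 192.168.0.100: #62620 www.mikrotik.com. A
20:15:48 dns,packet question: www.mikrotik.com
20:15:48 dns done query: #62620 dns name exists, but no appropriate record
20:15:49 dns query from 192.168.0.25: #62621 www.example.com. A
20:15:49 dns done query: #62621 www.example.com 192.0.2.10
20:15:50 dns query from 192.168.0.25: #62622 mail.example.com. MX
"""


def parse_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one row per query: time, client, name, type, answer.

    'done query' lines are matched to the query with the same #id, which is
    what supplies the client address.  Queries that never get a 'done' line
    (log cut off, buffer wrapped) are emitted last with answer 'pending' so
    they are not silently dropped.  'dns,packet' lines are ignored.
    """
    pending: Dict[str, Dict[str, str]] = {}
    rows: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = QUERY_RE.match(line)
        if m:
            row = {
                "time": m.group("time"),
                "client": m.group("client") or "router",
                "name": m.group("name").rstrip("."),
                "type": m.group("qtype"),
                "answer": "pending",
            }
            # If the id was reused before its 'done' arrived, flush the old one.
            old = pending.pop(m.group("id"), None)
            if old is not None:
                rows.append(old)
            pending[m.group("id")] = row
            continue
        m = DONE_RE.match(line)
        if m:
            row = pending.pop(m.group("id"), None)
            if row is None:
                continue  # completion for a query we never saw (log started mid-way)
            tokens = m.group("rest").split()
            last = tokens[-1] if tokens else ""
            # Either "<name> <ip>" or a free-text status such as "dns name exists, ..."
            row["answer"] = last if IPV4_RE.match(last) else m.group("rest")
            rows.append(row)
    rows.extend(pending.values())
    return rows


def format_table(rows: List[Dict[str, str]]) -> str:
    """Render rows as an aligned text table with a header line."""
    cols = ("name", "client", "time", "type", "answer")
    widths = {c: max([len(c)] + [len(r[c]) for r in rows]) for c in cols}
    header = "  ".join(c.ljust(widths[c]) for c in cols)
    body = ["  ".join(r[c].ljust(widths[c]) for c in cols) for r in rows]
    return "\n".join([header, *body])


if __name__ == "__main__":
    # Pass a saved log file as the argument, or run without one for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    print(format_table(parse_dns_log(log_lines)))
```

The id-based join is what answers the objection raised earlier in the thread: the "done query" line alone carries no client address, but the "query from" line with the same #id does. Since the memory buffer is small and volatile, a table covering days belongs with the remote-syslog setup described above rather than the memory action.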