DNS - who made this request?

Mikrotik CCR1036; fv3.10; WinBox 6.10

The router works as a LAN-LAN router (200 PCs) and as a LAN-WAN internet filtering gateway.
DNS has to run with “allow remote requests” enabled.
In the LANs most addresses are static DHCP leases.
The firewall is “on” with a few simple rules; the web proxy gives users WWW access.

The problem :
/ ip dns cache print
(..)
198 lxfcbzzzh.cn 221.8.69.25 1h59m10s >
199 khhvyhvgoi.cn 221.8.69.25 2h25m31s >
200 nlfuwsubr.cn 221.8.69.25 2h9m45s >
(..)
Hmm, looks like some users have infected PCs.

So I need to know which PC (identified e.g. by IP address) made these queries…
Maybe an alert for the admin?

The DNS cache shows no source of the query, only the resolved result,
and the firewall rules show only a growing size in bytes.

TIA

You can use firewall rules to match and log the source address of matching requests to a logging server. Or you can create an address list and add the source addresses to it.

Hi.

But how do I log…

Oops, that’s simple, something like this:

# Records the sender of every packet addressed to 192.168.0.15 (the router's LAN
# address) in the address list TEST_USERS; address-list-timeout=0s makes the
# entries permanent.
/ip firewall filter add chain=input dst-address=192.168.0.15 action=add-src-to-address-list address-list=TEST_USERS address-list-timeout=0s
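The two replies above (log the source with firewall rules or collect it in an address list) written out as a full RouterOS rule set. This is an added example, not configuration from the thread or from MikroTik; it assumes 192.168.0.15 is the router's LAN address (taken from the rule above), that ether2 is the LAN interface, ether1 the WAN interface, and that a syslog server listens on 192.168.0.250 udp/514. Change those to match your setup.

```routeros
# Added example, not from the original thread. Assumed: router LAN address
# 192.168.0.15, LAN interface ether2, WAN interface ether1, syslog server
# 192.168.0.250 udp/514.

# 1. Send the firewall topic to a remote syslog server. The router's own log
#    buffer is small, so per-query lines are lost quickly if kept only locally.
/system logging action add name=syslog target=remote remote=192.168.0.250 remote-port=514
/system logging add topics=firewall action=syslog

# 2. Match only DNS queries to the router itself, not every packet that
#    happens to be addressed to 192.168.0.15. In the DNS wire format the
#    name "lxfcbzzzh.cn" is sent as <9>lxfcbzzzh<2>cn<0>, so match a single
#    label with content=, never "lxfcbzzzh.cn" with the dot.
#    add-src-to-address-list and log are both non-terminating in the filter
#    table, so the packet falls through to the later accept rule.
/ip firewall filter
add chain=input in-interface=ether2 protocol=udp dst-port=53 content=lxfcbzzzh action=add-src-to-address-list address-list=DNS_SUSPECT address-list-timeout=1d comment="host asked for a known-bad name"
add chain=input in-interface=ether2 protocol=udp dst-port=53 content=lxfcbzzzh action=log log-prefix="DNS-SUSPECT" comment="syslog line carries src ip:port of the query"

# 3. Generic record of which LAN hosts use the resolver at all; one entry
#    per source address, refreshed on each query, expiring after a day.
add chain=input in-interface=ether2 protocol=udp dst-port=53 action=add-src-to-address-list address-list=DNS_CLIENTS address-list-timeout=1d
add chain=input in-interface=ether2 protocol=udp dst-port=53 action=accept

# 4. "allow remote requests" also answers the WAN side; refuse that so the
#    router does not become an open resolver.
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop comment="no DNS service on WAN"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop comment="no DNS service on WAN"

# 5. Reading the results.
/ip firewall address-list print where list=DNS_SUSPECT
/log print where message~"DNS-SUSPECT"
```

Add tcp/53 copies of rules 2 and 3 if clients are allowed to query over TCP. The content= matcher is a plain byte-string match, so a different letter case or a renamed domain from the same malware will not hit rule 2; the DNS_CLIENTS list and the syslog stream from rule 3 are what you correlate against the `/ip dns cache` entries when the name changes.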

I should do it soon.

Thank you