When a user requests a www page from DNS (Mikrotik running as a DNS server/proxy), I would like that user request to be sent to the log (so it can be sent off to a syslog server). Info in the log should include the IP of the request, the resolved/returned DNS name and a time/date stamp of the request. Would also like in the log the MAC address of the user who does the request (nice to have!).
I do not want to log similar data from the webproxy. Thus this request.
You could add a web proxy (w/o caching) and log page requests there. That would be the correct way to log "www" traffic, since there are a lot of other services that will resolve domain names.
The option of logging DNS queries is an important one. It helps with Incident Response. Currently, in my setup I have all my clients requesting DNS through my Mikrotik; this allows me to manage one-off DNS changes in the Mikrotik. It passes off the DNS queries to an offload bind9 server, which goes out to the internet and does real lookups - not relying on my ISP to do the work for me. This does two things - it caches locally on the Mikrotik, but I get clean results using direct DNS requests.
The problem is that I log all my DNS queries on the Bind9 server, but all the queries come from the Mikrotik (expected, since the Mikrotik is requesting on behalf of the client).
The downside is that if a client makes a request to a weird DNS name (for example an IP-over-DNS tunnel), I'd be able to detect it, but not which client it is. Second, almost everything on the internet uses DNS, so my proxy servers do catch all my web traffic and I can see it - however, if, say, malware were in the environment and it didn't use the web to communicate out, I'd like to be able to not only detect it, but also see the DNS queries and where the queries came from.
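The detection the post above describes (spotting tunnel-like names in the resolver's query log and attributing them to whatever source address the resolver saw), as an added example that is not part of this thread and is not MikroTik or ISC code. It parses constructed BIND 9 query-log lines; the addresses, names and the three thresholds are assumptions for illustration. Because every client query in this layout arrives from the router's own address, the flagged zone is attributed to the router rather than to the client that asked, which is exactly the gap the post points out.

```python
"""Flag tunnel-like DNS queries in BIND 9 query-log lines and attribute them
to the source address the resolver saw.

Added example, not code from the forum thread or from MikroTik/ISC. The log
lines are constructed in the BIND 9 'query' log format; the addresses, names
and thresholds are assumptions for illustration.
"""
import math
import re
from collections import defaultdict

# BIND 9 query-log line, with or without the "@0x..." client pointer that
# newer versions print. Captures source IP, queried name and record type.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)

# Thresholds are assumptions; tune them against the site's own baseline.
MAX_LABEL_LEN = 40          # ordinary hostnames rarely use labels this long
MIN_LABEL_ENTROPY = 3.5     # bits per character; encoded payloads sit higher
MAX_UNIQUE_SUBDOMAINS = 20  # distinct subdomains of one zone from one source

# Constructed: 192.168.88.1 is the router forwarding on behalf of clients,
# 192.168.88.50 is a host that resolves directly, 192.168.88.2 is bind9.
ROUTER_IP = "192.168.88.1"
BASE_LINES = """\
client @0x7f3a8c001000 192.168.88.1#41022 (www.example.com): query: www.example.com IN A +E(0)K (192.168.88.2)
client @0x7f3a8c001000 192.168.88.1#41023 (mail.example.com): query: mail.example.com IN MX +E(0)K (192.168.88.2)
client @0x7f3a8c001000 192.168.88.50#53001 (cdn.example.net): query: cdn.example.net IN AAAA + (192.168.88.2)
"""


def sample_log(tunnel_queries: int = 25) -> str:
    """Constructed log: the base lines plus tunnel-style TXT queries whose
    leftmost label is 48 base32-like characters, all arriving from the router."""
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"
    lines = [BASE_LINES.rstrip("\n")]
    for i in range(tunnel_queries):
        label = "".join(alphabet[(i * 7 + j * 3) % 32] for j in range(48))
        name = f"{label}.t.example.org"
        lines.append(
            f"client @0x7f3a8c001000 {ROUTER_IP}#{50000 + i} ({name}): "
            f"query: {name} IN TXT +E(0)K (192.168.88.2)"
        )
    return "\n".join(lines) + "\n"


def shannon_entropy(s: str) -> float:
    """Bits per character of the symbol distribution in s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_query_log(text: str):
    """Yield (source_ip, qname, qtype) for every line that is a query record."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m["ip"], m["qname"].rstrip(".").lower(), m["qtype"]


def base_domain(qname: str) -> str:
    """Last two labels. Assumption: no public-suffix list in this example."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def analyse(text: str) -> dict:
    """Return {source_ip: [finding, ...]} for tunnel-like labels and for
    zones that one source queries with an unusual number of subdomains."""
    subdomains = defaultdict(set)   # (source_ip, zone) -> distinct subdomains
    findings = defaultdict(list)
    for ip, qname, qtype in parse_query_log(text):
        zone = base_domain(qname)
        sub = qname[: -len(zone)].rstrip(".")
        if sub:
            subdomains[(ip, zone)].add(sub)
        longest = max(qname.split("."), key=len)
        # Both conditions together: long descriptive labels alone are common.
        if len(longest) > MAX_LABEL_LEN and shannon_entropy(longest) > MIN_LABEL_ENTROPY:
            findings[ip].append(f"tunnel-like label in {qname} ({qtype})")
    for (ip, zone), subs in subdomains.items():
        if len(subs) > MAX_UNIQUE_SUBDOMAINS:
            findings[ip].append(f"{len(subs)} distinct subdomains of {zone}")
    return dict(findings)


if __name__ == "__main__":
    for ip, items in analyse(sample_log()).items():
        print(ip)  # every finding lands on the router, not on the real client
        for item in items:
            print("  ", item)
```

Running it reports all findings under 192.168.88.1: the resolver's log can show that a tunnel-shaped zone is being queried, but only the router ever appears as the source. Logging the query at the router itself, with the client address (and ideally the MAC) attached, is what closes that gap.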