log DNS query

Hi

We have a small wifi network here in our village, with about 50 PCs in the net.
We are using several RB750s and one of them is the main one. We are using /ip dns cache on each one.
The main RB750 is using OpenDNS, and the others are using the main RB750.

The OpenDNS dashboard is reporting that some malware is in our network, because someone is trying to ask for the IP of domains which are marked as malware.

Finding out which PC is infected is very hard.
My idea is that I will log DNS queries. Well, that will be a lot of information. BUT I know the domain names, so I can check the DNS queries and if the name is “marked as malware” then I will log it (or send an email), and of course I know the source IP and MAC of the PC.

What do you think?
Is it possible?
How can I do that? Where should I start?
Thanks for any help and tips.

You can’t log based on log message content on RouterOS. You only know the content after it has been logged.

Maybe log to an external log server, you can then filter there, or just grep through the files (or use whatever search method your preferred external log server allows for).

If OpenDNS is telling you the offending DNS requests, then this is pretty simple.

Step 1) Set Mikrotik DNS to use OpenDNS and capture all DNS queries:

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 servers=208.67.222.222,208.67.220.220
/ip firewall nat
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=udp to-ports=53
add action=redirect chain=dstnat comment="Capture DNS" disabled=no dst-port=53 protocol=tcp to-ports=53

Step 2) “Poison” the bad DNS entries with an invalid IP address

/ip dns static
add address=203.0.113.111 disabled=no name=Scarybadguys.com ttl=1d
add address=203.0.113.111 disabled=no name=malwareRus.com ttl=1d

Step 3) Detect and log attempts to contact the invalid DNS. Address Lists are handy for this.

/ip firewall filter
add action=log chain=forward comment="Poisoned DNS" disabled=no dst-address=203.0.113.111 log-prefix=MALWARE-DNS
add action=add-src-to-address-list address-list=MALWARE chain=forward comment="Poisoned DNS" disabled=no dst-address=203.0.113.111

Because you are detecting based on connection attempts instead of just DNS queries, this lets you find infected hosts that might be using an internal DNS server, such as a Windows domain controller.

Edit: I fail at copy and paste.
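Once the firewall rule above is logging with the MALWARE-DNS prefix and the router ships its log to an external syslog host (as the earlier reply suggests), the remaining work is to pull the source IP and MAC out of those log lines and group them per host. The script below is an added example written for this thread, not code from either poster. It assumes the RouterOS firewall log layout ("firewall,info PREFIX chain: in:IF out:IF, src-mac MAC, proto P, SRC:PORT->DST:PORT, len N") as received by syslog; the sample lines are constructed, and the sink address 203.0.113.111 is the one used in the static DNS entries above. Hosts are keyed by MAC rather than IP so a DHCP lease change does not split one infected machine into two entries.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in the assumed RouterOS firewall log layout.
# Two hosts hit the poisoned sink address; the other lines are unrelated noise.
SAMPLE_LOG = """\
Jan 10 12:00:01 rb750 firewall,info MALWARE-DNS forward: in:bridge-local out:ether1-gateway, src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 192.168.88.23:49731->203.0.113.111:80, len 52
Jan 10 12:00:02 rb750 firewall,info MALWARE-DNS forward: in:bridge-local out:ether1-gateway, src-mac 00:0c:29:aa:bb:cc, proto TCP (SYN), 192.168.88.23:49732->203.0.113.111:443, len 52
Jan 10 12:00:05 rb750 firewall,info forward: in:bridge-local out:ether1-gateway, src-mac 00:0c:29:dd:ee:ff, proto UDP, 192.168.88.40:5353->224.0.0.251:5353, len 80
Jan 10 12:03:17 rb750 firewall,info MALWARE-DNS forward: in:bridge-local out:ether1-gateway, src-mac 00:1a:2b:3c:4d:5e, proto UDP, 192.168.88.77:51234->203.0.113.111:53, len 60
Jan 10 12:03:18 rb750 dhcp,info dhcp1 assigned 192.168.88.77 to 00:1a:2b:3c:4d:5e
"""

# Assumed log format; the optional prefix group is what log-prefix=MALWARE-DNS produces.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ firewall,info "
    r"(?:(?P<prefix>\S+) )?(?P<chain>forward|input|output): "
    r"in:(?P<iface_in>\S+) out:(?P<iface_out>[^,]+), "
    r"src-mac (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}), "
    r"proto (?P<proto>\w+)(?: \([^)]*\))?, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+), len \d+"
)


def parse_line(line):
    """Return the fields of one firewall log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["sport"] = int(d["sport"])
    d["dport"] = int(d["dport"])
    return d


def find_suspects(log_text, prefix="MALWARE-DNS", sink="203.0.113.111"):
    """Group hits on the poisoned sink address per source MAC.

    Only lines carrying the expected log prefix AND destined for the sink
    count, so an unrelated rule that happens to use the same prefix, or
    traffic to the sink logged by another rule, is not mixed in.
    """
    suspects = defaultdict(lambda: {"ips": set(), "dports": set(),
                                    "count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["prefix"] != prefix or f["dst"] != sink:
            continue
        entry = suspects[f["mac"].lower()]
        entry["ips"].add(f["src"])
        entry["dports"].add(f["dport"])
        entry["count"] += 1
        entry["first"] = entry["first"] or f["ts"]
        entry["last"] = f["ts"]
    return dict(suspects)


def report(suspects):
    """One human-readable line per suspect host, most hits first."""
    lines = []
    for mac, e in sorted(suspects.items(), key=lambda kv: -kv[1]["count"]):
        lines.append("%s  ip=%s  hits=%d  ports=%s  %s .. %s" % (
            mac, ",".join(sorted(e["ips"])), e["count"],
            ",".join(str(p) for p in sorted(e["dports"])), e["first"], e["last"]))
    return lines


if __name__ == "__main__":
    for line in report(find_suspects(SAMPLE_LOG)):
        print(line)
```

Run it against the real syslog file instead of SAMPLE_LOG (for example `find_suspects(open("/var/log/mikrotik.log").read())`) and the output gives the MAC, the IPs it has used, and the time window, which is what you need to walk over to the right PC. Keeping the MAC as the key matters on a DHCP network: the same infected machine can show up under several addresses over a week.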

Thanks for the help,
it is working.