I am using opendns to filter traffic and I have blocked the use of outside DNS servers with the following rules
/ip firewall nat
add action=redirect chain=dstnat comment="proxy dns" dst-port=53 protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
What I want to do is monitor who hits the opendns blocked sites. I have the following based on an address list that contains block.opendns.com and phish.opendns.com. This gives me a list but it doesn’t give me anything about how many times an IP has hit the block page. I tried forwarding the blocked traffic to the web proxy but the opendns pages are HTTPS and it doesn’t seem to want to forward those.
/ip firewall filter
add action=log chain=forward disabled=yes dst-address-list=Blocked log=yes log-prefix=OPENDNS_BLOCK-
add action=add-src-to-address-list address-list="Machines blocked" address-list-timeout=0s chain=forward dst-address-list=Blocked tcp-flags=""
Since most of the users are wireless and they login to RADIUS to be on the network anyway I would like to tie a blocked sites counter to their username.
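One way to get the per-client counter the post asks for is to leave the address list as-is, enable the action=log rule (it is disabled=yes in the config above), ship the router log to a syslog file, and count the OPENDNS_BLOCK- lines per source address. The script below is an added example, not code from the original post or from MikroTik; the log lines in it are constructed to match the usual RouterOS firewall log layout (prefix, interfaces, src-mac, proto, src:port->dst:port), and the block-page addresses (203.0.113.x), client addresses and the IP-to-username table are assumptions. In practice that table would come from RADIUS accounting (Framed-IP-Address) or the wireless registration table, which is what ties the count to a username.

```python
import re
from collections import Counter

# Prefix set by "log-prefix=OPENDNS_BLOCK-" in the filter rule from the post.
LOG_PREFIX = "OPENDNS_BLOCK-"

# The "src:port->dst:port" field of a RouterOS firewall log line.
FLOW_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)

# Constructed sample log (assumed format, placeholder addresses); a real file
# would be whatever the router exports to syslog.
SAMPLE_LOG = """\
firewall,info OPENDNS_BLOCK- forward: in:wlan1 out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.88.10:51234->203.0.113.10:443, len 60
firewall,info OPENDNS_BLOCK- forward: in:wlan1 out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.88.10:51235->203.0.113.10:443, len 60
firewall,info OPENDNS_BLOCK- forward: in:wlan1 out:ether1, src-mac 66:77:88:99:aa:bb, proto TCP (SYN), 192.168.88.23:40001->203.0.113.11:443, len 60
dhcp,info dhcp1 assigned 192.168.88.42 to cc:dd:ee:ff:00:11
firewall,info OPENDNS_BLOCK- forward: in:wlan1 out:ether1, src-mac 00:11:22:33:44:55, proto TCP (SYN), 192.168.88.10:51236->203.0.113.11:80, len 60
"""

# Constructed mapping; in a real deployment build it from RADIUS accounting
# records (Framed-IP-Address -> User-Name) or the wireless registration table.
IP_TO_USER = {
    "192.168.88.10": "alice",
    "192.168.88.23": "bob",
}


def parse_block_hits(log_text):
    """Yield (src_ip, dst_ip, dst_port) for every line carrying LOG_PREFIX.

    Lines without the prefix (DHCP, other firewall rules) are ignored; a
    prefixed line whose flow field cannot be parsed is skipped, not guessed.
    """
    for line in log_text.splitlines():
        if LOG_PREFIX not in line:
            continue
        m = FLOW_RE.search(line)
        if not m:
            continue
        yield m.group("src"), m.group("dst"), int(m.group("dport"))


def count_hits(log_text, ip_to_user=None):
    """Return a Counter of block-page hits keyed by username.

    Source addresses not found in ip_to_user are counted under the raw IP so
    that unmapped clients still show up instead of disappearing.
    """
    ip_to_user = ip_to_user or {}
    hits = Counter()
    for src, _dst, _dport in parse_block_hits(log_text):
        hits[ip_to_user.get(src, src)] += 1
    return hits


def report(hits):
    """Render the counter as a simple table, most hits first."""
    return "\n".join(f"{who:<20} {n:>5}" for who, n in hits.most_common())


if __name__ == "__main__":
    print(report(count_hits(SAMPLE_LOG, IP_TO_USER)))
```

Because the hits are counted from the SYN of each connection to the block page, one user loading a single block page once usually shows as one hit (plus any retries), which is good enough for a "who keeps running into the filter" list; to catch the clients that never reach the block page at all, the same counting can be applied to the lines the redirect rules on port 53 would log if they were given a log-prefix too.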