captainkev
just joined
Topic Author
Posts: 7
Joined: Thu May 03, 2018 10:30 pm
Location: Scotland

Any way to log all DNS lookups from users?

Sat Nov 03, 2018 6:54 pm

Hi All,

I've spent most of today trying to work this out. I'd like to log all DNS queries to a file, preferably on my NAS (QNAP TS253A).

I thought it should just be a case of setting up a Log Rule for DNS and setting it to log remotely. However, while something is going into the log, it's clearly not all DNS requests from users. If anything, it seems to be only DNS requests initiated by the router itself. For example:

<14>1 2018-11-03T13:18:28+00:00 MikroTik DNS - - - DNS DNS: <qcloud-pr-backend-390510218.us-east-1.elb.amazonaws.com:A:60=34.192.55.125>

Has anyone been able to log DNS requests sent by actual users? I had thought about creating a 'permit' firewall rule for DNS messages coming in from the LAN, but that doesn't seem to send anything to my remote log file.

Any ideas and help gratefully received!

Kevin
 
xvo
Member
Posts: 321
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Any way to log all DNS lookups from users?

Sat Nov 03, 2018 7:05 pm

To make firewall logging work you need not only to set log=yes in the rule but also add logging for the firewall topic (or a part of it):
/system logging
add action=remote topics=firewall
(Of course you need to get a syslog server running on your NAS beforehand).
 
captainkev
just joined
Topic Author
Posts: 7
Joined: Thu May 03, 2018 10:30 pm
Location: Scotland

Re: Any way to log all DNS lookups from users?

Sat Nov 03, 2018 7:31 pm

Thanks - hadn't spotted that. Now got that enabled, and getting some DNS info in the syslog file. It's not very useful info though:

<14>1 2018-11-03T17:27:46+00:00 MikroTik forward - - - forward: in:bridge1_LAN out:EE Broadband, src-mac 24:5e:be:1d:09:9f, proto UDP, 192.168.1.98:54957->8.8.8.8:53, NAT (192.168.1.98:54957->109.181.182.132:54957)->8.8.8.8:53, len 71

I'd ideally like to see which IPs are resolving which URLs. Is there another way of achieving this other than setting up port mirroring?

K
 
xvo
Member
Posts: 321
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Any way to log all DNS lookups from users?

Sat Nov 03, 2018 7:44 pm

You can redirect all DNS requests to your router, I guess this way you will see all of them in DNS log.
 
captainkev
just joined
Topic Author
Posts: 7
Joined: Thu May 03, 2018 10:30 pm
Location: Scotland

Re: Any way to log all DNS lookups from users?

Sat Nov 03, 2018 9:45 pm

Is there a separate DNS log?

The router is already configured as the DNS server for all local devices - with Google DNS configured as the upstream DNS service. Not sure what you mean by redirect DNS to the router?

K
 
xvo
Member
Posts: 321
Joined: Sat Mar 03, 2018 1:12 am
Location: Moscow, Russia

Re: Any way to log all DNS lookups from users?

Sat Nov 03, 2018 10:27 pm

Not separate, the "dns" topic in logging section.

I meant that you can use action=redirect in /ip firewall nat for DNS requests - that will force the use of your DNS even if a client attempts to connect to any other DNS server.
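
An added example, not part of any post in this thread: a parser for the two syslog line formats quoted above. The "dns" topic line carries the name and answer but no client address, while the "firewall" topic line carries the client but no name, so the useful check on the firewall lines is which LAN clients send port 53 traffic to a resolver other than the router, which is the traffic the redirect rule would capture. The router address `192.168.1.1` is an assumption; it does not appear in the thread.

```python
import re
from collections import defaultdict

# The two log lines quoted in the posts above (RFC 5424 syslog from RouterOS).
SAMPLE = [
    "<14>1 2018-11-03T13:18:28+00:00 MikroTik DNS - - - DNS DNS: "
    "<qcloud-pr-backend-390510218.us-east-1.elb.amazonaws.com:A:60=34.192.55.125>",
    "<14>1 2018-11-03T17:27:46+00:00 MikroTik forward - - - forward: "
    "in:bridge1_LAN out:EE Broadband, src-mac 24:5e:be:1d:09:9f, proto UDP, "
    "192.168.1.98:54957->8.8.8.8:53, NAT (192.168.1.98:54957->"
    "109.181.182.132:54957)->8.8.8.8:53, len 71",
]

# Syslog header: <pri>version timestamp host app procid msgid structured-data msg
HEADER = re.compile(r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ \S+ (?P<msg>.*)$")
# "dns" topic line: <name:type:ttl=answer>
DNS_ANSWER = re.compile(
    r"<(?P<name>[^:<>]+):(?P<type>[A-Z]+):(?P<ttl>\d+)=(?P<answer>[^>]+)>")
# "firewall" topic line: the first src:port->dst:port pair is the pre-NAT flow.
FLOW = re.compile(
    r"in:(?P<in_if>\S+) .*?src-mac (?P<mac>[0-9A-Fa-f:]{17}), proto (?P<proto>\w+).*?, "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)")

def parse(line):
    """Return a dict for a DNS answer or a port-53 flow, else None."""
    h = HEADER.match(line)
    if not h:
        return None
    m = DNS_ANSWER.search(h["msg"])
    if m:
        return {"kind": "answer", "ts": h["ts"], **m.groupdict()}
    m = FLOW.search(h["msg"])
    if m and m["dport"] == "53":
        return {"kind": "flow", "ts": h["ts"], **m.groupdict()}
    return None

def bypassing_clients(lines, router_ip):
    """Map each client IP to the resolvers it queried directly, skipping the router."""
    out = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if rec["kind"] == "flow" and rec["dst"] != router_ip:
            out[rec["src"]].add(rec["dst"])
    return dict(out)

if __name__ == "__main__":
    # 192.168.1.1 is an assumed router address, not taken from the thread.
    for client, resolvers in bypassing_clients(SAMPLE, "192.168.1.1").items():
        print(client, "queries", ", ".join(sorted(resolvers)), "directly")
```

Run over the NAS syslog file, any client this reports is not using the router's resolver, so its lookups never reach the router's "dns" topic log.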
 
msatter
Forum Guru
Posts: 1113
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

Re: Any way to log all DNS lookups from users?

Sat Nov 03, 2018 11:07 pm

You are talking about different things.

If you put a dedicated DNS server like dnsmasq/unbound/pihole then you can log requests and even control resolved requests.

I am using Pi-hole for that.
Two RB760iGS (hEX S) in series. One does PPPoE/IKEv2 and the other does the rest of the tasks.
Running:
RouterOS 6.46Beta / Winbox 3.19 / MikroTik APP 1.2.6
Having an Android device, use https://github.com/M66B/NetGuard/releases (no root required)
 
Jotne
Forum Guru
Posts: 1127
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Any way to log all DNS lookups from users?

Sun Nov 04, 2018 9:33 am

You can see in my Splunk for MikroTik how I log all DNS requests to a tool that can easily analyze all DNS requests.
viewtopic.php?t=137338
With a drop-down list, you can select a single user and see all DNS requests for a given time.
Remember that a visit to just one web site may log 10-20 DNS requests to get all advertising, trackers, plugins +++
 
How to use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
 
captainkev
just joined
Topic Author
Posts: 7
Joined: Thu May 03, 2018 10:30 pm
Location: Scotland

Re: Any way to log all DNS lookups from users?

Mon Nov 05, 2018 3:34 pm

Wow Jotne! That looks awesome. I've been wanting to learn about Splunk for a while, as I think we might start using it at work for our SIEM, so it will be good to have a shot at home first. If I get those sorts of graphs working, I'd be extremely happy!

What do you use to collect the script outputs from the router? Do you have a PC/server that's left on all day and night?

K
 
Jotne
Forum Guru
Posts: 1127
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Any way to log all DNS lookups from users?

Mon Nov 05, 2018 5:05 pm

I have a Linux server (highly recommend Linux, but it can be done with Windows Server).
It does not need to be a big server for this, just some old PC would do.
Running 24/7
 