Querying DNS requests by clients

develox

Regular Contributor
Hi,

I have Suricata installed on my RT-AC5300 via opkg/entware. Its logs are forwarded to a box where they're processed by Evebox, which in turn presents them in its GUI. This flow was stopped from December until yesterday, and now that it's been reactivated I notice that I'm signalled alerts about suspect DNS queries of 2 types:
  1. Level: Warning, "ET DNS Query to a *.top domain - Likely Hostile" (e.g. dgafgadsgkjg.top) or "ET DNS Query to a *.pw domain - Likely Hostile" (e.g. us.bookofstorage.pw)
  2. Level: Alert, "ET POLICY Android Adups Firmware DNS Query 2", one example is: bigdata.adsunflower.com (explanation at: www.kryptowire.com/adups_security_analysis.html)
Setting aside for a moment whether they're really relevant or not, that's my question here: both kinds are tracked with source IP being the WAN address of the Asus and dest IP my external firewall (a ZyXEL USG). So from this alone I can't track who, within my private LAN behind the Asus, actually needed those DNS queries. Note that for other common DNS queries/answers Suricata/Evebox correctly record the requesting client within the LAN and the whole event. So the first suspect is that it's the router itself, for still-to-be-clarified reasons, asking for those domains, but I would like to investigate more.

Asuswrt GUI has a page in the QoS - Web History but it can't be filtered or searched and it usually gets very long to consult (luckily, I prefer to have the data than the contrary).

Is there a way, either by command line or GUI, to ask exactly which client needed an FQDN translated at what time?

Note that I'm running the latest 386.1_2 fw.

Thanks
Peppe
 
Could it be done via dnsmasq itself?
I've tried this approach:
https://superuser.com/questions/632898/how-to-log-all-dns-requests-made-through-openwrt-router
but though I got the new /tmp/dnsmasq.log file, and it's filled with content, it just misses the very content I'm after. (I should mention that I didn't reboot the router, rather just restarted dnsmasq, but as I got the new log file I assume the new config snippet in dnsmasq.conf.add was actually parsed and added to the full config).
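Once `log-queries` is enabled, dnsmasq writes one `query[TYPE] name from client` line per lookup, which is exactly the client-to-FQDN-to-time mapping the thread is asking for. The following is an added example (not from the poster or from any of the tools named in the thread) that parses such lines and answers two questions: which client asked for a given FQDN, and which clients queried domains under the suspect TLDs the Suricata rules flagged (`.top`, `.pw`). The log lines are constructed for the example; the timestamp/PID prefix assumes the default syslog-style layout dnsmasq uses when `log-facility` points at a file.

```python
import re
from collections import defaultdict

# Line dnsmasq emits with `log-queries` on (assumed default layout):
# "<syslog timestamp> dnsmasq[<pid>]: query[<type>] <name> from <client>"
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+dnsmasq\[\d+\]:\s+"
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)$"
)

# Constructed sample log, not taken from the poster's router. The domains
# are the ones named in the thread; the clients and times are made up.
# A query "from 127.0.0.1" is the usual signature of a process on the
# router itself resolving through the local dnsmasq.
SAMPLE_LOG = """\
Feb 26 05:20:01 dnsmasq[31088]: query[A] www.example.com from 192.168.1.50
Feb 26 05:20:01 dnsmasq[31088]: forwarded www.example.com to 9.9.9.9
Feb 26 05:20:01 dnsmasq[31088]: reply www.example.com is 93.184.216.34
Feb 26 05:20:03 dnsmasq[31088]: query[A] dgafgadsgkjg.top from 192.168.1.77
Feb 26 05:20:04 dnsmasq[31088]: query[AAAA] us.bookofstorage.pw from 127.0.0.1
Feb 26 05:20:09 dnsmasq[31088]: query[A] bigdata.adsunflower.com from 192.168.1.77
Feb 26 05:20:10 dnsmasq[31088]: cached www.example.com is 93.184.216.34
"""

# TLDs the ET DNS rules in the thread treat as likely hostile.
SUSPECT_TLDS = ("top", "pw")


def parse_queries(text):
    """Return (timestamp, client, qtype, name) for every query line.

    Non-query lines (forwarded/reply/cached) are skipped on purpose:
    only the query line carries the requesting client's address.
    """
    out = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            out.append((m["ts"], m["client"], m["qtype"], m["name"].lower()))
    return out


def lookups_for(name, queries):
    """Which clients asked for this FQDN, and when (the thread's question)."""
    wanted = name.lower().rstrip(".")
    return [(ts, client) for ts, client, _, n in queries
            if n.rstrip(".") == wanted]


def suspect_by_client(queries, tlds=SUSPECT_TLDS):
    """Group queries whose last label is in `tlds`, keyed by client address."""
    grouped = defaultdict(list)
    for ts, client, _, name in queries:
        tld = name.rstrip(".").rsplit(".", 1)[-1]
        if tld in tlds:
            grouped[client].append((ts, name))
    return dict(grouped)


if __name__ == "__main__":
    # Typical use would be: parse_queries(open("/tmp/dnsmasq.log").read())
    qs = parse_queries(SAMPLE_LOG)
    for ts, client in lookups_for("bigdata.adsunflower.com", qs):
        print(f"{ts}  {client}  queried bigdata.adsunflower.com")
    for client, hits in suspect_by_client(qs).items():
        print(f"{client}: {hits}")
```

On a router, point `parse_queries` at the real `/tmp/dnsmasq.log`; if the interesting queries show up as coming from `127.0.0.1` rather than a LAN address, that is consistent with the router's own processes being the requester, which is what the original post suspected.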
 
it's probably overkill but if you install Diversion and uiDivStats, uiDivStats collects all dnsmasq queries into a SQLite db. You can then query this yourself. The last 5000 or so queries are displayed in "realtime" on uiDivStat's webpage itself. https://github.com/jackyaz/uiDivStats

Diversion itself isn't strictly needed for the query logging (you just need dnsmasq logging) but as it stands the script itself requires Diversion.
 
Oh, thanks! This looks like what I was asking for (and much more, actually). Can I ask you why you say it'd be overkill? Does it imply quite some load on the machine? (I'd be interested since Suricata is already eating up enough of it ...)
 
Overkill in that you might not need a router-level ad-blocking solution. If you do, then Diversion is just the ticket!
 
I see. New to Diversion, I was wondering: can you use Diversion without asking it to actually block ads? I.e. only for my purposes? (I would later test the ad-blocking as well, but I'm on a tight working schedule so I couldn't cope with complaints from the family if something starts to work/load strangely).
 
Yes, in the diversion menu, choose option a to disable the ad-blocking.
 
So I went on installing both Diversion and uiDivStats (actually keeping ad-blocking on to start with), via amtm (installed that too). It apparently went well, but since yesterday evening it has not blocked any requests and not logged any DNS query. The command line shell confirms that: 65,222 blocked domains by 1 hosts file(s) 0 t 0 w 0 n ads since Feb 26 05:20
while the uiDivStats tab in the GUI confirms there is nothing to report. As the Diversion Statistics area suggests "If you are seeing this message, it means you don't have a weekly stats file from Diversion present on your router.
Please check that weekly stats are enabled in Diversion, menu options c 2", I've made sure right away to activate the statistics:
2. Diversion stats stats:file,body,save
I've also manually forced compilation of the statistics file a few times (until now) but they're empty as well. I've checked and it seems pixelserv is running as expected:
Code:
pixelserv 31088  nobody    5u  IPv4  999413      0t0  TCP 192.168.1.2:https (LISTEN)
pixelserv 31088  nobody    6u  IPv4  999414      0t0  TCP 192.168.1.2:www (LISTEN)

Have I done something wrong? Or is it enough that I have DNS-Filtering enabled (OpenDNS Family)?

Also, I should point out that I don't have a Diversion tab in the LAN section of the GUI as I've seen in some screenshots here on the forum (perhaps it's something you install explicitly?)
 
DNS Filter should be set to Router (so Diversion/dnsmasq process DNS queries) with WAN DNS set to OpenDNS Family.
 
Your suggestion made me aware of an error I had in my configuration, thanks! In DNS Filter I had specific clients configured with OpenDNS Family (mostly kids) and that was intended, but it was wrong that I also had the Global Filter mode set to OpenDNS Family instead of Router. Now I've changed this and Diversion kicked off.
However, just as I start to understand how it works, I've tried DNS-filtering my own machine's IP and it stopped being logged in Diversion. So it looks like I can either have Diversion or DNS-filtering indeed (either globally or per-client).

Would the only way to have both be to follow your suggestion to set DNS-Filtering to Router and then set the WAN DNS to OpenDNS Family? I'm perplexed about this because it would:
a) apply to all clients, and I'd rather keep my clients e.g. completely free (though not that much of an issue in the very end)
b) I would have to give up my current DNSes (Quad9 and Cloudflare) that I set at the external firewall level (a ZyXEL USG) and that are hence automatically used by the Asus router in its WAN setup (as the ZyXEL is its gateway)

(All this because I can right-away see the benefits of the adblocking which I never considered before, so as I said I'm starting with it and if anyone complains I'll see).

P.S. Should I say that I also have Skynet up and running?
 