Thursday, January 1, 2015

Monitor Outgoing Internet Connections - #3 (continued)

Originally posted at the OpenWRT forum: https://forum.openwrt.org/viewtopic.php?pid=259403#p259403


2015 New Year's update... with mixed results
I was able to spend some time again on my DNS logger setup.
Connected OpenWRT router inside local LAN
This took some time and effort, I finally bridged the LAN/WAN interfaces and simply connected the OpenWRT router on the WAN port with the LAN port of my home router. I certainly need to clean up this configuration....
Changed DNS configuration to ensure all LAN clients resolve via OpenWRT
Make sure to change the DNS setup properly, otherwise you may end up with a loop like this:
- OpenWRT resolves from its gateway (=home router)
- home router in turn resolves from OpenWRT on the LAN
First, I forward DNS requests from OpenWRT to my cable modem or the internet:
nano /etc/dnsmasq.conf
#forward DNS requests to public DNS - e.g. Google
server=8.8.8.8
server=8.8.4.4
Since we are already in the dnsmasq config file, let's make some changes to the logging:
# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
log-queries
log-facility=/root/dnslog.txt
log-async=10
Let's restart the dnsmasq service to apply the new config:
/etc/init.d/dnsmasq restart
Second, I changed the DNS settings on my home router (Fritzbox/Internet/Zugangsdaten) to the IP of my OpenWRT router and applied the changes.
Nice, I can see the log file growing and don't need to monitor the syslog anymore!

Now I can see all DNS queries in the dnslog.txt file:
root@OpenWrt:~# head dnslog.txt -n 20
Jan  1 13:48:49 dnsmasq[1339]: started, version 2.71 cachesize 150
Jan  1 13:48:49 dnsmasq[1339]: compile time options: IPv6 GNU-getopt no-DBus no-i18n no-IDN DHCP no-DHCPv6 no-Lua TFTP no-conntrack no-ipset no-auth no-DNSSEC
Jan  1 13:48:49 dnsmasq[1339]: using local addresses only for domain lan
Jan  1 13:48:49 dnsmasq[1339]: using nameserver 8.8.4.4#53
Jan  1 13:48:49 dnsmasq[1339]: using nameserver 8.8.8.8#53
Jan  1 13:48:49 dnsmasq[1339]: reading /tmp/resolv.conf.auto
Jan  1 13:48:49 dnsmasq[1339]: using local addresses only for domain lan
Jan  1 13:48:49 dnsmasq[1339]: using nameserver 8.8.4.4#53
Jan  1 13:48:49 dnsmasq[1339]: using nameserver 8.8.8.8#53
Jan  1 13:48:49 dnsmasq[1339]: using nameserver 192.168.0.1#53
Jan  1 13:48:49 dnsmasq[1339]: using nameserver 192.168.178.1#53
Jan  1 13:48:49 dnsmasq[1339]: read /etc/hosts - 1 addresses
Jan  1 13:48:49 dnsmasq[1339]: read /tmp/hosts/dhcp - 0 addresses
Jan  1 13:48:51 dnsmasq[1339]: query[A] ic.1f12ded8.017dfd.1.amazonmmd.loris.llnwd.net from 192.168.178.1
Awesome! Success!
All my LAN clients are now resolving their DNS requests on my OpenWRT router.
root@OpenWrt:~# grep "query\[A" dnslog.txt
Jan  1 13:48:51 dnsmasq[1339]: query[A] ic.1f12ded8.017dfd.1.amazonmmd.loris.llnwd.net from 192.168.178.1
Jan  1 13:48:52 dnsmasq[1339]: query[A] amazonmmd-mmd-cust.lldns.net from 192.168.178.1
Jan  1 13:49:56 dnsmasq[1399]: query[A] www.amazon.de from 192.168.178.1
Jan  1 13:50:56 dnsmasq[1399]: query[A] spectrum.s3.amazonaws.com from 192.168.178.1
Jan  1 13:51:09 dnsmasq[1399]: query[A] www.amazon.de from 192.168.178.1
Jan  1 13:51:51 dnsmasq[1399]: query[A] clients4.google.com from 192.168.178.1
Jan  1 13:52:27 dnsmasq[1399]: query[A] mail.google.com from 192.168.178.1
Jan  1 13:53:00 dnsmasq[1399]: query[A] plus.google.com from 192.168.178.1
Jan  1 13:53:05 dnsmasq[1399]: query[A] apple-mobile.query.yahooapis.com from 192.168.178.1
Jan  1 13:53:05 dnsmasq[1399]: query[A] csi.gstatic.com from 192.168.178.1
Jan  1 13:53:06 dnsmasq[1399]: query[A] p32-keyvalueservice.icloud.com.akadns.net from 192.168.178.1
But....hey!!! Why is my Fritzbox simply forwarding DNS and not handing out the DNS server?
I can see that all DNS requests really are received and answered on OpenWRT. But as you can see above, the entries are all coming from the same IP (x.x.178.1), which is the IP of the Fritzbox.
Checking ipconfig on my home PC, I realize that the Fritzbox is NOT handing out the new DNS server to the clients; instead it forwards their queries itself. After I manually changed the DNS server on my PC, I can also see which client is logged:
Jan  1 14:05:24 dnsmasq[1399]: query[A] notepad-plus-plus.org from 192.168.178.38
How do I change DNS settings on all my clients in the LAN?
So... how do I convince my home router to hand out the DNS server instead of simply forwarding? I don't want to manually change the DNS settings on all my devices. Of course, I could replace my home router with the modded OpenWRT unit altogether, but then I can't play around with OpenWRT anymore (or I get another WDR3600 unit?).
Next exercise: Log analysis and scripting
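As an added example, not part of the original post, here is a small POSIX sh/awk script (BusyBox on OpenWRT has both) that digests the query[...] lines of dnslog.txt per client and per domain, and computes what share of all queries comes from the single busiest client. A share near 100% is exactly the forwarding situation described above, where everything appears to come from the Fritzbox at x.x.178.1. The sample log is constructed in the same format as the page's dnslog.txt, and the function names are my own.

```shell
#!/bin/sh
# Added example: summarise dnsmasq query lines from a log written with
# "log-queries" / "log-facility=/root/dnslog.txt" (see the config above).
# Field layout of a query line, as awk splits it on whitespace:
#   $1 $2 $3 $4              $5        $6      $7   $8
#   Jan 1  13:48:51 dnsmasq[1339]: query[A] host from 192.168.178.1

# Constructed sample log (same format as the page's dnslog.txt).
SAMPLE_LOG="${TMPDIR:-/tmp}/dnslog_sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan  1 13:48:49 dnsmasq[1339]: started, version 2.71 cachesize 150
Jan  1 13:48:51 dnsmasq[1339]: query[A] www.amazon.de from 192.168.178.1
Jan  1 13:49:56 dnsmasq[1339]: query[A] www.amazon.de from 192.168.178.1
Jan  1 13:51:51 dnsmasq[1339]: query[AAAA] clients4.google.com from 192.168.178.1
Jan  1 14:05:24 dnsmasq[1399]: query[A] notepad-plus-plus.org from 192.168.178.38
Jan  1 14:05:25 dnsmasq[1399]: reply notepad-plus-plus.org is 203.0.113.10
EOF

# queries_per_client FILE: prints "count client-ip", busiest client first.
queries_per_client() {
    awk 'substr($5, 1, 6) == "query[" { n[$8]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# top_domains FILE: prints "count domain", most queried name first.
top_domains() {
    awk 'substr($5, 1, 6) == "query[" { n[$6]++ }
         END { for (d in n) print n[d], d }' "$1" | sort -rn
}

# forwarder_share FILE: integer percentage of all queries that arrive from
# the single busiest client. Near 100 means one box (here the home router)
# is forwarding on behalf of every LAN host, so per-client visibility is lost.
forwarder_share() {
    awk 'substr($5, 1, 6) == "query[" { n[$8]++; total++ }
         END { max = 0; for (ip in n) if (n[ip] > max) max = n[ip]
               if (total) printf "%d\n", 100 * max / total; else print 0 }' "$1"
}

echo "queries per client:";  queries_per_client "$SAMPLE_LOG"
echo "top domains:";         top_domains "$SAMPLE_LOG"
echo "share of busiest client: $(forwarder_share "$SAMPLE_LOG")%"
```

Point the functions at /root/dnslog.txt instead of the sample file to run this on the router itself.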