On 12/02/2018 08:40, Jason Timmins wrote:
> Hi There,
>
> Is it possible, with Shorewall or otherwise, to capture all DNS packets and
> extract the URL they are looking up?
IMHO, you're approaching an issue that is "wider" than what it seems, at first.

Shorewall can surely "filter" standard DNS query packets (UDP/53), and it can also "act" based on their payload (to "match" for some specific hostname to be resolved, as an example). Actually I've been able to "stop" a not-so-complex DNS-bombing attack toward one of my DNS servers by applying something similar to this:

https://sourceforge.net/p/shorewall/mailman/shorewall-users/thread/1063501265.9331018.1380569265379.JavaMail.root%40playsrl.it/#msg31464706

And I'm also sure that you can "tune" such a technique to better suit your needs.

_BUT_:

1) this is not 100% in line with "...extract the URL...": the "extraction" you're referring to may require some additional treatment. And this depends on the exact problem you're trying to solve;

2) not 100% of DNS queries are UDP/53 based and, actually, there are plenty of DNS query types: matching _ALL_ of them by filtering the payload of UDP/53 _AND_ TCP/53 can be really challenging.

Also, as your needs seem to be specific to your own environment:

> We'd like to use this to monitor user
> activity via our firewall.

I would suggest a different approach: a Layer-7 LOG (instead of L3). In other words: forcing your users to refer _ONLY_ to your official internal DNS server (by filtering, with Shorewall, outgoing UDP/53 and TCP/53) and, then, asking such official DNS to simply _LOG_ _ALL_ the queries it receives and processes.

With such a simple approach, you'll easily get _LOTS_ of details (including "query details" and "client IP"). Details that are challenging to retrieve with other techniques.

If, for some reason, you cannot block access to external DNS, then another chance could be to rely on an IDS-like tool, like "bro" [1], that successfully supports DNS activity reconstruction [2].

All the above does _NOT_ mean that Shorewall is "bad". Shorewall is really great, powerful and definitely useful. But it's a firewall. And it provides its best when used accordingly.

HTH

Bye,
DV

P.S.: obviously, depending on the volume of the queries, you could immediately find another _BIG_ issue: once you have 90M queries _PER_DAY_, having them written somewhere.... is quite useless. You have to properly store, process, and visualize them....to find "issues" and/or "security concerns". And that's a completely different story.

[1] https://www.bro.org/
[2] https://www.bro.org/sphinx/scripts/base/protocols/dns/main.bro.html

--
Damiano Verzulli
e-mail: dami...@verzulli.it
---
possible?ok:while(!possible){open_mindedness++}
---
"Technical people tend to fall into two categories: Specialists and Generalists. The Specialist learns more and more about a narrower and narrower field, until he eventually, in the limit, knows everything about nothing. The Generalist learns less and less about a wider and wider field, until eventually he knows nothing about everything." - William Stucke - AfrISPA
http://elists.isoc.org/mailman/private/pubsoft/2007-December/001935.html
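The "force everyone through the official resolver and log there" approach described in the reply, as an added example (not code from the original post or from the Shorewall project): Shorewall `rules` entries that let LAN clients reach only the internal resolver and reject, with a log entry, any other outbound DNS attempt. The zone names `loc`, `dmz` and `net`, and the resolver address 192.0.2.53, are assumed; the query logging itself is then configured on the resolver, which is outside this fragment.

```conf
# /etc/shorewall/rules (excerpt). Assumed zones: loc = LAN clients,
# dmz = where the official resolver lives, net = Internet.
# 192.0.2.53 is a placeholder for the internal resolver's address.
# Rules are matched in order and take precedence over the policy, so the
# ACCEPT lines must come before the REJECT lines.
#ACTION        SOURCE            DEST              PROTO   DPORT
# 1. Clients may query the official resolver, UDP and TCP 53.
ACCEPT         loc               dmz:192.0.2.53    udp     53
ACCEPT         loc               dmz:192.0.2.53    tcp     53
# 2. The resolver itself may recurse to the Internet.
ACCEPT         dmz:192.0.2.53    net               udp     53
ACCEPT         dmz:192.0.2.53    net               tcp     53
# 3. Any other outbound DNS from the LAN is rejected and logged at "info",
#    so attempts to bypass the resolver show up in syslog with the client IP.
REJECT:info    loc               net               udp     53
REJECT:info    loc               net               tcp     53
```

The pairs of udp/tcp lines can be collapsed with Shorewall's `DNS` macro (e.g. `DNS(REJECT):info loc net`), which expands to both protocols on port 53.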