Domain Logging Per Client
-
Hey,
I'd like to monitor the traffic on my network. I've blocks in place via pfBlockerNG but I'd still like to review the domains accessed (not the specific URLs, only the high level domain). I was hoping ntopng could help me; the flow feature displays the domains hit by a specific client, which is what I need. The only issue is it's only live traffic and what I require is a historical view. From what I can see ntopng provides this option in their very expensive ntopng Enterprise M edition, but that's a bit too pricey for a household so I'm hoping for other options. Does anyone know of other ways I can achieve this and also have a guide I can reference for step by step setup?
Many Thanks
-
@Lockie pfblocker may be able to do this?? I am not sure, I don't use it for blocking, I only use it for aliases that I use in my rules.
Sounds like you're wanting to see what dns client A does, what client B does and what C does and be able to easily filter on a specific client. If so pihole does that very well. And the eyecandy (graphs and such) is pretty. I had been using that since it came out and never switched to pfblocker for my blocking needs because pihole does it so well.
I know pfblocker can block like pihole, just not clear on the specific reports you can get, etc. Nice thing with pfblocker is it just runs right on your pfsense.. With pihole you need something else to run it on, either a pi or similar sort of little device, or a vm/docker you run on something else on your network.. I run it on pi, because well I have a few of them ;)
-
@Lockie You can enable DNS reply logging in pfBlockerNG. That will log all DNS requests done by clients, but nothing is obviously recorded about traffic and interactions with the requested names. Be aware DNS reply logging creates a very active logfile on your disk. If this is a big SSD - no issues, but if you are using a device with a small eMMC or other less durable flash device, it will wear out rather quickly.
-
@johnpoz said in Domain Logging Per Client:
. If so pihole does that very well.
I did wonder if it did, so on Pihole you can see a clear list of text addresses (domains) that each device has visited? Perhaps I should try that then. I think I've seen that you can couple it with pfSense.
-
@keyser It is running on an SSD so I think this might be ok. Worth a go at least before I look at pihole.
Is the setting required "DNS Reply"? Mine is currently set to 20,000. If so, where do I go from there to view the domains?
Many Thanks
-
@keyser I think I might have it. I switched pfblockerng > DNSBL > DNSBL Mode to Unbound python mode. As it notes, this will allow logging of DNS Replies. Then in Reports > DNS Reply > Alert Filter, I can define a device by IP to view the domains and times. Perfect! Thanks very much
-
@Lockie happy to help