Simple DNS log per host? Pfblocker? Ntopng?

MikeGraw376

Thanks and good points. I’ll head over to the pfblocker group.
Meanwhile I ran a google search for ntopng logging. It led me towards an area I don’t want to go: dumping logs to an ELK server. I have no servers running that can run an ELK stack and I have no knowledge whatsoever doing CLI / unix stuff.

Actually I’m thinking maybe pfsense is not for me, and should have chosen a different concept for a router.

Mike

A Former User

@mikegraw376 Don't give up on pfsense too quickly. It's not a full on NG firewall right out of the box, but it's good stuff and you can't beat the price ;)

MikeGraw376

@jwj thanks for your encouragement :-). Actually I absolutely love the GUI and how straightforward and solid it works. Before this I used a USG 4 pro. I had VLANs, UniFi cameras in Separate VLANs with static mappings and granular FW rules using only some ports. I managed to transfer all that to pfsense without a pain and it’s all working great.
However some of the reasons to go pfsense route were:

• more processing power -> USG performs poorly for IPS
• pfblocker and custom whitelist / blacklist
• FttH config
• DNS logging
  So far it delivers on the first three goals.

Mike

A Former User

@mikegraw376 I also came from a USG. The Unifi stuff is a great concept. It just seams like they got 60% done and called it a day to go make IoT stuff.

I also had great desire to do detailed DNS logging. I followed a path not unlike you. Looked at ntop and really wanted pfblocker to have DNS logging beyond what was blocked. In the end I found it just wasn't all that worthwhile. Too much noise to recognize the signal. I do find pi-hole useful. It's really easy to configure different block lists for different groups of hosts. You can also search for specific hosts or domain names trivially. It's just knowing what to look for in all of the data that is challenging.

Anyhow, I think you'll find this forum useful. You can get the attention of Netgate employees and other professional network and security engineers. All for free... I have learned a ton here.

MikeGraw376

@jwj thanks for sharing your story. I think I have found an acceptable solution for now. Agonising over where to push the logs to (don’t have any Linux servers) I suddenly realised I have a synology NAS. I ran a google search for “synology syslog”, I set it up and I’m now feeding the pfsense dns resolver logs.
On the synology I can filter on client IP address so I get a pretty good list of domain names.
Already I can see it’s a lot of noise, as you said. But so far I kinda like it, it’s what I’ve wanted to have for a few years but could not get on the USG.
Best, Mike

A Former User

@mikegraw376 That's great! I love remote syslog.

beachbum2021

softd will log your traffic but most of the free softwares are not good, EventSentry is nice but they want my retirement for a license. If we could log the URLs visited as part of the ntop config that would be nice, there's a feature named Active Monitoring but I dont see it listed in the GUI anywhere. THe closest I came was the interface Interface >Protocol history which isnt timestamped or granular.

bingo600

@mikegraw376

Just something to be aware of.

You might be able to log DNS from IoT devices for now ... simple queries.

But DoH will interfere with that soon (terrible)

If your kids are using Chrome , they'll (chrome will) bypas normal DNS, and use DoH.

All you will see is a series of HTTPS requests.
/Bingo

MikeGraw376

@bingo600 said in Simple DNS log per host? Pfblocker? Ntopng?:

@mikegraw376
If your kids are using Chrome , they'll (chrome will) bypas normal DNS, and use DoH.

All you will see is a series of HTTPS requests.

Thanks for that, I heard about this before. I’m not all that worried yet. DoH still has to be enabled manually at this point and my family members don’t have a clue about IT so I can still service all devices and disable it where applicable.
We mostly use macs and iOS devices.

You reckon IoT crap will start to use DoH anytime soon?

Mike

bingo600

@mikegraw376 said in Simple DNS log per host? Pfblocker? Ntopng?:

You reckon IoT crap will start to use DoH anytime soon?

Depends ....
DoH will enable the company to "sniff" all your requests , as they could use DoH servers they control. For Google i'd say yes (speakers etc) , just to collect more info.

For an ESP8266 WiFi switch ...
It would prob depend on if they are already using HTTPS for fw-update or registering , then the code is already in the device.
A small company they would prob not have own DoH servers, so they will claim security as the benefit.

In general i'd say for smaller companys ... Not yet.

/Bingo

MikeGraw376

@bingo600
Insightful, thanks. As I’m allergic to data collectors, tracking, sniffing etc I don’t use any google products. We use the apple Ecosystem exclusively for our personal devices. Then I have synology, UniFi and now pfsense.
I’m thinking about Philips hue, put them in a sealed off VLAN,
Actually I don’t want them to phone home and scramble it, I don’t want them to know when I turn on my lights.

A Former User

@mikegraw376 The bulb talks to some service, your controller app then talks to that service to control the bulb. That's how I(nternet!)oT works. It's not local. So, yeah, they are going to know when you turn your lights on and off. A selling point is you can turn off the lights from the beach halfway around the world.

Issue is they're often easy to compromise and turn into zombie agents of bad stuff.

Smart phone that knows your every step. Credit cards that know your every purchase. Facial recognition in your city. Let's not loose sight of the forest while we worry about the trees.

bingo600

@mikegraw376 said in Simple DNS log per host? Pfblocker? Ntopng?:

I’m allergic to data collectors, tracking, sniffing etc I don’t use any google products.

Me neither , have the same attitude.

And i have a PinePhone , to avoid tracking there (well i can't avoid GSM Mast location) but else ...

@jwj

Let's not loose sight of the forest while we worry about the trees.

I'm doing my "forrest" one tree at a time, since i cant do them all.

/Bingo

MikeGraw376

@jwj valid points. Phones and facial recognition we can’t control. I just don’t want to help burglars giving them “nobody’s home, please come in” invitations. This is especially relevant during summer holidays, where we will be away for weeks.

Mike

A Former User

@bingo600 If you don't want someone to know when you turn your lights off you can't have IoT light bulbs. Simple. The genie is out of the bottle and F'n around with DNS or firewall rules isn't going to put him back in.

What happens to these companies when they screw up their security and let somebody steal the data? Never update the firmware and the devices get turned into bots? Nothing much. Slap on the hand. Small fine. They don't care. Caring costs too much money. All the while people still line up to buy their stuff. It's an own goal.

MikeGraw376

@jwj I suppose that was addressed to me :-). Well you are right, maybe I’ll stick with a dumb home for now instead of a smart home.
Mike

bingo600

@jwj said in Simple DNS log per host? Pfblocker? Ntopng?:

@bingo600 If you don't want someone to know when you turn your lights off you can't have IoT light bulbs. Simple. The genie is out of the bottle and F'n around with DNS or firewall rules isn't going to put him back in.

It depends .... on your capabilities
I have put Tasmota FW in my Sonoff wifi switches , now i can control them via "local web" & VPN

If i had HUE i'd look for something like this, and kick out the genie.
https://diyhue.org/#primary
https://diyhue.github.io/

/Bingo

A Former User

@bingo600 I imagine that took some time and effort. Sounds kinda cool. Have you looked at the source of that firmware? Trust it 100%.

The investment in time and effort to worry about light bulbs while using credit cards and mobile phones is upside down. Big effort for little things. Little effort for big things. That's the point I'm trying to make. By all means, if you can have your smart switches privately do so!

Take smart TV's. It sucks that they track everything. But I'm not all that worried that LG knows I watch Gilligan's Island at 3pm on Tuesdays. I have better things to do than worry about that.

The genie I am talking about is surveillance capitalism. Some of the wealthiest companies in the world exist on that business model. Making one set of smart home switches go dark has done F all to put the genie back in the bottle.

bingo600

@jwj said in Simple DNS log per host? Pfblocker? Ntopng?:

@bingo600 I imagine that took some time and effort. Sounds kinda cool. Have you looked at the source of that firmware? Trust it 100%.

Yepp i rebuild it my self from source.
The main point is to get away from the "Cloud" , and control it locally via LAN/VPN.
Then everything is "just firewalling" ...

Downside . The "fancy" Manufactor APP on your phone, will not work.
So there is a tradeoff.

But there are several "home server" web based systems , that makes things neat.

I like this one
https://www.home-assistant.io/

This is also polular
https://www.openhab.org/

/Bingo

MikeGraw376

@jwj I respectfully disagree. credit cards don’t expose my whereabouts other than inside the CC company. iPhones don’t do that either. IoT stuff is much easier to break in to and gives more insight in our home security.

That said, I don’t believe burglars will go through so much trouble hacking and analysing smart home stuff for our type of home. We’re not millionaires with large villas.

I suppose it’s a matter of risk (still tiny with careful VLAN segregating) and whether or not we will accept that risk to be able to enjoy the tech.
Mike