Why log all DNS lookups?
This tutorial is for OpenWRT Chaos Calmer. However, with slight tweaks and understanding the gist of the setup described here, you should be able to get this to work with other versions.
I believe that most public DNS servers log lookups, whether they say so publicly or not. Why? For gathering analytics (market research), to curb abuse, etc.
OpenDNS is a free public DNS service provider. It offers a logging feature whose records you can view yourself, but some configuration is required to get this to work.
In order for OpenDNS to gather these details on your behalf, you must inform it of your current public IP address so that it can log your queries and correlate them to you. Why? No user identity information is attached to DNS query payloads, so correlating by your current IP address is the simplest method. Updating OpenDNS with your address can be automated using OpenWRT.
Firstly, we need an account on DNS-O-Matic and OpenDNS to maintain logs.
We need to configure OpenWRT to update OpenDNS via the DNS-O-Matic service whenever the public IP address changes, e.g. after a router reboot, or when the WAN link drops and reconnects.
Note: These steps are for OpenWRT Chaos Calmer.
Important: Depending on available space on your router, you may have to resort to using non-SSL options.
System > Software
Use the following update URL, without substituting anything:
http://[USERNAME]:[PASSWORD]@updates.dnsomatic.com/nic/update?hostname=all.dnsomatic.com&myip=[IP]&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG
Log in to DNS-O-Matic. You should be able to see your current IP address and a history of updates. The IP should match what you see on What Is My IP. Within a couple of hours, DNS statistics should appear on your OpenDNS Dashboard under Stats.
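What the router's DDNS client does with the update URL above, shown as an added POSIX sh example written for this page (it is not the tutorial's own script and not OpenWrt's ddns-scripts package): it fills the [USERNAME], [PASSWORD] and [IP] placeholders, sends the request only when the public address has changed since the last accepted update, and checks the reply before recording the new address. Assumed, and not taken from the tutorial: credentials in the DDNS_USER and DDNS_PASS environment variables (already percent-encoded if they contain characters that are reserved in a URL), a state file path in STATE_FILE, and DynDNS2-style replies where "good <ip>" or "nochg <ip>" means success.

```shell
#!/bin/sh
# Added example (not from the tutorial, not OpenWrt's ddns-scripts): a minimal
# DNS-O-Matic updater. Assumptions: DDNS_USER/DDNS_PASS hold URL-safe
# credentials, STATE_FILE remembers the last address accepted by the server,
# and the server answers in DynDNS2 style ("good <ip>" / "nochg <ip>").

TEMPLATE='http://[USERNAME]:[PASSWORD]@updates.dnsomatic.com/nic/update?hostname=all.dnsomatic.com&myip=[IP]&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG'
STATE_FILE=${STATE_FILE:-/tmp/dnsomatic.lastip}

# Replace the first occurrence of token $2 in $1 with $3 using only shell
# parameter expansion (no sed), so no escaping of the credentials is needed.
replace_token() {
    tok=$2
    case $1 in
        *"$tok"*)
            pre=${1%%"$tok"*}
            post=${1#*"$tok"}
            printf '%s%s%s' "$pre" "$3" "$post" ;;
        *) printf '%s' "$1" ;;
    esac
}

# Fill the three placeholders of the template: $1 user, $2 password, $3 public IP.
build_update_url() {
    url=$(replace_token "$TEMPLATE" '[USERNAME]' "$1")
    url=$(replace_token "$url" '[PASSWORD]' "$2")
    replace_token "$url" '[IP]' "$3"
}

# Accept only a dotted-quad IPv4 address, so nothing else can end up in the URL.
is_ipv4() {
    case $1 in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    rest=$1. ; n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        n=$((n + 1))
        [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# An update is needed only when $1 differs from the address stored in file $2.
ip_changed() {
    [ -r "$2" ] && [ "$(cat "$2")" = "$1" ] && return 1
    return 0
}

# DynDNS2-style reply (assumption): "good <ip>" or "nochg <ip>" means accepted.
update_succeeded() {
    case $1 in
        good|good\ *|nochg|nochg\ *) return 0 ;;
        *) return 1 ;;
    esac
}

# Perform the HTTP request with curl, or busybox wget on a small router image.
send_update() {
    if command -v curl >/dev/null 2>&1; then
        curl -fsS --max-time 20 "$1"
    else
        wget -qO- "$1"
    fi
}

# Entry point: dnsomatic_update <public-ip>. Call it from an ifup/hotplug hook
# or cron; it contacts DNS-O-Matic only when the address actually changed.
dnsomatic_update() {
    ip=$1
    is_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
    ip_changed "$ip" "$STATE_FILE" || { echo "IP unchanged, nothing to do"; return 0; }
    url=$(build_update_url "${DDNS_USER:?set DDNS_USER}" "${DDNS_PASS:?set DDNS_PASS}" "$ip")
    reply=$(send_update "$url") || { echo "request failed" >&2; return 1; }
    if update_succeeded "$reply"; then
        printf '%s' "$ip" > "$STATE_FILE"
        echo "updated: $reply"
    else
        echo "rejected: $reply" >&2
        return 1
    fi
}
```

Source the file and call dnsomatic_update with the address you see on What Is My IP (or from your WAN interface, if it is not behind another NAT). Keeping the last accepted address in STATE_FILE avoids re-sending the credentials on every run, and if the router has room for the SSL packages, switch the template to https so they do not travel in clear text on each update.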
The router’s DHCP server should have assigned itself as the DNS server for all DHCP clients on your network. However, a client may deliberately choose to perform lookups against a different server. If you want to log every DNS lookup, you have to redirect all DNS queries to the router’s DNS forwarder.
In OpenWrt, navigate to Network > Firewall > Custom Rules. Add the following lines:
# Redirect DNS requests to go through router
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 53
# DNS also runs over TCP (truncated UDP answers are retried over TCP), so redirect it as well
iptables -t nat -A PREROUTING -i br-lan -p tcp --dport 53 -j REDIRECT --to-port 53
Note: This requires the iptables package to be installed.
Be sure to replace br-lan with your LAN interface name if it is different.