Configuring OpenWRT and OpenDNS to log all DNS lookups
Why log all DNS lookups?
- To list websites visited by you or any computer served by your router
- To assist in identifying the presence of malware
This tutorial is for OpenWRT Chaos Calmer. However, with slight tweaks and an understanding of the gist of the setup described here, you should be able to get this to work with other versions.
How does it work?
I believe that most public DNS servers log lookups, whether they declare it publicly or say nothing about it. Why? For gathering analytics (market research), to curb abuse, etc.
OpenDNS is a free public DNS service provider. It has a logging feature whose log records you can view, but some configuration is required to get this to work.
In order for OpenDNS to gather these details on your behalf, you must inform it of your current public IP address so that it can log lookups and correlate them to you. Why? No user identity information is attached to DNS query payloads, so correlating by your current IP address is the simplest method. Updating OpenDNS with that address can be automated using OpenWRT.
OpenDNS DNS-O-Matic setup
Firstly, we need an account on DNS-O-Matic and OpenDNS to maintain logs.
- Sign up for a DNS-O-Matic account. Use a password without special characters; as far as I remember, they caused issues with the configuration on OpenWRT. You can compensate for the loss of password strength by increasing its length.
- Using the same login credentials, sign in at https://dashboard.opendns.com/
- Under Settings, label your network with a name. I call it ‘Home’
- Under ‘Settings for:’, select <Your network label>
- Click on Stats and Logs
- Enable stats and logs
- Go back to DNS-O-Matic
- Add a service, OpenDNS
- Select your home network
We need to configure OpenWRT to update OpenDNS via the DNS-O-Matic service whenever the public IP address changes, e.g. after a router reboot or when the WAN link drops and reconnects.
Note: These steps are for OpenWRT Chaos Calmer.
Important: Depending on available space on your router, you may have to resort to using non-SSL options.
- Navigate to System > Software
- Update lists
- If you want to use SSL, install
- If you do not want to, or are unable to, use SSL, install
- Navigate to Service > Dynamic DNS
- Add a new entry and call it
- Select -custom- DDNS Service provider
- Set Custom update-url to the following, entered literally, without substituting anything (the DDNS client fills in the bracketed placeholders):
http://[USERNAME]:[PASSWORD]@updates.dnsomatic.com/nic/update?hostname=all.dnsomatic.com&myip=[IP]&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG
- Set hostname to
- Enter your username and password
- Check ‘Use HTTP Secure’ if you are using the SSL option
- The [IP] part of the URL will be substituted as defined by the ‘IP address source’ and ‘Network’ fields under ‘Advanced Settings’.
- Save & Apply
Log in to DNS-O-Matic. You should be able to see the current IP address and a history of updates. The IP should be the same as what you see on What Is My IP. Within a couple of hours, DNS statistics should appear on your ‘OpenDNS Dashboard’ under Stats.
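The update that the DDNS client sends, written out as a standalone script so the exchange is visible. This is an added example, not the post's configuration or OpenWrt's ddns-scripts; it assumes curl with SSL is installed, a state file under /tmp, the script being saved as dnsomatic-update.sh, OpenWrt's network_get_ipaddr helper, and DynDNS2-style reply codes from DNS-O-Matic.

```sh
#!/bin/sh
# Added example, not the post's configuration: a minimal DNS-O-Matic updater
# equivalent to the LuCI "custom" DDNS entry. Two deliberate differences:
# credentials travel in an HTTP Basic auth header (curl -u) instead of the URL,
# and an update is sent only when the WAN address actually changed.
# Assumed: curl with SSL, the state file path, DynDNS2-style reply codes.

DNSOMATIC_USER="${DNSOMATIC_USER:-CHANGE_ME}"      # placeholder; set via environment
DNSOMATIC_PASS="${DNSOMATIC_PASS:-CHANGE_ME}"      # placeholder; set via environment
STATE_FILE="${STATE_FILE:-/tmp/dnsomatic.lastip}"  # assumed path; /tmp is RAM on OpenWrt

# Same query string as the page's custom update URL, minus the user:pass@ part.
build_update_url() {
    printf 'https://updates.dnsomatic.com/nic/update?hostname=all.dnsomatic.com&myip=%s&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG' "$1"
}

# 0 when $1 differs from the cached address (update needed), 1 when unchanged.
ip_changed() {
    [ -f "$STATE_FILE" ] && [ "$(cat "$STATE_FILE")" = "$1" ] && return 1
    return 0
}

# DynDNS2 replies: "good <ip>" / "nochg <ip>" mean the record is current.
# Anything else (badauth, abuse, 911, ...) is a failure; do not retry in a tight loop.
classify_response() {
    case "$1" in
        good*|nochg*) return 0 ;;
        *) return 1 ;;
    esac
}

# Public address of the wan interface via OpenWrt's network helper library.
current_wan_ip() {
    . /lib/functions/network.sh 2>/dev/null || return 1
    network_get_ipaddr ip wan && printf '%s' "$ip"
}
# Send the update only when needed; cache the address after DNS-O-Matic accepts it.
dnsomatic_update() {
    ip="$1"
    [ -n "$ip" ] || { echo "no WAN address" >&2; return 1; }
    ip_changed "$ip" || { echo "unchanged: $ip"; return 0; }
    reply=$(curl -fsS -u "$DNSOMATIC_USER:$DNSOMATIC_PASS" "$(build_update_url "$ip")") || return 1
    classify_response "$reply" || { echo "rejected: $reply" >&2; return 1; }
    printf '%s' "$ip" > "$STATE_FILE"
    echo "updated: $reply"
}

# Run from cron or /etc/hotplug.d/iface on "ifup wan"; skipped when the file is sourced.
[ "${0##*/}" = "dnsomatic-update.sh" ] && dnsomatic_update "$(current_wan_ip)"
```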
Redirect all DNS lookups (Optional)
The router’s DHCP server should have assigned itself as the DNS server for all DHCP clients on your network. However, a client may deliberately choose to perform lookups on a different server. If you want to log every DNS lookup, you have to redirect all DNS queries to the router’s DNS forwarder.
In OpenWrt, navigate to Network > Firewall > Custom Rules. Add the following lines:
# Redirect DNS requests from LAN clients to go through the router (UDP port 53)
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 53
Note: This requires the iptables package to be installed.
Be sure to replace br-lan with your LAN interface name if yours is different.