Configuring OpenWRT and OpenDNS to log all DNS lookups

Published: 21 January 2016 | Last updated: 26 February 2017 | Network

Why log all DNS lookups?

To list websites visited by you or any computer served by your router
To assist in identifying presence of malware

Requirements

This tutorial is for OpenWRT Chaos Calmer. However, with slight tweaks and understanding the gist of the setup described here, you should be able to get this to work with other versions.

You also need an account at DNS-O-Matic, a free service by OpenDNS. The reason is described below.

How it works

I believe that most public DNS servers log lookups whether they publicly declare or say nothing about. Why? For gathering analytics (market research), to curb abuses, etc.

OpenDNS is a free public DNS service provider. They have logging feature with log records view-able by you but some configuration is required to get this to work.

In order for OpenDNS to gather these details on your behalf, you must inform them of your current IP address so that it can log and correlate to you. Why? No user identity information is attached to DNS query payloads so correlating to your current IP address is the simplest method. The process of updating OpenDNS can be automated using OpenWRT.

Configuration

OpenDNS DNS-O-Matic setup

Firstly, we need an account on DNS-O-Matic and OpenDNS to maintain logs.

Signup for a DNS-O-Matic account. Use a password without special characters. As far as I remember, this caused issues with configuration on OpenWRT. You can compensate the loss of password strength by increasing length.
Using the same login credentials, signin at dashboard.opendns.com
Under Settings, label your network with a name. I call it ‘Home’
Settings for: <Your network label>, select this
Click on Stats and Logs
Enable stats and logs
Go back to DNS-O-Matic
Add a service, OpenDNS
Select your home network

OpenWRT configuration

We need to configure OpenWRT to update OpenDNS via DNS-O-Matic service upon change of public IP address, i.e. due to reboot of router, WAN link dropped and reconnected, etc.

Note: These steps are for OpenWRT Chaos Calmer.

Important: Depending on available space on your router, you may have to resort to using non-SSL options.

Navigate to System > Software
Update lists
If you want to use SSL, install ca-certificates and wget
If you do not want to or unable to use SSL, install wget-nossl
Install ddns-scripts and luci-app-ddns
Navigate to Service > Dynamic DNS
Add a new entry and call it dnsomatic
Select -custom- DDNS Service provider
Set Custom update-url to http://[USERNAME]:[PASSWORD]@updates.dnsomatic.com/nic/update?hostname=all.dnsomatic.com&myip=[IP]&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG without substituting anything
Set hostname to dnsomatic.com
Enter your username and password
Check ‘Use HTTP Secure’ if you are using the SSL option
The [IP] part of the URL will be substituted as defined by ‘IP address source ‘and ‘Network’ fields under ‘Advanced Settings’.
Save & Apply

Validation

Login into DNS-O-Matic. You should be able to see the current IP address and history of updates. The IP should be the same as what you see on What Is My IP. In a couple of hours, DNS statistics should appear on your ‘OpenDNS Dashboard’ under Stats.

Redirect all DNS lookups (Optional)

The router’s DHCP server should have assigned itself as the DNS server to all DHCP clients on your network. However, one may deliberately choose to perform lookups on a different server. If you want to log every DNS lookup, you have to redirect all DNS queries to the router’s DNS forwarder.

In OpenWrt, navigate to Network > Firewall > Custom Rules. Add the following lines:

# Redirect DNS requests to go through router
iptables -t nat -A PREROUTING -i br-lan -p udp --dport 53 -j REDIRECT --to-port 53

Note: This requires iptables package to be installed.

Be sure to replace br-lan with your LAN interface name in case different.

To test, configure your computer to utilise Google DNS. Then visit welcome.opendns.com where this page will tell you if you are on OpenDNS, which you should be.