how to see domain names accessed in MikroTik routers?

S

SilverNodashi

Expert Member
Joined
Oct 12, 2007
Messages
3,337
Hi,

Does anyone know how to see which domains are being accessed, when looking at the traffic using on a MikroTik router?
i.e. I'm using Torch to see what bandwidth is being used on a 60+ user network, but Torch only shows the IP's. Before I just randomly block stuff, I need to know what websites / service they're accessing.
 
Peon

Peon

Expert Member
Joined
Sep 28, 2006
Messages
3,666
Rudi, if you specify the mikrotik as DNS server you can goto IP -» DNS -» Cache

There you can see items in the DNS cache of domains queried.
 
M

Murfle

Well-Known Member
Joined
May 15, 2011
Messages
232
Peon said:
Rudi, if you specify the mikrotik as DNS server you can goto IP -» DNS -» Cache

There you can see items in the DNS cache of domains queried.
Click to expand...

Does that end up showing you what IPs the requests came from?
 
Peon

Peon

Expert Member
Joined
Sep 28, 2006
Messages
3,666
No. Let me check. I think there is a way to capture traffic and send it to wireshark and see it that way.
 
Sinbad

Sinbad

Honorary Master
Joined
Jun 5, 2006
Messages
81,151
Best bet is to set up a proxy and route all web traffic through it.
With the proliferation of CDns you won't get an idea what is being browsed from ip addresses
 
M

Murfle

Well-Known Member
Joined
May 15, 2011
Messages
232
Peon said:
No. Let me check. I think there is a way to capture traffic and send it to wireshark and see it that way.
Click to expand...

You can do a capture that is readable in wireshark easily enough. You have to copy the file over to a machine with wireshark though, unless there's a way to mount an SMB share or something... You could also write up a quick script to parse the capture file for domains accessed from which IP, and limit the capture to port 53 to reduce the filesize...

I was also considering setting up a pi-hole as our local DNS server... Might be worth looking into, as it has nice graphs and such for reports.
 
S

SilverNodashi

Expert Member
Joined
Oct 12, 2007
Messages
3,337
Thanx guys. I'm trying to stay away from setting another server / device / service just for this purpose. This particular client won't allow for it.
I need to add, the mikrotik connects to two Fiber lines and an ADSL as backup and serve as VPN for 3 distinct networks in different cities, on different IP subnets. I can see all the traffic going through the Fibre NTU's IP address, but need to establish what it is, without installing another server / device on the LAN.
 
You must log in or register to reply here.
Top