Requesting access to dns logs for collection to local machine for analysis (Splunk, etc.).

Comments

15 comments

  • landen99

    So it appears that I have OpenDNS Home VIP service which does cost money.  Regardless, I know many people who tell me that they are interested in knowing when their children go to bad sites.  This immediately invokes the need for an alert to email with details on which ip address (computer) in the network and the time history of the bad domains visited.  Other parents express an interest in knowing when their child uses the internet (especially when they are not home or asleep).  This invokes the need for an email alert with a time history with all domains listed per computer during certain configurable hours.  The fact that there have not been any votes for this indicates either that parents are not recognizing that my ideas here for logging empower them to meet those needs or that parents are simply not seeing this thread at all.  Frankly, I think that even the free services need these features because it lies at the heart of the home and of parenting needs worldwide.

    1
  • rotblitz

    You didn't say what OpenDNS service you have.  For the OpenDNS Home services the following applies:

    For a tool to collect your stats see https://support.opendns.com/entries/21691004-opendns-fetchstats

    You should not do this every 5 minutes, because stats are not real time, but appear with 1-3 hours delay.  And there are no time stamps with the domain stats.  Also, if you do it more often than once per hour, OpenDNS may become angry and may close your account.  Think about if everybody would do that, this would bring the stats service down...

    0
  • landen99

    I have the OpenDNS Home Services, but I am the Splunk SME for my company which has the enterprise license and collects the logs to Amazon Web Services.  The logs are received in real-time and indexed in real-time into Splunk.  I am big data, and this data is not as difficult as you might think.  I doubt that any reasonable solution for pulling detailed logs as they are generated would bother opendns in the slightest.  I would even be open to taking the logs to AWS as the price is quite reasonable for their services.  This isn't a difficult thing.  I have looked at the tool mentioned above and I am not happy with the level of detail (or I should say, summarization) in those logs.  I want to see every dns event separated with timestamp as distinct events.  Such a logging service plays to one of opendns' greatest strengths.  I see it every day in Splunk and it is a great idea for the Home services as well.

    0
  • rotblitz

    I'm pretty confident that OpenDNS will not give features away for free which are part of their paid services...

    0
  • landen99

    Did I mention that my company is paying for my opendns account?  Regardless, opendns can do whatever they wish to do to deliver the value of their services.  They have very good reasons for the services that they do give us for free, I am sure.  I am confident that access to the data will multiply the value of their services many times over and bring a lot more attention to opendns, and prove a very large defense against cyber criminals.  They have every reason in the world to consider this feature.  Will opendns please weigh in on this thread?

    0
  • mattwilson9090

    No, you didn't say that your company is paying for OpenDNS, however, since you keep referring to OpenDNS Home the reasonable assumption is that that is the service you are using. If so, then your company can't be paying for it, since there is no mechanism to pay for a free product.

    As for weighing in, OpenDNS generally does not provide the kind of information you are looking for, i.e. all the back-end decision considerations that go into their decision making. Sometimes they will say that something is not planned, or that something is planned for the future, but detailed information, such as how to use something or the purpose behind it is generally not discussed until a product or feature is released, or sometimes just before it is released.

    I can say however that OpenDNS Home is intended and positioned as a BASIC DNS-based filtering/security service for the home market, where the vast majority of people are lucky to get their routers plugged in and functioning. Looking at and analyzing detailed DNS logs is beyond their technical ability, knowledge level, or interest. More detailed information is available on the various paid plans, though I suspect based upon my experience providing IT services to those types of businesses that even then unless there is a dedicated IT staff (which generally means small or micro businesses) that very few businesses will be interested in that information.

    0
  • rotblitz

    "Did I mention that my company is paying for my opendns account?"

    Not that I knew.  What exact OpenDNS service would this be?

    "Will opendns please weigh in on this thread?"

    Most likely.  But not as timely as you may think.  They almost seem to wait for further comments from users and also for ideas being voted up.  So far your idea hasn't got any votes.

    0
  • rotblitz

    "So it appears that I have OpenDNS Home VIP service"

    I can assure you that OpenDNS will not offer these features with this Home use package.  They do offer it already with some Enterprise versions.  This is technically possible only by also installing software locally, not with their DNS service alone.

    "I know many people who tell me that they are interested in knowing when their children go to bad sites."

    Sure, but "visiting sites" is not what a DNS service can see anyway.  They can only show your DNS traffic, not your web traffic, because you send only DNS queries to them.  Therefore they technically cannot offer anything beyond this.  All such services and products work solely with local software implementations, at least in addition to cloud services.  As OpenDNS Home (VIP) is purely a DNS service in the cloud, they simply do not have any information about what sites have been visited in your network and by whom and what device.

    "Other parents express an interest in knowing when their child uses the internet"

    The same applies.  A DNS service has no control over your internet connection, just over your DNS traffic.

    "The fact that there have not been any votes for this indicates either that parents are not recognizing that my ideas here for logging empower them to meet those needs or that parents are simply not seeing this thread at all."

    Neither.  The parents seeing this thread may have learned that a DNS service technically cannot cover your feature request.  And if you will see votes later on, then the parents did not read what I just wrote.

    "I think that even the free services need these features"

    Definitely, but technically not possible with OpenDNS Home (VIP).  You'll have to use a service / product which also installs software or hardware locally.  All you request can be achieved by local measures only or in addition.  Therefore it looks like you need to check somewhere else.  Such services / products are indeed available.  You must just use them!

    0
  • landen99

    "Sure, but 'visiting sites' is not what a DNS service can see anyway. They can only show your DNS traffic, not your web traffic, because you send only DNS queries to them."

    I know dns very well. Visiting sites produces a query of the domain by an ip address source for an ip address destination. Even if there is no resolution behind the network ip address (router), these reports can still prove to be highly useful. If configured at the device, there may be some device resolution, but if not, that is not a show stopper. You can still see a time line of domains per network from the logs. Web traffic REQUIRES dns resolution, unless straight ip addresses are entered, and that produces a browsing history, even if not device specific.

    0
  • mattwilson9090

    You apparently don't know DNS as well as you think you do, or you understand it in an oversimplified manner. WEB traffic does not require DNS resolution. INTERNET traffic that uses domain names requires domain name resolution in some manner, but not all INTERNET traffic is WEB traffic, nor is all of it generated by human traffic such as navigating to a particular website.

    Visiting a website will generate a DNS request if the domain isn't already in the local cache or host file. This can also potentially happen with email software, IM software, various scripts that run in the system, or even backup software that is sending data to a server somewhere. In addition, once you land on a particular website many additional DNS requests can be generated, such as for scripts that run as part of the page, ads, or if the browser supports browser pre-fetch, domain lookups for links on the page that don't even get clicked on, etc. There is no one to one correlation between DNS traffic and the website that a person is actually visiting, and in fact if a lookup happens for a third party domain name for something on a webpage there is no way to associate that domain name with that particular page. DNS traffic can give you a general idea of what kind of internet activity is occurring within a particular network, but there is no way, without locally installed software or devices, to provide the kind of detail and monitoring that you are looking for.

    As for the alerts you referred to in another post, the information they provide would be extremely misleading if someone thought that it would tell them what kind of things people were doing on their network. Whether or not a particular domain was blocked, OpenDNS could only tell you when they received a DNS request. If that domain were already resolved in a local cache OpenDNS could provide no insight into when or if someone tried to visit the associated website, or even how many times they tried to access it. And if that request were made due to prefetch lookup on a link or an ad that wasn't clicked on then it would generate a false positive when no one even tried to visit a website.

    Like rotblitz said, to accomplish what you want you will need to look elsewhere for the information that OpenDNS (or any DNS based service) cannot provide.

    0
  • landen99

    I have no idea why you might think that I did not know the things you mentioned, which are true but irrelevant for our purposes. Cache does not hold dns entries forever. If there was any reason for a dns query from pornxyz.com (for example), parents will be interested in the exact time when it happened. If there is backup software going to pornxyz, we would be very interested in seeing that because I bet you that it is not just doing backups, if it is even doing that. Dns can provide that timeline with the context around it. I look at raw dns logs every day in Splunk so I think I understand what they are logging pretty well.

    0
  • mattwilson9090

    I think that because you oversimplified things to the point where you sound like the people I encounter on a regular basis, i.e., ones who have a little technical knowledge and that makes them think they are experts on everything. Frankly, your posts here have not at all made it clear that you knew or understood any of the details I referred to. Looking at logs does not mean that you understand the data you are looking at, nor does it mean that you understand the software or protocol that is generating the data contained in those logs. Since I have no idea what it is that you do, or what kind of knowledge about DNS or related technologies you possess, I'll judge by the level of knowledge displayed in your posts.

    And no, what rotblitz and I pointed out is not irrelevant because it precisely applies to how OpenDNS functions, and how getting log files from OpenDNS is not at all an accurate indication of what is happening on a network, or what people are trying to do.

    As for what parents want, it's good to know that you have been elected to speak for all parents and what they want and need instead of just what you want for yourself. If those parents want to know when specific queries were made to OpenDNS then they will just need to pay for the appropriate level of service that provides that information, the same as for any other OpenDNS customer. As I've said OpenDNS is a BASIC service, and as rotblitz has said, it's very unlikely that they will just give away what they are charging for. They are already giving away quite a lot of service for free, and not only do they need to recoup their costs, but they need to make a profit. If they just gave everything away for free that parents, or any other group, might find useful or desirable how are they going to do that?

    Besides which, not all OpenDNS users are parents, and not all want or need that level of logging, let alone can implement it or understand what it's telling them.

    0
  • landen99

    Let's stop making this personal. This issue does not have to do with me or your impression of me. Let's stop trying to speak for opendns. They are fully capable of making their own decisions. Finally, let's stop pretending to be dns experts and saying what dns can't do. Dns can exfil, dns can man-in-the-middle, dns can beacon, dns can proxy, and among many other things, dns can track and block all dynamic (non-ip) traffic initiations. Dns is powerful if you understand it, powerless if you don't. Keep this about the issues; avoid ad hominem.

    0
  • landen99

    It looks like logging is a hot issue that everyone wants.  For example: https://support.opendns.com/entries/21683844-Add-timestamps-to-the-logging  I believe that it would be easy and of negligible cost for opendns to simply send the logs to the AWS server of the customer's choosing (opendns would not have to pay for any AWS log storage costs).  Instead of dropping the logs, the only additional effort would be to forward the logs to Amazon, and only when a checkbox is checked with an amazon AWS server address specified.

    I would also like to propose a couple other reporting/alerting solutions as well:
    Timechart reports of counts by action (block or allow) by category would meet most of our needs in a very easy and small report.  Automatic email notifications/reports of blocked activity.  Addition of time information for each domain reported and the action for each (block or allow).

    0
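The three reports proposed in the post above (an hourly timechart of counts by action and category, a digest of blocked activity per computer, and a per-computer domain list for configurable hours) can all be derived offline from per-query log lines once timestamps are present. The following is an added example written for this thread; it is not OpenDNS code and not the fetchstats tool. The line format `ISO-timestamp,client_ip,domain,action,category`, the sample values and the quiet-hours window are all assumptions.

```python
"""Hourly block/allow timechart, per-client blocked-domain digest and
off-hours activity summary built from constructed OpenDNS-style DNS log
lines. Added example: not OpenDNS code, not the fetchstats tool. The
line format 'ISO-timestamp,client_ip,domain,action,category' is an
assumption, as are the sample values."""
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample resolver events (assumed format, fictitious names).
SAMPLE_LOG = """\
2014-03-02T21:05:11,192.168.1.10,example.com,allow,Search Engines
2014-03-02T21:07:40,192.168.1.10,ads.example.net,allow,Advertising
2014-03-02T21:09:02,192.168.1.12,blocked-example.test,block,Adult Themes
2014-03-02T22:15:30,192.168.1.12,blocked-example.test,block,Adult Themes
2014-03-02T23:48:09,192.168.1.10,cdn.example.org,allow,Software
2014-03-03T02:12:55,192.168.1.12,example.com,allow,Search Engines
"""


def parse_log(text):
    """Turn log lines into event dicts; reject malformed lines loudly."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(",", 4)
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        ts, client, domain, action, category = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "domain": domain.lower().rstrip("."),
            "action": action,
            "category": category,
        })
    return events


def timechart(events):
    """Counts keyed by (hour bucket, action, category): the small report
    that answers 'how much was blocked/allowed, of what kind, and when'."""
    chart = Counter()
    for e in events:
        bucket = e["ts"].replace(minute=0, second=0, microsecond=0)
        chart[(bucket.isoformat(), e["action"], e["category"])] += 1
    return chart


def blocked_digest(events):
    """Per-client, time-ordered (timestamp, domain, category) for blocked
    queries: the body of a 'blocked activity' e-mail alert."""
    digest = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["action"] == "block":
            digest[e["client"]].append((e["ts"].isoformat(), e["domain"], e["category"]))
    return dict(digest)


def off_hours_activity(events, start=time(22, 0), end=time(6, 0)):
    """Domains each client queried inside a quiet window; the default
    window wraps midnight, so both halves of the wrap are handled."""
    def in_window(t):
        if start > end:
            return t >= start or t < end
        return start <= t < end
    seen = defaultdict(set)
    for e in events:
        if in_window(e["ts"].time()):
            seen[e["client"]].add(e["domain"])
    return {client: sorted(domains) for client, domains in seen.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, n in sorted(timechart(evs).items()):
        print(key, n)
    print(blocked_digest(evs))
    print(off_hours_activity(evs))
```

Read the output with the caveats raised earlier in the thread in mind: each row is a query that reached the resolver, not a page visit; a name answered from a local cache within its TTL produces no row at all, and browser prefetch, ads and background software produce rows nobody clicked on. The hourly buckets are also only as accurate as the timestamps the source provides, so stats that arrive with a delay of a few hours will populate past buckets late.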
  • mattwilson9090

    The link you point to is people asking for additional logging capability, i.e., timestamps, that are not available in the free home product but are available in some of the pay products. It was not about asking for exporting OpenDNS log files to an external service.

    On what basis, other than wishing, do you think that sending this log data to a 3rd party would be easy and of negligible cost? I have no idea of how easy or difficult it would be, but at a minimum it would cost time for a developer to create, test, and roll it out, plus ongoing maintenance, in addition to processor cycles and bandwidth in order to provide the service on an ongoing basis. Without knowing how many of their customers would be interested in such a feature (and my suspicion based on experience interacting with other OpenDNS users and my own clients is that very, very few would want something so highly specialized) I'm not sure how the cost/profit analysis would work out for them.

    As for the other new requests you added into this post, these features either already exist in other services, or for the ones that don't you need to open a separate thread for each one so that they can be voted upon and looked at individually. Some of them already have existing threads.

    0