Educause Security Discussion mailing list archives

Re: capturing full URL information via DNS request logs


From: Harry Hoffman <hhoffman () IP-SOLUTIONS NET>
Date: Wed, 9 Oct 2013 16:10:04 -0400

Hi Jason,

If you are just capturing DNS queries then you will have only hostnames,
not the URL information (URL == protocol + host + location).

DNS requests will show the hostname from either a typed in URL or a
clicked upon URL so you'd get a virtual host and any subsequent
information like if it's a CNAME and the other hostnames associated with
that request.

These might not all come back in the same request and there might be
multiple DNS requests.

If you want the full URL then you need to capture more than DNS.

If it's HTTP then you can grab the URL from the request. If it's HTTPS
then you're stuck only knowing the host information.

Hope this helps.

Cheers,
Harry




On 10/09/2013 04:03 PM, Youngquist, Jason R. wrote:
Hi All,

Currently we have a network monitoring device using netflow. One problem we are having with this device is it doesn't give us URL information. There are a few other methods that were recommended to us in order to get this information. Instead of getting an IP address that points to Akamai (i.e. this is what is captured via netflow), one person suggested that it was relatively easy to capture the original content that the user was downloading. I.e. in the original DNS request the URL information would be included in the packet info. Are people using DNS logs to capture this type of URL traffic? If so, does it provide the full URL, or just the DNS host name? DNS host name would be useful, but full URL would be even better.

Appreciate any insights you may have.

Thanks.
Jason Youngquist, CISSP, CISA
Information Security Engineer 
Columbia College - Technology Services
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu
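To make Harry's point concrete, here is an added example (not from either poster) that parses a few constructed BIND-style query-log lines and a constructed plaintext HTTP/1.1 request: the DNS log yields only client-to-hostname pairs, while the HTTP request line plus Host header is enough to rebuild the full URL. The log layout and regex are assumptions for illustration; adapt them to whatever your resolver actually emits.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample lines in a BIND-style query-log layout (not real traffic).
DNS_LOG = """\
09-Oct-2013 16:05:01.123 client 10.20.30.40#51234 (www.example.edu): query: www.example.edu IN A + (192.0.2.53)
09-Oct-2013 16:05:01.130 client 10.20.30.40#51235 (cdn.example.edu): query: cdn.example.edu IN A + (192.0.2.53)
"""

# Constructed plaintext HTTP request as it would appear on the wire.
HTTP_REQUEST = (
    "GET /courses/syllabus.pdf?term=fall2013 HTTP/1.1\r\n"
    "Host: www.example.edu\r\n"
    "User-Agent: constructed-sample\r\n"
    "\r\n"
)

# Assumed pattern: tolerates the optional "@0x..." token newer BIND releases print after "client".
DNS_RE = re.compile(
    r"client (?:@\S+ )?(?P<client>[\d.]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def dns_hostnames(log: str) -> List[Tuple[str, str]]:
    """A query log yields (client, hostname) pairs only: no scheme, no path, no query string."""
    pairs = []
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if m:
            pairs.append((m["client"], m["qname"].rstrip(".")))
    return pairs


def http_url(raw: str) -> Optional[str]:
    """Rebuild the full URL from a plaintext HTTP/1.1 request: scheme + Host header + request target."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None  # not a well-formed request line
    target = parts[1]
    headers = {}
    for hdr in lines[1:]:
        name, sep, value = hdr.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    host = headers.get("host")
    if host is None:
        return None  # HTTP/1.1 requires Host; without it the URL cannot be reconstructed
    if target.startswith(("http://", "https://")):
        return target  # absolute-form target (proxy-style request) already carries the URL
    return "http://" + host + target


if __name__ == "__main__":
    print("DNS log gives:", dns_hostnames(DNS_LOG))
    print("HTTP request gives:", http_url(HTTP_REQUEST))
```

For HTTPS the request bytes above are encrypted, so only the hostname-level view (as in the DNS log) remains observable on the wire.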


