Educause Security Discussion mailing list archives

Re: capturing full URL information via DNS request logs


From: Roger A Safian <r-safian () NORTHWESTERN EDU>
Date: Wed, 9 Oct 2013 20:10:32 +0000

I haven't used DNS for specific URL information.  I have used it for some HR-type cases.  It's pretty easy to confirm 
if certain types of activity are coming from a device by using DNS.  I have seen what I assume is URL information in 
the DNS data, but my assumption is it would not be complete.  One other thing: it's virtually impossible to use this 
option on an active NAT network.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Youngquist, Jason R.
Sent: Wednesday, October 9, 2013 3:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] capturing full URL information via DNS request logs

Hi All,

Currently we have a network monitoring device using netflow.  One problem
we are having with this device is it doesn't give us URL information.  There
are a few other methods that were recommended to us in order to get this
information.  Instead of getting an IP address that points to Akamai (i.e., this
is what is captured via netflow), one person suggested that it was relatively
easy to capture the original content that the user was downloading.  I.e., in
the original DNS request the URL information would be included in the
packet info.  Are people using DNS logs to capture this type of URL traffic?  If
so, does it provide the full URL, or just the DNS host name?  DNS host name
would be useful, but full URL would be even better.

Appreciate any insights you may have.

Thanks.
Jason Youngquist, CISSP, CISA
Information Security Engineer
Columbia College - Technology Services
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu
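
The question section of a DNS query (RFC 1035) carries only a name, a type and a class, so a DNS log can record the host name being resolved but not the path or query string of the URL. The sketch below is an added example, not part of either message in this thread; the sample packet, host name and URL are constructed, and `parse_question` and `missing_from_dns` are hypothetical helper names.

```python
import struct
from urllib.parse import urlsplit

# Constructed sample: a standard A-record query for www.example.edu (RFC 1035 wire format).
SAMPLE_QUERY = bytes.fromhex(
    "1a2b01000001000000000000"                      # header: ID, flags (RD), QDCOUNT=1
    "03777777" "076578616d706c65" "03656475" "00"   # QNAME labels, then root terminator
    "0001" "0001"                                   # QTYPE=A, QCLASS=IN
)

def parse_question(packet):
    """Return (qname, qtype, qclass, trailing_bytes) for a one-question DNS query."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    if struct.unpack("!H", packet[4:6])[0] != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:                      # root label ends the name
            break
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label length (or compression pointer)")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass, packet[pos + 4:]

def missing_from_dns(url, packet):
    """URL components that appear nowhere in the DNS query for the URL's host."""
    parts = urlsplit(url)
    qname, _, _, _ = parse_question(packet)
    if qname.lower() != (parts.hostname or "").lower():
        raise ValueError("query is not for this URL's host")
    candidates = {"path": parts.path, "query": parts.query}
    return {k: v for k, v in candidates.items() if v and v.encode() not in packet}

if __name__ == "__main__":
    print(parse_question(SAMPLE_QUERY))
    print(missing_from_dns("http://www.example.edu/files/report.pdf?id=42", SAMPLE_QUERY))
```
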

