Educause Security Discussion mailing list archives

Re: capturing full URL information via DNS request logs


From: Dave Koontz <dkoontz () MBC EDU>
Date: Wed, 9 Oct 2013 17:50:32 -0400

Depending on exactly what you are trying to determine and report on, you are likely trying to make the wrong tools do a
job they were not designed for. We use Palo Alto devices which give us this level of insight, and allow us to control
it if needed in many ways.

In addition, for HR types of requests it's simple to pull a report on a user's access. I am sure there are other tools
to do the same, but Netflow and DNS were not designed for this purpose. Reminds me of the requests we get to update
our DNS servers to redirect a particular web page.

Just my 2 cents....

Sent from my iPad

On Oct 9, 2013, at 4:03 PM, "Youngquist, Jason R." <jryoungquist () CCIS EDU> wrote:

Hi All,

Currently we have a network monitoring device using netflow. One problem we are having with this device is it
doesn't give us URL information. There are a few other methods that were recommended to us in order to get this
information. Instead of getting an IP address that points to Akamai (i.e., this is what is captured via netflow), one
person suggested that it was relatively easy to capture the original content that the user was downloading. I.e., in
the original DNS request the URL information would be included in the packet info. Are people using DNS logs to
capture this type of URL traffic? If so, does it provide the full URL, or just the DNS host name? DNS host name
would be useful, but full URL would be even better.

Appreciate any insights you may have.

Thanks.
Jason Youngquist, CISSP, CISA
Information Security Engineer 
Columbia College - Technology Services
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu
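
An added example, not part of either post: a parser for the question section of a DNS query (RFC 1035), run on a constructed packet, showing that the query carries only the host name, record type and class, so a DNS log cannot record the path or query string of a URL. The sample URL, host name and packet bytes are constructed for illustration.

```python
import struct
from urllib.parse import urlsplit

# Constructed sample: the DNS query a client sends before fetching SAMPLE_URL.
SAMPLE_URL = "http://downloads.example.edu/files/report.pdf?id=42"
SAMPLE_QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # header: id, flags (RD), QDCOUNT=1
    b"\x09downloads\x07example\x03edu\x00"                # QNAME as length-prefixed labels
    b"\x00\x01\x00\x01"                                  # QTYPE=A, QCLASS=IN
)

def parse_question(packet):
    """Return (qname, qtype, qclass, trailing_bytes) for the first question."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:          # root label ends the name
            break
        if length & 0xC0:
            raise ValueError("unexpected compression pointer in query name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass, len(packet) - (pos + 4)

def dns_log_view(url, packet):
    """Compare what the URL contains with what the DNS query exposes."""
    parts = urlsplit(url)
    qname, qtype, qclass, trailing = parse_question(packet)
    return {
        "logged_name": qname,
        "host_matches": qname == parts.hostname,
        "path_on_wire": parts.path.encode() in packet,
        "query_on_wire": parts.query.encode() in packet,
        "bytes_after_question": trailing,
    }

if __name__ == "__main__":
    print(dns_log_view(SAMPLE_URL, SAMPLE_QUERY))
```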

