I want to build a labs project where an alert/webhook/screen pop occurs when a specific domain is requested from any devices connected to my OpenWRT router.
Right now I'm using RaspberryPi's to do a lot of the work.
Route: RaspberryPi 4 with OpenWRT installed with screen
RPi1: Regular RaspberryPi
RPi2: Regular RaspberryPi
RPi3: Regular RaspberryPi
What I want to do is when any of Pi's 1,2 or 3 make a connection to my.domain.com
is be able to
Print the request URL on the OpenWRTPi Screen
eg: "Pi1 accessed http://my.domain.com/ via GET, a 200 was issued."
ping an CURL to a separate URL so that I know the domain was accessed.
Im not looking to interfere with or view the payload in anyway.
If you can force the clients to use an explicit squid proxy, this is your best bet.
If not... it seems unlikely to work.
- Domains are not the same as IP addresses, multiple domains can be hosted on one IP, and multiple IPs can be involved in a given domain.
- Because of (1) you can only know if a "domain" is accessed by virtue of it having been DNS looked-up, and then remembering every IP address associated to it, and then looking at packets associated to those IP addresses, and then somehow inferring that the domain of interest was involved in cases where more than one domain is hosted on a given IP....
Squid proxy will handle this for you, since the client will request explicitly that a domain be connected to, at which point you can log it.
My thought was that because all traffic was flowing though the OpenWrtPi I could use that to capture all traffic associated with my test domain.
I will have a look at Squid Proxy! Thank you for your help!
If this is for your own explicit clients for testing purposes, and you can ensure no-one will be connecting via HTTPS or to machines that host more than one domain etc, so that you have a much more limited problem than the "general" problem of detecting domain access, then you could log all syn packets sent to a particular IP port 80 without too much trouble. That's more or less a simple iptables rule.
Otherwise, for more general usage, the squid proxy is a far more general solution. NOTE you WANT to use an EXPLICIT proxy not some kind of intercepting proxy.