OpenWRT Coova Chilli DNS Lookup Logging

Hi,

Currently I am trying to monitor the web activity of a user through DNS lookups, but unfortunately ... all I see is

12:04:50.146833 IP (tos 0x0, ttl 64, id 22264, offset 0, flags [DF], proto UDP (17), length 88)
    10.20.0.1.53 > 10.20.0.8.58644: [udp sum ok] 40826 q: A? dns.google. 2/0/0 dns.google. [6m44s] A 8.8.8.8, dns.google. [6m44s] A 8.8.4.4 (60)
12:04:50.148336 IP (tos 0x0, ttl 64, id 22265, offset 0, flags [DF], proto UDP (17), length 132)
    10.20.0.1.53 > 10.20.0.8.55979: [udp sum ok] 24931 q: HTTPS? dns.google. 0/1/0 ns: dns.google. [4m2s] SOA ns1.zdns.google. cloud-dns-hostmaster.google.com. 1 21600 3600 259200 300 (104)
12:05:08.702001 IP6 (flowlabel 0xa6e31, hlim 64, next-header UDP (17) payload length: 49) fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1.50666 > fd1c:3c34:2b04::1.53: [udp sum ok] 50493+ A? www.msftconnecttest.com. (41)
12:05:08.702254 IP6 (flowlabel 0x40028, hlim 64, next-header UDP (17) payload length: 49) fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1.56516 > fd1c:3c34:2b04::1.53: [udp sum ok] 25652+ AAAA? www.msftconnecttest.com. (41)
12:05:08.706764 IP6 (flowlabel 0xf0a49, hlim 64, next-header UDP (17) payload length: 167) fd1c:3c34:2b04::1.53 > fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1.56516: [bad udp cksum 0xf11c -> 0x0d8a!] 25652 q: AAAA? www.msftconnecttest.com. 3/0/0 www.msftconnecttest.com. [33m32s] CNAME ncsi-geo.trafficmanager.net., ncsi-geo.trafficmanager.net. [4m13s] CNAME www.msftncsi.com.edgesuite.net., www.msftncsi.com.edgesuite.net. [3m34s] CNAME a1961.g2.akamai.net. (159)
12:05:08.710106 IP6 (flowlabel 0x046af, hlim 64, next-header UDP (17) payload length: 193) fd1c:3c34:2b04::1.53 > fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1.50666: [bad udp cksum 0xf136 -> 0x8aa5!] 50493 q: A? www.msftconnecttest.com. 5/0/0 www.msftconnecttest.com. [1m34s] CNAME ncsi-geo.trafficmanager.net., ncsi-geo.trafficmanager.net. [2m10s] CNAME www.msftncsi.com.edgesuite.net., www.msftncsi.com.edgesuite.net. [1m45s] CNAME a1961.g2.akamai.net., a1961.g2.akamai.net. [16s] A 183.82.248.58, a1961.g2.akamai.net. [16s] A 202.83.24.145 (185)
12:05:38.852525 IP6 (flowlabel 0x40028, hlim 64, next-header UDP (17) payload length: 49) fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1.56516 > fd1c:3c34:2b04::1.53: [udp sum ok] 62696+ A? www.msftconnecttest.com. (41)
12:05:38.855114 IP6 (flowlabel 0xa6e31, hlim 64, next-header UDP (17) payload length: 49) fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1.50666 > fd1c:3c34:2b04::1.53: [udp sum ok] 28303+ AAAA? www.msftconnecttest.com. (41)
12:05:38.862223 IP6 (flowlabel 0xf0a49, hlim 64, next-header UDP (17) payload length: 193) fd1c:3c34:2b04::1.53 > fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1.56516: [bad udp cksum 0xf136 -> 0x4c51!] 62696 q: A? www.msftconnecttest.com. 5/0/0 www.msftconnecttest.com. [39m39s] CNAME ncsi-geo.trafficmanager.net., ncsi-geo.trafficmanager.net. [1m52s] CNAME www.msftncsi.com.edgesuite.net., www.msftncsi.com.edgesuite.net. [2m30s] CNAME a1961.g2.akamai.net., a1961.g2.akamai.net. [10s] A 104.97.76.192, a1961.g2.akamai.net. [10s] A 104.97.76.217 (185)
12:05:38.872546 IP6 (flowlabel 0x046af, hlim 64, next-header UDP (17) payload length: 220) fd1c:3c34:2b04::1.53 > fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1.50666: [bad udp cksum 0xf151 -> 0x4cb9!] 28303 q: AAAA? www.msftconnecttest.com. 3/1/0 www.msftconnecttest.com. [23m30s] CNAME ncsi-geo.trafficmanager.net., ncsi-geo.trafficmanager.net. [1m54s] CNAME www.msftncsi.com.edgesuite.net., www.msftncsi.com.edgesuite.net. [1m32s] CNAME a1961.g2.akamai.net. ns: g2.akamai.net. [14m21s] SOA n0g2.akamai.net. hostmaster.akamai.com. 1693828999 1000 1000 1000 1800 (212)
12:06:07.540196 IP6 (flowlabel 0x10304, hlim 64, next-header UDP (17) payload length: 41) fd1c:3c34:2b04:0:416a:2919:9ca6:8a7a.48742 > fd1c:3c34:2b04::1.53: [udp sum ok] 39501+ A? apis.google.com. (33)
12:06:07.546095 IP6 (flowlabel 0xf2675, hlim 64, next-header UDP (17) payload length: 78) fd1c:3c34:2b04::1.53 > fd1c:3c34:2b04:0:416a:2919:9ca6:8a7a.48742: [bad udp cksum 0x5aaf -> 0x7e83!] 39501 q: A? apis.google.com. 2/0/0 apis.google.com. [3m33s] CNAME plus.l.google.com., plus.l.google.com. [3m33s] A 142.250.196.14 (70)
12:06:08.985844 IP6 (flowlabel 0x40028, hlim 64, next-header UDP (17) payload length: 49) fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1.56516 > fd1c:3c34:2b04::1.53: [udp sum ok] 28145+ A? www.msftconnecttest.com. (41)
12:06:08.988408 IP6 (flowlabel 0xa6e31, hlim 64, next-header UDP (17) payload length: 49) fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1.50666 > fd1c:3c34:2b04::1.53: [udp sum ok] 22582+ AAAA? www.msftconnecttest.com. (41)
12:06:08.997361 IP6 (flowlabel 0x046af, hlim 64, next-header UDP (17) payload length: 167) fd1c:3c34:2b04::1.53 > fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1.50666: [bad udp cksum 0xf11c -> 0xa9a5!] 22582 q: AAAA? www.msftconnecttest.com. 3/0/0 www.msftconnecttest.com. [23m] CNAME ncsi-geo.trafficmanager.net., ncsi-geo.trafficmanager.net. [1m24s] CNAME www.msftncsi.com.edgesuite.net., www.msftncsi.com.edgesuite.net. [1m2s] CNAME a1961.g2.akamai.net. (159)
12:06:08.999923 IP6 (flowlabel 0xf0a49, hlim 64, next-header UDP (17) payload length: 193) fd1c:3c34:2b04::1.53 > fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1.56516: [bad udp cksum 0xf136 -> 0x69f9!] 28145 q: A? www.msftconnecttest.com. 5/0/0 www.msftconnecttest.com. [32m32s] CNAME ncsi-geo.trafficmanager.net., ncsi-geo.trafficmanager.net. [3m13s] CNAME www.msftncsi.com.edgesuite.net., www.msftncsi.com.edgesuite.net. [2m34s] CNAME a1961.g2.akamai.net., a1961.g2.akamai.net. [18s] A 104.97.76.192, a1961.g2.akamai.net. [18s] A 104.97.76.217 (185)
12:06:39.114107 IP6 (flowlabel 0xa6e31, hlim 64, next-header UDP (17) payload length: 49) fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1.50666 > fd1c:3c34:2b04::1.53: [udp sum ok] 30419+ A? www.msftconnecttest.com. (41)
12:06:39.114318 IP6 (flowlabel 0x40028, hlim 64, next-header UDP (17) payload length: 49) fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1.56516 > fd1c:3c34:2b04::1.53: [udp sum ok] 47689+ AAAA? www.msftconnecttest.com. (41)
12:06:39.122140 IP6 (flowlabel 0x046af, hlim 64, next-header UDP (17) payload length: 193) fd1c:3c34:2b04::1.53 > fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1.50666: [bad udp cksum 0xf136 -> 0xcc10!] 30419 q: A? www.msftconnecttest.com. 5/0/0 www.msftconnecttest.com. [32m1s] CNAME ncsi-geo.trafficmanager.net., ncsi-geo.trafficmanager.net. [2m42s] CNAME www.msftncsi.com.edgesuite.net., www.msftncsi.com.edgesuite.net. [2m3s] CNAME a1961.g2.akamai.net., a1961.g2.akamai.net. [7s] A 104.97.76.217, a1961.g2.akamai.net. [7s] A 104.97.76.192 (185)
12:06:39.124321 IP6 (flowlabel 0xf0a49, hlim 64, next-header UDP (17) payload length: 220) fd1c:3c34:2b04::1.53 > fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1.56516: [bad udp cksum 0xf151 -> 0xf1db!] 47689 q: AAAA? www.msftconnecttest.com. 3/1/0 www.msftconnecttest.com. [32m1s] CNAME ncsi-geo.trafficmanager.net., ncsi-geo.trafficmanager.net. [2m42s] CNAME www.msftncsi.com.edgesuite.net., www.msftncsi.com.edgesuite.net. [2m3s] CNAME a1961.g2.akamai.net. ns: g2.akamai.net. [13m43s] SOA n0g2.akamai.net. hostmaster.akamai.com. 1693829022 1000 1000 1000 1800 (212)

or

Sep  4 12:05:38 dnsmasq[1]: 604 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 reply ncsi-geo.trafficmanager.net is <CNAME>
Sep  4 12:05:38 dnsmasq[1]: 604 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 reply www.msftncsi.com.edgesuite.net is <CNAME>
Sep  4 12:05:38 dnsmasq[1]: 604 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 reply a1961.g2.akamai.net is NODATA-IPv6
Sep  4 12:06:07 dnsmasq[1]: 605 fd1c:3c34:2b04:0:416a:2919:9ca6:8a7a/48742 query[A] apis.google.com from fd1c:3c34:2b04:0:416a:2919:9ca6:8a7a
Sep  4 12:06:07 dnsmasq[1]: 605 fd1c:3c34:2b04:0:416a:2919:9ca6:8a7a/48742 forwarded apis.google.com to 192.168.0.1
Sep  4 12:06:07 dnsmasq[1]: 605 fd1c:3c34:2b04:0:416a:2919:9ca6:8a7a/48742 reply apis.google.com is <CNAME>
Sep  4 12:06:07 dnsmasq[1]: 605 fd1c:3c34:2b04:0:416a:2919:9ca6:8a7a/48742 reply plus.l.google.com is 142.250.196.14
Sep  4 12:06:08 dnsmasq[1]: 606 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 query[A] www.msftconnecttest.com from fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1
Sep  4 12:06:08 dnsmasq[1]: 606 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 cached www.msftconnecttest.com is <CNAME>
Sep  4 12:06:08 dnsmasq[1]: 606 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 cached ncsi-geo.trafficmanager.net is <CNAME>
Sep  4 12:06:08 dnsmasq[1]: 606 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 cached www.msftncsi.com.edgesuite.net is <CNAME>
Sep  4 12:06:08 dnsmasq[1]: 606 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 forwarded www.msftconnecttest.com to 192.168.0.1
Sep  4 12:06:08 dnsmasq[1]: 607 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 query[AAAA] www.msftconnecttest.com from fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1
Sep  4 12:06:08 dnsmasq[1]: 607 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 cached www.msftconnecttest.com is <CNAME>
Sep  4 12:06:08 dnsmasq[1]: 607 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 cached ncsi-geo.trafficmanager.net is <CNAME>
Sep  4 12:06:08 dnsmasq[1]: 607 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 cached www.msftncsi.com.edgesuite.net is <CNAME>
Sep  4 12:06:08 dnsmasq[1]: 607 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 cached a1961.g2.akamai.net is NODATA-IPv6
Sep  4 12:06:08 dnsmasq[1]: 606 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 reply www.msftconnecttest.com is <CNAME>
Sep  4 12:06:08 dnsmasq[1]: 606 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 reply ncsi-geo.trafficmanager.net is <CNAME>
Sep  4 12:06:08 dnsmasq[1]: 606 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 reply www.msftncsi.com.edgesuite.net is <CNAME>
Sep  4 12:06:08 dnsmasq[1]: 606 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 reply a1961.g2.akamai.net is 104.97.76.192
Sep  4 12:06:08 dnsmasq[1]: 606 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 reply a1961.g2.akamai.net is 104.97.76.217
Sep  4 12:06:39 dnsmasq[1]: 608 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 query[A] www.msftconnecttest.com from fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1
Sep  4 12:06:39 dnsmasq[1]: 608 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 cached www.msftconnecttest.com is <CNAME>
Sep  4 12:06:39 dnsmasq[1]: 608 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 cached ncsi-geo.trafficmanager.net is <CNAME>
Sep  4 12:06:39 dnsmasq[1]: 608 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 cached www.msftncsi.com.edgesuite.net is <CNAME>
Sep  4 12:06:39 dnsmasq[1]: 608 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 forwarded www.msftconnecttest.com to 192.168.0.1
Sep  4 12:06:39 dnsmasq[1]: 609 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 query[AAAA] www.msftconnecttest.com from fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1
Sep  4 12:06:39 dnsmasq[1]: 609 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 cached www.msftconnecttest.com is <CNAME>
Sep  4 12:06:39 dnsmasq[1]: 609 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 cached ncsi-geo.trafficmanager.net is <CNAME>
Sep  4 12:06:39 dnsmasq[1]: 609 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 forwarded www.msftconnecttest.com to 192.168.0.1
Sep  4 12:06:39 dnsmasq[1]: 608 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 reply www.msftconnecttest.com is <CNAME>
Sep  4 12:06:39 dnsmasq[1]: 608 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 reply ncsi-geo.trafficmanager.net is <CNAME>
Sep  4 12:06:39 dnsmasq[1]: 608 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 reply www.msftncsi.com.edgesuite.net is <CNAME>
Sep  4 12:06:39 dnsmasq[1]: 608 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 reply a1961.g2.akamai.net is 104.97.76.217
Sep  4 12:06:39 dnsmasq[1]: 608 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/50666 reply a1961.g2.akamai.net is 104.97.76.192
Sep  4 12:06:39 dnsmasq[1]: 609 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 reply www.msftconnecttest.com is <CNAME>
Sep  4 12:06:39 dnsmasq[1]: 609 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 reply ncsi-geo.trafficmanager.net is <CNAME>
Sep  4 12:06:39 dnsmasq[1]: 609 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 reply www.msftncsi.com.edgesuite.net is <CNAME>
Sep  4 12:06:39 dnsmasq[1]: 609 fd1c:3c34:2b04:0:d1eb:c4ec:4def:42f1/56516 reply a1961.g2.akamai.net is NODATA-IPv6
Sep  4 12:06:59 dnsmasq[1]: 610 fd1c:3c34:2b04:0:416a:2919:9ca6:8a7a/10080 query[A] connectivitycheck.gstatic.com from fd1c:3c34:2b04:0:416a:2919:9ca6:8a7a
Sep  4 12:06:59 dnsmasq[1]: 610 fd1c:3c34:2b04:0:416a:2919:9ca6:8a7a/10080 forwarded connectivitycheck.gstatic.com to 192.168.0.1
Sep  4 12:06:59 dnsmasq[1]: 610 fd1c:3c34:2b04:0:416a:2919:9ca6:8a7a/10080 reply connectivitycheck.gstatic.com is 172.217.31.195
Sep  4 12:04:50 dnsmasq[1]: 599 10.20.0.8/58644 query[A] dns.google from 10.20.0.8
Sep  4 12:04:50 dnsmasq[1]: 599 10.20.0.8/58644 forwarded dns.google to 192.168.0.1
Sep  4 12:04:50 dnsmasq[1]: 600 10.20.0.8/55979 query[HTTPS] dns.google from 10.20.0.8
Sep  4 12:04:50 dnsmasq[1]: 600 10.20.0.8/55979 forwarded dns.google to 192.168.0.1
Sep  4 12:04:50 dnsmasq[1]: 599 10.20.0.8/58644 reply dns.google is 8.8.8.8
Sep  4 12:04:50 dnsmasq[1]: 599 10.20.0.8/58644 reply dns.google is 8.8.4.4
Sep  4 12:04:50 dnsmasq[1]: 600 10.20.0.8/55979 reply dns.google is NODATA

This is not what I am expecting. I am kind of trying to get the IP addresses/domain names visited by that particular 10.20.0.x client on the captive portal.
Any help on this?

Thanks in Advance.
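An added example, not part of the original posts: one way to turn dnsmasq lines in the format shown above into a per-client list of looked-up names and the addresses returned. The function name `lookups_by_client` and the default `10.20.0.0/24` network are assumptions made for this sketch; the sample lines are copied from the excerpt in the post.

```python
import ipaddress
import re
from collections import defaultdict

# Sample lines copied from the dnsmasq excerpt in the post above.
SAMPLE_LOG = """\
Sep  4 12:06:07 dnsmasq[1]: 605 fd1c:3c34:2b04:0:416a:2919:9ca6:8a7a/48742 query[A] apis.google.com from fd1c:3c34:2b04:0:416a:2919:9ca6:8a7a
Sep  4 12:06:07 dnsmasq[1]: 605 fd1c:3c34:2b04:0:416a:2919:9ca6:8a7a/48742 reply apis.google.com is <CNAME>
Sep  4 12:06:07 dnsmasq[1]: 605 fd1c:3c34:2b04:0:416a:2919:9ca6:8a7a/48742 reply plus.l.google.com is 142.250.196.14
Sep  4 12:04:50 dnsmasq[1]: 599 10.20.0.8/58644 query[A] dns.google from 10.20.0.8
Sep  4 12:04:50 dnsmasq[1]: 599 10.20.0.8/58644 forwarded dns.google to 192.168.0.1
Sep  4 12:04:50 dnsmasq[1]: 600 10.20.0.8/55979 query[HTTPS] dns.google from 10.20.0.8
Sep  4 12:04:50 dnsmasq[1]: 599 10.20.0.8/58644 reply dns.google is 8.8.8.8
Sep  4 12:04:50 dnsmasq[1]: 599 10.20.0.8/58644 reply dns.google is 8.8.4.4
Sep  4 12:04:50 dnsmasq[1]: 600 10.20.0.8/55979 reply dns.google is NODATA
"""

# timestamp, serial, client/port, action, name, then "from|is|to" and a value
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+dnsmasq\[\d+\]:\s+"
    r"(?P<serial>\d+)\s+(?P<client>[0-9a-fA-F:.]+)/\d+\s+"
    r"(?P<action>query\[(?P<qtype>[\w-]+)\]|reply|cached|forwarded)\s+"
    r"(?P<name>\S+)\s+(?:from|is|to)\s+(?P<value>\S+)$"
)

def lookups_by_client(log_text, network="10.20.0.0/24"):
    """Return {client_ip: [query records]} for clients inside `network`."""
    net = ipaddress.ip_network(network)
    by_serial, per_client = {}, defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        client = ipaddress.ip_address(m["client"])
        if client.version != net.version or client not in net:
            continue
        key = (m["client"], m["serial"])  # serial ties replies to their query
        if m["qtype"]:
            rec = {"time": m["ts"], "qtype": m["qtype"], "name": m["name"], "answers": []}
            by_serial[key] = rec
            per_client[m["client"]].append(rec)
        elif m["action"] in ("reply", "cached") and key in by_serial:
            try:
                ipaddress.ip_address(m["value"])
            except ValueError:
                continue  # skip <CNAME>, NODATA and similar non-address results
            by_serial[key]["answers"].append(m["value"])
    return dict(per_client)
```

Clients that query over IPv6, like the `fd1c:3c34:2b04:...` hosts in the excerpt, only show up when their prefix is passed as `network`.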

Coova is just as dead now as it was in April and March, when you were told not to use it. Let's jog your memory?

Hi, I know it's dead. I was able to make it work as far as internet access for individual users.
Now I am trying to get DNS lookups for it.
I am just hoping I can get a solution, because the DNS is still diverted to the Coova IP as primary. So I thought we could see the DNS lookups at TUN0.

Someone might have an idea, right? It could still be a plain Linux issue rather than a Coova issue.
It could be with firewall rules or the config file, etc.

So I am trying to find some advice.

Thanks.

... the advice was not to use it, and go for opennds instead.

opendns. Oh let me look at it.