[itdiscuss] OpenDNS & Untangle question
kevinb at highergroundtech.com
Tue Mar 8 09:54:08 EST 2011
If you are reviewing a browsing history log, you would never see it, since there was never any port 80 traffic to the sites. The browser never got past looking for DNS, so it would never have been able to initiate a connection to the web server.
From: discuss-bounces at janoah.net [mailto:discuss-bounces at janoah.net] On Behalf Of Dustin Drewery
Sent: Monday, March 07, 2011 9:17 PM
To: IT Discuss
Subject: [itdiscuss] OpenDNS & Untangle question
I'm forcing everybody through OpenDNS but I've also got the free version of Untangle running transparently just to log where people are going. I'm also logging my DNS requests from the DNS server on my DC (which forwards on to OpenDNS) and I'm now coming into this weird scenario.
OpenDNS shows several porn sites that were blocked.
My DNS logs show the IP of the user who looked them up.
My Untangle logs for that user don't show the sites at all.
I'm guessing that this is because Untangle monitors actual traffic passing through and that since OpenDNS blocked the site, it never really saw traffic to the site and therefore had nothing to log? Anybody know if this is true? The Untangle logs I'm looking at are entire browsing history, not just blocked/violations.
There is a slight possibility that this user also has access to our DNS and untangle server.. doesn't look like they have been tampered with but I can't tell.. (surely they'd be smart enough to completely erase their tracks....)
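The cross-check discussed in this thread (DNS queries from a client that have no matching entry in the web traffic log), as an added example that is not from either poster. The log line formats, addresses and host names are constructed assumptions, not the Windows DNS or Untangle log formats.

```python
from datetime import datetime, timedelta

# Constructed sample data. Assumed line formats (not real product formats):
#   DNS log: "<ISO timestamp> <client IP> <queried name>"
#   Web log: "<ISO timestamp> <client IP> <HTTP host>"
DNS_LOG = """\
2011-03-07T14:02:10 192.0.2.21 www.example.com
2011-03-07T14:02:45 192.0.2.21 blocked.example.net
2011-03-07T14:03:05 192.0.2.34 intranet.example.org
2011-03-07T14:05:30 192.0.2.21 Blocked.Example.NET.
"""
WEB_LOG = """\
2011-03-07T14:02:11 192.0.2.21 www.example.com
2011-03-07T14:03:06 192.0.2.34 intranet.example.org
"""

def parse(log):
    """Yield (time, client, name); names are lower-cased, trailing dot removed."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        yield datetime.fromisoformat(ts), client, name.lower().rstrip(".")

def lookups_without_traffic(dns_log, web_log, window=timedelta(seconds=60)):
    """Return sorted (client, name, lookup_count) for DNS queries that were not
    followed, within `window`, by a web-log entry from the same client for the
    same host."""
    web = {}
    for ts, client, host in parse(web_log):
        web.setdefault((client, host), []).append(ts)
    unmatched = {}
    for ts, client, name in parse(dns_log):
        hits = web.get((client, name), [])
        if not any(ts <= w <= ts + window for w in hits):
            unmatched[(client, name)] = unmatched.get((client, name), 0) + 1
    return sorted((c, n, k) for (c, n), k in unmatched.items())

if __name__ == "__main__":
    for client, name, count in lookups_without_traffic(DNS_LOG, WEB_LOG):
        print(f"{client} looked up {name} {count}x with no web traffic logged")
```

The check only reports that a matching web-log entry is absent; it cannot tell a lookup that was blocked at DNS from web-log entries that are missing for another reason.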