What is the best way to get PRECISE domain name from ip address logged in iptables log

Solution 1:

I'm not sure I get the whole picture, but since you are writing about websites, I think you are using a tool that is not exactly suitable for the task.

IMHO you are looking for that information (the visited domain name) at the wrong level: you should have a proxy and analyze its logs to gather that info.

A proxy is 'near' the client and has the exact and precise information you are looking for.

A transparent proxy would be able to gather this info without any client configuration change.

Solution 2:

You cannot easily determine what the user typed into their browser's URL bar using just an IP address log: You can't tell if someone accessing 104.16.13.13 got there by typing aviation.stackexchange.com or tex.stackexchange.com (the best you can determine is that it's a CloudFlare IP address).

In order to get the information you seek you would need to either cross-reference with queries on your DNS server around the same time, or capture the whole packet and look for something in the protocol data (like an HTTP request) that discloses the hostname. The latter is trivial to foil: Just access sites over https or some other encrypted transport.

Given an IP address the best you can do is get the reverse DNS PTR record (dig -x or equivalent), or the netblock & netblock owner info (via whois), which you've already rejected as inadequate for your needs.
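The cross-referencing approach from Solution 2, carried through as an added example (not code from the answerer): it parses iptables LOG lines and a dnsmasq-style DNS query log from the same gateway, and for each logged connection collects the names the *same client* resolved to the *same destination IP* shortly before. The log lines, the `IPT-OUT` log prefix, the 30-second window and the dnsmasq log format are constructed assumptions. When several names map to one IP (the CloudFlare case from the answer) the result is marked `ambiguous`, because the logs genuinely cannot say which site was visited.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not taken from the question): one iptables LOG
# line per outbound connection, and a dnsmasq-style query log from the
# same gateway. Syslog timestamps carry no year, so they all parse to 1900;
# only the differences between them matter here.
IPTABLES_LOG = """\
Nov 12 10:15:32 gw kernel: IPT-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=104.16.13.13 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN
Nov 12 10:20:05 gw kernel: IPT-OUT IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=104.16.13.13 LEN=60 PROTO=TCP SPT=40001 DPT=443 SYN
Nov 12 10:30:00 gw kernel: IPT-OUT IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=40002 DPT=80 SYN
"""

DNS_LOG = """\
Nov 12 10:15:31 gw dnsmasq[812]: query[A] aviation.stackexchange.com from 192.168.1.10
Nov 12 10:15:31 gw dnsmasq[812]: reply aviation.stackexchange.com is 104.16.13.13
Nov 12 10:20:04 gw dnsmasq[812]: query[A] aviation.stackexchange.com from 192.168.1.11
Nov 12 10:20:04 gw dnsmasq[812]: reply aviation.stackexchange.com is 104.16.13.13
Nov 12 10:20:04 gw dnsmasq[812]: query[A] tex.stackexchange.com from 192.168.1.11
Nov 12 10:20:04 gw dnsmasq[812]: reply tex.stackexchange.com is 104.16.13.13
"""

# Common syslog timestamp prefix, then the three record shapes we care about.
TS = r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
IPT_RE = re.compile(TS + r".*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dpt>\d+)")
QUERY_RE = re.compile(TS + r".*query\[\w+\] (?P<name>\S+) from (?P<client>\S+)")
REPLY_RE = re.compile(TS + r".*reply (?P<name>\S+) is (?P<ip>\S+)")


def _parse(log, regex):
    """Yield the named groups of every line matching regex, with ts parsed."""
    for line in log.splitlines():
        m = regex.search(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%b %d %H:%M:%S")
            yield d


def _within(later, earlier, window):
    return timedelta(0) <= later - earlier <= window


def correlate(ipt_log, dns_log, window=timedelta(seconds=30)):
    """For each logged connection, list the names that plausibly explain it."""
    queries = list(_parse(dns_log, QUERY_RE))
    replies = list(_parse(dns_log, REPLY_RE))
    results = []
    for conn in _parse(ipt_log, IPT_RE):
        names = set()
        for r in replies:
            if r["ip"] != conn["dst"] or not _within(conn["ts"], r["ts"], window):
                continue
            # Only count a name if the connecting client itself asked for it
            # inside the window; a reply alone could belong to another host.
            if any(q["name"] == r["name"] and q["client"] == conn["src"]
                   and _within(conn["ts"], q["ts"], window) for q in queries):
                names.add(r["name"])
        candidates = sorted(names)
        verdict = {0: "unknown", 1: "precise"}.get(len(candidates), "ambiguous")
        results.append({"src": conn["src"], "dst": conn["dst"], "dpt": int(conn["dpt"]),
                        "candidates": candidates, "verdict": verdict})
    return results


if __name__ == "__main__":
    for row in correlate(IPTABLES_LOG, DNS_LOG):
        print(f'{row["src"]} -> {row["dst"]}:{row["dpt"]}  {row["verdict"]:9}  '
              f'{", ".join(row["candidates"]) or "-"}')
```

Two limits of this method are visible in the output: a client that resolved a name earlier and is reusing a cached answer produces no query inside the window (verdict `unknown`), and two names behind one CDN address within the window cannot be told apart (verdict `ambiguous`). Both are exactly why the answer points to layer-7 data instead.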

Solution 3:

You are tackling this problem at the wrong layer. Literally, layer 4 when you should use layer 7.

Don't log TCP connections in iptables. Instead, capture HTTP traffic and inspect the Host header in the requests that the clients are making.
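An added example of the layer-7 inspection Solution 3 recommends (this is illustration code, not something the answerer posted): given the first bytes of a captured TCP payload, it pulls the hostname out of a plaintext HTTP/1.x request. It honours the absolute-form request target that proxy-style requests carry (which takes precedence over the `Host` header), matches the header name case-insensitively, strips the port, and returns nothing for an HTTP/1.0 request without `Host` or for a TLS record, where the request is encrypted and no `Host` header is visible on the wire. The sample payloads and hostnames are constructed.

```python
import re
from urllib.parse import urlsplit

# Request line of an HTTP/1.x request: METHOD SP request-target SP HTTP/x.y
REQUEST_LINE_RE = re.compile(rb"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<version>\d\.\d)\r?\n")


def _strip_port(host: str) -> str:
    """'example.org:8080' -> 'example.org'; keep IPv6 literals like '[::1]' intact."""
    host = host.rpartition("@")[2]          # drop any userinfo from absolute-form targets
    if host.startswith("["):
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def extract_host(payload: bytes):
    """Return the hostname a plaintext HTTP/1.x request is addressed to, or None."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        head = payload                      # truncated capture: parse what we have
    m = REQUEST_LINE_RE.match(head)
    if not m:
        return None
    target = m.group("target").decode("ascii", "replace")
    if "://" in target:
        # Absolute-form target (proxy-style request): the authority in the
        # target is authoritative and any Host header is to be ignored.
        netloc = urlsplit(target).netloc
        if netloc:
            return _strip_port(netloc).lower()
    for line in head.split(b"\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            value = value.strip().decode("ascii", "replace")
            return _strip_port(value).lower() if value else None
    return None                             # e.g. HTTP/1.0 without a Host header


def classify_payload(payload: bytes):
    """('tls', None) for an encrypted session, ('http', host-or-None), or ('unknown', None)."""
    # A TLS record starts with content type 0x16 (handshake) and version major 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return ("tls", None)
    if REQUEST_LINE_RE.match(payload):
        return ("http", extract_host(payload))
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample payloads.
    samples = [
        b"GET /questions HTTP/1.1\r\nhost: ServerFault.com\r\nUser-Agent: x\r\n\r\n",
        b"GET http://example.org:8080/path HTTP/1.1\r\nHost: other.example\r\n\r\n",
        b"GET / HTTP/1.0\r\n\r\n",
        b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00",
    ]
    for s in samples:
        print(classify_payload(s))
```

Feeding this the payload of each new connection (for example from a pcap, or from a transparent proxy's access log, which already has the host field) gives the per-request hostname the question is after for port 80 traffic; the `tls` verdict marks the connections where only the destination IP is available from this header, which is the https limitation Solution 2 describes.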