A quick update…
First... ever notice that you have LESS free time on a holiday weekend? pfftt...
Anyway, I have this running (somewhat) on my own pfsense box to see how well the idea works. It isn't as nice as I thought it'd be...
First, my config:
I have multiple vlans, and all use a DHCP and DNS on a windows domain server. My windows server is running "windows server essentials" which likes to figure out the IP of your router, and forcibly reconfigures its own DNS server to use your router as a DNS forwarder. (Fun! Fun! Fun!)
Because I have multiple vlans, I'm ignoring any link-local IPv6 addresses. If I included them, there'd be IP address collisions. That dropped the usefulness of this a small amount.
So, I have an hourly cron job that runs this program to add a bunch of lines to an unbound configuration. Each line is just something like this:
local-data-ptr: "1:2:3:4:5:6:7:8 10 hostname.domainname"
After that config is re-written, it forces unbound to re-read its config via:
kill -HUP `cat /var/run/unbound.pid`
One issue with my odd DNS configuration is that it usually takes about 2-5 minutes before the reverse lookups appear in queries. (If I use "dig @localhost -x", I can see that unbound has already updated… so I know it's just the windows crud that's taking several minutes.)
Once Windows catches up, I'm somewhat limited on what I can use to view the results. Two things in particular I'm using to test:
1. "ndp -a". This works great. No issue.
2. "ntopng". This doesn't work so great. ntopng is a bit slow on doing DNS lookups. Also, I'm finding that ntopng's IPv6 support isn't all that great. (This might be fixed in a current ntopng version - I don't know.) What happens is that it resolves the IPv4 to a hostname... and an IPv6 to the same hostname. Then, in things like "Top Hosts (local)", it might show the same hostname multiple times.
That's not so bad. What IS bad is that the "details" URLs for both hosts point to the same place. For example:
https://192.168.1.1:3000/lua/host_details.lua?host=hostname.domainname
In other words, it doesn't have distinct URLs for IPv6 vs IPv4 hosts. It's confusing!
What I'm thinking about doing to try to work around that is to add a switch to my program so that it mangles the hostname. For example, instead of "hostname.domainname" for IPv6 addresses, I might change it to "hostname.XXXX.domainname" (where XXXX is replaced with the last 4 nibbles of the IPv6 address.)
(Of course, ideally, ntopng would get fixed, and pfsense would be updated to use the most recent ntopng version… but that likely won't happen for a while, so I'm trying to give some option in the meantime.)
Finally, there are a couple of cases where I'm not getting any names for IPv6 addresses. This is usually for hosts that are always using IPv6 for everything (meaning there's nothing in the (IPv4) ARP cache to match it with.) There are ways around this (ping floods, raw ARP packets, etc), but I'm not sure I want to get into that.
... I'm still working at it... (when time permits.)
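As an added illustration of the approach the post describes (not the poster's actual program), the script below pairs the IPv4 ARP cache with the IPv6 NDP cache on their shared MAC address, skips link-local entries, emits unbound local-data-ptr lines, and optionally mangles the name with the last four nibbles of the address. The ARP, NDP and reverse-DNS tables are constructed sample data; the hostnames and addresses are not real.

```python
#!/usr/bin/env python3
"""Build unbound local-data-ptr lines for IPv6 hosts by matching the
IPv4 ARP cache against the IPv6 NDP cache on MAC address."""
import ipaddress

# Constructed stand-ins for `arp -an`, `ndp -a` and IPv4 reverse lookups.
ARP = {"192.168.10.20": "00:11:22:33:44:55",
       "192.168.20.30": "aa:bb:cc:dd:ee:ff"}
NDP = {"fd00:10::1a2b:3c4d:5e6f:7a8b": "00:11:22:33:44:55",
       "fe80::211:22ff:fe33:4455": "00:11:22:33:44:55",    # link-local, skipped
       "fd00:20::9999:8888:7777:6666": "aa:bb:cc:dd:ee:ff",
       "fd00:30::dead:beef:cafe:f00d": "12:34:56:78:9a:bc"}  # IPv6-only host
PTR4 = {"192.168.10.20": "laptop.example.lan",
        "192.168.20.30": "nas.example.lan"}


def mangle(name, addr):
    """Insert the last 4 nibbles (last hextet) of the IPv6 address as an
    extra label so the v4 and v6 records resolve to distinct hostnames."""
    host, _, domain = name.partition(".")
    tail = addr.exploded.split(":")[-1]   # exploded form always has 4 nibbles
    return f"{host}.{tail}.{domain}" if domain else f"{host}.{tail}"


def build_ptr_lines(arp, ndp, ptr4, ttl=10, mangle_names=False):
    """Return (sorted local-data-ptr lines, IPv6 addresses with no match)."""
    mac_to_name = {}
    for ip4, mac in arp.items():
        name = ptr4.get(ip4)
        if name:
            mac_to_name[mac.lower()] = name

    lines, unmatched = [], []
    for ip6, mac in ndp.items():
        addr = ipaddress.IPv6Address(ip6)
        if addr.is_link_local:          # fe80::/10 collides across vlans
            continue
        name = mac_to_name.get(mac.lower())
        if name is None:                # nothing in the ARP cache to pair with
            unmatched.append(ip6)
            continue
        if mangle_names:
            name = mangle(name, addr)
        lines.append(f'local-data-ptr: "{addr.compressed} {ttl} {name}"')
    return sorted(lines), unmatched


if __name__ == "__main__":
    entries, missing = build_ptr_lines(ARP, NDP, PTR4, mangle_names=True)
    print("\n".join(entries))
    print("# unmatched:", ", ".join(missing))
```

Writing the lines to the unbound include file and sending SIGHUP to the pid in /var/run/unbound.pid, as in the post, is left to the cron wrapper.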