DNS reverse lookup in Report Tab
-
Hi,
why are internal IP addresses not resolved in the report tab?
This would be helpful, especially in larger networks. External IP addresses are resolved, but internal IP addresses are always described as "unknown" although they would be resolvable.
Thx!
-
@beerman said in DNS reverse lookup in Report Tab:
why are internal IP addresses not resolved in the report tab?
Because IP addresses don't need resolving ;)
See here for what resolving does.
On that same page you can also find what is called "Reverse lookup". From an IP address, to a host name.
When I ask for the host name (url) of my device 192.168.1.2, it answers:
[2.5.2-RELEASE][admin@pfsense.brit-hotexxx.tld]/root: nslookup 192.168.1.2
2.1.168.192.in-addr.arpa name = Bureau2.brit-hotexxxx.tld.
or
[2.5.2-RELEASE][admin@pfsense.brit-hotexxx.tld]/root: dig -x 192.168.1.2 +short
Bureau2.brit-hotexxx.tld.
(I'm a dig-man)
Under pfBlockerNG -> Reports -> DNS replies, I found:
The DNS operation type is 'PTR'.
@beerman said in DNS reverse lookup in Report Tab:
internal IP addresses are always described as "unknown"
My 'internal' == RFC1918 IP addresses are not geolocated - GeoIP location has no meaning for RFC1918.
TTL is also Unknown, as most of my LAN IPs are DHCP-MAC-Static, so 'valid for eternity'. The relation between the DNS name <=> will not get refreshed after xx seconds (the TTL).
-
Thanks for the answer! :)
Perhaps I have not expressed myself clearly enough.
I'm talking specifically about the Alert tab, where internal IP addresses are not resolved to host names, but external IPs are.
It would be nice if the internal IP addresses would be resolved to host names via reverse lookup. (If the DNS resolver is able to do this).
I hope it's a little clearer now. :)
-
@beerman said in DNS reverse lookup in Report Tab:
I hope it's a little clearer now. :)
One of mine:
where "samsungtvbarwifi" is the host name of a smart TV (a huge Samsung TV in the bar) connected to your LAN using Wifi.
The Samsung TV tends to visit "8.8.8.8" (to "call home" I guess) but I blocked 8.8.8.8 using DNSBL, or the IP lists I guess (pfB_DoH_IP_v4).
If the source host name isn't known, then that is because it isn't in your local DNS!
Assign a static IP (and other settings) to your host device - AND declare a host override in the unbound / Resolver, and it will be known.
Or do like me: take all your known equipment, assign them all, once, an IP using the DHCP server using the device's MAC (== DHCP static MAC leases). No need to change any device settings, everything has to be done on pfSense.
Btw, I've no other options, as for extremely known reasons this option:
has to be un-checked.
edit: is the 10.10.1.2 also 'local' for you: do the same thing for all the devices on that network: make them known to pfSense, the resolver.
-
That's of course the first thing I tested. :)
The pfSense box can resolve the internal addresses. I have realized this by using "Domain Overrides" at the DNS resolver, in which the domain "10.in-addr.arpa" points to an internal DNS server.
On the console I can resolve the addresses and in "Diagnostics"->"DNS Lookup" also works.
Only in the Alerts tab it doesn't seem to work...
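
The reverse-lookup names and the "10.in-addr.arpa" domain override discussed in this thread can be checked offline. The following is an added example, not part of the thread or of pfBlockerNG: it builds the PTR query name for each address and reports which configured override zone, if any, covers it. The override target 10.0.0.53 and the sample inputs are constructed assumptions.

```python
import ipaddress

# RFC 1918 private ranges (the "internal" addresses in the thread)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ptr_name(ip):
    """Name queried by a reverse lookup, e.g. 2.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def matching_override(ip, overrides):
    """Return (zone, server) of the most specific override covering ip, or None."""
    zones = {z.rstrip(".").lower(): srv for z, srv in overrides.items()}
    labels = ptr_name(ip).split(".")
    # Walk from the full name towards the root: the longest suffix wins.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate, zones[candidate]
    return None

def audit(ips, overrides):
    """One row per address: PTR name, private or not, covering override zone."""
    rows = []
    for ip in ips:
        hit = matching_override(ip, overrides)
        rows.append({
            "ip": ip,
            "ptr": ptr_name(ip),
            "private": is_rfc1918(ip),
            "zone": hit[0] if hit else None,
            "server": hit[1] if hit else None,
        })
    return rows

# Constructed sample data: one override as described in the last post,
# pointing at a hypothetical internal DNS server.
SAMPLE_OVERRIDES = {"10.in-addr.arpa": "10.0.0.53"}
SAMPLE_IPS = ["10.10.1.2", "192.168.1.2", "8.8.8.8"]

if __name__ == "__main__":
    for row in audit(SAMPLE_IPS, SAMPLE_OVERRIDES):
        print(row)
```

A private address with no covering zone is not necessarily unresolvable: the resolver may still answer it from host overrides or static DHCP leases, as described earlier in the thread.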