Snort & Firewall IP to Resolve to DNS?

  • Is it possible to force PFSense logging for firewall and Snort logs to resolve IP to DNS name automatically?

  • Rebel Alliance Developer Netgate

    No. Generally speaking, it's a bad and insecure idea to resolve IP addresses to hostnames in logs automatically. It's slow, would delay or buffer logging while waiting for DNS, and could even be spoofed/inaccurate. Unless you verified forward to reverse, which is even slower, anyone can return any reverse DNS hostname they want if they have control over their PTR records.

    If someone is probing your network, a reverse DNS query could allow them to gain information about you that they couldn't get otherwise, too.

  • I don't know if I 100% agree with that statement. While it may take more processing power to perform the reverse lookup, if done right it would not be less secure.

    If your machine is making any requests for those services, they already have your IP during the handshake and reply so….

    Also, just like most services, you would think they would do a reverse lookup using a service provider, such as a "whois" report server, and then return that data back to you. So you would not be sending data back to the original location asking for a "whois"; you would be sending your "whois" reverse lookup request to a "whois" service that would return the answer.

    This practice is pretty common. I deploy WatchGuard firewalls all the time and they have reverse DNS features as well that check WatchGuard's DNS services and provide a response back to resolve the name.

    Also, one reason I went with PFSense is so I could have the increased hardware to perform these types of things... It's kind of a no-brainer that it should be a feature and I don't see it being a wild request...
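The two posts above disagree about whether reverse-DNS enrichment of firewall logs can be done safely. The script below is an added example, not code from the thread or from pfSense/Netgate, showing the check the first reply alludes to: forward-confirmed reverse DNS (IP -> PTR -> A, and the A record must point back at the IP), with a per-run cache so each address is resolved once rather than blocking on every log line. All DNS data and log lines are constructed (RFC 5737 documentation ranges, not pfSense's real log format), and the lookup functions are injected so it runs offline; `fake_ptr`, `fake_a`, `fcrdns` and `annotate_log` are names chosen for this example.

```python
"""Forward-confirmed reverse DNS (FCrDNS) enrichment of firewall log lines.

Added example, not from the forum thread or from pfSense. DNS data is
constructed; the lookup functions are parameters so a real resolver with a
timeout can be dropped in later without changing the logic."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed fake zone data (RFC 5737 documentation addresses, not real hosts).
FAKE_PTR: Dict[str, List[str]] = {
    "203.0.113.10": ["mail.example.net."],              # honest PTR, forward agrees
    "198.51.100.7": ["trusted-scanner.bank.example."],  # spoofed PTR, forward disagrees
    "192.0.2.44": [],                                   # no PTR record at all
}
FAKE_A: Dict[str, List[str]] = {
    "mail.example.net.": ["203.0.113.10"],
    "trusted-scanner.bank.example.": ["192.0.2.200"],   # points somewhere else
}

Lookup = Callable[[str], List[str]]


def fake_ptr(ip: str) -> List[str]:
    """Stand-in for a PTR query against the fake zone data."""
    return FAKE_PTR.get(ip, [])


def fake_a(name: str) -> List[str]:
    """Stand-in for an A query against the fake zone data."""
    return FAKE_A.get(name, [])


# RFC 1918 and loopback: never send a reverse query out for these.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Resolution:
    ip: str
    ptr: Optional[str]   # first PTR name returned, or None
    confirmed: bool      # True only when some PTR name's A record contains ip


def fcrdns(ip: str, ptr_lookup: Lookup, a_lookup: Lookup,
           cache: Dict[str, Resolution]) -> Resolution:
    """Resolve ip -> PTR -> A and require the A record to point back at ip.

    Whoever controls the PTR zone can put any name there; only a name whose
    forward record also contains the IP is marked confirmed."""
    if ip in cache:
        return cache[ip]
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in LOCAL_NETS):
        result = Resolution(ip, None, False)
    else:
        names = ptr_lookup(ip)
        result = Resolution(ip, names[0] if names else None, False)
        for name in names:
            if ip in a_lookup(name):
                result = Resolution(ip, name, True)
                break
    cache[ip] = result
    return result


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")  # IPv4 only in this example


def annotate_line(line: str, ptr_lookup: Lookup, a_lookup: Lookup,
                  cache: Dict[str, Resolution]) -> str:
    """Append '(name fcrdns-ok)' or '(name UNCONFIRMED)' after each resolvable IP."""
    def tag(m: "re.Match[str]") -> str:
        r = fcrdns(m.group(0), ptr_lookup, a_lookup, cache)
        if r.ptr is None:
            return m.group(0)
        label = "fcrdns-ok" if r.confirmed else "UNCONFIRMED"
        return f"{m.group(0)} ({r.ptr.rstrip('.')} {label})"
    return IPV4_RE.sub(tag, line)


# Constructed log lines; the layout is illustrative, not pfSense's filterlog format.
SAMPLE_LOG = [
    "block in on em0: 203.0.113.10 -> 192.0.2.1:25",
    "block in on em0: 198.51.100.7 -> 192.0.2.1:22",
    "pass in on em0: 192.0.2.44 -> 192.0.2.1:443",
    "block in on em1: 10.0.0.5 -> 10.0.0.1:53",
]


def annotate_log(lines: List[str] = SAMPLE_LOG, ptr_lookup: Lookup = fake_ptr,
                 a_lookup: Lookup = fake_a) -> List[str]:
    """Annotate a batch of lines sharing one cache, so repeats cost no lookups."""
    cache: Dict[str, Resolution] = {}
    return [annotate_line(line, ptr_lookup, a_lookup, cache) for line in lines]


if __name__ == "__main__":
    for out in annotate_log():
        print(out)
```

The spoofed case is the second line: the PTR owner claims `trusted-scanner.bank.example`, but that name's A record points elsewhere, so the annotation says UNCONFIRMED rather than presenting the name as fact. Replacing `fake_ptr`/`fake_a` with real resolver calls (with a timeout, and run after the log is written rather than in the logging path) keeps the logic the same; note that a real PTR query for an attacker's address still goes to a nameserver the attacker may control, which is the information leak the first reply warns about.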
