Does pFsense not do PTR records? Won't resolve IP to name on LAN
-
@lpfw why would you think that would resolve - you're asking for an A.. not a PTR..
A PTR would be in this format.. Even in yours it says right there in the response: no such name A 10.29.29.5
$ dig -x 192.168.9.100

; <<>> DiG 9.16.44 <<>> -x 192.168.9.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49071
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;100.9.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
100.9.168.192.in-addr.arpa. 424 IN PTR i9-win.local.lan.

;; Query time: 6 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Thu Oct 19 10:52:57 Central Daylight Time 2023
;; MSG SIZE rcvd: 85
If you're wanting pfSense to ask some other DNS on your network, you would have to set up a domain override for the in-addr.arpa range you're wanting to forward to this other NS on your network. But it looks like you have it just forwarding to this 10.29.29.1 NS.
Where such a setup is going to be problematic - if it asks 9.9.9.9 it's not going to work, and it's not going to ask the 10.29.29.1 box then.
If you have some other NS for this specific PTR network - then you should set up a domain override so pfSense will always ask that NS for that specific sort of query.
-
Yeah Quad wouldn't know.
I guess I wrongly assumed the point of two DNS server definitions was if one doesn't have an answer try the other. Thinking a little deeper it's more likely if one is unreachable use the other.
-
Oh whoops, it is not a PTR (IP -> name)?
I thought it was "To translate an IP address to a domain name, you typically use a reverse DNS (rDNS) lookup, and the specific DNS record type used for this purpose is the PTR (Pointer) record. A PTR record maps an IP address to a domain name, essentially performing the reverse of what an A (Address) record does, which maps a domain name to an IP address."
or does pfSense only resolve name->IP? (A record)
-
@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:
assumed the point of two DNS server definitions was if one doesn't have an answer try the other.
That's correct, but one is inside and knows about your stuff, the other is outside and won't. The outside is responding faster than the internal. So even though it asks both, first response wins.
That's why in your first post, when you posted the response from your internal DNS, it works. You specifically asked that server.
Cheers
-
@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:
was if one doesn't have an answer try the other
Very common misconception to be sure.. There was just a thread yesterday I believe going over this same exact thing..
You should never point to 2 or more NSes that do not resolve the same stuff.. You have no real idea which NS a client might ask even if they are labeled 1 or 2 or 3 or primary/secondary.
If a client asks NS A, and he says NX - then it's done.. The only reason it would try to ask any other NS it has listed is if the first NS didn't answer at all.
Let me see if I can dig up that other thread.
edit: here you go, this thread went into that same misconception you had
https://forum.netgate.com/topic/183471/first-post-lan-some-vlans-cant-get-to-website-some-vlans-can
Also even if you ask a NS that can respond with an answer - if you ask for an A record for some IP, it's not going to respond - you need to ask for the PTR..
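To make the resolver behaviour described in this post concrete, here is an added Python simulation (not code from the thread, pfSense or unbound): it builds the in-addr.arpa name that a PTR query actually asks for, shows that a stub resolver stops at the first server that answers (an NXDOMAIN counts as an answer; only an unreachable server causes fallback), and shows how a domain override pins a reverse zone to the internal NS. The server names, the 10.29.29.0/24 records and the host name printer.local.lan are constructed.

```python
import ipaddress

def reverse_name(ip: str) -> str:
    """PTR owner name for an IPv4 or IPv6 address, i.e. what `dig -x` asks for."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

class NameServer:
    """Toy authoritative/forwarding NS: a map of (qname, qtype) -> rdata."""
    def __init__(self, name, records=None, reachable=True):
        self.name = name
        self.records = records or {}
        self.reachable = reachable

    def query(self, qname, qtype):
        if not self.reachable:
            return None                      # timeout: no answer at all
        rdata = self.records.get((qname, qtype))
        return ("NOERROR", rdata) if rdata else ("NXDOMAIN", None)

def client_lookup(servers, qname, qtype):
    """Stub-resolver rule: the first server that answers decides, NXDOMAIN included.
    Returns (server name that answered, (rcode, rdata))."""
    for ns in servers:
        answer = ns.query(qname, qtype)
        if answer is not None:
            return ns.name, answer
    return None, ("SERVFAIL", None)          # nobody answered

def override_lookup(default_ns, overrides, qname, qtype):
    """Domain override: queries under a listed zone go only to that zone's NS."""
    for zone, ns in overrides.items():
        if qname.endswith(zone):
            return client_lookup([ns], qname, qtype)
    return client_lookup([default_ns], qname, qtype)

# Constructed sample data: an internal NS that knows the LAN, and a public one that cannot.
INTERNAL = NameServer("internal", {
    ("printer.local.lan.", "A"): "10.29.29.5",
    (reverse_name("10.29.29.5"), "PTR"): "printer.local.lan.",
})
QUAD9 = NameServer("quad9")                  # knows nothing about 10.29.29.0/24
REVERSE_ZONE = "29.29.10.in-addr.arpa."

if __name__ == "__main__":
    q = reverse_name("10.29.29.5")
    print(q)                                            # 5.29.29.10.in-addr.arpa.
    print(client_lookup([QUAD9, INTERNAL], q, "PTR"))   # quad9 answers NXDOMAIN; done
    print(client_lookup([INTERNAL, QUAD9], q, "PTR"))   # internal answers; works
    print(override_lookup(QUAD9, {REVERSE_ZONE: INTERNAL}, q, "PTR"))  # always internal
    print(client_lookup([INTERNAL], "10.29.29.5", "A")) # A query for an IP: NXDOMAIN
```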
-
OK now I see
I clicked on the fw rule widget on the main page to resolve an internal IP to name.
But it brings you to a screen that only expects a name, which is why it doesn't work. (I was expecting it to accept hostname or IP)
If I go to the fw log section, resolution works.
Thanks all for your help!!!
-
@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:
If I go to fw log section resolution works.
Did you remove 9.9.9.9? While it might work now, next time it asks 9.9.9.9 it's not..
-
Correct, I moved quad9 to second place
Can't recall why I wanted it first, but I guess it's fine: if the internal NS is down it goes direct to quad
internal NS points to quad9 anyway
lol
-
@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:
moved quad9 to second place
or better, as noted, remove it completely
where do your internal clients point to for DNS
the pfSense or the internal server?
-
@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:
Correct I moved quad9 to second place
That is not going to solve the problem.. As I clearly stated - you have no idea which NS a client might ask at any given point..
-
all yours
-
I think I have everything set to point to the internal Pihole (DHCP clients, IPSEC clients)
I guess the crux of what I was hoping for was, in the FW rule logs window, to have pfSense automatically resolve IPs to names, instead of me having to click on all the "i" for resolution.
ChatGPT seems to say pfSense will not support this.
Thanks again for the second set of eyes !
-
Will pfSense resolve logged IPs to names? When looking at real time traffic, mine resolves the names just fine, but the logs have always had IPs.
If I were being evil and I knew you logged names, not IPs, I would hijack an IP and do evil, then return to normal while you grill some innocent.
-
@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:
have pfsense automatically resolve IPs to names, instead of me having to click on all the "i" for resolution.
That would be a horrible, horrible idea to be honest. You could have 1000's of nonsense IPs hitting your WAN for example... attempting to do a PTR for every one of those IPs - many of which won't resolve anyway - is just spending cycles and extra DNS queries for zero reason to be honest.
If that was an option - that would be pretty high on my list to make sure it's disabled..
-
yeah def of course, but in some cases it could be helpful
ie
in my case the scenario would be
troubleshooting an issue
only internal fw stuff (LAN<->IOT) is logging
would want to see names not IPs
-
@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:
would want to see names not IPs
then click the little i - all instances of that IP in the log will now show up with its resolved name under it.
You're troubleshooting an "X can not talk to Y" sort of thing - I would think before you could even start you would have the IPs involved.
-
@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:
crux of what was hoping for was in the FW rule logs window, have pfsense automatically resolve IPs to names,
Well now, see, that's a different issue, which has nothing really to do with pfSense's ability to resolve names if configured correctly -
you've turned this into a feature request to have the Firewall views (logs) just resolve the names auto-magically when you view those logs.
Were I building such a feature (and I'm not), you could base it on, and only at the time the page is being loaded, certain conditions - for example
on the Log Filter setting -Quantity
if the Quantity is 10000 - well you are just plain silly for trying to view it here anyway - move on
500 records is questionable.
but if you select viewing for say 50 or even 100 records (say <= 100) resolving them in real time as the page loads is no worse in response time (page load) than someone trying to display say 1000 records without resolution.
That said, yeah, generally not a good idea (on the pfSense box, not what it is made for), but with little effort, if it is important to you, you can syslog the records and report on them elsewhere if and as needed.
There are a ton of tools for doing this, and they will all show you names resolved on reports.
There are also some reports (views) within pfBlockerNG (for example) that will display the results with name already resolved.
Alerts View
There are sections on this view, each having their own count of records to display: blocked, DNSBL, Permit, Match.
200, 25, 200, 25 are my record counts in each of those sections.
It takes no time at all to load this view containing 4 sections, all names resolved (if they actually have a PTR). This is the "Source" column from that.
Certainly doable, you have options.
-
it is open source after all
here is the "Firewall Logs" widget on the dashboard
since it is only displaying 10 (my setting, because on my dashboard anything more than that makes me want to scroll, and I don't like scrolling dashboards.)
--- wait oh my is that name resolution working -
FWIW, it is not any slower. I won't keep this because it's 2 lines of code added, and I don't need it, but as a POC there it is.
as a side note, some people have crazy long name records. Already displaying in a smaller font, and I still have to wrap to fit the table provided by the widget. So when there is a will there is a way. Enjoy the ride.