Does pFsense not do PTR records? Won't resolve IP to name on LAN

johnpoz

@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:

If I go to fw log section resolution works.

Did you remove 9.9.9.9? While it might work now. Next if it asks 9.9.9.9 its not..

lpfw

@johnpoz

Correct I moved quad9 to second place

Can't recall why I wanted it first but I guess it's fine if internal NS is down it goes direct to quad

internal ns points to quad9 anyway

lol

jrey

@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:

moved quad9 to second place

or better as noted remove it completely

where do your internal clients point to for DNS
the pfSense or the internal server?

johnpoz

@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:

Correct I moved quad9 to second place

That is not going to solve the problem.. As I clearly stated - you have no idea which NS a client might ask at any give point..

jrey

@johnpoz

all yours

lpfw

@jrey

I think I have everything set to point to the internal Pihole (DHCP clients, IPSEC clients)

I guess the crux of what was hoping for was in the FW rule logs window, have pfsense automatically resolve IPs to names, instead of me having to click on all the "i" for resolution.

chatgpt seems to say pfsense will not support this.

Thanks again for the second set of eyes !

AndyRH

Will pfSense resolve logged IPs to names? When looking at real time traffic, mine resolves the names just fine, but the logs have always had IPs.

If I were being evil and I knew you logged names, not IPs, I would hijack an IP and do evil, then return to normal while you grill some innocent.

johnpoz

@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:

have pfsense automatically resolve IPs to names, instead of me having to click on all the "i" for resolution.

That would be a horrible horrible idea to be honest. You could have 1000's of nonsense IPs hitting your wan for example... attempting to do a PTR for every one of those IPs - many of which won't resolve anyway is just spending cycles and extra dns queries for zero reason to be honest.

If that was an option - that would be pretty high on my list to make sure disabled..

lpfw

@johnpoz

yeah def of course, but in some cases could be helpful

ie

in my case the scenario would be

tshooting an issue

only internal fw stuff (LAN<->IOT) is logging

would want to see names not IPs

johnpoz

@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:

would want to see names not IPs

then click the little i - all instances of that IP in the log will now show up with its resolved name under it.

Your troubleshooting X can not talk to Y sort of thing - I would think before you could even start you would have the IPs involved.

jrey

@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:

crux of what was hoping for was in the FW rule logs window, have pfsense automatically resolve IPs to names,

Well now see that's a different issue, which has nothing really to do with pfSense's ability to resolve names if configured correctly -

you've turn this into a feature request to have the Firewall views (logs) just resolve the names auto-magically when you view those logs.

Were I building such a feature (and I'm not) you could base it on and only at the time the page is being loaded, under certain conditions - for example

on the Log Filter setting -Quantity

if the Quantity is 10000 - well you are just plain silly for trying to view it here anyway - move on

500 is records is questionable.

but if you select viewing for say 50 or even 100 records (say <= 100) resolving them in real time as the page loads is no worse in response time (page load) than someone trying to display say 1000 records without resolution.

That said, yeah generally not a good idea (on the pfSense box, not what it is made for), but with little effort if it important to you, you can syslog the records and report on them elsewhere if and as needed.

There are a ton of tools for doing this, any they will all show you names resolved on reports.

There are also some reports (views) within pfBlockerNG (for example) that will display the results with name already resolved.
Alerts View
There are sections, on this view each having their own count of records to be display and each with how many records to display

blocked, DNSBL, Permit, Match
200, 25, 200, 25 are my record counts in each of those sections.
takes no time at all to load this view containing 4 section all names resolved (if they actually have a PTR) .

this is the "Source" column from that

Certainly doable, you have options.

jrey

@lpfw

it is open source after all

here is the "Firewall Logs" widget on the dashboard

since it is only display 10 (my setting, because on my dashboard anything more than that makes want to scroll, and I don't like scrolling dashboards.)

--- wait oh my is that name resolution working -
FWIW, it is not any slower

I won't keep this because 2 lines of code added, and I don't need it, but as a POC there it is.

as a side note, some people have crazy long name records. Already displaying in a smaller font, and I still have to wrap to fit the table provided by the widget.

So when there is a will there is a way. Enjoy the ride.