Does pFsense not do PTR records? Won't resolve IP to name on LAN

so 10.29.29.11 is your internal DNS that would hold your names ?
Make the netgate point to that, then make that DNS go outside (wherever you want) for things it can't resolve.

johnpoz · Oct 19, 2023, 3:58 PM

@lpfw why would you think that would resolve - your asking for A.. not a ptr..

login-to-view

A ptr would be in this format.. Even in your Says right there in the response no such name A 10.29.29.5

$ dig -x 192.168.9.100

; <<>> DiG 9.16.44 <<>> -x 192.168.9.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49071
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;100.9.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
100.9.168.192.in-addr.arpa. 424 IN      PTR     i9-win.local.lan.

;; Query time: 6 msec
;; SERVER: 192.168.3.10#53(192.168.3.10)
;; WHEN: Thu Oct 19 10:52:57 Central Daylight Time 2023
;; MSG SIZE  rcvd: 85

If your wanting for pfsense to ask some other dns on your network, you would have to setup a domain override for the in-addr.arpa range your wanting to forward to this other NS on your network. But looks like have it just forwarding to this 10.29.29.1 NS

Where such a setup is going to be problematic - if it asks 9.9.9.9 its not going to work, and its not going to ask the 10.29.29.1 box then.

If you have some other NS for this specific PTR network - then should setup a domain override so pfsense will always ask that NS for that specific sort of query.

lpfw · Oct 19, 2023, 3:59 PM

@jrey

Yeah Quad wouldn't know.

I guess I wrongly assumed the point of two DNS server definitions was if one doesn't have an answer try the other. Thinking a little deeper it's more likely if one is unreachable use the other.

lpfw · Oct 19, 2023, 4:05 PM

@johnpoz

Oh whoops, it is not a PTR (IP -> name)?

I thought it was "To translate an IP address to a domain name, you typically use a reverse DNS (rDNS) lookup, and the specific DNS record type used for this purpose is the PTR (Pointer) record. A PTR record maps an IP address to a domain name, essentially performing the reverse of what an A (Address) record does, which maps a domain name to an IP address."

or does pfsense only resolve name->IP ? (a-record)

jrey · Oct 19, 2023, 4:05 PM

@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:

assumed the point of two DNS server definitions was if one doesn't have an answer try the other.

That's correct but one is inside and knows about your stuff, the other is outside and won't. the outside is responding faster than the internal. So even though it asks both, first response wins.

that's why in your first post when you posted the response from your internal DNS it works. You specifically asked that server.

Cheers

johnpoz · Oct 19, 2023, 4:09 PM

@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:

was if one doesn't have an answer try the other

Very common mis conception to be sure.. There was just a thread yesterday I believe going over this same exact thing..

You should never point to 2 or more NSers that do not resolve the same stuff.. You have no real idea which ns a client might ask even if they are labled 1 or 2 or 3 or primary/secondary.

if client ask ns A, and he says nx - then its done.. Only reason it would try to ask any other ns it has listed is if the first ns didn't answer at all.

Let me see if can dig up that other thread.

edit: here you go this thread went into that same misconception you had

https://forum.netgate.com/topic/183471/first-post-lan-some-vlans-cant-get-to-website-some-vlans-can

Also even if you ask a NS that can respond with an answer - if you ask for a A record for some IP, its not going to respond - you need to ask for the PTR..

lpfw · Oct 19, 2023, 4:19 PM

OK now I see

I clicked on the fw rule widget on the main page to resolve an internal IP to name.

But it brings you to a screen that only expects a name which is why it doesn't work. (I was expecting it accept hostname or IP)

If I go to fw log section resolution works.

Thanks all for your help!!!

login-to-view

johnpoz · Oct 19, 2023, 4:14 PM

@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:

If I go to fw log section resolution works.

Did you remove 9.9.9.9? While it might work now. Next if it asks 9.9.9.9 its not..

lpfw · Oct 19, 2023, 4:16 PM

@johnpoz

Correct I moved quad9 to second place

Can't recall why I wanted it first but I guess it's fine if internal NS is down it goes direct to quad

internal ns points to quad9 anyway

lol

jrey · Oct 19, 2023, 4:22 PM

@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:

moved quad9 to second place

or better as noted remove it completely

where do your internal clients point to for DNS
the pfSense or the internal server?

johnpoz · Oct 19, 2023, 4:22 PM

@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:

Correct I moved quad9 to second place

That is not going to solve the problem.. As I clearly stated - you have no idea which NS a client might ask at any give point..

jrey · Oct 19, 2023, 4:25 PM

@johnpoz

all yours

lpfw · Oct 19, 2023, 4:27 PM

@jrey

I think I have everything set to point to the internal Pihole (DHCP clients, IPSEC clients)

I guess the crux of what was hoping for was in the FW rule logs window, have pfsense automatically resolve IPs to names, instead of me having to click on all the "i" for resolution.

chatgpt seems to say pfsense will not support this.

Thanks again for the second set of eyes !

AndyRH · Oct 19, 2023, 4:34 PM

Will pfSense resolve logged IPs to names? When looking at real time traffic, mine resolves the names just fine, but the logs have always had IPs.

If I were being evil and I knew you logged names, not IPs, I would hijack an IP and do evil, then return to normal while you grill some innocent.

johnpoz · Oct 19, 2023, 4:40 PM

@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:

have pfsense automatically resolve IPs to names, instead of me having to click on all the "i" for resolution.

That would be a horrible horrible idea to be honest. You could have 1000's of nonsense IPs hitting your wan for example... attempting to do a PTR for every one of those IPs - many of which won't resolve anyway is just spending cycles and extra dns queries for zero reason to be honest.

If that was an option - that would be pretty high on my list to make sure disabled..

lpfw · Oct 19, 2023, 4:43 PM

@johnpoz

yeah def of course, but in some cases could be helpful

ie

in my case the scenario would be

tshooting an issue

only internal fw stuff (LAN<->IOT) is logging

would want to see names not IPs

johnpoz · Oct 19, 2023, 4:49 PM

@lpfw said in Does pFsense not do PTR records? Won't resolve IP to name on LAN:

would want to see names not IPs

then click the little i - all instances of that IP in the log will now show up with its resolved name under it.

Your troubleshooting X can not talk to Y sort of thing - I would think before you could even start you would have the IPs involved.