Host Names in Reports

[Taunt9930]

HI there, I have done a search, but nothing I have found appears to work.

On my OPNSense firewall I have allocated static IP's and Hostnames for every device that has connected. I use unbound DNS, and have ticked 'Register DHCP static mappings'. If I do a local check on the network with a netscan, the hostnames as per my static reservations are shown.

However, I cannot get these host names to show in the Zenarmor reports. I have in ZenArmor > configuration > reporting and data ENABLED 'Perform real-time DNS reverse queries for local IP addresses' & 'Use OPNsense Host aliases for DNS enrichment'. I have put the OPNSense firewall LAN IP in 'DNS server IP addresses to do reverse IP lookups:' - is this correct?

I do not have either of the two 'anonymize' or 'do not perform' settings checked in the next section.

Should I not be seeing my Host names as per my DHCP address static reservations, or have I misunderstood?

Thanks,

Jason.

[Taunt9930]

OK, so if it helps anyone, after I erased reporting data it sprung into life with the Host Names, apart from the odd weird one that refuses to work for some reason - still trying to work that out.

[Taunt9930]

OK so it didn;t work. Still not getting meaningful local host names in reports. All of my local hosts have statically assigned addresses with host-names also. Using Unbound as my DNS service.

Anyone got any tips, or is that 'as designed' until an update?

[mb]

Hi @Taunt9930,

Need a bit more information here. Do you see some hostnames resolved or nothing at all? And if you're seeing some hostnames, are the missing ones IPv6 addresses?

[Taunt9930]

Hi @mb - thanks for replying. Fair point, was a bit light on the info!

It is a mix - at least 2 of my very few ipv6 clients have resolved. Same for IPv4 clients on my network - it is a mix - some have resolved as expected (e.g.jasons-surface.home), some have resolved as *.local (e.g. android-3.local, hubitat.local), and a whole load have not resolved at all - e.g. 172.16.10.xxx

ALL of the devices on my network are statically mapped (IPv4) by MAC address with OPNSense with host-names.

I use Unbound DNS - Register DHCP Leases, and Register DHCP Static Mappings are both enabled.

Happy to give any other info if I'm pointed to where to look - very new to this!

Many Thanks,

[mb]

Hi @Taunt9930,

My pleasure.

Zenarmor utilizes 6 different mechanisms (ranging from MDNS/SSDP/LLMR to static IP mappings). These have confidence levels assigned; so for instance, if zenarmor detects a reverse ip mapping for an IP address, which has a higher confidence level than an LLMR message, it'll start to use that resolution for the same IP address. This is why you might be seeing different types of hostnames. For now, the mappings are not persisted to a database though.

2.0 will ship with Device Identification, which will have the necessary pieces to provide more streamlined user experience.

On the other hand, for now, if you have static mappings for IP addresses, you should be able to see them resolved in the charts/reports. Let's have a look at this to see if we're missing anything.

[Taunt9930]

Great, thanks @mb. The 2.0 release sounds great - I have read a few bits a pieces about it when mentioned.

Yes, all of my clients are assigned static addresses in OPNsense, so I was indeed expecting to see those host names resolved. More than happy to be asked obvious questions - clearly I am missing something.

[Taunt9930]

Hi, is there anything I can look at to try and resolve this?

Apart from many local IP addresses not showing the host names in reports, I am also getting a load of ***.local (e.g. android-3.local) - does this give any clues as to why I am not seeing my statically assigned host names?

Thanks,

[Taunt9930]

Still keen to understand if anyone is able to point me to any settings or considerations I may have missed on this, if anyone can spare the time! As it stands, the reports are really not very useful to me at all.

[sy]

Hi,

Can you confirm that the Show Hostname is checked in Report Settings?

[Taunt9930]

Hi,

Can you confirm that the Show Hostname is checked in Report Settings?

Hi Sy, I can confirm that is selected.

[paul_a2]

For me the hostname in reports works so that if I move the mouse over hostname then those that have a hostname in OPNsense will switch to hostname.

Aka if I open report with 10 rows I need to go the to the source ip column and move mouse pointer over all rows and they will "switch" to hostname if it exits on opnsense.

[Taunt9930]

For me the hostname in reports works so that if I move the mouse over hostname then those that have a hostname in OPNsense will switch to hostname.

Aka if I open report with 10 rows I need to go the to the source ip column and move mouse pointer over all rows and they will "switch" to hostname if it exits on opnsense.

That's interesting. I just had a look, and that doesn't happen for me. Further digging shows this:

• 
  On the 'Reports' Tab under Zenarmor, All of the charts under connections, threats, blocks, web, DNS, TLS have a mix of three things in the same chart - completely unresolved local hosts shown as IP Address, Hosts shown with the static Hostname, and hosts with something else like android-3.local.
• If I open any of the Pop-up Reports that show as tables e.g. 'Connections' > 'Activity Explorer' & 'Live Sessions Explorer', or 'Threats' > 'Live Security Events Explorer', then the hosts are all shown correctly e.g. Phone.LushHome