ZenArmor Reports for local hosts (Odd Behavior)

[DoBoY]

I can't seem to find any good info regarding an issue I have found(if it even is one)

My Top local hosts report includes external addresses? A mix of both actually, and some are not resolving to proper alias's that are defined internally.

Now good the mix out of outside and inside IP's be due to a config on the opnsense? I am not sure where zenarmor pulls the data for "local hosts" All my internal hosts are non routable ip's of course.

ie.. I have a docker server running rtorrent and other apps, most of those rtorrent ip's are being recorded in local hosts even though they are external routable user's ?

I am not sure i am explaining this correctly but I expected Top local hosts to include only internal network objects?

[mb]

Hi @DoBoY,

Happy New Year!

We're aware of this problem. This affects Top Local and Top Remote Hosts charts. We're testing the fix in pilot environments.

We'll ship the fix with 1.12.3 tomorrow / Tuesday.

[DoBoY]

Well that's terrific news. Happy i was not crazy

Thanks.

So I  guess in the future I should wait a bit before upgrading to see if there any known issues, is there a good ressource we can access to verify that the latest versions have not included some unknown bugs/misbehaviors?

[DoBoY]

Hi @DoBoY,

Happy New Year!

We're aware of this problem. This affects Top Local and Top Remote Hosts charts. We're testing the fix in pilot environments.

We'll ship the fix with 1.12.3 tomorrow / Tuesday.

I guess there was more bugs to squash before releasing the fix? Any new ETA, I am running out of time on my 15 day trial.

[sy]

Hi,

The test process needs a bit more time. It will be shipped by the end of this week. Please contact the team by using the upper right corner of Zenarmor GUI to extend the trial time.

[DoBoY]

Hi,

The test process needs a bit more time. It will be shipped by the end of this week. Please contact the team by using the upper right corner of Zenarmor GUI to extend the trial time.

Ok So i have upgraded to latest version and it seems better now, maybe you can answer a quick question?

I have multiple alias's created from dynamic dns urls that get resolved to ip addresses in order to use in incoming firewall rules.

All I see is the external IP in the various reports, which then on hover gets resolved to an external generic url/dns name from the web. Can i not get it to use the internal DNS cache to populate ?

ie.. should they not get resolved to

A) My internal alias name's?
B) The dynamic URL that I defined in the alias?

Thanks

[sy]

Hi,

You can set the DNS server in the Configuration - Reporting & Data - DNS Enrichment for Reports. But hostname Infos are used for the source machines. 

[DoBoY]

Hi,

You can set the DNS server in the Configuration - Reporting & Data - DNS Enrichment for Reports. But hostname Infos are used for the source machines.

I have that feature enabled already and does not help. My guess is that when it does a reverse lookup since it's a dynamic dns it does not resolve to the url that is located in the alias, as in it does not check it's own DNS/PTR table  even it even has one. it goes outside and those ip's do not have a public PTR since they are dynamic

[packetmangler]

if you do a host lookup on those IP addresses from a host on your network what do they resolve to? 

I wouldn't expect anything outside of opnsense to know what anything inside of your aliases resolve to as that's not how DNS works.