Hostnames not matching mac addresses, can't flush network table

dfx334 · November 18, 2021, 10:53am

Hello,

today I was looking at the traffic of some devices of my network and I discovered that the traffic was not correctly matched with the devices. So I checked the network table and indeed the hostnames were not correctly matching the mac address of the devices. I tried to flush the network table but the flushing button doesn't work, the network table remain there. Also deleting the entry individually does nothing, the network table always come back as it was before.

I tried some solution found around but I wasn't able to solve. Here is the debug log.
Thank you!

Debug Token:

https://tricorder.pi-hole.net/U8mV1EtJ/

Bucking_Horn · November 18, 2021, 12:01pm

Pi-hole has no knowledge of devices.
A device can have multiple network interfaces, and a network interface can carry multiple IP addresses.

Pi-hole only has immediate knowledge of the source IP address of the requester, as that is contained in a DNS request.

( As an additional measure (independent from DNS), Pi-hole can indirectly observe IP addresses as associated to a MAC address of a network interface that's directly connected to the same network segment as Pi-hole. (click for more) )

Pi-hole may then use that information to provide a hostname for an IP address that fails with reverse lookups.

But in order to do so, Pi-hole needs at least one successful hostname resolution for one of the IP addresses associated with the same NIC's MAC address.

That method may produce unexpected results if a device would be connected to a different network segment, e.g. behind an additional router or L3 switch, as IP addresses of multiple devices connected through that equipment would appear to be associated with a MAC address of that equipment.

EDIT: Similar would be true for those clients that would spoof a MAC address every time they connect to a network.

To associate an IP address with a name, DNS provides a reverse lookup mechanism involving PTR records.

When Pi-hole isn't also acting as DHCP server, Pi-hole's prime source of getting to know a hostname for a private IP address from your network is to issue the respective reverse lookup DNS requests for PTR records from time to time.

Now, your debug log shows you've ticked both Never forward non-FQDN A and AAAA queries as well as Never forward reverse lookups for private IP ranges.

Pi-hole's UI shows the following advice directly under those options:

Important : Enabling these two options may increase your privacy, but may also prevent you from being able to access local hostnames if the Pi-hole is not used as DHCP server.

Please try unticking at least Never forward reverse lookups for private IP ranges.

This should fix hostname resolution for local IPs as displayed in the dashboard's Top Clients and in the Client column of the Query Log.
Note that it may take a short while before Pi-hole has issued and retrieved the required PTR records.
The Network overview table may require flushing to update.

dfx334 · November 18, 2021, 7:45pm

Thank you for the clear explanation, I was naively believing that Pi-hole was associating the hostname resolution to the MAC address. I did the modification you suggested and I will update this post with the results.

dfx334 · November 19, 2021, 12:16am

Is there an alternative way to flush the network table? The button in the setting panel and the single buttons in the tools/network panel doesn't work.

Bucking_Horn · November 19, 2021, 10:24am

I have no issues deleting entries from the network overview on my system.

Could you elaborate "doesn't work" a bit?

dfx334 · November 19, 2021, 11:03am

Sure, sorry. I was meaning that the buttons have no effect, after I click any of them the network table turn back as it was before. It cannot be flushed.

Bucking_Horn · November 19, 2021, 11:12am

When you try to delete single entries, do the Number of queries columns get reset, or do they stay at the same value?

EDIT:
Also, please provide the output for:

ls -lah /etc/pihole/*.db

dfx334 · November 19, 2021, 11:28am

Yes, the Number of queries get reset, and I tried also the Flush network table button in the setting panel and it does the same. I was expecting to see some very old record entries to disappear, that's why I believed it wasn't working, sorry for my confusion! I've totally missed that column!

The output you requested:
-rw-rw-r-- 1 pihole pihole 5.4M Nov 14 03:14 /etc/pihole/gravity.db
-rw-rw-r-- 1 pihole pihole 5.4M Nov 14 03:14 /etc/pihole/gravity_old.db
-rw-r--r-- 1 pihole pihole 2.7M Oct 24 17:58 /etc/pihole/macvendor.db
-rw-rw-r-- 1 pihole pihole 90M Nov 19 12:21 /etc/pihole/pihole-FTL.db

dfx334 · November 20, 2021, 1:58pm

I believe I found the issue and it was not because of the Pi-hole, but your initial help raised a doubt in my mind and I went to check the network table of my Fritz!BOX router and for some reason it was completely messed up. Never seen anything like that in all those years, that's why it didn't cross my mind to check it before. There were even very old hostnames that appeared again from nowhere like they were present in the LAN. I was able to flush it and its network table started to be pupated correctly again and consequently the same happened on the Pi-hole.

So sorry for having opened the post, but thank you for the head up and the useful informations!

Bucking_Horn · November 21, 2021, 9:26am

There's no reason to apologise - we all learn and benefit from questions, especially the ones that get solved. It's the ultimate reason for this forum in the first place.

system · December 12, 2021, 9:27am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.