IP addresses on the dashboard are not replaced by names from the network table if they cannot be associated with a MAC address immediately

DL6ER · May 15, 2021, 7:05am

Each client seen for the first time will trigger a name lookup. This is true for both IPv4 and IPv6 clients but can be altered using the config options RESOLVE_IPv4 and RESOLVE_IPv6 (both defaulting to true). Another condition for whether we should resolve a hostname is that said client has to have made at least one query within the last two hours. This to avoid making reverse lookups for clients that are already gone when restarting FTL and reloading the last 24 hours of queries from the database.

The REFRESH_HOSTNAMES option has nothing to do with this first lookup. It only controls said refreshing of the host names which happens on every full hour (compile-time option RERESOLVE_INTERVAL).

Note that you can set DEBUG_RESOLVER=true in pihole-FTL.conf to get detailed explanations in your FTL log about how/where a host name was found.

The procedure of resolving a host name is now the following (function resolveAndAddHostname()):

We query the nameserver at 127.0.0.1 (this will typically be your Pi-hole) for the name using a PTR query. A successful lookup will be logged with the debug message ---> "abc.de" (found internally).
If this returned no result, we try the nameserver(s) configured in resolv.conf. This is necessary to get hotnames associated with docker containers and can be the correct choice if conditional forwarding is not configured and the Pi-hole still using the DNS server installed before Pi-hole (typically the router in at-home installations).
If both above returned NXDOMAIN, we check the option NAMES_FROM_NETDB (defaulting to true) and ask the network table using:
```
SELECT name FROM network_addresses
       WHERE name IS NOT NULL AND
             ip = 'ip-addr';
```

If nothing was found here, there is another fallback checking for a hostname associated with the same device but another IP address (if ambiguous, we choose the most recent one):

SELECT name FROM network_addresses 
       WHERE name IS NOT NULL AND
             network_id = (SELECT network_id FROM network_addresses
                                  WHERE ip = 'ip-addr')
       ORDER BY lastSeen DESC LIMIT 1;

If all these lookups fail, we return with "hostname not known".

Point 4 above answers

A restart of FTL should pick the address up, too. But, yes, in the present scenario the issue comes from that IPv6 hostnames once found (or not) stay there forever. This default was chosen as more and more operating systems (I think Apple started the discussion, Windows entered and some Linux flavors followed) started to make IPv6 privacy extensions the default and quickly filled each small home network with several dozens of new addresses every few hours, resulting in a lot of lookups that have to be done on the full hour.

The option REFRESH_HOSTNAMES was added here:

github.com/pi-hole/FTL

Fix for numerous hourly PTR requests seen in network with many (dead) IPv6 addresses

pi-hole:release/v5.3.2 ← pi-hole:fix/hourly_PTR_requests

opened 09:09PM - 01 Dec 20 UTC

DL6ER

+42 -146

**By submitting this pull request, I confirm the following:** - [X] I have re…ad and understood the [contributors guide](https://github.com/pi-hole/pi-hole/blob/master/CONTRIBUTING.md). - [X] I have checked that [another pull request](https://github.com/pi-hole/FTL/pulls) for this purpose does not exist. - [X] I have considered, and confirmed that this submission will be valuable to others. - [X] I accept that this submission may not be used, and the pull request closed at the will of the maintainer. - [X] I give this submission freely, and claim no ownership to its content. **How familiar are you with the codebase?:** ## 10 --- Do not try to resolve IPs for records without hostnames in the `network_addresses` table to resolve a flood of PTR requests if there are many IPv6 addresses (probably due to "privacy extension" (PE)) without host names. The issue itself comes from the growing number of temporary IPv6 addresses having recently being enabled by default in Windows and (some?) Mac devices. The PR adds a new option `REFRESH_HOSTNAMES` which which you can change how the hourly PTR requests are made. I'm currently thinking about three options: - `REFRESH_HOSTNAMES=NONE` - Don't do any hourly PTR lookups This means we look host names up exactly once (when we first see a client) and never again. This means we will miss future changes of host names. - `REFRESH_HOSTNAMES=IPV4` - Do the hourly PTR lookups only for IPv4 addresses This is **the new default** and should do away with the issue. - `REFRESH_HOSTNAMES=ALL` - Do the hourly PTR lookups for all addresses This is the same as what we're doing with FTL v5.3(.1) and which seems to create a lot of PTR queries for some This should be the most satisfactory solution because many IPv6 hosts won't even have a name associated to it (PE IPs surely have no names by construction).

It is open for discussion if we should add maybe a fourth option REFRESH_HOSTNAMES=IPV6-RECENT reducing the activity requirement to maybe 30 minutes for IPv6 addresses. The related previous discussion is here:

IP addresses on the dashboard are not replaced by names from the network table if they cannot be associated with a MAC address *immediately*

IP addresses on the dashboard are not replaced by names from the network table if they cannot be associated with a MAC address immediately