Hello!Got an alert about Domain controller health where issue is low success rate of active name resolutiong using reverse DNS:Sensor X, has a low success rate of active name resolution using reverse DNS. Azure ATP may issue more false positive alerts and accurate detection capabilities may be affected.Only recommendation is:- Check that the Sensor can reach the DNS server and that Reverse Lookup Zones are enabled.What does that mean? I have not done any changes to my DNS zones and reverse DNS is working fine.Am I missing some reverse lookup zones?Also I do not get any health alerts of other domain controllers from the domain which are in the same subnet.

Tali Ash Updated the alerting DC to 2019 and installed the ATP sensor to it and it have not alerted now. Can't really say the reason for alerting but it seems to be healthy now with that DC. But now the earlier updated DC (2019) is alerting about that same thing...

Hi Mtee- , Azure ATP is relying on the ability to resolve IPs to computers, using the process called Network Name Resolution. To be able to do it Azure ATP is using 4 methods and when we observe a Sensor which has a high amount of resoultion failres of a specific methods a health alert is issued. We give this informaiton so you can make sure the environment is configured correctly, and in your example that there is an option to reolve computers using reverse DNS. In some cases this information should be hadled because it affects Azure ATP learning and detections functionalities. If you are seeing a lot of IPs and computers that are not resolved you should validate it. If everything looks good and computers are resolved, it means that other Sensors are working good in terms of resolution and it is enough or this Sensor has high failures of DNS but the RPC over NTLM and NetBIOS are working and it is ok. You can read more about it here. Thanks, Tali

Mtee- Same warning appeared. No DNS changes made. I wonder what's going on.

TheITDept , notice that this is a relatively NEW alert, so it might have just now reported on an existing problem without you changing anything recently.

I checked also ATP sensor error logs and no new errors even if the ATP keeps alerting.I am in a process of upgrading that 2012 R2 DC to 2019 so lets see if it alerts after that.I have one 2019 DC and two 2012 R2 DCs in my environment. Only that one 2012 R2 is alerting about that name resolution and that is the fsmo role owner and DHCP server (where it differs from the 2019 DC which does not alert)

Azure ATP Health - Low success rate of active name resolution using reverse DNS

15 Replies

Mtee-
Copper Contributor
Apr 03, 2019
I checked also ATP sensor error logs and no new errors even if the ATP keeps alerting.
I am in a process of upgrading that 2012 R2 DC to 2019 so lets see if it alerts after that.
I have one 2019 DC and two 2012 R2 DCs in my environment. Only that one 2012 R2 is alerting about that name resolution and that is the fsmo role owner and DHCP server (where it differs from the 2019 DC which does not alert)
- Tali Ash
  Microsoft
  Apr 03, 2019
  Mtee- thanks please keep us updated.
  
  the 2012 is alerting on reverse DNS method or others too?
  
  Thanks,
  
  Tali
  - Mtee-
    Copper Contributor
    Apr 09, 2019
    Tali Ash
    
    Updated the alerting DC to 2019 and installed the ATP sensor to it and it have not alerted now. Can't really say the reason for alerting but it seems to be healthy now with that DC.
    
    But now the earlier updated DC (2019) is alerting about that same thing...
TheITDept
Copper Contributor
Mar 29, 2019
Mtee-
Same warning appeared. No DNS changes made. I wonder what's going on.
- EliOfek
  Microsoft
  Mar 31, 2019
  TheITDept , notice that this is a relatively NEW alert, so it might have just now reported on an existing problem without you changing anything recently.
Tali Ash
Microsoft
Mar 28, 2019
Hi Mtee- ,

Azure ATP is relying on the ability to resolve IPs to computers, using the process called Network Name Resolution.

To be able to do it Azure ATP is using 4 methods and when we observe a Sensor which has a high amount of resoultion failres of a specific methods a health alert is issued. We give this informaiton so you can make sure the environment is configured correctly, and in your example that there is an option to reolve computers using reverse DNS. In some cases this information should be hadled because it affects Azure ATP learning and detections functionalities. If you are seeing a lot of IPs and computers that are not resolved you should validate it. If everything looks good and computers are resolved, it means that other Sensors are working good in terms of resolution and it is enough or this Sensor has high failures of DNS but the RPC over NTLM and NetBIOS are working and it is ok.

You can read more about it here.

Thanks,

Tali

Forum Discussion

Azure ATP Health - Low success rate of active name resolution using reverse DNS

15 Replies

Resources