Microsoft Tech Community

Azure ATP Health - Low success rate of active name resolution using reverse DNS


Hello!

Got an alert about Domain controller health where the issue is a low success rate of active name resolution using reverse DNS:

Sensor X, has a low success rate of active name resolution using reverse DNS. Azure ATP may issue more false positive alerts and accurate detection capabilities may be affected.

Only recommendation is:

- Check that the Sensor can reach the DNS server and that Reverse Lookup Zones are enabled.

What does that mean? I have not done any changes to my DNS zones and reverse DNS is working fine.
Am I missing some reverse lookup zones?

Also I do not get any health alerts of other domain controllers from the domain which are in the same subnet.


Hi @Mtee- ,

Azure ATP is relying on the ability to resolve IPs to computers, using the process called Network Name Resolution.

To be able to do it Azure ATP is using 4 methods, and when we observe a Sensor which has a high amount of resolution failures of a specific method, a health alert is issued. We give this information so you can make sure the environment is configured correctly, and in your example that there is an option to resolve computers using reverse DNS. In some cases this information should be handled because it affects Azure ATP learning and detection functionalities. If you are seeing a lot of IPs and computers that are not resolved, you should validate it. If everything looks good and computers are resolved, it means that other Sensors are working well in terms of resolution and it is enough, or this Sensor has high failures of DNS but the RPC over NTLM and NetBIOS are working and it is OK.

You can read more about it here.

Thanks,

Tali


@Mtee- 

Same warning appeared. No DNS changes made. I wonder what's going on.

@TheITDept , notice that this is a relatively NEW alert, so it might have just now reported on an existing problem without you changing anything recently.

I also checked the ATP sensor error logs, and there are no new errors even though ATP keeps alerting.
I am in the process of upgrading that 2012 R2 DC to 2019, so let's see if it alerts after that.
I have one 2019 DC and two 2012 R2 DCs in my environment. Only that one 2012 R2 is alerting about that name resolution, and that is the FSMO role owner and DHCP server (which is where it differs from the 2019 DC, which does not alert).

@Mtee- thanks, please keep us updated.

Is the 2012 alerting on the reverse DNS method or others too?

Thanks,

Tali

Hi,

No, only that one DC is alerting and others are fine.
CPU, memory etc. are identical on every DC.

@Tali Ash 

Updated the alerting DC to 2019 and installed the ATP sensor on it, and it has not alerted so far. Can't really say the reason for the alerting, but it seems to be healthy now with that DC.

But now the earlier updated DC (2019) is alerting about that same thing...

@Mtee- both DCs are active in the same domain against the same computers and DNS servers?

@Tali Ash 

Yes, both DCs are in the same domain and are also DNS servers with the same DNS settings.

@Mtee- @Tali Ash 

Was any solution found for this? We have 1 of 5 DCs that constantly reports this alert.

@Adrian Harper Hi Adrian!

Actually this was not resolved yet. Although everything works in our infra as usual, Azure ATP alerts about those reverse DNS problems. Also our RODC alerts about RPC and NetBIOS resolving, but this is more than likely a firewall issue and not under investigation because we are demoting the RODC.

I have not figured out why the low success rate of name resolution alerts pop up sometimes and sometimes all seems to be OK.

@Mtee- Reinstalling the sensor on the DC in question seems to have stopped the issue for us.

I spoke too soon; the issue has reoccurred this morning after a number of days without error.

@Mtee- , the alert pops if your daily failure rate exceeds a certain percentage (90% if I am not mistaken). It could be that normally you are borderline, so sometimes you exceed it and sometimes not...
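To put the earlier recommendation (sensor can reach the DNS server, reverse lookup zones exist) and the failure-rate threshold mentioned just above into a repeatable check, here is an added PowerShell example. It is not code from any poster or from Microsoft; the DNS server address, the sample IP list and the 90% threshold are placeholders and constructed values you should replace with your own.

```powershell
# Added example (not from the thread): measure the reverse-DNS (PTR) success rate from a
# sensor host and report whether it would exceed the alert threshold quoted in the thread.
# Assumptions: $DnsServer is the DNS server the sensor uses (placeholder), $SampleIps is a
# constructed list of client IPs the sensor is expected to resolve, and the 90% threshold
# is the value stated above ("if I am not mistaken"), so treat it as approximate.
param(
    [string]$DnsServer = '10.0.0.10',                                  # placeholder
    [string[]]$SampleIps = @('10.0.1.20', '10.0.1.21', '10.0.1.22'),   # constructed sample
    [int]$FailureAlertPercent = 90                                     # threshold from thread
)

# 1. Reachability: can this host reach the DNS server on port 53? (TCP check only;
#    UDP/53 is not tested by Test-NetConnection, so a pass here is necessary, not sufficient.)
$reach = Test-NetConnection -ComputerName $DnsServer -Port 53 -WarningAction SilentlyContinue
if (-not $reach.TcpTestSucceeded) {
    Write-Warning "DNS server $DnsServer is not reachable on TCP/53 from this host."
}

# 2. Reverse lookup zones: list the reverse zones the DNS server actually hosts.
#    Requires the DnsServer RSAT module and read rights on the DNS server.
$reverseZones = Get-DnsServerZone -ComputerName $DnsServer -ErrorAction SilentlyContinue |
    Where-Object { $_.IsReverseLookupZone } | Select-Object -ExpandProperty ZoneName
Write-Host "Reverse lookup zones on ${DnsServer}: $($reverseZones -join ', ')"

# 3. PTR lookups: try each sample IP against that server only (-DnsOnly skips cache/hosts file)
#    and record whether a PTR record came back.
$results = foreach ($ip in $SampleIps) {
    try {
        $ptr = Resolve-DnsName -Name $ip -Type PTR -Server $DnsServer -DnsOnly -ErrorAction Stop
        [pscustomobject]@{ IP = $ip; Host = ($ptr | Where-Object Type -eq 'PTR').NameHost; Resolved = $true }
    } catch {
        [pscustomobject]@{ IP = $ip; Host = $null; Resolved = $false }
    }
}
$results | Format-Table -AutoSize

# 4. Failure rate over the sample, compared with the alert threshold.
$failed  = @($results | Where-Object { -not $_.Resolved }).Count
$percent = [math]::Round(100 * $failed / $SampleIps.Count, 1)
Write-Host "PTR failure rate: $percent% ($failed of $($SampleIps.Count) sample IPs)"
if ($percent -ge $FailureAlertPercent) {
    Write-Warning "Failure rate is at or above $FailureAlertPercent%; this host would likely trip the health alert."
}
```

Run it on the DC that is alerting and on one that is not, with the same sample IPs; a difference in the zone list or the failure rate points at the server-specific cause rather than at the DNS zones themselves.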


@Eli Ofek Is there something to get better logging or understanding of how to resolve this? We just had the same thing come up on 4 domain controllers in our environment, all at the same time and in vastly different locations. No work is being done at these sites as far as I am aware. End users and app teams are not complaining about any issues at all.


@Joshua Kolka , Yes, there is, but it's better to open a support case and have an experienced engineer walk you through the process.

It is unlikely that other apps will experience the same issue; they are most likely not trying to do the same thing as the sensor...

Generally, the engineer will walk you through checking some common issues, then capturing some network traces, and if that's not enough, they can ask for a log level increase for a few hours so the sensors will give more info about where the problems are.