IBM Support

DNS resolution not working inside the QRadar application containers

Troubleshooting


Problem

The QRadar application container fails to resolve DNS names, which prevents the collection and transmission of data between external public sites. As a result, applications do not work as expected.

Symptom

  1. Applications that rely on a connection to the internet or external sites do not work as expected.
  2. Running nslookup for any FQDN inside the container returns the error message "could not resolve host".

Cause

  1. The DNS configuration is not set up properly.
  2. Legacy DNS name server values can cause connection issues for applications.
  3. The parameter ipv4.ip_forward is disabled.

Diagnosing The Problem

Access the console by SSH as the root user. If the application runs on an apphost, initiate an SSH session to the apphost appliance.
Find the container ID by running the following command on the console (not on the apphost):
# echo 0 | /opt/qradar/support/qappmanager
Then connect to the application container by using the following command on the console or the apphost, depending on where the apps are running:
# /opt/qradar/support/recon connect <container id>
Perform a DNS test within the container by using the curl command.
If the container has DNS resolution problems, curl displays the error message "Could not resolve host: ".

Example:
sh-4.4$ curl -vvvv www.ibm.com
* Rebuilt URL to: www.ibm.com/
* Could not resolve host: www.ibm.com
* Closing connection 0
curl: (6) Could not resolve host: www.ibm.com

Resolving The Problem

  1. Confirm that the DNS configuration is set properly on the console and apphost. Check whether you can resolve the FQDN to an IP address on the console and apphost.
  2. Go through the technote below and confirm that daemon.json is updated properly: https://www.ibm.com/support/pages/node/6827785
  3. Confirm the ipv4.ip_forward setting in sysctl.conf.
    • Execute the following command to verify whether IP forwarding is disabled on your system:
      # grep -i "ip_forward" /etc/sysctl.conf
      You will see entries similar to the following:
      net.ipv4.ip_forward = 0
      
    • Create a backup of the original file /etc/sysctl.conf.
    • Update "net.ipv4.ip_forward = 0" to "net.ipv4.ip_forward = 1" in /etc/sysctl.conf.
    • Afterwards, restart the network using the following command:
      Note: The command below might cause some interruption. Keep iDRAC/IMM or VM direct access ready in case the network service fails to start. If you need help with this step, contact support for further assistance.
      systemctl restart network
    • To confirm that the changes have been applied, run the following command. The output should be similar to the following:
      # grep -i "ip_forward" /etc/sysctl.conf
      net.ipv4.ip_forward = 1
      
    • Now attempt to curl the URL. In the output below, DNS resolution has been successful:
      sh-4.4$ curl -vvvv www.ibm.com
      * Rebuilt URL to: www.ibm.com/
      *   Trying 104.xx.xx.173...
      * TCP_NODELAY set
      * Connected to www.ibm.com (104.xx.xx.173) port 80 (#0)
      > GET / HTTP/1.1
      > Host: www.ibm.com
      > User-Agent: curl/7.61.1
      > Accept: */*
      > 
      < HTTP/1.1 301 Moved Permanently
      < Server: AkamaiGHost
      < Content-Length: 0
      < Location: https://www.ibm.com/
      < Date: Wed, 24 Apr 2024 06:47:01 GMT
      < Connection: keep-alive
      < x-content-type-options: nosniff
      < X-XSS-Protection: 1; mode=block
      < Content-Security-Policy: upgrade-insecure-requests
  • Now you can check the application and confirm if apps are working properly.
  • If you still have any issues, contact support.
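
The grep in step 3 only shows what is written in /etc/sysctl.conf; the value the running kernel uses is exposed at /proc/sys/net/ipv4/ip_forward. The following script is an added example, not part of the original technote or IBM tooling, that compares the two; the function names and status words are hypothetical, and the file parsing is simplified to "key = value" lines.

```shell
#!/bin/sh
# Added example, not IBM tooling. Function names and status words are
# hypothetical; sysctl.conf parsing is simplified to "key = value" lines.

# Print the value /etc/sysctl.conf assigns to net.ipv4.ip_forward
# (last uncommented assignment wins), or "unset" if there is none.
configured_ip_forward() {
    conf="${1:-/etc/sysctl.conf}"
    [ -r "$conf" ] || { echo "unset"; return 0; }
    awk -F= '
        /^[ \t]*[#;]/ { next }
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key)
            gsub(/[ \t]/, "", val)
            if (key == "net.ipv4.ip_forward") last = val
        }
        END { print (last == "" ? "unset" : last) }
    ' "$conf"
}

# Print the value the running kernel is using, or "unknown".
runtime_ip_forward() {
    proc="${1:-/proc/sys/net/ipv4/ip_forward}"
    if [ -r "$proc" ]; then cat "$proc"; else echo "unknown"; fi
}

# Compare both values. The arguments are optional and exist so the check
# can be pointed at test files instead of the live system.
check_ip_forward() {
    conf_val=$(configured_ip_forward "$1")
    run_val=$(runtime_ip_forward "$2")
    if [ "$conf_val" = "1" ] && [ "$run_val" = "1" ]; then
        echo "OK"
    elif [ "$run_val" = "1" ]; then
        echo "RUNTIME_ONLY"   # forwarding is on, but not set in this file
    elif [ "$conf_val" = "1" ]; then
        echo "NOT_APPLIED"    # file edited, kernel still not forwarding
    else
        echo "DISABLED"
    fi
}

echo "net.ipv4.ip_forward: $(check_ip_forward)"
```

A result of NOT_APPLIED means the edit to /etc/sysctl.conf has not yet taken effect in the running kernel.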

Document Location

Worldwide


Document Information

Modified date:
25 April 2024

UID

ibm17148306