IBM Support

QRadar: How to Reduce the Quantity of Reverse DNS Lookup Events

Troubleshooting


Problem

If a local name server (BIND) is in use on the same network as QRadar, reverse DNS queries can be sent to QRadar to confirm IP and hostname relationships.
If the local IP addresses of the QRadar Managed Hosts are not included in PTR records on the local name server, the operating system of the QRadar host might not be able to respond to the BIND server. If these incidents happen frequently, the QRadar monitoring engine may receive a high number of unwanted events for unsuccessful reverse lookups. These events are counted like all other events, so a high volume of them might have an impact on your license.

Resolving The Problem

To resolve this issue, use one of the following options:

Option 1

Add any missing IP addresses and hostnames to the /etc/hosts file on the target collector that is receiving events from the DNS BIND server.
  1. SSH to the target collector.
  2. Back up /etc/hosts to your chosen location.
  3. Use your preferred text editor to add the IP address and hostname for any DNS servers on the network.
  4. Save the changes.

Option 2

Create PTR records on your DNS server for the IP addresses and hostnames of each of your QRadar Managed Hosts.
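One way to script Option 1 and to produce the record line that Option 2 needs, as an added shell example that is not part of the IBM technote: it backs up the hosts file before appending an entry, skips IPs that are already present, and prints the matching PTR line for a BIND reverse zone. The IP addresses and hostnames are placeholders, and HOSTS_FILE is an assumed variable so the functions can be tried against a copy before touching /etc/hosts.

```shell
#!/bin/sh
# Added example (not from the technote). HOSTS_FILE defaults to /etc/hosts;
# set it to a temporary copy to dry-run the functions.
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"

# ptr_name IPV4 -> reverse-zone owner name, e.g. 10.1.2.3 -> 3.2.1.10.in-addr.arpa
ptr_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# ptr_record IPV4 FQDN -> the zone-file line to add to the reverse zone (Option 2)
ptr_record() {
    printf '%s.\tIN\tPTR\t%s.\n' "$(ptr_name "$1")" "$2"
}

# add_host_entry IPV4 HOSTNAME [FILE]: back up FILE with a timestamp, then append
# "IP<TAB>HOSTNAME" unless an entry for that IP already exists (Option 1).
# Returns 0 when the entry was added, 1 when the IP was already present.
add_host_entry() {
    ip="$1"; host="$2"; file="${3:-$HOSTS_FILE}"
    # Escape the dots so the IP is matched literally, anchored at line start.
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    if grep -Eq "^[[:space:]]*${ip_re}[[:space:]]" "$file"; then
        return 1
    fi
    cp -p "$file" "${file}.bak.$(date +%Y%m%d%H%M%S)"
    printf '%s\t%s\n' "$ip" "$host" >> "$file"
    return 0
}

# Usage (placeholder values): add the DNS server's address to the collector's
# hosts file and show the PTR record to create on the name server.
# add_host_entry 10.1.2.3 ns1.example.internal && ptr_record 10.1.2.3 ns1.example.internal
```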

Document Location

Worldwide


Document Information

Modified date:
30 June 2023

UID

ibm10884544