IBM Support

QRadar: Legacy DNS name server values can cause connection issues for applications

Troubleshooting


Problem

QRadar® application containers rely on DNS name resolution to establish outbound connections. If applications suddenly stop resolving hostnames, verify the DNS name servers that all Docker containers inherit from /etc/resolv.conf on the Console or App Host. Issues can occur when administrators edit resolv.conf by hand instead of using the qchange_netsetup utility. This article shows administrators how to identify the issue and apply a temporary workaround until a maintenance window can be scheduled to set the DNS values with qchange_netsetup.

Symptom

When DNS is not configured properly, applications cannot reach external URLs. The following application error messages are examples of how manual edits to resolv.conf lead to application issues:
  1. QRadar Assistant needs access to api.xforce.ibmcloud.com to check for available upgrades of installed applications. When the API request fails, the error "QRadar Assistant is running in offline mode" is displayed.
  2. Threat Intelligence also needs to connect to an external API endpoint to collect STIX/TAXII data. In this scenario, the error "There is a problem connecting to the TAXII server" is displayed because the container cannot resolve the TAXII server's hostname.

Cause

The network is not blocking connections and the DNS servers are up, but nslookup queries from the QRadar host do not resolve.

Environment

QRadar applications running on Console or App Host.

Diagnosing The Problem

Verify the configured DNS servers on the appliance hosting the applications.
Procedure
  1. Use SSH to log in to the Console as the root user.
  2. Optional. If the app runs on an App Host, open an SSH session to the App Host appliance.
  3. To view a list of DNS servers, type:
    grep nameserver /etc/resolv.conf
    The output lists three DNS servers. In this example, the name server at 10.11.12.1 was previously decommissioned and is no longer available; however, the entry is still present in resolv.conf, commented out.
    # nameserver 10.11.12.1
    nameserver 10.11.12.2
    nameserver 10.11.12.3
  4. Confirm that the name server at 10.11.12.1 does not answer queries. For example,
    nslookup www.ibm.com 10.11.12.1
    ;; connection timed out; no servers could be reached
  5. Type the following command to view the DNS configuration in the daemon.json file:
    grep -i dns /etc/docker/daemon.json
    The "dns" entry in daemon.json is the DNS configuration that Docker passes to all containers. In this example, 10.11.12.1 is not present in the core Docker configuration.
    "dns": ["10.11.12.2", "10.11.12.3"],

    Result
    Administrators must take action depending on these scenarios:
    • If the DNS server is valid but it does not return the expected output, then engage your DNS administrator.
    • If the DNS server was decommissioned, see the Resolving the Problem section to update your DNS entries.
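The diagnostic steps above can be scripted so that the comparison between resolv.conf and daemon.json is not done by eye. The following shell script is an added example, not part of the IBM article or of QRadar: it lists every nameserver line in a resolv.conf file (including commented-out ones), extracts the "dns" array from daemon.json with a deliberately simple grep (it assumes the array sits on one line, as in the example above), and flags any address that resolv.conf carries but daemon.json does not. The constructed sample files, the RESOLV_FILE, DAEMON_FILE and PROBE variables, and the use of BIND nslookup's -timeout option for the optional live probe are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the IBM article: compare the name servers in a
# resolv.conf file with the "dns" array in Docker's daemon.json.
# Assumptions: IPv4 name servers, a single-line "dns" array, BIND nslookup
# (bind-utils) for the optional live probe. The sample files are constructed.

# Print "<ip> active" or "<ip> commented" for every nameserver line.
list_nameservers() {
    awk '
        /^[ \t]*#*[ \t]*nameserver[ \t]+/ {
            state = ($0 ~ /^[ \t]*#/) ? "commented" : "active"
            sub(/^[ \t]*#*[ \t]*nameserver[ \t]+/, "")
            split($0, f, /[ \t]+/)
            print f[1], state
        }' "$1"
}

# Print the IPv4 addresses in the "dns": [...] array, one per line.
# Deliberately not a full JSON parser: the array is assumed to be on one line.
daemon_dns() {
    grep -o '"dns"[[:space:]]*:[[:space:]]*\[[^]]*\]' "$1" |
        grep -o '[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}' || true
}

# One line per resolv.conf entry, saying whether daemon.json also lists it.
# An address in resolv.conf (even commented out) that daemon.json lacks is
# the stale-entry pattern described in the article.
audit_dns() {
    daemon_list=$(daemon_dns "$2")
    list_nameservers "$1" | while read -r ip state; do
        if printf '%s\n' "$daemon_list" | grep -qxF "$ip"; then
            echo "$ip $state in-daemon.json"
        else
            echo "$ip $state NOT-in-daemon.json"
        fi
    done
}

# Optional live check, mirroring "nslookup www.ibm.com 10.11.12.1".
probe_nameserver() {
    if nslookup -timeout=3 "$2" "$1" >/dev/null 2>&1; then
        echo "$1 answers"
    else
        echo "$1 no answer"
    fi
}

# Constructed sample files reproducing the article's scenario.
sample=$(mktemp -d)
trap 'rm -rf "$sample"' EXIT
SAMPLE_RESOLV="$sample/resolv.conf"
SAMPLE_DAEMON="$sample/daemon.json"
cat > "$SAMPLE_RESOLV" <<'EOF'
search example.com
# nameserver 10.11.12.1
nameserver 10.11.12.2
nameserver 10.11.12.3
EOF
cat > "$SAMPLE_DAEMON" <<'EOF'
{
  "dns": ["10.11.12.2", "10.11.12.3"],
  "log-driver": "json-file"
}
EOF

RESOLV_FILE="${RESOLV_FILE:-$SAMPLE_RESOLV}"
DAEMON_FILE="${DAEMON_FILE:-$SAMPLE_DAEMON}"
audit_dns "$RESOLV_FILE" "$DAEMON_FILE"
if [ "${PROBE:-0}" = 1 ]; then
    list_nameservers "$RESOLV_FILE" | while read -r ip _; do
        probe_nameserver "$ip" www.ibm.com
    done
fi
```

Run it as is to see the output for the sample files; on an appliance, `RESOLV_FILE=/etc/resolv.conf DAEMON_FILE=/etc/docker/daemon.json PROBE=1 sh audit_dns.sh` audits the real files and queries each listed server. Any line ending in NOT-in-daemon.json is the entry to take to the DNS administrator or, if the server is known to be decommissioned, to remove as described in the next section.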

Resolving The Problem

The IP address 10.11.12.1 is confirmed as not required by Docker's core configuration and does not answer DNS requests because the server is decommissioned. Because the DNS administrator confirmed that the address is no longer in use, remove the entry.

Procedure
  1. Use SSH to log in to the Console as the root user.
  2. Optional. If the app runs on an App Host, open an SSH session to the App Host appliance.
    Important: Updating resolv.conf to remove a name server entry is a temporary workaround. After you remove the decommissioned IP address from resolv.conf, you must schedule a maintenance window to correct the issue by setting the correct DNS servers with qchange_netsetup.
  3. Remove the commented entry from /etc/resolv.conf.
    1. Back up the configuration file.
      mkdir -pv /store/IBM_Support/
      cp -fv /etc/resolv.conf /store/IBM_Support/
    2. Edit /etc/resolv.conf. Replace 10.11.12.1 with the decommissioned IP address from your network environment. The dots are escaped and the address is anchored to the end of the line so that the pattern deletes only that address (not, for example, 10.11.12.10); it matches both the active and the commented-out form of the line.
      sed -i '/nameserver 10\.11\.12\.1$/d' /etc/resolv.conf
    3. Verify that the stale entry no longer exists.
      cat /etc/resolv.conf
    4. To restart docker, type:
      Note: Restarting the service affects all the running applications.
      systemctl restart docker
    5. Confirm that the Docker daemon configuration lists only the valid name servers.
      grep -i dns /etc/docker/daemon.json
      "dns": ["10.11.12.2", "10.11.12.3"],

      Result
      Application containers include the correct DNS name server IP address and no longer display communication error messages. If the issue persists after you update the resolv.conf file, contact QRadar Support for assistance.

      What's next
      You must schedule a maintenance window to correct the file by using qchange_netsetup.
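The removal procedure above, as an added example that is not part of the IBM article or of QRadar: a shell function that backs up a resolv.conf file, deletes only the lines naming the decommissioned server (active or commented out), and verifies the result, followed by a guarded Docker restart because that step affects every running application. The sample resolv.conf, the backup-directory parameter and the APPLY_RESTART variable are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the IBM article: remove a decommissioned name
# server from a resolv.conf file using the article's backup / delete / verify
# sequence. Assumptions: IPv4 address, a backup directory parameter (default
# /store/IBM_Support as in the article), and APPLY_RESTART=1 to actually
# restart Docker. The sample resolv.conf is constructed.

write_sample_resolv() {
    cat > "$1" <<'EOF'
search example.com
# nameserver 10.11.12.1
nameserver 10.11.12.2
nameserver 10.11.12.3
nameserver 10.11.12.10
EOF
}

# remove_nameserver FILE IP [BACKUP_DIR]: delete every nameserver line,
# active or commented out, whose address is exactly IP. Returns non-zero if
# a reference to IP survives.
remove_nameserver() {
    file="$1"; ip="$2"; backup_dir="${3:-/store/IBM_Support}"
    # Escape the dots so "10.11.12.1" cannot match "10x11y12z1", and anchor
    # the address (end of line or whitespace) so it cannot match 10.11.12.10.
    escaped=$(printf '%s' "$ip" | sed 's/\./\\./g')
    tmp="$file.tmp.$$"

    # Timestamped backup so repeated runs never overwrite the first copy.
    mkdir -p "$backup_dir"
    cp -f "$file" "$backup_dir/$(basename "$file").$(date +%Y%m%d%H%M%S)"

    # Write back through cat rather than mv so the file keeps its inode; a
    # resolv.conf that is a symlink is not silently replaced by a regular file.
    sed -e "/^[[:space:]]*#*[[:space:]]*nameserver[[:space:]]\{1,\}$escaped\$/d" \
        -e "/^[[:space:]]*#*[[:space:]]*nameserver[[:space:]]\{1,\}$escaped[[:space:]]/d" \
        "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"

    # Verify: any surviving reference to exactly this address is a failure.
    remaining=$(grep -Ec "nameserver[[:space:]]+$escaped([[:space:]]|$)" "$file" || true)
    [ "$remaining" -eq 0 ]
}

# The restart affects every running application, so it only runs on request.
restart_docker() {
    if [ "${APPLY_RESTART:-0}" = 1 ]; then
        systemctl restart docker
    else
        echo "not restarting docker (set APPLY_RESTART=1 to apply)"
    fi
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
write_sample_resolv "$demo/resolv.conf"
remove_nameserver "$demo/resolv.conf" 10.11.12.1 "$demo/backup"
echo "resolv.conf after removal:"
cat "$demo/resolv.conf"
restart_docker
```

On the appliance the call becomes `remove_nameserver /etc/resolv.conf 10.11.12.1` (the backup then lands in /store/IBM_Support, as in the article) followed by `APPLY_RESTART=1 restart_docker`; the sample deliberately contains 10.11.12.10 to show that the anchored pattern leaves it in place.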

Document Location

Worldwide

Product: IBM Security QRadar SIEM
Category: QRadar Apps
Platform: Linux
Version: All Versions

Document Information

Modified date:
31 October 2022

UID

ibm16827785