"Name resolution for the name [random ip].in-addr.arpa. timed out after none of the configured DNS servers responded."

+1 vote
asked Feb 27 in EventSentry by msimmons13 (570 points)
I'm seeing a lot of "Name resolution for the name [random ip].in-addr.arpa. timed out after none of the configured DNS servers responded." in the system logs, is this something EventSentry is trying to look up?

I recently upgraded to new hardware (servers & network) and when I asked my host (Rackspace) about this they said "Looking at the error, I believe that you have a client application that is attempting a reverse DNS lookup of the noted IP."

Being that it is a production web server, I don't have much installed so I thought I would start here.

1 Answer

0 votes
answered Feb 27 by Ingmar (5,900 points)
selected Feb 28 by msimmons13
 
Best answer
I'm assuming you're referring to events that are logged to the event log in Windows. The events don't reveal which application is actually attempting the reverse lookup, but it's possible that it is EventSentry.

There are a number of features in EventSentry that perform reverse lookups. Those reverse lookups usually only affect internal IPs, but if EventSentry is processing external traffic then it's possible that it may attempt to resolve external IPs as well. A prime example would be NetFlow and various compliance tracking components (logon tracking in particular).

I would just ignore / exclude those events, they don't usually indicate a problem and reverse lookups usually provide useful context to various data captured by EventSentry. But you can also disable this functionality, it's a checkbox in most of the Compliance Tracking features.

Email actions also have the option to perform a reverse lookup as well as a GeoIP lookup when you use the collector, that could also be the source of the event. This is turned off in the advanced properties of the email action. But again, I would recommend to leave this on.
commented Feb 27 by msimmons13 (570 points)
>But you can also disable this functionality, it's a checkbox in most of the Compliance Tracking features.
Would that be under "Packages > Compliance Tracking > Policy Changes?" I unticked the "retrieve source IP" but I still received another of these.

If it were related to the email, I would think my host would recognize the IPs (and they seem to be from all over the globe) so I don't think that's it.

Sounds like it's outside of EventSentry and I'll have to trace this in another way.
commented Feb 27 by Ingmar (5,900 points)
Yes, but this check box is also present under "Account Management" as well as "Logon/Logoff -> Network Logons tab -> Perform additional hostname or reverse ....". Policy change events are pretty rare, as are account management, so if EventSentry is the source then it would likely be the "Logon/Logoff" feature (if you have it enabled).
commented Feb 28 by msimmons13 (570 points)
Thank you for the additional information. I unticked the other two boxes and still received the notices so I am confident there is something else other than EventSentry creating these alerts.
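
For tracing these events outside EventSentry, the following added example (not part of the original thread and not EventSentry code) converts the in-addr.arpa names in exported event messages back to IP addresses and tallies them as internal (RFC 1918) or external. The sample messages, the function names and the three-way labelling are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Message text as quoted in the question; captures the labels before ".in-addr.arpa".
EVENT_RE = re.compile(
    r"Name resolution for the name (?P<name>[0-9.]+)\.in-addr\.arpa\.? timed out",
    re.IGNORECASE,
)
# RFC 1918 ranges, listed explicitly so the result does not depend on the
# Python version's definition of ipaddress.is_private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ptr_to_ip(labels):
    """'7.113.0.203' (from 7.113.0.203.in-addr.arpa) -> IPv4Address('203.0.113.7')."""
    octets = labels.split(".")
    if len(octets) != 4:
        return None  # a zone name such as 113.0.203.in-addr.arpa, not a host
    try:
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    except ValueError:
        return None  # an octet above 255 or otherwise malformed

def classify(ip):
    return "internal" if any(ip in net for net in RFC1918) else "external"

def summarize(lines):
    """Count timed-out reverse lookups per (address, category)."""
    hits = Counter()
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # unrelated event text
        ip = ptr_to_ip(m.group("name"))
        key = (str(ip), classify(ip)) if ip else (m.group("name"), "unparsed")
        hits[key] += 1
    return hits

# Constructed sample messages (203.0.113.0/24 is a documentation range).
TAIL = ".in-addr.arpa. timed out after none of the configured DNS servers responded."
SAMPLE = [
    "Name resolution for the name 7.113.0.203" + TAIL,
    "Name resolution for the name 7.113.0.203" + TAIL,
    "Name resolution for the name 15.1.168.192" + TAIL,
    "Name resolution for the name 113.0.203" + TAIL,
    "The DNS Client service entered the running state.",
]

if __name__ == "__main__":
    for (addr, kind), count in summarize(SAMPLE).most_common():
        print(f"{count:3d}  {kind:9s} {addr}")
```

Addresses that repeat, or that cluster in the external category, can then be matched against web server, firewall or logon records from the same timestamps to find the application issuing the lookups.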