url_response generates alarms with Host Name for the Source attribute

book

Article ID: 145003

calendar_today

Updated On:

Products

NIMSOFT PROBES DX Infrastructure Management

Issue/Introduction

url_response probe Source override works within UIM but when the alarm reaches Spectrum it actually has the "HostName" defined for the Source attribute. There seems to be some attribute mapping issue between UIM url_response alarms and Spectrum.

Cause

- DNS resolution for the same IP changes each time the reverse lookup is executed. So a different hostname is output each time, hence the alarm source changes.

Environment

Release : 8.51

Component : UIM - URL_RESPONSE

Resolution

DNS resolution changes for the same IP address. Environmental issue. DNS being used is anycast.

Every time the customer performed an nslookup of the IP, the hostname would not persist and would switch between cc-clxxxxx.ccf.org and  prod-clxxxxx.ccf.org

Reference: https://www.cloudflare.com/learning/dns/what-is-anycast-dns/

What is anycast DNS?

In anycast, one IP address can apply to many servers. Anycast DNS means that any one of a number of DNS servers can respond to DNS queries, and typically the one that is geographically closest will provide the response. This reduces latency, improves uptime for the DNS resolving service, and provides protection against DNS flood DDoS attacks.

What is anycast?

Typically, any device or server that connects directly to the Internet will have a unique IP address. Communication between network-connected devices is 1-to-1; each communication goes from one specific device to the targeted device on the other end of the communication. Anycast networks, in contrast, allow multiple servers on the network to use the same IP address, or set of IP addresses. Communication with an anycast network is 1-to-many.