Carbon Black Cloud: How to un-quarantine isolated DNS server with no Alternate DNS Configured.

Article ID: 287459

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

How to un-quarantine isolated DNS server with no Alternate DNS Configured

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard

Cause

When a DC/DNS Server endpoint is put into quarantine, the sensor is unable to resolve the name of the back-end server. Since it can't check in, the quarantine state cannot be removed. Normally, the DNS server forwards requests it cannot satisfy to another server, configured in the DNS Server settings as a Forwarder server. When in quarantine, the sensor prevents forwarded DNS requests from being sent.

Resolution

Option 1:
  • Toggle the sensor into bypass manually on the system using the RepCli command.
Option 2:
  • In the Network Interface properties, specify an Alternate DNS server in addition to the Preferred DNS server if available.
  • This option should begin working shortly after the change is made; you can run the command below or wait a few minutes.
    ipconfig /flushdns
Option 3:
  1. Use RepCli command on quarantined server to find the back end server's name:
    repcli status | find "ServerAddress"
  2. On another computer, use nslookup or ping to find and record the IP address for the server:
    ping -n 1 prod05.conferdeploy.net
    or
    nslookup prod05.conferdeploy.net
    
  3. On the quarantined server, add a line to the C:\Windows\System32\Drivers\etc\hosts file using the format <IP address> [tab] <Back-end Hostname>
    Example: 34.236.65.205 dev-eap01.conferdeploy.net
  4. After the sensor has checked in and left quarantine, remove the hosts file entry; the back-end servers are load-balanced and their IP addresses will eventually change.
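As an added example (not part of this article or of Carbon Black's tooling), steps 3 and 4 of Option 3 as a pair of PowerShell functions that tag the temporary hosts entry so it can be removed cleanly once the sensor has checked in. The `ServerAddress: <hostname>` line format parsed by `Get-CbcServerAddress` is an assumption; check it against the actual `repcli status` output.

```powershell
# Added example, not Carbon Black code. Run in an elevated PowerShell on the quarantined server.
$HostsPath = "$env:SystemRoot\System32\Drivers\etc\hosts"
$Tag       = '# cbc-quarantine-temp'   # marker so the entry can be found and removed later

# Pull the back-end hostname out of captured 'repcli status' text.
# ASSUMPTION: the relevant line looks like "ServerAddress: <hostname>"; adjust the regex if it differs.
function Get-CbcServerAddress {
    param([string[]]$RepcliOutput)
    foreach ($line in $RepcliOutput) {
        if ($line -match 'ServerAddress\s*[:=]\s*(\S+)') { return $Matches[1] }
    }
    throw 'ServerAddress not found in repcli output'
}

# Step 3: add "<IP> <hostname>" to the hosts file, backing it up first and refusing duplicates.
function Add-TempHostsEntry {
    param(
        [Parameter(Mandatory)][ipaddress]$IPAddress,   # resolved on a non-quarantined machine (step 2)
        [Parameter(Mandatory)][string]$Hostname
    )
    Copy-Item $HostsPath "$HostsPath.bak" -Force
    $existing = Get-Content $HostsPath
    if ($existing -match "\s$([regex]::Escape($Hostname))(\s|$)") {
        Write-Warning "$Hostname already present in hosts file; not adding"
        return
    }
    Add-Content -Path $HostsPath -Value "$IPAddress`t$Hostname $Tag" -Encoding ASCII
    ipconfig /flushdns | Out-Null
}

# Step 4: remove only the tagged line(s) once the sensor has checked in and left quarantine.
function Remove-TempHostsEntry {
    $kept = Get-Content $HostsPath | Where-Object { $_ -notmatch [regex]::Escape($Tag) }
    Set-Content -Path $HostsPath -Value $kept -Encoding ASCII
    ipconfig /flushdns | Out-Null
}

# Usage (IP taken from the article's example; replace with the address resolved in step 2):
# $name = Get-CbcServerAddress (repcli status)
# Add-TempHostsEntry -IPAddress 34.236.65.205 -Hostname $name
# ... wait for the sensor to check in ...
# Remove-TempHostsEntry
```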

Additional Information

  • Specifying "127.0.0.1" vs. the second server's address in "Preferred" or "Alternate" doesn't matter. Functionally, a switch is supposed to be made between the two when a query is not resolved. (An incorrect response still counts as 'having been resolved' - there has to be no name resolution to effect the switch.)
  • Quarantining a production DNS Server should be undertaken only after careful thought.
  • The engineering team is aware of the issue and it will be addressed with the implementation of the "Quarantine Exclusions" feature.
  • DNS setting "Best practice" should be reviewed at https://activedirectorypro.com/dns-best-practices/ in the "Best DNS Order on Domain Controllers" to reduce impact.