
How do I trace a device trying to connect somewhere across the world

TLDR: How can I trace which of my devices, or maybe the router itself, is making constant requests to connect to Kaspersky servers?  Thanks

Hello.  My network setup is like this. 


Sophos Firewall - PC connected under this subnet for management.

 - Streaming VLAN

 - IOT VLAN - where pihole is

 - LOCAL WLAN - where my surface pro is

 - Guest WLAN

 - Switches / AP VLAN

I uninstalled Kaspersky AV for obvious reasons.  However, I still get queries from my pihole going to a Kaspersky server every single minute.  I only had Kaspersky on my PC and Surface Pro, which I uninstalled a month ago.  I powered off (power supply switch) my PC, shut down my Surface Pro and put it outside wifi range, but I still keep seeing blocked queries in my pihole log.  The offending IP address is, which is located in Switzerland according to ip2location or Russia according to IPinfo.  I put it in my pihole blocklist.

How do I trace which device is making the request?  I tried searching for logs, I even did any-any-any with logging enabled in my firewall, opened the live log and couldn't find it.  My DNS forwarder is set to pihole.  When I look at the clients section in my pihole, I only get the gateway, which is

  • My apologies, your breakout of the various VLANs looked like an XG setup.  Unrelated, what APs are you using that support VLANs?

    Is there a dns host type definition under network definitions?  If so, my guess is even if the object is unused, utm will still try to resolve it.

    Putting into a browser brings up the site

  • My goodness!  You solved it.  I have it in my network definitions.  I deleted it and the queries stopped.  Thank you very much.  I was getting paranoid.  Anyway, I use a UniFi AP.  It supports VLANs but only a max of 4.  The more VLANs you use, the "slower" the throughput is.  

  • Glad I could point you to the fix.  Probably a good idea to trim the list periodically of stale entries.

    My current wifi AP consists of a Netgear Orbi. It's a rather (using the term mildly) dumbed-down consumer device but the wifi reaches far and works well - 160 MHz AX capable. At the moment it's only serving a few phones/tablets and IoT devices. All on the same subnet. PCs are all wired.

    My eventual goal is to put a switch capable of MAC-based VLANs between it and the rest of the network. This should allow me to segregate traffic once it leaves the AP. On the AP, the various devices will be in different subnets (ie, etc). They'll still be in the same broadcast domain, but will have some level of isolation.

  • Btw, such entries are logged in the system log.  Made a test dns host entry called  The following showed up in the systemlog.

    2022:04:23-16:55:14 utm dns-resolver[4700]: REF_NetDnsTest created
    2022:04:23-16:55:14 utm dns-resolver[4700]: Adding REF_NetDnsTest
    2022:04:23-16:55:14 utm dns-resolver[4700]: Updating REF_NetDnsTest ::
  • That's why I couldn't find it in my firewall/web filter log.  It's in the system log.  I saw it.

    2022:04:23-02:29:45  dns-resolver[5434]: Adding REF_NetDnsKaspersky
    2022:04:23-02:29:45  ntpd[4614]: ntpd exiting on signal 15 (Terminated)
    2022:04:23-02:29:45  ntpd[4614]: local addr -> <null>
    2022:04:23-02:29:45  ntpd[4614]: local addr -> <null>
    2022:04:23-02:29:45  ntpd[4614]: local addr -> <null>
    2022:04:23-02:29:45  ntpd[4614]: local addr -> <null>
    2022:04:23-02:29:45  ntpd[4614]: local addr -> <null>
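    The original question (which device is asking?) and the two replies above that point at the UTM system log can both be answered from logs rather than guesswork. The following is an added example, not code from this thread or from Sophos or Pi-hole: a small Python script run over constructed sample lines in Pi-hole's dnsmasq log format (`/var/log/pihole.log`) and in the UTM system-log format quoted above. It flags domains whose queries only ever reach Pi-hole from the gateway's own IP (meaning no LAN host is the real source, because the firewall is the one asking), checks whether those queries arrive on a fixed cadence (a scheduled resolver rather than a person), and lists the `REF_NetDns*` objects the `dns-resolver` process logs. All hostnames, addresses and object names in the sample data are placeholders, and the `192.168.1.1` gateway address is an assumption.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in Pi-hole's dnsmasq query-log format. The domain
# "av-vendor.example.com" stands in for the real vendor hostname, and
# 192.168.1.1 is assumed to be the firewall/gateway that forwards to Pi-hole.
PIHOLE_LOG = """\
Apr 23 02:28:45 dnsmasq[532]: query[A] av-vendor.example.com from 192.168.1.1
Apr 23 02:28:45 dnsmasq[532]: gravity blocked av-vendor.example.com is 0.0.0.0
Apr 23 02:29:45 dnsmasq[532]: query[A] av-vendor.example.com from 192.168.1.1
Apr 23 02:29:46 dnsmasq[532]: query[A] update.example.net from 192.168.10.25
Apr 23 02:30:45 dnsmasq[532]: query[AAAA] av-vendor.example.com from 192.168.1.1
Apr 23 02:30:50 dnsmasq[532]: query[A] update.example.net from 192.168.1.1
"""

# Constructed sample in the format of the UTM system-log lines quoted in the thread.
UTM_SYSLOG = """\
2022:04:23-02:29:45 utm dns-resolver[5434]: Adding REF_NetDnsKaspersky
2022:04:23-02:29:45 utm ntpd[4614]: ntpd exiting on signal 15 (Terminated)
2022:04:23-16:55:14 utm dns-resolver[4700]: REF_NetDnsTest created
2022:04:23-16:55:14 utm dns-resolver[4700]: Updating REF_NetDnsTest ::
"""

# Only "query[...]" lines carry the asking client; "gravity blocked" lines do not.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z]+)\] (?P<domain>\S+) from (?P<client>\S+)"
)
# Any dns-resolver line that names a DNS host object (REF_NetDns...).
RESOLVER_RE = re.compile(r"dns-resolver\[\d+\]: .*?(?P<ref>REF_NetDns\w+)")


def clients_per_domain(log_text):
    """Map each queried domain to a Counter of the client IPs that asked for it."""
    per_domain = defaultdict(Counter)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            per_domain[m["domain"]][m["client"]] += 1
    return per_domain


def firewall_only_domains(log_text, gateway_ip, min_queries=2):
    """Domains whose every query reached Pi-hole from the gateway itself.

    If no LAN client ever asked for the name, the firewall is the originator,
    so the next place to look is its own DNS host definitions, not the LAN.
    """
    return sorted(
        domain
        for domain, clients in clients_per_domain(log_text).items()
        if set(clients) == {gateway_ip} and sum(clients.values()) >= min_queries
    )


def median_query_gap(log_text, domain, year=2022):
    """Median seconds between successive queries for a domain (None if < 2 queries).

    dnsmasq timestamps carry no year, so one is assumed for parsing.
    A steady gap (e.g. 60 s) points at a scheduled resolver, not a user.
    """
    times = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m["domain"] == domain:
            stamp = line[:15]  # "Apr 23 02:28:45"
            times.append(datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"))
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return median(gaps) if gaps else None


def dns_host_objects(syslog_text):
    """Set of DNS host object names the UTM resolver mentioned in the system log."""
    refs = set()
    for line in syslog_text.splitlines():
        m = RESOLVER_RE.search(line)
        if m:
            refs.add(m["ref"])
    return refs


if __name__ == "__main__":
    gateway = "192.168.1.1"  # assumed gateway address
    for domain in firewall_only_domains(PIHOLE_LOG, gateway):
        gap = median_query_gap(PIHOLE_LOG, domain)
        print(f"{domain}: all queries from gateway {gateway}, median gap {gap}s")
    print("DNS host objects in system log:", sorted(dns_host_objects(UTM_SYSLOG)))
```

    On the sample data the vendor domain is reported as gateway-only with a 60 second cadence, while `update.example.net` is not flagged because a LAN host (192.168.10.25) also asked for it; the system log then names the objects to remove. On a real box, point the script at the actual `pihole.log` and at the exported UTM system log, and cross-check a flagged domain against the value field of each `REF_NetDns*` definition before deleting it.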

  • My UniFi is wifi 6E capable also.  Ceiling mount, set and forget.  It's on my 2nd floor ceiling.  It reaches even a few feet outside my house.  I only bought it for $169

  • Nice!  This was free, so can't complain.

  • Yours is even better.  Free is free, man.