TLDR: How can I trace which of my devices, or maybe the router itself, is making constant requests to connect to Kaspersky servers? Thanks
Hello. My network setup is like this.
Sophos Firewall 10.0.0.1 - PC connected under this subnet for management.
- Streaming VLAN 172.16.10.1
- IOT VLAN 172.16.20.1 - where pihole is
- LOCAL WLAN 172.16.30.1 - where my surface pro is
- Guest WLAN 172.16.40.1
- Switches / AP VLAN 10.0.10.1
I uninstalled Kaspersky AV for obvious reasons. However, I still get queries from my pihole going to a Kaspersky server every single minute. I only had Kaspersky on my PC and Surface Pro, which I uninstalled a month ago. I powered off (power supply switch) my PC, shut down my Surface Pro and put it outside wifi range, but I still keep seeing blocked queries in my pihole log. The offending IP address is 188.8.131.52, which is located in Switzerland according to ip2location or Russia according to IpInfo. I put it in my pihole blocklist.
How do I trace which device is making the request? I tried searching for logs, I even did any-any-any with logging enabled in my firewall, opened the live log and couldn't find it. My DNS forward is set to pihole. When I look at the clients section in my pihole, I only get the gateway, which is 172.16.20.1.
You're in the UTM subforum, not XG (or sfos).
Kaspersky still working well here, no plans to remove it at this time.
Re tracking, your best bet would be to run tcpdump on the pihole instance. Don't know the exact parameters off hand, but there's a sequence that will monitor for a particular host. Give this a read https://danielmiessler.com/study/tcpdump/ . If you get no hits then run it on the firewall.
I have UTM firewall. I’m trying to look through my firewall. Even did any-any-any with my firewall and click log traffic, still a no go. I’ll run a tcpdump. Thanks
My apologies, your breakout of the various VLANs looked like an XG setup. Unrelated, what APs are you using that support VLANs?
Is there a dns host type definition under network definitions? If so, my guess is even if the object is unused, utm will still try to resolve it.
Putting 184.108.40.206 into a browser brings up the forum.kaspersky.com site
My goodness! You solved it. I have it in my network definitions. I deleted it and the queries stopped. Thank you very much. I was getting paranoid. Anyway, I use UniFi APs. They support VLANs but only a max of 4. The more VLANs you use, the "slower" the throughput is.
Glad I could point you to the fix. Probably a good idea to trim the list periodically of stale entries.
My current wifi AP consists of a Netgear Orbi. It's a rather (using the term mildly) dumbed down consumer device but the wifi reaches far and works well - 160 MHz AX capable. At the moment it's only serving a few phones/tablets and IoT devices. All on the same subnet. PCs are all wired.
My eventual goal is to put a switch capable of mac based vlans between it and the rest of the network. This should allow me to segregate traffic once it leaves the AP. On the AP, the various devices will be in different subnets (ie 192.168.1.0/24, 192.168.2.0/24... etc). They'll still be in the same broadcast domain, but will have some level of isolation.
Btw, such entries are logged in the system log. I made a test DNS host entry called test.com. The following showed up in the system log.
That's why I couldn't find it in my firewall/web filter log. It's in the system log. I saw it.
2022:04:23-02:29:45 dns-resolver: Adding REF_NetDnsKaspersky
2022:04:23-02:29:45 ntpd: ntpd exiting on signal 15 (Terminated)
2022:04:23-02:29:45 ntpd: 127.127.1.0 local addr 127.0.0.1 -> <null>
2022:04:23-02:29:45 ntpd: 220.127.116.11 local addr 18.104.22.168 -> <null>
2022:04:23-02:29:45 ntpd: 22.214.171.124 local addr 126.96.36.199 -> <null>
2022:04:23-02:29:45 ntpd: 188.8.131.52 local addr 184.108.40.206 -> <null>
2022:04:23-02:29:45 ntpd: 220.127.116.11 local addr 18.104.22.168 -> <null>
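For the two tracing steps discussed in this thread (checking which client Pi-hole sees behind a queried name, and checking the UTM system log for `dns-resolver: Adding REF_...` entries), here is a small Python helper added as an example; it is not code from the thread or from Pi-hole/Sophos. It assumes Pi-hole's dnsmasq-style query log format (`query[A] name from client`) and uses constructed sample log lines; the UTM lines follow the format quoted above.

```python
import re
from collections import defaultdict

# Constructed sample of Pi-hole's dnsmasq-style query log (not from the thread).
PIHOLE_LOG = """\
Apr 23 02:29:45 dnsmasq[811]: query[A] forum.kaspersky.com from 172.16.20.1
Apr 23 02:29:45 dnsmasq[811]: forwarded forum.kaspersky.com to 1.1.1.1
Apr 23 02:30:45 dnsmasq[811]: query[A] forum.kaspersky.com from 172.16.20.1
Apr 23 02:30:46 dnsmasq[811]: query[A] www.example.com from 172.16.30.25
Apr 23 02:31:45 dnsmasq[811]: query[AAAA] forum.kaspersky.com from 172.16.20.1
"""

# Constructed sample of Sophos UTM system log lines in the format quoted above.
UTM_SYSLOG = """\
2022:04:23-02:29:45 dns-resolver: Adding REF_NetDnsKaspersky
2022:04:23-02:29:45 ntpd: ntpd exiting on signal 15 (Terminated)
2022:04:23-02:30:45 dns-resolver: Adding REF_NetDnsKaspersky
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
RESOLVER_RE = re.compile(r"dns-resolver: Adding (REF_\S+)")


def clients_by_domain(log_text):
    """Map each queried domain to {client_ip: query_count}."""
    tally = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            _, domain, client = m.groups()
            tally[domain][client] += 1
    return {d: dict(c) for d, c in tally.items()}


def gateway_only_domains(log_text, gateways):
    """Domains whose only client is a forwarding gateway. Pi-hole then cannot
    name the real source, so the next place to look is the gateway's own log."""
    return sorted(d for d, c in clients_by_domain(log_text).items()
                  if set(c) <= set(gateways))


def resolver_refs(syslog_text):
    """Count UTM 'dns-resolver: Adding REF_...' events, i.e. DNS host
    definitions the firewall re-resolves on its own behalf."""
    counts = defaultdict(int)
    for line in syslog_text.splitlines():
        m = RESOLVER_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)
```

If a name shows up only from the gateway in Pi-hole and a matching `REF_` entry recurs in the UTM system log, the firewall's own DNS host definition is the source rather than a client device.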