*** Official Ubiquiti Discussion Thread ***

Do you know the timeframe? And do you know the DHCP lease setting? IIRC Windows will ask to renew at 50% through the lease, if this is being denied/not getting through that could be the issue.
 
Surprisingly, the issue doesn't resolve itself with a reboot. The PC is shut down daily and it doesn't clear unless I use those commands followed by a reboot. I forgot that this laptop also has the same issue but it doesn't come up as the kids don't use it but the software is installed just in case. No VLANs, just straight shared IP range currently with all PCs apart from the homelab and AD servers being served by DHCP/DNS from the AD servers.

As this laptop isn't connecting either, I did some tests and it can resolve the DNS name for the Kaspersky server in the DNS resolver but it wouldn't reverse lookup the two IPs that came up. Releasing and renewing the IP address on the laptop allowed it to sync the settings (unblocked the flow to the Kaspersky server) but again it won't resolve the IP address and it won't via Google DNS either... it just says a non-existent domain using nslookup. I'm not sure how this could be part of the problem though as it's only affecting those PCs connected via the WiFi network and not wired in via one of the switches.

As I understand it (VERY simplistically) all the DNS is doing for you is taking the URL you typed in and doing a directory search that finds the correct IP address(es) that match that and then your device will interact with the human-unfriendly machine IP address. So if that's not working then either the DNS server is tar-pitting or denying Kaspersky's DNS requests (which is possible) or the DNS server value on a device in the network is changing to something that isn't a working DNS server.

Are your access points on AUTO configuration and nightly optimisation? If they are, switch that off.

Is the UDM Pro acting as a router or is that the AD server? What is giving the access points their IP addresses? Do they always get the right DNS server from whatever is giving them their IP address? I'm sure you don't have two routers on the network so is the UDM Pro just functioning as a 1U Cloud Key?

From your post above it looks like whatever the AP DNS server is isn't working for Kaspersky.

If you google "Kaspersky Kids DNS issues" you're not alone in having the problem. And "Kaspersky DNS issues" is even worse.

I would really like to understand how your network is set up as you have a DHCP/DNS server if the UDM Pro is a functioning router and then you have another DHCP/DNS server in the AD box so which one is giving the access points their network settings?

Sorry if my thinking aloud comes across as 'mansplaining'. If you have an AD server running you clearly have some knowledge so it's more me trying to work out where everything is getting their settings from.

Direct connection over wires goes straight to the AD server and that works.

Connection through the AP stops working so what DNS server is the information going to over the access point? That's the question I think we need to answer to resolve the issue.
 
From your post above it looks like whatever the AP DNS server is isn't working for Kaspersky.
The AP isn't a DNS server. It'll have DNS servers set, but that's for the AP itself to resolve DNS (say when looking up the IP of an NTP server) rather than any other clients on the network to use the AP as a DNS server.
 
The AP isn't a DNS server. It'll have DNS servers set, but that's for the AP itself to resolve DNS (say when looking up the IP of an NTP server) rather than any other clients on the network to use the AP as a DNS server.

Quite. And the DNS lookup works over a cable so why doesn't it work over the access point? Simple answer? The access point isn't getting its networking instructions from the AD server anymore. Like I said, I'm just brain dumping and trying to work things through.

There is an AD server and a UDM Pro on the same network. And a Unifi controller. All of them could be assigning the access point IP address and network settings. I just want to know which one it is when the Kaspersky goes offline.
 
Quite. And the DNS lookup works over a cable so why doesn't it work over the access point? Simple answer? The access point isn't getting its networking instructions from the AD server anymore. Like I said, I'm just brain dumping and trying to work things through.

There is an AD server and a UDM Pro on the same network. And a Unifi controller. All of them could be assigning the access point IP address and network settings. I just want to know which one it is when the Kaspersky goes offline.

The AP doesn't need 'network instructions'. It could have no IP address itself, an invalid IP address and clients connected to it wouldn't be aware of that and would work the same as if the AP had valid IP addressing.

I think you're barking up the wrong tree here, IP addressing on the AP isn't the issue.
 
The AP doesn't need 'network instructions'. It could have no IP address itself, an invalid IP address and clients connected to it wouldn't be aware of that and would work the same as if the AP had valid IP addressing.

I think you're barking up the wrong tree here, IP addressing on the AP isn't the issue.

Please hear me out. And then I'll shut up. The access point should function as a transparent connection between the network card and the router. It's not doing that. It's behaving differently. I'm asking "why?"

If we rule out user interference (because the laptop does it and the children don't use the laptop) then the obvious answer is that the wired connection and the wireless connection are not using the same DNS server because one works and the other doesn't. Why?

I have seen issues where ISPs want to block tethering and they count hops but again, it shouldn't be an issue in this case because the AP should be transparent.

All I'm asking is what are the active routers and providers of network information at the time Kaspersky goes offline. If you google it, Kaspersky does seem to have massive DNS issues and I may well be barking up the wrong tree, I just want to know the answer to my query, to rule it out if nothing else.
 
I don't think this has anything to do with your network. If the only thing that stops working when the Kaspersky thing is complaining about being unreachable is the Kaspersky service itself then I can't see how it's a wider DNS issue.

Check for Kaspersky updates, Windows updates, and driver updates for your network card.

Also try manually setting Google or Cloudflare DNS into the affected PC, bypassing your Windows Server DNS entirely. There might be something weird going on with DNS packet sizes, maybe Kaspersky is for some reason trying to send information back to their cloud inside DNS requests rather than more standard methods.
 
The AP doesn't need 'network instructions'. It could have no IP address itself, an invalid IP address and clients connected to it wouldn't be aware of that and would work the same as if the AP had valid IP addressing.
That's not correct. If it has no IP address it won't have any connected clients. The access point itself needs valid IP credentials.
 
I don't think this has anything to do with your network. If the only thing that stops working when the Kaspersky thing is complaining about being unreachable is the Kaspersky service itself then I can't see how it's a wider DNS issue.

Check for Kaspersky updates, Windows updates, and driver updates for your network card.

So how do you conflate your position with the point that @the-evaluator is making (correctly) that the wireless connection is the same as a cabled connection and the reported issue that the cabled computers work fine but the wireless ones stop working?
 
DNS servers are advertised via the DHCP servers, both of which are secured against the Active Directory. UDM Pro should have DHCP/DNS disabled - happy to check as I've found DHCP but there is no option for DNS that I can see on the ethernet side of things, only in the WAN settings. All clients get the same DNS/DHCP servers responding and the connections are shown in Windows Server DNS and DHCP.
 
The AP is the only differentiator here as far as I can see... all the PCs are AMD Ryzen 5 series, all have inbuilt WiFi 6 on the motherboards but only one is using a wired connection and this doesn't have any issues... It could be the WiFi adapters but there is nothing obvious in the settings.
 
Has anybody made UniFi Talk work in the UK? I've just spent 30 seconds on it and given up. Saw this thread bumped so asking here.

A client with a UDMP and an existing internal VoIP box that's on its last legs so thought I would try Talk.
 
That's not correct. If it has no IP address it won't have any connected clients. The access point itself needs valid IP credentials.

No, no it doesn't. Think of a layer 2 switch, traffic will flow through it just fine if the switch has an invalid IP address or not. It's the same with an AP. If valid IP addresses were required for layer 2 devices to work then unmanaged switches wouldn't exist. Clearly it's different for layer 3 devices, but an AP isn't routing so that doesn't apply.

The AP does need a valid IP to report connected clients back to UniFi, but it doesn't need a valid IP for clients connected to it to have network access.
 
It could be the wifi adapters but there is nothing obvious in the settings.

Hence why I asked:

When the problem is there, can the problematic devices ping things on the internal network? Try to ping the UDMP. Can they ping things on the internet by IP? Try to ping 8.8.8.8.

From a problematic device, can you ping the Kasperspy DNS servers when things are working? Can you ping them when things aren't working? What happens if you try to do a DNS query whilst the problem is there from a powershell window / command prompt. What error do you get? Try to query another DNS server (try 8.8.8.8), do queries resolve?

If you temporarily set one problematic device to use the same DNS servers as the rest of your network does the problem occur or is it isolated to Kaspersky DNS?
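
The checks asked for in the post above, gathered into one PowerShell script (an added example, not written by any poster in this thread). `$TargetName` is a placeholder for the hostname the affected software fails to reach, and `$ExtraResolvers` defaults to the 8.8.8.8 mentioned above.

```powershell
# Added example, not from the thread. Replace the placeholder $TargetName with
# the hostname the affected software is failing to reach.
param(
    [string]$TargetName = 'service.example.com',   # placeholder, not a real endpoint
    [string[]]$ExtraResolvers = @('8.8.8.8')
)

# 1. Which DHCP server issued each lease, and which DNS servers did it hand out?
$adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
$adapters | Select-Object Description, DHCPEnabled, DHCPServer,
    DHCPLeaseObtained, DHCPLeaseExpires,
    @{ n = 'IPv4'; e = { ($_.IPAddress | Where-Object { $_ -notmatch ':' }) -join ',' } },
    @{ n = 'DnsServers'; e = { $_.DNSServerSearchOrder -join ',' } } |
    Format-List | Out-Host

# 2. Reachability by IP only, so name resolution is not involved.
$gateways = $adapters.DefaultIPGateway |
    Where-Object { $_ -and $_ -notmatch ':' } | Select-Object -Unique
$pings = foreach ($ip in @($gateways) + $ExtraResolvers) {
    [pscustomobject]@{
        Target = $ip
        Ping   = Test-Connection -ComputerName $ip -Count 2 -Quiet
    }
}
$pings | Format-Table -AutoSize | Out-Host

# 3. Forward lookup of the same name against every resolver in play.
#    (A reverse/PTR lookup is deliberately not used as a health check:
#    many public IPs have no PTR record, so NXDOMAIN there proves nothing.)
$resolvers = @($adapters.DNSServerSearchOrder) + $ExtraResolvers |
    Where-Object { $_ } | Select-Object -Unique
$lookups = foreach ($server in $resolvers) {
    try {
        $a = Resolve-DnsName -Name $TargetName -Server $server -Type A `
                -DnsOnly -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
        $answer = $a.IPAddress -join ','
    } catch {
        $answer = "FAILED: $($_.Exception.Message)"
    }
    [pscustomobject]@{ Resolver = $server; Name = $TargetName; Answer = $answer }
}
$lookups | Format-Table -AutoSize | Out-Host
```

Run it once on the wired PC and once on an affected wireless PC while the fault is present, then compare the `DHCPServer`, `DnsServers` and `Answer` values between the two outputs.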
 
Has anybody made UniFi Talk work in the UK? I've just spent 30 seconds on it and given up. Saw this thread bumped so asking here.

A client with a UDMP and an existing internal VoIP box that's on its last legs so thought I would try Talk.

I'd be taking a step back and listing all the reasons in favour of running Unifi Talk, of which there aren't many. People get very upset when their phones don't work, I'm not sure I'd be trusting Ubiquiti to run mine.
 
@the-evaluator Yep ok, so until I reset the laptop (was afflicted with the same issue) I was able to browse the internet fine and play games via GeForce Now etc. without issue. I could do a lookup on the DNS of the Kaspersky address in the DNS resolver cache but not the IPs listed. Using the ipconfig commands restored access to Kaspersky but again the two IPs that the DNS resolves to would not resolve back to the domain name - this was the same from either my own DNS server or 8.8.8.8.
 
I'd be taking a step back and listing all the reasons in favour of running Unifi Talk, of which there aren't many. People get very upset when their phones don't work, I'm not sure I'd be trusting Ubiquiti to run mine.

Thank you. But their existing one is unsupported, nobody onsite with any knowledge. So plan was to set up Talk as a backup and if their existing one dies we're in a position to use an alternative... as people get upset when their phones don't work :-)
 