Re: [PacketFence-users] Windows 10 & Kaspersky (off-topic)
Price-reliability-performance-features. Pick 3.

How much internet bandwidth do you use? They are priced reasonably by actual expected throughput. Our 5050 ha pair was damn expensive, but we use them to firewall between all our VRFs including between the campus and servers. So having 5-10gig throughput is a requirement. However. The lower end models that do 1g of throughput aren't really that expensive. Multi gig/10gig ports is where the price really goes up. 100mbit models are only a couple grand.

Sent from my iPhone

On Sep 9, 2016, at 1:16 PM, Sallee, Jake <jake.sal...@umhb.edu> wrote:

> Palo Alto. Will do it all.

PA is nice, but good golly Ms. Molly are they proud of them. I couldn't afford one if I sold all my major organs ... sad day.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Tim DeNike <tim.den...@mcc.edu>
Sent: Thursday, September 8, 2016 2:33 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Windows 10 & Kaspersky

Palo Alto. Will do it all. Including block connections to ssl sites based on content of the flow. Ie: matching certificates in the handshake.

Sent from my iPhone

On Sep 8, 2016, at 12:44 PM, Sallee, Jake <jake.sal...@umhb.edu> wrote:

> Solving the issue is simple. Block the traffic.

When the traffic is being tunneled out via dest port 443 over SSL to a seemingly random list of servers blocking it is difficult.

We do block all access to DNS servers that are not on-campus, so those people who come in with static 8.8.8.8 and 8.8.4.4 and such notice pretty quick that nothing works; but that is operating under the assumption that the standard DNS ports are being used.

I am looking for a DNS proxy that I can put in place to intercept and reply to DNS requests, so if anyone knows of one please feel free to drop me a line.

I know the technology exists I just haven't gotten around to it yet. My working theory is to use a route map on my edge router to relay all the requests to a DNS server I control running BIND. But alas, this requires time which I do not have at the moment and running tests that can potentially take down our production network is frowned upon.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Tim DeNike <tim.den...@mcc.edu>
Sent: Wednesday, September 7, 2016 7:32 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Windows 10 & Kaspersky

Solving the issue is simple. Block the traffic. The rest will work itself out. People need to learn to not do things that break the Internet. Using 3rd party DNS servers like that causes decreased performance of the interwebzz.

Sent from my iPhone

On Sep 7, 2016, at 6:54 PM, Sallee, Jake <jake.sal...@umhb.edu> wrote:

I didn't see anyone else reply to this so here is what we are seeing.

Scenario 1: (less likely)

Some AV vendors (Kaspersky being one) are installing a DNS proxy with the AV software and are tunneling all DNS traffic to their own servers. I did some research a while ago into this and found the traffic was being tunneled out via port 443 but I do not remember who the AV vendor was at the time.

We run split horizon DNS so the effects of this DNS proxy are rather serious; not only does it break our onboarding process, but it also denies access to most of our campus resources while the user is actually on campus.

Sometimes it is a setting (in some versions of Norton) but other times it is just there and cannot be disabled as far as I can tell (as is the case with Kaspersky).

Interestingly enough, stopping the Kaspersky services does not seem to fix the issue and we have to either uninstall the AV or manually register the user.

Scenario 2: (more likely)

There is an option to disable the built-in Windows DNS Client service when you install Kaspersky. If the user checked that it can cause DNS issues as well. You can check the Windows services manager and see if the DNS Client service is stopped and disabled, if it is that could be your issue.

By default it should be set to automatic start and restart on all failures and should be running as "Network Service"

Conclusion:

It is a pain and we have no way of solving this issue, I am open to ideas though if anyone has them.

Also, if anyone has a direct line to the folks at Kaspersky and/or the other vendors who are doing this ... tell them from me they deserve a swift kick in the naughty bits for all the trouble they are causing.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton,
Re: [PacketFence-users] Windows 10 & Kaspersky (off-topic)
> Palo Alto. Will do it all.

PA is nice, but good golly Ms. Molly are they proud of them. I couldn't afford one if I sold all my major organs ... sad day.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Tim DeNike <tim.den...@mcc.edu>
Sent: Thursday, September 8, 2016 2:33 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Windows 10 & Kaspersky

Palo Alto. Will do it all. Including block connections to ssl sites based on content of the flow. Ie: matching certificates in the handshake.

Sent from my iPhone

On Sep 8, 2016, at 12:44 PM, Sallee, Jake <jake.sal...@umhb.edu> wrote:

>> Solving the issue is simple. Block the traffic.
>
> When the traffic is being tunneled out via dest port 443 over SSL to a
> seemingly random list of servers blocking it is difficult.
>
> We do block all access to DNS servers that are not on-campus, so those people
> who come in with static 8.8.8.8 and 8.8.4.4 and such notice pretty quick that
> nothing works; but that is operating under the assumption that the standard
> DNS ports are being used.
>
> I am looking for a DNS proxy that I can put in place to intercept and reply
> to DNS requests, so if anyone knows of one please feel free to drop me a line.
>
> I know the technology exists I just haven't gotten around to it yet. My
> working theory is to use a route map on my edge router to relay all the
> requests to a DNS server I control running BIND. But alas, this requires
> time which I do not have at the moment and running tests that can potentially
> take down our production network is frowned upon.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> From: Tim DeNike <tim.den...@mcc.edu>
> Sent: Wednesday, September 7, 2016 7:32 PM
> To: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Windows 10 & Kaspersky
>
> Solving the issue is simple. Block the traffic. The rest will work
> itself out. People need to learn to not do things that break the
> Internet. Using 3rd party DNS servers like that causes decreased
> performance of the interwebzz.
>
> Sent from my iPhone
>
>> On Sep 7, 2016, at 6:54 PM, Sallee, Jake <jake.sal...@umhb.edu> wrote:
>>
>> I didn't see anyone else reply to this so here is what we are seeing.
>>
>> Scenario 1: (less likely)
>>
>> Some AV vendors (Kaspersky being one) are installing a DNS proxy with the AV
>> software and are tunneling all DNS traffic to their own servers. I did some
>> research a while ago into this and found the traffic was being tunneled out
>> via port 443 but I do not remember who the AV vendor was at the time.
>>
>> We run split horizon DNS so the effects of this DNS proxy are rather
>> serious; not only does it break our onboarding process, but it also denies
>> access to most of our campus resources while the user is actually on campus.
>>
>> Sometimes it is a setting (in some versions of Norton) but other times it is
>> just there and cannot be disabled as far as I can tell (as is the case with
>> Kaspersky).
>>
>> Interestingly enough, stopping the Kaspersky services does not seem to fix
>> the issue and we have to either uninstall the AV or manually register the
>> user.
>>
>> Scenario 2: (more likely)
>>
>> There is an option to disable the built-in Windows DNS Client service when
>> you install Kaspersky. If the user checked that it can cause DNS issues as
>> well. You can check the Windows services manager and see if the DNS Client
>> service is stopped and disabled, if it is that could be your issue.
>>
>> By default it should be set to automatic start and restart on all failures
>> and should be running as "Network Service"
>>
>> Conclusion:
>>
>> It is a pain and we have no way of solving this issue, I am open to ideas
>> though if anyone has them.
>>
>> Also, if anyone has a direct line to the folks at Kaspersky and/or the other
>> vendors who are doing this ... tell them from me they deserve a swift kick
>> in the naughty bits for all the trouble they are causing.
>>
>> Jake Sallee
>> Godfather of Bandwidth
>>
Re: [PacketFence-users] Windows 10 & Kaspersky
Palo Alto. Will do it all. Including block connections to ssl sites based on content of the flow. Ie: matching certificates in the handshake.

Sent from my iPhone

On Sep 8, 2016, at 12:44 PM, Sallee, Jake <jake.sal...@umhb.edu> wrote:

>> Solving the issue is simple. Block the traffic.
>
> When the traffic is being tunneled out via dest port 443 over SSL to a
> seemingly random list of servers blocking it is difficult.
>
> We do block all access to DNS servers that are not on-campus, so those people
> who come in with static 8.8.8.8 and 8.8.4.4 and such notice pretty quick that
> nothing works; but that is operating under the assumption that the standard
> DNS ports are being used.
>
> I am looking for a DNS proxy that I can put in place to intercept and reply
> to DNS requests, so if anyone knows of one please feel free to drop me a line.
>
> I know the technology exists I just haven't gotten around to it yet. My
> working theory is to use a route map on my edge router to relay all the
> requests to a DNS server I control running BIND. But alas, this requires
> time which I do not have at the moment and running tests that can potentially
> take down our production network is frowned upon.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> From: Tim DeNike <tim.den...@mcc.edu>
> Sent: Wednesday, September 7, 2016 7:32 PM
> To: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Windows 10 & Kaspersky
>
> Solving the issue is simple. Block the traffic. The rest will work
> itself out. People need to learn to not do things that break the
> Internet. Using 3rd party DNS servers like that causes decreased
> performance of the interwebzz.
>
> Sent from my iPhone
>
>> On Sep 7, 2016, at 6:54 PM, Sallee, Jake <jake.sal...@umhb.edu> wrote:
>>
>> I didn't see anyone else reply to this so here is what we are seeing.
>>
>> Scenario 1: (less likely)
>>
>> Some AV vendors (Kaspersky being one) are installing a DNS proxy with the AV
>> software and are tunneling all DNS traffic to their own servers. I did some
>> research a while ago into this and found the traffic was being tunneled out
>> via port 443 but I do not remember who the AV vendor was at the time.
>>
>> We run split horizon DNS so the effects of this DNS proxy are rather
>> serious; not only does it break our onboarding process, but it also denies
>> access to most of our campus resources while the user is actually on campus.
>>
>> Sometimes it is a setting (in some versions of Norton) but other times it is
>> just there and cannot be disabled as far as I can tell (as is the case with
>> Kaspersky).
>>
>> Interestingly enough, stopping the Kaspersky services does not seem to fix
>> the issue and we have to either uninstall the AV or manually register the
>> user.
>>
>> Scenario 2: (more likely)
>>
>> There is an option to disable the built-in Windows DNS Client service when
>> you install Kaspersky. If the user checked that it can cause DNS issues as
>> well. You can check the Windows services manager and see if the DNS Client
>> service is stopped and disabled, if it is that could be your issue.
>>
>> By default it should be set to automatic start and restart on all failures
>> and should be running as "Network Service"
>>
>> Conclusion:
>>
>> It is a pain and we have no way of solving this issue, I am open to ideas
>> though if anyone has them.
>>
>> Also, if anyone has a direct line to the folks at Kaspersky and/or the other
>> vendors who are doing this ... tell them from me they deserve a swift kick
>> in the naughty bits for all the trouble they are causing.
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer
>> University of Mary Hardin-Baylor
>> WWW.UMHB.EDU
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>>
>> From: Thomas, Gregory A <thom...@uwp.edu>
>> Sent: Wednesday, September 7, 2016 1:14 PM
>> To: packetfence-users@lists.sourceforge.net
>> Subject: [PacketFence-users] Windows 10 & Kaspersky
>>
>> All,
>>
>> Is anyone else having problems with Win
Re: [PacketFence-users] Windows 10 & Kaspersky
> Solving the issue is simple. Block the traffic.

When the traffic is being tunneled out via dest port 443 over SSL to a seemingly random list of servers blocking it is difficult.

We do block all access to DNS servers that are not on-campus, so those people who come in with static 8.8.8.8 and 8.8.4.4 and such notice pretty quick that nothing works; but that is operating under the assumption that the standard DNS ports are being used.

I am looking for a DNS proxy that I can put in place to intercept and reply to DNS requests, so if anyone knows of one please feel free to drop me a line.

I know the technology exists I just haven't gotten around to it yet. My working theory is to use a route map on my edge router to relay all the requests to a DNS server I control running BIND. But alas, this requires time which I do not have at the moment and running tests that can potentially take down our production network is frowned upon.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Tim DeNike <tim.den...@mcc.edu>
Sent: Wednesday, September 7, 2016 7:32 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Windows 10 & Kaspersky

Solving the issue is simple. Block the traffic. The rest will work itself out. People need to learn to not do things that break the Internet. Using 3rd party DNS servers like that causes decreased performance of the interwebzz.

Sent from my iPhone

> On Sep 7, 2016, at 6:54 PM, Sallee, Jake <jake.sal...@umhb.edu> wrote:
>
> I didn't see anyone else reply to this so here is what we are seeing.
>
> Scenario 1: (less likely)
>
> Some AV vendors (Kaspersky being one) are installing a DNS proxy with the AV
> software and are tunneling all DNS traffic to their own servers. I did some
> research a while ago into this and found the traffic was being tunneled out
> via port 443 but I do not remember who the AV vendor was at the time.
>
> We run split horizon DNS so the effects of this DNS proxy are rather serious;
> not only does it break our onboarding process, but it also denies access to
> most of our campus resources while the user is actually on campus.
>
> Sometimes it is a setting (in some versions of Norton) but other times it is
> just there and cannot be disabled as far as I can tell (as is the case with
> Kaspersky).
>
> Interestingly enough, stopping the Kaspersky services does not seem to fix
> the issue and we have to either uninstall the AV or manually register the
> user.
>
> Scenario 2: (more likely)
>
> There is an option to disable the built-in Windows DNS Client service when
> you install Kaspersky. If the user checked that it can cause DNS issues as
> well. You can check the Windows services manager and see if the DNS Client
> service is stopped and disabled, if it is that could be your issue.
>
> By default it should be set to automatic start and restart on all failures
> and should be running as "Network Service"
>
> Conclusion:
>
> It is a pain and we have no way of solving this issue, I am open to ideas
> though if anyone has them.
>
> Also, if anyone has a direct line to the folks at Kaspersky and/or the other
> vendors who are doing this ... tell them from me they deserve a swift kick in
> the naughty bits for all the trouble they are causing.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> From: Thomas, Gregory A <thom...@uwp.edu>
> Sent: Wednesday, September 7, 2016 1:14 PM
> To: packetfence-users@lists.sourceforge.net
> Subject: [PacketFence-users] Windows 10 & Kaspersky
>
> All,
>
> Is anyone else having problems with Windows 10 and Kaspersky AV?
>
> I am having multiple folks that can connect to the network, but the browser
> reports: No Connection.
>
> Any clues on what I may need to change on my side or advice to give them to
> connect.
>
> --
> Gregory A. Thomas
> Student Life Support Specialist
> University of Wisconsin-Parkside
> thom...@uwp.edu
> 262.595.2432
>
> --
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
>
Re: [PacketFence-users] Windows 10 & Kaspersky
Solving the issue is simple. Block the traffic. The rest will work itself out. People need to learn to not do things that break the Internet. Using 3rd party DNS servers like that causes decreased performance of the interwebzz.

Sent from my iPhone

> On Sep 7, 2016, at 6:54 PM, Sallee, Jake <jake.sal...@umhb.edu> wrote:
>
> I didn't see anyone else reply to this so here is what we are seeing.
>
> Scenario 1: (less likely)
>
> Some AV vendors (Kaspersky being one) are installing a DNS proxy with the AV
> software and are tunneling all DNS traffic to their own servers. I did some
> research a while ago into this and found the traffic was being tunneled out
> via port 443 but I do not remember who the AV vendor was at the time.
>
> We run split horizon DNS so the effects of this DNS proxy are rather serious;
> not only does it break our onboarding process, but it also denies access to
> most of our campus resources while the user is actually on campus.
>
> Sometimes it is a setting (in some versions of Norton) but other times it is
> just there and cannot be disabled as far as I can tell (as is the case with
> Kaspersky).
>
> Interestingly enough, stopping the Kaspersky services does not seem to fix
> the issue and we have to either uninstall the AV or manually register the
> user.
>
> Scenario 2: (more likely)
>
> There is an option to disable the built-in Windows DNS Client service when
> you install Kaspersky. If the user checked that it can cause DNS issues as
> well. You can check the Windows services manager and see if the DNS Client
> service is stopped and disabled, if it is that could be your issue.
>
> By default it should be set to automatic start and restart on all failures
> and should be running as "Network Service"
>
> Conclusion:
>
> It is a pain and we have no way of solving this issue, I am open to ideas
> though if anyone has them.
>
> Also, if anyone has a direct line to the folks at Kaspersky and/or the other
> vendors who are doing this ... tell them from me they deserve a swift kick in
> the naughty bits for all the trouble they are causing.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> From: Thomas, Gregory A <thom...@uwp.edu>
> Sent: Wednesday, September 7, 2016 1:14 PM
> To: packetfence-users@lists.sourceforge.net
> Subject: [PacketFence-users] Windows 10 & Kaspersky
>
> All,
>
> Is anyone else having problems with Windows 10 and Kaspersky AV?
>
> I am having multiple folks that can connect to the network, but the browser
> reports: No Connection.
>
> Any clues on what I may need to change on my side or advice to give them to
> connect.
>
> --
> Gregory A. Thomas
> Student Life Support Specialist
> University of Wisconsin-Parkside
> thom...@uwp.edu
> 262.595.2432
>
> --
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
Re: [PacketFence-users] Windows 10 & Kaspersky
I didn't see anyone else reply to this so here is what we are seeing.

Scenario 1: (less likely)

Some AV vendors (Kaspersky being one) are installing a DNS proxy with the AV software and are tunneling all DNS traffic to their own servers. I did some research a while ago into this and found the traffic was being tunneled out via port 443 but I do not remember who the AV vendor was at the time.

We run split horizon DNS so the effects of this DNS proxy are rather serious; not only does it break our onboarding process, but it also denies access to most of our campus resources while the user is actually on campus.

Sometimes it is a setting (in some versions of Norton) but other times it is just there and cannot be disabled as far as I can tell (as is the case with Kaspersky).

Interestingly enough, stopping the Kaspersky services does not seem to fix the issue and we have to either uninstall the AV or manually register the user.

Scenario 2: (more likely)

There is an option to disable the built-in Windows DNS Client service when you install Kaspersky. If the user checked that it can cause DNS issues as well. You can check the Windows services manager and see if the DNS Client service is stopped and disabled, if it is that could be your issue.

By default it should be set to automatic start and restart on all failures and should be running as "Network Service"

Conclusion:

It is a pain and we have no way of solving this issue, I am open to ideas though if anyone has them.

Also, if anyone has a direct line to the folks at Kaspersky and/or the other vendors who are doing this ... tell them from me they deserve a swift kick in the naughty bits for all the trouble they are causing.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221

From: Thomas, Gregory A <thom...@uwp.edu>
Sent: Wednesday, September 7, 2016 1:14 PM
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Windows 10 & Kaspersky

All,

Is anyone else having problems with Windows 10 and Kaspersky AV?

I am having multiple folks that can connect to the network, but the browser reports: No Connection.

Any clues on what I may need to change on my side or advice to give them to connect.

--
Gregory A. Thomas
Student Life Support Specialist
University of Wisconsin-Parkside
thom...@uwp.edu
262.595.2432

--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
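
The Scenario 2 check from the message above, scripted in PowerShell for use on an affected client. This is an added example, not part of the original thread: `Test-DnsClientService` is a hypothetical helper name, `Dnscache` is the service name behind the "DNS Client" display name, and the expected values are the defaults as stated in the message.

```powershell
# Added example: compare the DNS Client service against the defaults described
# in the message (automatic start, running, Network Service account, restart
# on all failures). Run in a PowerShell session on the Windows client.
function Test-DnsClientService {
    [CmdletBinding()]
    param(
        # 'Dnscache' is the service name of the Windows "DNS Client" service.
        [string]$ServiceName = 'Dnscache'
    )

    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
    if (-not $svc) {
        throw "Service '$ServiceName' was not found on this machine."
    }

    # 'sc.exe qfailure' prints one RESTART line per failure slot that is
    # configured to restart the service (first, second, subsequent failures).
    # The keyword match assumes an English-language Windows installation.
    $failureConfig = & sc.exe qfailure $ServiceName
    $restartSlots  = @($failureConfig | Select-String -Pattern 'RESTART').Count

    $findings = @()
    if ($svc.State -ne 'Running') {
        $findings += "State is '$($svc.State)', expected 'Running'"
    }
    if ($svc.StartMode -ne 'Auto') {
        $findings += "Start mode is '$($svc.StartMode)', expected 'Auto'"
    }
    if ($svc.StartName -notmatch 'Network\s?Service') {
        $findings += "Runs as '$($svc.StartName)', expected the Network Service account"
    }
    if ($restartSlots -lt 3) {
        # Expectation taken from the message: restart on all failures.
        $findings += "Only $restartSlots of 3 failure actions restart the service"
    }

    [pscustomobject]@{
        Service      = $svc.Name
        State        = $svc.State
        StartMode    = $svc.StartMode
        RunsAs       = $svc.StartName
        RestartSlots = $restartSlots
        MatchesNorm  = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Print the result; an empty Findings list means the service matches the
# defaults given in the message, so Scenario 2 is unlikely to be the cause.
Test-DnsClientService | Format-List
```
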
[PacketFence-users] Windows 10 & Kaspersky
All,

Is anyone else having problems with Windows 10 and Kaspersky AV?

I am having multiple folks that can connect to the network, but the browser reports: No Connection.

Any clues on what I may need to change on my side or advice to give them to connect.

--
Gregory A. Thomas
Student Life Support Specialist
University of Wisconsin-Parkside
thom...@uwp.edu
262.595.2432

--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users