cancel
Showing results for 
Search instead for 
Did you mean: 

DNS lookups and outbound HTTP to Apple from Ruckus AP

ctay
New Contributor III

Hello.  R610 AP on Unleashed 200.13.6.1.319. 

TLDR: Unleashed doing DNS lookups and outbound HTTP to Apple (and others), part of Internet Checking functionality, can be disabled in limited fashion, but prefer to completely disable.

Logging devices in same environment have been recording excessive DNS lookups and outbound HTTP to captive.apple.com from the AP. After some topic searching here and elsewhere it appears to be a function of the Internet Connectivity checking with Unleashed.  I see outbound traffic every 65 seconds initially caught in Suricata IDS logs (outbound HTTP, curl User-Agent), but also seen in Unbound DNS logs.

Using the Internet-check CLI command via SSH I managed to disable the checks.  The functionality appears to contact captive.apple.com, but falls back to www.microsoft.com and then support.ruckuswireless.com if unable to reach first.  All three were disabled, but now every 35 seconds I'm seeing DNS lookups to www.apple.com , along with IPv4 and IPv6 Reverse DNS lookups for same domain. Obviously the prior attempt to disable the Internet Checking is limited and actually creates more log spam than before.

Are there possibly any undocumented CLI commands to disable the remaining attempts? 

While this is not a large issue by any means, I prefer to not have the AP reach out if not necessary and create log spam.  For the time being, I left support.ruckwireless.com check enabled reducing lookups to 65 seconds and have a host override in Unbound to blackhole the request.  Still creates some log spam which can't be filtered, though I can purge ever so often when needed.   Thanks.

CLI command reference:

https://docs.commscope.com/en-US/bundle/unleashed-200.13-commandref/page/GUID-B6343A24-59CA-4711-815...

Previous mention of issue within this forum: 

https://community.ruckuswireless.com/t5/Access-Points-Indoor-and-Outdoor/DNS-Requests-to-baidu-com-f...

 

2 ACCEPTED SOLUTIONS

sanjay_kumar
RUCKUS Team Member

Hi @ctay 
The command is as below from CLI :

ruckus> en
ruckus# config
You have all rights in this mode.
ruckus(config)# system

ruckus(config-sys)# show internet-check
Internet Check:
Company = apple, Enable = 1

Internet Check:
Company = microsoft, Enable = 1

Internet Check:
Company = ruckus, Enable = 1

Now to disable this use the below command:

ruckus(config-sys)# no internet-check all
The internet check settings have been updated.
ruckus(config-sys)# end
Your changes have been saved.

To cross check:
ruckus(config)# system
ruckus(config-sys)# show internet-check
Internet Check:
Company = apple, Enable = 0

Internet Check:
Company = microsoft, Enable = 0

Internet Check:
Company = ruckus, Enable = 0

I would recommend using this function in 200.14, which is about to release in next week.

View solution in original post

ctay
New Contributor III

I can confirm the fix appears to be working in this update.  After upgrade to 200.14 and resetting Internet Checking, the AP would start its cycle of 65 sec DNS lookups to captive.apple.com, but after disabling Internet Checking via CLI, all further DNS traffic ceased.  Thanks Sanjay.

View solution in original post

13 REPLIES 13

ctay
New Contributor III

Update:   Identified an acceptable workaround.  Configured the AP's IP settings to have its DNS server pointing to an invalid address; something internal that doesn't exist.  Obviously I'm using Manual vs DHCP in settings.  I also don't use the AP's DHCP server to provide DNS settings to clients nor do I use any AP features that require it to lookup any addresses, so I see little consequence (so far).

Once a false DNS server was configured, the excessive DNS lookups stopped.  I only noticed within the GUI dashboard that Internet connectivity was flagged as unavailable.  I then used the CLI command mentioned earlier to remove the remaining server (support.ruckuswireless.com) from internet checking.  Once this was done, no further error was displayed.

I wouldn't call this a valid solution, but it works for me and stops the log spam.  It would be better for Ruckus to allow Internet checking to be truly disabled if needed.

sanjay_kumar
RUCKUS Team Member

Hi @ctay 
captive.apple.com
www.microsoft.com
www.baidu.com
 ping support.ruckuswireless.com

However, we have introduced the option to disable the Internet check. This can be disable completely or disable for particular site.
Let me check the command in my lab setup and will update you here.

ctay
New Contributor III

Thanks.  I'll test it on my side as well when you share the command.  

sanjay_kumar
RUCKUS Team Member

Hi @ctay 
The command is as below from CLI :

ruckus> en
ruckus# config
You have all rights in this mode.
ruckus(config)# system

ruckus(config-sys)# show internet-check
Internet Check:
Company = apple, Enable = 1

Internet Check:
Company = microsoft, Enable = 1

Internet Check:
Company = ruckus, Enable = 1

Now to disable this use the below command:

ruckus(config-sys)# no internet-check all
The internet check settings have been updated.
ruckus(config-sys)# end
Your changes have been saved.

To cross check:
ruckus(config)# system
ruckus(config-sys)# show internet-check
Internet Check:
Company = apple, Enable = 0

Internet Check:
Company = microsoft, Enable = 0

Internet Check:
Company = ruckus, Enable = 0

I would recommend using this function in 200.14, which is about to release in next week.