DNS forwarding service in Kerio Control
Kerio Control includes a DNS (Domain Name System) server. We recommend configuring the DNS server together with the DHCP (Dynamic Host Configuration Protocol) server in Kerio Control. For more information refer to DHCP server in Kerio Control. Configuration and administration are simple, and responses to repeated DNS queries are fast.
In Active Directory environments, Kerio Control forwards DNS queries to the internal domain name server if Kerio Control is joined to the domain. For more information refer to Connecting Kerio Control to directory service.
- In the administration interface, go to DNS.
- Select Enable the DNS forwarding service. If the DNS forwarding service is disabled, the DNS module is used only as Kerio Control's own DNS resolver.
- Select Enable DNS cache for faster responses to repeat queries. With this option enabled, responses to repeated queries are much faster (the same query sent by different clients also counts as a repeated query).
- Choose whether, before forwarding a DNS query, Kerio Control should first perform a local lookup in the hosts table and/or among the hostnames found in the DHCP lease table.
- In the When resolving name from the hosts table or lease table combine it with DNS domain below entry, specify the name of your local DNS domain. There are two reasons for this:
  - DNS names in the hosts table can be specified without the local domain (for example jsmith-pc). The DNS module can complete the query with the local domain. For more information refer to Hosts table.
  - A host can send the DNS query in the jsmith-pc.example.com format. If the DNS module knows the local domain example.com, the name is split into the host part (jsmith-pc) and the local domain part.
- Click Apply.
The hosts table contains a list of IP addresses and their corresponding DNS hostnames. Kerio Control uses this table to resolve the IP addresses of local hosts referred to by hostname, for example a local server that should be reached through its internal, local IP address.
Each IP address can have multiple DNS names assigned. This can be defined in two ways:
- A single record with several names: the main advantage of this method is that it saves space. The first name written is always considered the primary name (the so-called canonical name), and the other names are used as its aliases.
- An individual record for each name: with this method, the primary name can be chosen as needed. To move records, use the arrow buttons on the right side of the window. The name listed first for the IP address is used as the primary name.
Each DNS name can also have multiple IP addresses assigned (e.g. a computer with multiple network adapters). In that case, add a record to the table for each IP address, with the DNS name identical in all of these records.
The DNS module allows forwarding of DNS requests to other DNS servers. This is helpful when a local DNS server is to be used for the local domain (all other DNS queries are forwarded to the Internet directly, which speeds up responses). The DNS forwarder's settings also play a role in the configuration of private networks, where requests for names in the domains of remote subnets must be forwarded correctly.
Request forwarding is defined by rules for DNS names or subnets. The rules are ordered in a list that is processed from the top. If the DNS name or subnet in a request matches a rule, the request is forwarded to the corresponding DNS server. Queries that do not match any rule are forwarded to the default DNS servers (see above).
If simple DNS resolution is enabled, the forwarding rules are applied only if the DNS module cannot answer the query from the hosts table and/or the DHCP lease table.
Defining a rule
For custom DNS forwarding, follow these steps:
- Configure simple DNS resolution.
- Select Enable custom DNS forwarding to enable settings for forwarding certain DNS queries to other DNS servers, and click Edit.
- In the Custom DNS Forwarding dialog, click Add. A rule can be defined for:
  - Common DNS queries
  - Reverse queries
Rules can be reordered with the arrow buttons. This enables more complex combinations of rules — e.g. exceptions for certain workstations or subdomains. Because the rule list is processed from the top downwards, order the rules starting with the most specific one (e.g. the name of a particular computer) and ending with the most general one at the bottom (e.g. the company's main domain). Similarly, rules for reverse DNS queries should be ordered by subnet mask length, from the longest mask at the top to the shortest at the bottom (e.g. 255.255.255.0 at the top, 255.0.0.0 at the bottom). Rules for name queries and rules for reverse queries are independent of each other.
- In the Custom DNS Forwarding dialog, you can create these types of rules:
  - Match DNS query name — specify the corresponding DNS name (the name of a host in the domain). In rules for DNS requests, the expression must match the full DNS name. If, for example, the expression kerio.c* is entered, only names such as kerio.com etc. match the rule; host names within those domains (such as secure.kerio.com) do not.
  - Match IP address from reverse DNS query — the alternative for specifying a rule for reverse DNS queries on IP addresses in a particular subnet.
- Use the Forward the query field to specify the IP address(es) of one or more DNS servers to which the queries will be forwarded. If multiple DNS servers are specified, they are treated as primary, secondary, etc. If the Do not forward option is checked, DNS queries are not forwarded to any other DNS server — Kerio Control searches only the hosts table or the DHCP server table (see below). If the requested name or IP address is not found, the client is told that the name/address does not exist.
- Save the settings and create another rule if needed.
Clearing the DNS cache removes all records from it (regardless of their lifetime). This can be helpful e.g. after configuration changes, during dial-up testing, for error detection, etc.
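The lookup order described in this section and in the hosts table section (hosts table and DHCP leases with local-domain handling, then the top-down name rules and, independently, the subnet-ordered reverse rules, then the default servers) can be modelled in a few lines. The following Python model is an added example, not Kerio Control's own code; it assumes fnmatch-style wildcards stand in for Kerio's expression syntax, that reverse queries are also answered from the hosts table and leases before the rules apply, and every table, rule and server address in it is a constructed sample value.

```python
import fnmatch
import ipaddress
# Constructed sample config (not from the page); in HOSTS_TABLE the first name per IP is canonical.
LOCAL_DOMAIN = "example.com"
HOSTS_TABLE = {"192.168.1.10": ["jsmith-pc", "jsmith"]}
LEASE_TABLE = {"192.168.1.20": "printer"}          # hostnames from DHCP leases
NAME_RULES = [                                     # most specific rule first
    ("secure.kerio.com", ["10.0.0.53"]),
    ("*.kerio.com", ["10.0.0.54"]),
    ("kerio.c*", ["10.0.0.54"]),                   # matches kerio.com, not secure.kerio.com
    ("*.internal", None),                          # None models the "Do not forward" option
]
REVERSE_RULES = [("10.1.2.0/24", ["10.1.2.1"]),   # longest mask first
                 ("10.0.0.0/8", ["10.0.0.1"])]
DEFAULT_SERVERS = ["198.51.100.53"]                # placeholder default DNS server

def _bare_host(name):
    # Strip the local domain so 'jsmith-pc.example.com' compares equal to 'jsmith-pc'.
    suffix = "." + LOCAL_DOMAIN
    return name[:-len(suffix)] if name.endswith(suffix) else name

def local_lookup(name):
    """Simple DNS resolution: hosts table, then DHCP leases; None if unknown."""
    host = _bare_host(name.lower())
    for ip, names in HOSTS_TABLE.items():
        if host in [_bare_host(n) for n in names]:
            return ip
    return next((ip for ip, n in LEASE_TABLE.items() if n == host), None)

def resolve(query, qtype="A"):
    """Return ('local', answer), ('forward', servers) or ('nxdomain', None)."""
    query = query.lower()
    if qtype == "PTR":                             # 10.1.168.192.in-addr.arpa -> 192.168.1.10
        ip = ".".join(reversed(query[:-len(".in-addr.arpa")].split(".")))
        if ip in HOSTS_TABLE:
            return ("local", HOSTS_TABLE[ip][0])   # canonical name, never an alias
        if ip in LEASE_TABLE:
            return ("local", LEASE_TABLE[ip])
        for subnet, servers in REVERSE_RULES:      # first matching rule wins
            if ipaddress.ip_address(ip) in ipaddress.ip_network(subnet):
                return ("forward", servers)
        return ("forward", DEFAULT_SERVERS)
    answer = local_lookup(query)
    if answer:
        return ("local", answer)
    for pattern, servers in NAME_RULES:            # expression must cover the full name
        if fnmatch.fnmatchcase(query, pattern):
            return ("forward", servers) if servers else ("nxdomain", None)
    return ("forward", DEFAULT_SERVERS)
```

Swapping the order of the two NAME_RULES entries for kerio.com, or of the two REVERSE_RULES subnets, changes which server secure.kerio.com and 10.1.2.x queries reach, which is why the page insists on most-specific-first ordering.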