Overview
Customers may experience issues when trying to use Kerio Control as an independent DNS server while it is still joined to their Active Directory (AD) domain. The problem appears when the Domain Controller (DC) is offline for maintenance: critical services that depend on name resolution can no longer resolve names through the DC, and even when clients are explicitly configured to use Kerio Control as their DNS server, Kerio forwards queries for the AD domain to the offline DC. The desired outcome is for Kerio Control to answer domain address queries from its own host table rather than forwarding them to the DC.
Solution
To configure Kerio Control as a fallback DNS server in an Active Directory environment, follow these steps:
- Access the administration interface and navigate to the DNS settings.
- Enable the DNS forwarding service. If it is disabled, the DNS module acts only as Kerio Control's own resolver, and clients that point to Kerio for their DNS cannot resolve queries at all.
- Enable DNS cache to expedite responses to repeated queries.
- Configure Kerio Control to perform local DNS lookups in the host table or in hostnames found in the DHCP lease table before forwarding a DNS query. A name that is not found locally is passed through to the next DNS server configured in the forwarder.
- Configure the DNS forwarder with the external DNS servers Kerio Control will use when its internal DNS cache has no record for the requested name. Reliable public resolvers such as Google's `8.8.8.8` and `8.8.4.4` or OpenDNS's `208.67.222.222` and `208.67.220.220` minimize the risk of forwarding requests to an unreliable service. Keep the host table complete for internal hosts: an internal hostname that is missing from it is forwarded to these public resolvers like any other unknown name.
- Clear the DNS cache after making any changes, so that answers previously learned from the DC are not served from cache.
- Manually populate the Kerio host table with the IP addresses of all machines in the local AD. Domain queries are then answered from the table even while the DC is offline.
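Populating the host table by hand for a whole domain is error-prone, so here is an added example (not part of this article and not Kerio's own tooling) that builds the entries from the DC's own zone data. It assumes the AD zone was exported on the DC with `dnscmd /ZoneExport corp.example corp.example.dns`, that the hypothetical domain is `corp.example`, and that the Kerio host table takes entries in hosts-file form (an IP address followed by one or more hostnames); the sample zone text is constructed to mimic the export format, not captured from a real DC.

```python
"""Build Kerio host-table entries from a Windows DNS zone export.

Added example, not from the Kerio Control article. Assumes the AD zone
was exported on the DC with `dnscmd /ZoneExport corp.example corp.example.dns`
(BIND-style text); the sample below is constructed to mimic that format.
"""
import ipaddress
import re
from collections import OrderedDict

ZONE = "corp.example"  # hypothetical AD domain used throughout
AGE_RE = re.compile(r"\s*\[AGE:\d+\]")  # dnscmd annotation on dynamic records

# Constructed sample zone export (not captured from a real DC).
SAMPLE_ZONE = """\
;
;  Database file corp.example.dns for corp.example zone.
;
@                       IN  SOA dc01.corp.example. hostmaster.corp.example. (
                        1234        ; serial number
                        900         ; refresh
                        600         ; retry
                        86400       ; expire
                        3600      ) ; default TTL
;
;  Zone NS records
;
@                       NS  dc01.corp.example.
;
;  Zone records
;
@                       600 A   10.0.0.10
dc01                    A   10.0.0.10
fs01 [AGE:3600000]      A   10.0.0.20
                        A   10.0.0.21
_ldap._tcp              SRV 0 100 389 dc01.corp.example.
intranet                CNAME   fs01
printer [AGE:3600001]   A   10.0.0.30
broken                  A   not.an.ip
"""


def parse_zone_a_records(text, zone):
    """Return [(fqdn, ip), ...] for every A record in a dnscmd zone export.

    Handles comment lines, the multi-line SOA in parentheses, the [AGE:n]
    annotation, a blank owner field (record belongs to the previous owner),
    optional TTL/class columns and '@' for the zone apex. Non-A records
    (SRV, CNAME, NS, SOA) and malformed addresses are skipped, so the result
    is exactly what a hosts table can express.
    """
    records = []
    owner = None
    in_parens = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if in_parens:                          # inside the SOA (...) block
            in_parens = ")" not in line
            continue
        if "(" in line and ")" not in line:
            in_parens = True
            continue
        fields = AGE_RE.sub("", line).split()
        if not fields:
            continue
        if not raw[0].isspace():               # owner column present
            owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                      # optional TTL and class
        if owner is None or len(fields) < 2 or fields[0].upper() != "A":
            continue
        try:
            ip = str(ipaddress.IPv4Address(fields[1]))
        except ipaddress.AddressValueError:
            continue                           # malformed rdata, do not import
        fqdn = zone if owner == "@" else f"{owner}.{zone}"
        records.append((fqdn.lower(), ip))
    return records


def to_hosts_lines(records, zone):
    """Group names by IP into '<ip> <fqdn> <shortname>' lines.

    Both the FQDN and the short name are listed so Kerio answers 'fs01' and
    'fs01.corp.example' alike. The zone apex maps to the domain name itself,
    which AD clients use when they open the domain's SYSVOL share.
    """
    by_ip = OrderedDict()
    for fqdn, ip in records:
        names = by_ip.setdefault(ip, [])
        candidates = [fqdn]
        if fqdn != zone:
            candidates.append(fqdn[: -len(zone) - 1])  # strip '.corp.example'
        for name in candidates:
            if name not in names:
                names.append(name)
    return [f"{ip} {' '.join(names)}" for ip, names in by_ip.items()]


if __name__ == "__main__":
    for entry in to_hosts_lines(parse_zone_a_records(SAMPLE_ZONE, ZONE), ZONE):
        print(entry)
```

Only A records survive the conversion: a host table cannot carry the SRV records (`_ldap._tcp`, `_kerberos._tcp`) that Windows uses to locate a DC, so logon and Kerberos traffic will still fail while the DC is down, but lookups of file servers, printers and the domain name itself keep working. Re-run the export whenever addresses change; a stale entry in the host table overrides the DC's answer even after the DC is back, because local lookups happen before forwarding.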
Summary
This article provides a step-by-step guide on how to configure Kerio Control as a fallback DNS server in an Active Directory environment. The solution involves enabling DNS forwarding, enabling DNS cache, and configuring Kerio Control to perform local DNS lookups.
FAQ
- What happens when I disable the DNS forwarding service in Kerio Control?
  When disabled, the DNS module functions solely as Kerio Control's own resolver: it won't forward DNS queries to your AD DNS server and it cannot act as a DNS server for clients.
- What should I do if clients that point to Kerio for their DNS cannot resolve queries?
  Configure the DNS forwarder with the external DNS servers Kerio Control will use when its internal DNS cache does not have a record for the requested name.
- What can I do if the issue persists?
  Manually populate the Kerio host table with the IP addresses of all machines in the local AD. This allows Kerio to resolve domain queries even when your domain controller is offline.