Overview
This article shares the processes for configuring the following in Kerio Control:
Note: We recommend configuring the DNS and DHCP servers in Kerio Control together because this makes the responses to repeated DNS queries fast. Additionally, in the case of Active Directory environments, Kerio Control forwards DNS queries to the internal Domain Name Server if Kerio Control is joined to the domain.
Important: IPv6 is not supported. The DNS forwarding service only works for IPv4.
Configuring Simple DNS Forwarding
For simple DNS forwarding, follow these steps:
- In the administration interface, go to DNS.
- Select Enable the DNS forwarding service. If the DNS forwarding service is disabled, the DNS module is used only as Kerio Control's own DNS resolver.
- Select Enable DNS cache for faster responses to repeat queries. Responses to repeated queries are much faster with this option enabled (the same query sent by different clients also counts as a repeated query).
Note: Before forwarding a DNS query, Kerio Control can perform a local DNS lookup in the hosts table or among the hostnames found in the DHCP lease table.
- Combine the field When resolving name from the hosts table or lease table with the DNS domain entry below and specify the name of your local DNS domain. There are two reasons for this:
- DNS names in the hosts table can be specified without the local domain (for example, jsmith-pc). The DNS module can complete the query with the local domain.
- A host can send the DNS query in the jsmith-pc.example.com format. If the DNS module knows the local domain (example.com), the name is divided into the host and local domain as indicated below:
- host: jsmith-pc
- local domain: example.com
- Click Apply.
Configuring Custom DNS Forwarding
The DNS module allows selected DNS requests to be forwarded to other DNS servers. This is helpful when a local DNS server handles the local domain: all other DNS queries are forwarded directly to the Internet, which speeds up responses.
Note: DNS forwarder settings also play a role in the configuration of private networks where it is necessary to provide correct forwarding of requests for names in domains of remote subnets.
Rules for DNS names or subnets define request forwarding and are ordered in a list that is processed from the top with the following outcomes:
- If a DNS name or a subnet in a request matches a rule, the request is forwarded to the corresponding DNS server.
- Queries that do not match any rule are forwarded to the default DNS servers.
Note: If the simple DNS resolution is enabled, the forwarding rules are applied only if the DNS module is not able to respond by using the information in the hosts table and the DHCP lease table.
Defining Rules
For custom DNS forwarding, follow these steps to define the rules:
- Configure simple DNS resolution.
- Select Enable custom DNS forwarding to enable the forwarding of certain DNS queries to other DNS servers, and click Edit.
- In the Custom DNS Forwarding dialog, click Add. The rule can be defined for:
- Common DNS queries ('A' queries); and
- Reverse queries ('PTR' queries).
Note: Arrow buttons can reorder the rules. This enables more complex combinations of rules, for example, exceptions for certain workstations or subdomains. As the rule list is processed from the top downwards, rules should be ordered starting with the most specific one (e.g., the name of a particular computer) and ending with the most general one at the bottom (e.g., the main domain of the company). Similarly, the rules for reverse DNS queries should be ordered by subnet mask length (e.g., with 255.255.255.0 at the top and 255.0.0.0 at the bottom). Rules for name queries and rules for reverse queries are independent of each other.
- In the Custom DNS Forwarding dialog, you can create these types of rules:
- Match DNS query name: Specify the corresponding DNS name (the name of a host in the domain). In rules for DNS requests, enter an expression that matches the full DNS name. If, for example, the expression kerio.c* is entered, only the names kerio.cz, kerio.com, etc. match the rule; hostnames within these domains (such as www.kerio.cz and secure.kerio.com) do not.
- Match IP address from reverse DNS query: Specify a rule for DNS queries on IP addresses in a particular subnet (e.g., 192.168.1.0/255.255.255.0).
- Use the Forward the query field to specify the IP addresses of one or more DNS servers to which the queries will be forwarded.
- If multiple DNS servers are specified, they are considered as primary, secondary, etc.
- If the Do not forward option is checked, DNS queries will not be forwarded to any other DNS server, and Kerio Control will search only in the hosts table or in the DHCP server table.
- If the requested name or IP address is not found, the non-existence of the name/address is reported to the client.
- Save the settings and create another rule if needed.
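The lookup order described in both sections (local hosts/lease tables first, then top-down custom rules with full-name matching and "Do not forward", then the default servers, with reverse rules kept separate) can be modelled to check that a rule list behaves as intended. This is an added illustration, not Kerio Control's own code; every name, address and rule in it is constructed.

```python
import fnmatch
import ipaddress

# Constructed configuration modelling the lookup order described above; all
# names and addresses are made up, and this is not Kerio Control's own code.
LOCAL_DOMAIN = "example.com"
HOSTS_TABLE = {"jsmith-pc": "192.168.1.20"}   # hosts table, names without the local domain
DHCP_LEASES = {"printer": "192.168.1.30"}     # hostnames taken from the DHCP lease table
DEFAULT_SERVERS = ["198.51.100.53"]
# Name rules, processed top-down: most specific first, most general last.
# servers=None models the "Do not forward" option.
NAME_RULES = [
    ("pc7.branch.example.com", ["10.0.0.53"]),  # one particular computer
    ("*.branch.example.com",   ["10.1.0.53"]),  # a subdomain
    ("kerio.c*",               ["10.2.0.53"]),  # kerio.cz, kerio.com; not www.kerio.cz
    ("*.example.com",          None),           # rest of the local domain: local tables only
]
# Reverse rules are independent of the name rules and ordered by mask length.
REVERSE_RULES = [
    ("192.168.1.0/24", ["192.168.1.1"]),   # 255.255.255.0 at the top
    ("192.0.0.0/8",    ["192.0.2.53"]),    # 255.0.0.0 at the bottom
]

def split_local(name):
    """Split 'jsmith-pc.example.com' into ('jsmith-pc', 'example.com')."""
    name = name.rstrip(".").lower()
    suffix = "." + LOCAL_DOMAIN
    if name.endswith(suffix):
        return name[:-len(suffix)], LOCAL_DOMAIN
    return name, None

def resolve_name(name):
    """Return ('local', ip), ('forward', servers) or ('nxdomain', None)."""
    host, _ = split_local(name)
    # 1. Local lookup in the hosts table and the DHCP lease table.
    for table in (HOSTS_TABLE, DHCP_LEASES):
        if host in table:
            return ("local", table[host])
    # 2. Custom forwarding rules; the pattern must match the full query name.
    full = name.rstrip(".").lower()
    for pattern, servers in NAME_RULES:
        if fnmatch.fnmatchcase(full, pattern):
            return ("forward", servers) if servers else ("nxdomain", None)
    # 3. Anything else goes to the default DNS servers.
    return ("forward", DEFAULT_SERVERS)

def resolve_reverse(ip):
    """First matching subnet rule wins; otherwise use the default servers."""
    addr = ipaddress.ip_address(ip)
    for subnet, servers in REVERSE_RULES:
        if addr in ipaddress.ip_network(subnet):
            return ("forward", servers)
    return ("forward", DEFAULT_SERVERS)
```

Swapping the order of the first two name rules makes `pc7.branch.example.com` land on the subdomain server instead, which is the mis-ordering the note above warns about.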