Kerio WinRoute Firewall provides (among others) services for remote access from the Internet to the local network (VPN server — see chapter 23 Kerio VPN and the Clientless SSL-VPN interface — see chapter 24 Kerio Clientless SSL-VPN). Other services can also be accessible from the Internet — e.g. the Kerio StaR interface (see chapter 21 Kerio StaR — statistics and reporting), remote administration of WinRoute by the Administration Console (see chapter 16.1 Setting Remote Administration) or any other service (e.g. web server in local network — see chapter 7.4 Basic Traffic Rule Types). These services are available at the firewall's public IP address. If this IP address is static and a corresponding DNS record exists for it, the corresponding name can be used for access to a given service (e.g. server.company.com). If there is no corresponding DNS record, it is necessary to remember the firewall's IP address and use it for access to all services. If the public IP address is dynamic (i.e. it changes), it is extremely difficult or even impossible to connect to these services from the Internet.
This problem is solved by WinRoute's support for dynamic DNS. Dynamic DNS provides a DNS record for a specific server name which always holds the current IP address. Mapped services thus stay available under the same server name, regardless of whether and how often the IP address changes.
Dynamic DNS (DDNS) is a service providing automatic update of IP address in DNS record for the particular host name. Typically, two versions of DDNS are available:
free — user can choose from several second level domains (e.g. no-ip.org, ddns.info, etc.) and select a free host name for the domain (e.g. company.ddns.info).
paid service — user registers their own domain (e.g. company.com) and the service provider then provides DNS server for this domain with the option of automatic update of records.
The user of the service gets an account which is used for access authentication (this guarantees that only authorized users can update DNS records). The update is performed via a secured connection (typically HTTPS) to make sure that the traffic cannot be tapped. Dynamic DNS records can be updated either manually by the user or (mostly) by specialized software — WinRoute in this case.
If cooperation with dynamic DNS is enabled in WinRoute, a request for update of the IP address in dynamic DNS is sent upon any change of the Internet interface's IP address (including switching between primary and secondary Internet connection — see chapter 6.3 Connection Failover). This keeps the DNS record up to date, so mapped services may be accessed by the corresponding host name.
Note:
Usage of DDNS follows conditions of the particular provider.
Dynamic DNS records use very short time-to-live (TTL) and, therefore, they are kept in cache of other DNS servers or forwarders for a very short time. Probability that the client receives DNS response with an invalid (old) IP address is, therefore, very low.
Some DDNS servers also allow concurrent update of multiple records. Wildcards are used for this purpose.
Example: In DDNS there exist two host names, both linked to the public IP address of the firewall: fw.company.com and server.company.com. If the IP address is changed, it is therefore possible to send a single request for update of DNS records with name *.company.com. This request starts the update of DNS records of both names.
To set cooperation with the dynamic DNS server, go to the Dynamic DNS folder in Configuration → Advanced Options.
As already mentioned, the first step is to make an account (i.e. required dynamic DNS record with appropriate access rights) at a DDNS provider. WinRoute now supports these DDNS providers:
ChangeIP (http://www.changeip.com/),
DynDNS (http://www.dyndns.org/),
No-IP (http://www.no-ip.com/).
On the Dynamic DNS tab, select a DDNS provider, enter DNS name for which dynamic record will be kept updated and set user name and password for access to updates of the dynamic record. If DDNS supports wildcards, they can be used in the host name.
Once this information is defined, it is recommended to test update of dynamic DNS record by clicking on
. This verifies that automatic update works well (the server is available, set data is correct, etc.) and also updates the corresponding DNS record (IP address of the firewall could have changed since the registration or the last manual update).
If an error occurs while attempting to update DNS record, an error is reported on the Dynamic DNS tab providing closer specification of the error (e.g. DDNS server is not available, user authentication failed, etc.). This report is also recorded in the error log.
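The update cycle described above (authenticated HTTPS request sent on an IP address change, with the error cases reported back) can be sketched as follows. This is an added example, not WinRoute's code: it assumes the dyndns2-style update protocol (path /nic/update, parameters hostname and myip, text return codes), which the page does not name, and the endpoint URL, function names and sample values are hypothetical.

```python
import base64
import ipaddress
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Assumption: dyndns2-style return codes; the page does not list them.
RETRYABLE = {"dnserr", "911"}   # provider-side problem, retry later
FATAL = {"badauth", "nohost", "notfqdn", "abuse", "badagent", "numhost", "!donator"}


def build_update(endpoint, hostname, ip, user, password):
    """Build (not send) the authenticated update request for one host name."""
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("refusing to send DDNS credentials over a non-HTTPS URL")
    addr = ipaddress.ip_address(ip)
    if not addr.is_global:
        raise ValueError(f"{ip} is not a public address; services would be unreachable")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    url = f"{endpoint}?{urlencode({'hostname': hostname, 'myip': str(addr)})}"
    # Credentials go in the Authorization header, never in the query string,
    # so they do not end up in proxy or server access logs.
    return Request(url, headers={"Authorization": f"Basic {token}",
                                 "User-Agent": "ddns-example/1.0"})


def classify(body):
    """Map a provider response line to (status, detail)."""
    code, _, detail = body.strip().partition(" ")
    if code in ("good", "nochg"):
        return ("updated" if code == "good" else "unchanged"), detail
    if code in RETRYABLE:
        return "retry", code
    if code in FATAL:
        return "error", code    # stop retrying; fix the configuration first
    return "error", "unrecognized response"


def needs_update(last_sent_ip, current_ip):
    """Send an update only when the Internet interface address has changed."""
    return last_sent_ip != current_ip


if __name__ == "__main__":
    # Constructed sample values; the endpoint is a placeholder, not a provider URL.
    req = build_update("https://ddns.example.invalid/nic/update",
                       "company.ddns.info", "8.8.8.8", "user", "secret")
    print(req.full_url, classify("good 8.8.8.8"), classify("badauth"))
```

Treating codes such as badauth as fatal matters operationally: a client that keeps retrying with wrong credentials can be flagged for abuse by the provider.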