In WinRoute, the DNS Forwarder plug-in can be used to simplify DNS configuration for hosts within the local network and to speed up responses to repeated DNS queries. On local hosts, DNS can be configured in one of the following ways:
Use the IP address of the primary or backup DNS server on the Internet. This carries the risk of slow DNS responses, because every request from every computer in the local network is sent to the Internet.
Use a DNS server within the local network (if one is available). This server must be allowed to access the Internet so that it can also answer queries for names outside the local domain.
Use the DNS plug-in in WinRoute. It can also serve as a basic DNS server for the local domain and/or as a forwarder for an existing server.
If possible, it is recommended to use the DNS plug-in as the primary DNS server for LAN hosts (the last option). The DNS plug-in processes DNS requests quickly and routes them correctly in more complex network configurations. It can answer repeated requests and requests for local DNS names directly, without contacting DNS servers on the Internet.
If the DNS plug-in cannot answer a DNS request on its own, it forwards the request to the DNS server set for the Internet link through which the request is sent. For configuration of the firewall's network interfaces, see chapter 5 Network interfaces; for Internet connection options, see chapter 6 Internet Connection.
By default, the DNS server (the DNS forwarder service), the cache (for faster responses to repeated requests) and the simple DNS name resolver are enabled in WinRoute.
The configuration can be fine-tuned in Configuration → DNS.
This option enables the DNS server in WinRoute. Without further configuration, all DNS requests are forwarded to the DNS servers of the corresponding Internet interface.
If the DNS forwarder service is disabled, the DNS plug-in acts only as WinRoute's own DNS resolver.
If the DNS forwarder is not needed in your network configuration, it can be switched off. If you want to run another DNS server on the same host, the DNS forwarder must be disabled; otherwise the two services collide on the DNS service port (53/UDP).
If this option is on, all responses are stored in the local DNS cache, so responses to repeated queries are much faster (the same query sent by different clients also counts as a repeated query).
The DNS cache is physically kept in RAM, but all DNS records are also saved to the DnsCache.cfg file (see chapter 25.2 Configuration files). This means that the records in the DNS cache are kept even after the WinRoute Firewall Engine is stopped or the firewall is shut down.
Note: The time period for which a record is kept in the cache is specified individually in each record (usually 24 hours).
Use of the DNS cache also speeds up WinRoute's non-transparent proxy server (see chapter 8.4 Proxy server).
Clears all records from the DNS cache (regardless of their lifetime). This can be helpful, for example, after configuration changes, for dial-up testing, for error detection, etc.
Use this option to enable the settings for forwarding certain DNS queries to other DNS servers (see below).
The DNS plug-in can answer some DNS requests on its own, typically requests for local host names. No other DNS server is then required in the local network, nor is it necessary to publish information about local hosts in the public DNS. For hosts configured automatically by the DHCP protocol (see chapter 8.2 DHCP server), the response always contains the host's current IP address.
These options set where the DNS plug-in searches for the name or IP address before the query is forwarded to another DNS server.
'hosts' file — this file exists on every operating system that supports TCP/IP. Each row contains an IP address followed by a list of DNS names for that address. When a DNS query is received, this file is checked first to see whether it contains the requested name or IP address; if not, the query is forwarded to a DNS server.
If this option is on, the DNS plug-in follows the same rule. Use the corresponding button to open a special editor in which the hosts file can be edited from the Administration Console, even when the console is connected to WinRoute remotely (from another host).
DHCP lease table — if the hosts in the local network are configured by the DHCP server in WinRoute (see chapter 8.2 DHCP server), the DHCP server knows which IP address it assigned to each host: when a host starts, its request for an IP address includes the host's name.
The DNS plug-in can read the DHCP lease table and find out which IP address was assigned to a given host name. When asked for a local host name, the DNS Forwarder therefore always responds with the current IP address. In effect, this is a form of dynamic DNS update.
Note: If both options are disabled, the DNS plug-in forwards all queries to other DNS servers.
In the When resolving name from the 'hosts' file or lease table combine it with DNS domain below entry, specify the name of the local DNS domain.
When a host or network device requests an IP address, it sends only its name (it does not know its domain yet). Therefore, only host names without a domain are stored in the table of addresses leased by the DHCP server. The DNS plug-in needs to know the local domain name in order to answer queries for fully qualified local DNS names (names including the domain).
Note: If the local domain is specified in the DNS plug-in, local names can be recorded in the hosts system file either with or without the domain.
The problem can be better understood through the following example.
The local domain's name is company.com. The host called john is configured to obtain an IP address from the DHCP server. After its operating system starts, the host sends the DHCP server a request that includes its name (john). The DHCP server assigns the host the IP address 192.168.1.56 and records that this address is assigned to the host john.
Another host that wants to communicate with it sends a query for the name john.company.com (the host john in the company.com domain). If the DNS plug-in did not know the local domain name, the forwarder would pass the query to another DNS server, as it would not recognize the name as a local host. Since the DNS Forwarder knows the local domain name, it separates company.com from the name and easily looks up the host john, with its current IP address, in the DHCP lease table.
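The local-resolution step from the example above, as an added illustration that is not part of the original manual or WinRoute's own code. It assumes a constructed hosts file and lease table and the domain company.com; the hosts file is consulted first, then the lease table, and only the configured local domain is stripped before the lookup.

```python
# Constructed sample data for this example: a hosts file in the format WinRoute
# reads (IP address followed by its names) and a DHCP lease table, which holds
# only the short host name because clients request an address by name alone.
HOSTS_FILE = """\
# constructed hosts file
127.0.0.1     localhost
192.168.1.20  printer printer.company.com
"""
DHCP_LEASES = {"john": "192.168.1.56"}  # short name -> currently leased address
LOCAL_DOMAIN = "company.com"

def parse_hosts(text):
    """Map each name on a row (lower-cased) to the IP address at the start of that row."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank rows
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            table[name.lower()] = ip
    return table

def resolve_local(qname, hosts=None, leases=None, local_domain=LOCAL_DOMAIN):
    """Return the IP address the DNS plug-in can answer itself, or None if the
    query has to be forwarded to another DNS server."""
    hosts = parse_hosts(HOSTS_FILE) if hosts is None else hosts
    leases = DHCP_LEASES if leases is None else leases
    name = qname.lower().rstrip(".")
    # Strip the configured local domain, so john.company.com is looked up as john.
    # Names in other domains are left intact and therefore never match a lease.
    suffix = "." + local_domain.lower()
    short = name[:-len(suffix)] if name.endswith(suffix) else name
    # The hosts file is checked first; it may list names with or without the domain.
    for candidate in (name, short):
        if candidate in hosts:
            return hosts[candidate]
    # Then the DHCP lease table, which always yields the current address.
    return leases.get(short)
```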
The DNS plug-in can forward certain DNS requests to specific DNS servers. This is helpful, for example, when a local DNS server is used for the local domain (all other DNS queries are forwarded directly to the Internet, which speeds up responses). The DNS forwarder's settings also play a role in private networks, where requests for names in the domains of remote subnets must be forwarded correctly (for details, see chapter 23 Kerio VPN).
Request forwarding is defined by rules for DNS names or subnets. The rules form an ordered list that is processed from the top. If the DNS name or subnet in a request matches a rule, the request is forwarded to the corresponding DNS server. Queries that match no rule are forwarded to the "default" DNS servers (see above).
Note: If Simple DNS resolution is enabled, the forwarding rules are applied only if the DNS plug-in cannot respond using the hosts system file and/or the DHCP lease table.
Clicking the corresponding button in the DNS plug-in configuration (see figure 8.1 DNS settings) opens a dialog for defining rules for forwarding DNS queries. A rule can be defined for:
DNS name — queries for names of computers (so-called A queries) are forwarded to the given DNS server
a subnet — queries for IP addresses in the given subnet (reverse domain, so-called PTR queries) are forwarded to the given DNS server
Rules can be reordered with the arrow buttons. This allows more complex combinations of rules, e.g. exceptions for certain workstations or subdomains. As the rule list is processed from the top down, rules should be ordered from the most specific one (e.g. the name of a particular computer) at the top to the most general one (e.g. the company's main domain) at the bottom. Similarly, rules for reverse DNS queries should be ordered by subnet mask length (e.g. 255.255.255.0 at the top and 255.0.0.0 at the bottom). Rules for name queries and rules for reverse queries are independent of each other. For easier reference, it is recommended to list all rules for name queries first and then all rules for reverse queries, or vice versa.
Click the corresponding button to open a dialog where custom DNS forwarding rules can be defined. The Name DNS query option specifies a rule for name queries. In the If the queried name matches entry, specify the corresponding DNS name (the name of a host in the domain).
It is usually desirable to forward queries for entire domains rather than for specific names. A domain name specification may therefore contain the * wildcard (asterisk, which substitutes any number of characters) and/or ? (question mark, which substitutes a single character). The rule applies to all names matching the string (hosts, domains, etc.).
Example: the DNS name is represented by the string ?erio.c*. The rule applies to all names in the domains kerio.com, cerio.com, aerio.c, etc., such as www.kerio.com, secure.kerio.com, www.aerio.c, etc.
In rules for DNS requests, the expression must match the full DNS name. If, for example, the expression kerio.c* is used, only the names kerio.cz, kerio.com, etc. match the rule; host names within these domains (such as www.kerio.cz and secure.kerio.com) do not.
Use the Reverse DNS query alternative to specify a rule for DNS queries on IP addresses in a particular subnet. The subnet is specified by a network address and the corresponding mask (e.g. 192.168.1.0 / 255.255.255.0).
Use the Then forward query to DNS Server(s) field to specify the IP address(es) of one or more DNS servers to which matching queries will be forwarded. If multiple DNS servers are specified, they are treated as primary, secondary, etc.
If the Do not forward option is checked, DNS queries are not forwarded to any other DNS server: WinRoute searches only the local hosts file or the DHCP lease table. If the requested name or IP address is not found, the client is told that the name/address does not exist.
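The rule processing described above (first match from the top, full-name wildcard matching for A queries, subnet matching for PTR queries, and the Do not forward option), as an added example that is not part of the manual or of WinRoute itself. The rule list and all addresses are constructed for this illustration; the lint function at the end goes beyond the text and reports rules that a more general rule above them makes unreachable, which is the misordering the text warns against.

```python
import fnmatch
import ipaddress

# Constructed rule list in the order the manual recommends: most specific name
# rule first, reverse rules with the longest mask first. servers=None models the
# "Do not forward" option. All addresses are constructed for this example.
RULES = [
    ("name", "john.company.com", ["192.168.1.10"]),  # exception for one workstation
    ("name", "*.company.com", ["192.168.1.2"]),      # the rest of the local domain
    ("name", "kerio.c*", ["10.0.0.53"]),             # matches kerio.cz, not www.kerio.cz
    ("reverse", "192.168.1.0/255.255.255.0", ["192.168.1.2"]),
    ("reverse", "10.0.0.0/255.0.0.0", None),         # resolve locally only
]
DEFAULT_SERVERS = ["203.0.113.53"]  # the "default" DNS server of the Internet link

def to_network(subnet_spec):
    """Parse the manual's 'network / mask' notation into an ip_network."""
    network, mask = (part.strip() for part in subnet_spec.split("/"))
    return ipaddress.ip_network(f"{network}/{mask}", strict=False)

def name_matches(pattern, qname):
    """The whole query name must match: '*' is any run of characters, '?' one character."""
    return fnmatch.fnmatchcase(qname.lower().rstrip("."), pattern.lower())

def select_forwarders(qtype, target):
    """First matching rule wins; returns its server list (None = do not forward)
    or DEFAULT_SERVERS when no rule matches."""
    for kind, pattern, servers in RULES:
        if qtype == "A" and kind == "name" and name_matches(pattern, target):
            return servers
        if qtype == "PTR" and kind == "reverse":
            if ipaddress.ip_address(target) in to_network(pattern):
                return servers
    return DEFAULT_SERVERS

def shadowed_rules(rules=RULES):
    """Lint the order: report rules that can never fire because an earlier rule of
    the same kind already covers them (a general rule placed above a specific one).
    For name rules this is a heuristic: the later pattern is matched as if it were a name."""
    shadowed = []
    for i, (kind, pattern, _) in enumerate(rules):
        for earlier_kind, earlier, _ in rules[:i]:
            if earlier_kind != kind:
                continue
            covered = (fnmatch.fnmatchcase(pattern.lower(), earlier.lower()) if kind == "name"
                       else to_network(pattern).subnet_of(to_network(earlier)))
            if covered:
                shadowed.append(pattern)
                break
    return shadowed
```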