8.1  DNS plug-in

In WinRoute, the DNS Forwarder plug-in can be used to simplify DNS configuration for hosts within local networks and to speed up responses to repeated DNS queries. On local hosts, DNS can be configured by taking the following actions:

If possible, it is recommended to use the DNS plug-in as the primary DNS server for LAN hosts (the last option). The DNS plug-in processes DNS requests quickly and routes them correctly in more complex network configurations. It can answer repeated requests and requests for local DNS names directly, without needing to contact DNS servers on the Internet.

If the DNS plug-in cannot answer a DNS request on its own, it forwards the request to the DNS servers set for the Internet link through which the request is sent. For details on configuring the firewall's network interfaces, see chapter 5  Network interfaces; for more on Internet connection options, refer to chapter 6  Internet Connection.

The DNS plug-in configuration

By default, the DNS server (the DNS forwarder service), the cache (for faster responses to repeated requests) and the simple DNS name resolver are enabled in WinRoute.

The configuration can be fine-tuned in Configuration → DNS.

Figure 8.1. DNS settings


Enable DNS forwarder

This option enables the DNS server in WinRoute. Without further configuration, all DNS requests are forwarded to the DNS servers of the corresponding Internet interface.

If the DNS forwarder service is disabled, the DNS plug-in is used only as WinRoute's own DNS resolver.

Warning

If the DNS forwarder is not needed in your network configuration, it can be switched off. If you want to run another DNS server on the same host, the DNS forwarder must be disabled; otherwise a collision occurs on the DNS service's port (53/UDP).

Enable cache for faster response of repeated queries

If this option is on, all responses are stored in the local DNS cache. Responses to repeated queries will be much faster (the same query sent by different clients also counts as a repeated query).

Physically, the DNS cache is kept in RAM. However, all DNS records are also saved to the DnsCache.cfg file (see chapter 25.2  Configuration files). This means that the records in the DNS cache are kept even after the WinRoute Firewall Engine is stopped or the firewall is shut down.

Note:

  1. The period for which a DNS record is kept in the cache is specified individually in each record (usually 24 hours).

  2. Use of the DNS cache also speeds up WinRoute's non-transparent proxy server (see chapter 8.4  Proxy server).

Clear cache

Clears all records from the DNS cache (regardless of their lifetime). This can be helpful e.g. after configuration changes, for dial-up testing, error detection, etc.

Use custom forwarding

Use this option to enable settings for forwarding certain DNS queries to other DNS servers (see below).

Simple DNS resolution

The DNS plug-in can answer some DNS requests on its own, typically requests for local host names. No other DNS server is then required in the local network, nor is it necessary to publish information about local hosts in the public DNS. For hosts configured automatically by DHCP (see chapter 8.2  DHCP server), the response always includes the host's current IP address.

Before forwarding a query...

These options specify where the DNS plug-in searches for the name or IP address before the query is forwarded to another DNS server.

  • 'hosts' file — this file exists in every operating system supporting TCP/IP. Each line of the file contains a host IP address and a list of DNS names for that address. When a DNS query is received, this file is checked first to find out whether the requested name or IP address is listed. If not, the query is forwarded to a DNS server.

    If this option is on, the DNS plug-in follows the same rule. Use the Edit button to open a special editor in which the hosts file can be edited from within the Administration Console, even when the console is connected to WinRoute remotely (from another host).

    Figure 8.2. Editor of the Hosts system file


  • DHCP lease table — if the hosts in the local network are configured by the DHCP server in WinRoute (see chapter 8.2  DHCP server), the DHCP server knows which IP address has been assigned to each host. After the system starts, the host sends a request for an IP address which includes the name of the host.

    The DNS plug-in can access the DHCP lease table and find out which IP address has been assigned to the host name. When asked for the local name of a host, the DNS Forwarder always responds with the current IP address. In effect, this is a form of dynamic DNS update.

Note: If both options are disabled, the DNS plug-in forwards all queries to other DNS servers.

Local DNS domain

In the When resolving name from the 'hosts' file or lease table combine it with DNS domain below entry, specify the name of the local DNS domain.

When a host or network device requests an IP address, it uses its name only (it does not know the domain yet). Therefore, only host names without the domain are stored in the table of addresses leased by the DHCP server. The DNS plug-in needs to know the name of the local domain in order to answer queries for fully qualified local DNS names (names including the domain).

Note: If the local domain is specified in the DNS plug-in, local names can be recorded in the hosts system file either with or without the domain.

The problem can be better understood through the following example.

Example

The local domain's name is company.com. The host called john is configured to obtain an IP address from the DHCP server. After its operating system starts, the host sends the DHCP server a request which includes its name (john). The DHCP server assigns the host the IP address 192.168.1.56 and keeps a record that this IP address is assigned to the john host.

Another host that wants to communicate with this host sends a query for the name john.company.com (the john host in the company.com domain). If the DNS plug-in did not know the local domain name, the forwarder would pass the query to another DNS server, since it would not recognize the name as a local host. However, because the DNS Forwarder knows the local domain name, the company.com part is stripped off and the john host with its IP address is easily looked up in the DHCP table.
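The lookup order described above (hosts file first, then the DHCP lease table, with the local domain stripped off before the lease table is consulted, and "forward" as the fallback) can be modelled in a few lines. The following is an added illustration written for this page, not WinRoute's own code; the hosts file content, the lease table and the company.com domain are constructed sample data, and the function names are the example's own.

```python
"""Model of 'Simple DNS resolution': answer local names from a hosts file and a
DHCP lease table before forwarding. Added example, not WinRoute's own code."""
from typing import Dict, Optional

# Constructed sample hosts file (entries may carry the domain or not).
HOSTS_FILE = """\
# address        names...
192.168.1.10     printer printer.company.com
192.168.1.20     nas
"""

# Constructed DHCP lease table: DHCP clients register their bare host name,
# without a domain, so the keys here never contain a dot.
DHCP_LEASES: Dict[str, str] = {"john": "192.168.1.56"}

LOCAL_DOMAIN = "company.com"   # the 'combine it with DNS domain below' entry


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every name on each hosts-file line to the line's address.
    '#' starts a comment; names are compared case-insensitively."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table[name.lower().rstrip(".")] = addr
    return table


def strip_local_domain(name: str, domain: str) -> str:
    """'john.company.com' -> 'john'; a name outside the local domain is returned
    unchanged, so it can never match a bare lease-table entry by accident."""
    name = name.lower().rstrip(".")
    suffix = "." + domain.lower()
    return name[: -len(suffix)] if name.endswith(suffix) else name


def resolve_locally(qname: str, hosts: Dict[str, str], leases: Dict[str, str],
                    domain: str, use_hosts: bool = True,
                    use_leases: bool = True) -> Optional[str]:
    """Return the address for a name query answered from local sources, or
    None, meaning 'forward the query to another DNS server'."""
    full = qname.lower().rstrip(".")
    short = strip_local_domain(full, domain)
    if use_hosts:
        # hosts entries may be written with or without the local domain
        for candidate in (full, short):
            if candidate in hosts:
                return hosts[candidate]
    if use_leases and short in leases:
        return leases[short]
    return None   # neither source knows the name: forward it


def lookup(qname: str, use_hosts: bool = True, use_leases: bool = True) -> Optional[str]:
    """Convenience wrapper over the constructed sample data above."""
    return resolve_locally(qname, parse_hosts(HOSTS_FILE), DHCP_LEASES,
                           LOCAL_DOMAIN, use_hosts, use_leases)


if __name__ == "__main__":
    for q in ("john.company.com", "john", "nas.company.com", "www.kerio.com"):
        print(f"{q:20} -> {lookup(q) or 'forward'}")
```

With both options switched off, `lookup(..., use_hosts=False, use_leases=False)` returns None for everything, which is the "forward all queries" behaviour the note above describes.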

Enable DNS forwarding

The DNS plug-in allows forwarding of certain DNS requests to specific DNS servers. This is useful, for example, when a local DNS server is to be used for the local domain (all other DNS queries are forwarded to the Internet directly, which speeds up responses). The DNS forwarder's settings also play a role in the configuration of private networks, where requests for names in the domains of remote subnets must be forwarded correctly (for details, see chapter 23  Kerio VPN).

Request forwarding is defined by rules for DNS names or subnets. The rules form an ordered list which is processed from the top. If the DNS name or subnet in a request matches a rule, the request is forwarded to the corresponding DNS server. Queries which match no rule are forwarded to the “default” DNS servers (see above).

Note: If Simple DNS resolution is enabled (see above), the forwarding rules are applied only if the DNS plug-in cannot respond using the information in the hosts system file and/or the DHCP lease table.

Clicking the Define button in the DNS plug-in configuration (see figure 8.1  DNS settings) opens a dialog for defining the rules for forwarding DNS queries.

Figure 8.3. Specific settings of DNS forwarding


A rule can be defined for:

  • a DNS name — queries for the addresses of computers with matching names (so-called A queries) are forwarded to the specified DNS server

  • a subnet — queries for the names of IP addresses in the particular subnet (reverse queries, i.e. PTR queries) are forwarded to the specified DNS server

Rules can be reordered with the arrow buttons. This allows more complex combinations of rules, e.g. exceptions for certain workstations or subdomains. Because the list is processed from top to bottom, rules should be ordered from the most specific (e.g. the name of a particular computer) at the top to the most general (e.g. the company's main domain) at the bottom. Similarly, rules for reverse DNS queries should be ordered by subnet mask length, with the longest mask at the top (e.g. 255.255.255.0) and the shortest at the bottom (e.g. 255.0.0.0). Rules for name queries and rules for reverse queries are independent of each other. For clarity, it is recommended to list all rules for name queries first and then all rules for reverse queries, or vice versa.

Click on the Add or the Edit button to open a dialog where custom DNS forwarding rules can be defined.

Figure 8.4. DNS forwarding — a new rule


  • The Name DNS query option specifies a rule for name queries. Use the If the queried name matches entry to specify the DNS name to match (the name of a host in the domain).

    It is usually desirable to forward queries for entire domains rather than for specific names. The domain name may therefore contain the * wildcard (asterisk, substitutes any number of characters) and/or ? (question mark, substitutes a single character). The rule is applied to all names matching the string (hosts, domains, etc.).

    Example:

    The DNS name is represented by the string ?erio.c*. The rule is applied to all names in the domains kerio.com, cerio.com, aerio.c, etc., such as www.kerio.com, secure.kerio.com, www.aerio.c, etc.

    Warning

    In rules for DNS requests, the expression must match the full DNS name! If, for example, the expression kerio.c* is entered, only the names kerio.cz, kerio.com, etc. match the rule; host names within these domains (such as www.kerio.cz and secure.kerio.com) do not!

  • Use the Reverse DNS query alternative to specify a rule for DNS queries for IP addresses in a particular subnet. The subnet is specified by a network address and the corresponding mask (e.g. 192.168.1.0 / 255.255.255.0).

  • Use the Then forward query to DNS Server(s) field to specify the IP address(es) of one or more DNS servers to which the queries will be forwarded.

    If multiple DNS servers are specified, they are treated as primary, secondary, etc.

    If the Do not forward option is checked, DNS queries are not forwarded to any other DNS server; WinRoute searches only the local hosts file or the DHCP tables (see above). If the requested name or IP address is not found, the client is told that the name/address does not exist.
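The rule semantics described in this section (top-down processing, * and ? wildcards that must cover the full name, reverse rules matched against the subnet of the address in a PTR query, an empty server list for Do not forward, and the default servers as the fallback) can be checked against sample rules with the following model. It is an added example written for this page, not WinRoute's own code; the rule list, the server addresses and the default-server placeholder are constructed, and the function names are the example's own. The model treats a name rule as applying only to non-PTR names, which is its own simplification.

```python
"""Model of DNS forwarding rules: name patterns with * and ? wildcards, reverse
rules for subnets, top-down matching. Added example, not WinRoute's own code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed placeholder for the Internet link's DNS servers (TEST-NET-3).
DEFAULT_SERVERS: List[str] = ["203.0.113.53"]


@dataclass
class Rule:
    """One forwarding rule: exactly one of name_pattern / subnet is set.
    An empty servers list stands for the 'Do not forward' option."""
    servers: List[str]
    name_pattern: Optional[str] = None
    subnet: Optional[ipaddress.IPv4Network] = None


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the dialog's pattern into a regex anchored at both ends, so the
    pattern has to match the whole name ('kerio.c*' will not match 'www.kerio.cz')."""
    parts = []
    for ch in pattern.lower():
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def name_matches(pattern: str, qname: str) -> bool:
    return pattern_to_regex(pattern).match(qname.lower().rstrip(".")) is not None


def ptr_to_address(qname: str) -> Optional[ipaddress.IPv4Address]:
    """'56.1.168.192.in-addr.arpa' -> 192.168.1.56; None if not a PTR name."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def choose_servers(rules: List[Rule], qname: str) -> List[str]:
    """Walk the rules from the top; the first match decides. Name rules are
    tried for name queries, subnet rules for PTR queries; no match at all
    means the default servers. An empty result means 'answer locally only'."""
    addr = ptr_to_address(qname)
    for rule in rules:
        if addr is None and rule.name_pattern is not None:
            if name_matches(rule.name_pattern, qname):
                return rule.servers
        elif addr is not None and rule.subnet is not None:
            if addr in rule.subnet:
                return rule.servers
    return DEFAULT_SERVERS


# Constructed rule list, ordered as the text recommends: the single-host
# exception first, then the domain, then the reverse rules by mask length.
RULES: List[Rule] = [
    Rule(["192.168.1.2"], name_pattern="secure.kerio.cz"),      # exception for one host
    Rule(["192.168.1.1"], name_pattern="*.kerio.cz"),           # hosts in the domain
    Rule(["192.168.1.1"], name_pattern="kerio.cz"),             # the domain itself
    Rule([], name_pattern="*.local"),                           # Do not forward
    Rule(["192.168.1.1"], subnet=ipaddress.IPv4Network("192.168.1.0/255.255.255.0")),
    Rule(["10.0.0.1"], subnet=ipaddress.IPv4Network("10.0.0.0/255.0.0.0")),
]


if __name__ == "__main__":
    for q in ("secure.kerio.cz", "www.kerio.cz", "kerio.cz", "printer.local",
              "www.example.org", "56.1.168.192.in-addr.arpa", "1.2.3.10.in-addr.arpa"):
        print(f"{q:28} -> {choose_servers(RULES, q) or 'do not forward'}")
```

Reversing `RULES` reproduces the ordering mistake the text warns about: the general `*.kerio.cz` rule is then reached before the `secure.kerio.cz` exception and the exception never fires.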