Kerio Tech KERIO WINROUTE FIREWALL 6 User Manual


Chapter 25

Specific settings and troubleshooting

348

from the local host to the Internet, the packet will be dropped by the operating system before the WinRoute driver is able to capture it.

2. Typically the server is represented by its DNS name in traffic between clients and an Internet server. Therefore, the first packet sent by a client is the DNS query that resolves the host name to an IP address.

In this example, the DNS server is the WinRoute host (a very common setup) and the Internet line is disconnected. A client's request to this DNS server is traffic within the local network and, therefore, it will not result in dialing the line. If the DNS server does not have the appropriate entry in its cache, it must forward the request to another server on the Internet. The packet is sent to the Internet by the local DNS client running on the WinRoute host. This packet cannot be held and it will not cause dialing of the line. Therefore, the DNS request cannot be answered and the traffic cannot continue.

For these reasons, WinRoute's DNS module enables automatic dialing (if the DNS server cannot respond to the request itself). This feature is bound to on-demand dialing.

Note: If the DNS server is located on another host within the local network, or clients within the local network use an Internet DNS server, then this limitation does not apply and dialing will be available. If the clients' DNS server is located on the Internet, the line will be dialed upon a client's DNS query. If a local DNS server is used, the line will be dialed upon the query sent by this server to the Internet (the default gateway of the host where the DNS server is running must be set to the IP address of the WinRoute host).

3. It follows from the previous point that if the DNS server is to run on the WinRoute host, it must be the DNS module, because only the DNS module can dial the line if necessary.

If there is an Active Directory domain in the LAN (domain server with Windows Server 2000/2003/2008), it is necessary to use the Microsoft DNS server, because communication with Active Directory uses special types of DNS request. The Microsoft DNS server does not support automatic dialing. Moreover, it cannot be used on the same host as the DNS module, as both would need the same port (port collision).

It follows that if the Internet connection is to be available via dial-up, WinRoute cannot be used on the same host where Windows Server with Active Directory and Microsoft DNS are running.

4. If the DNS module is used, WinRoute can dial in response to a client's request if the following conditions are met:

• The destination server must be specified by its DNS name, so that the application generates a DNS query.

• In the operating system, set the primary DNS server to the IP address of the firewall. In Windows, go to the TCP/IP properties of the interface connected to the LAN and set the IP address of this interface as the primary DNS server.
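The following model, added here as an illustration and not Kerio's code, walks through the cases in points 2 to 4: the same client lookup is run against a DNS server placed on the WinRoute host (the DNS module, or a server such as Microsoft DNS that cannot dial), on another LAN host whose gateway is WinRoute, and on the Internet, with the line down and a cold cache. The IP addresses, host names and placement labels are constructed for the example; the firewall's LAN address is assumed to be 192.168.1.1.

```python
"""Model of on-demand dialing triggered by DNS traffic (constructed example, not Kerio code)."""
import ipaddress
from dataclasses import dataclass, field

# Where the client's DNS server lives relative to the WinRoute host (constructed labels)
DNS_MODULE = "dns_module"              # WinRoute's own DNS module on the firewall host
OTHER_DNS_ON_FIREWALL = "other_on_fw"  # e.g. Microsoft DNS on the same host: cannot dial
LAN_HOST_DNS = "lan_host"              # DNS server on another LAN host, gateway = WinRoute
INTERNET_DNS = "internet"              # DNS server reached only through the dial-up line

FIREWALL_IP = "192.168.1.1"            # assumed LAN address of the WinRoute host


@dataclass
class DialUpLine:
    connected: bool = False
    dials: int = 0

    def dial(self) -> None:
        """Bring the line up; counts only real dial events."""
        if not self.connected:
            self.dials += 1
            self.connected = True


@dataclass
class DnsServer:
    ip: str
    placement: str
    cache: set = field(default_factory=set)  # names it can answer without forwarding


def client_lookup(destination: str, client_dns_ip: str, servers: dict, line: DialUpLine) -> tuple:
    """Return (outcome, reason) for one client lookup of `destination`."""
    # Point 4, first condition: an IP literal produces no DNS query, so nothing can trigger dialing
    try:
        ipaddress.ip_address(destination)
        return ("no_query", "destination is an IP literal; no DNS query is sent")
    except ValueError:
        pass
    server = servers[client_dns_ip]
    if server.placement == INTERNET_DNS:
        # The client's own query crosses the WinRoute host on its way out, so it can dial
        line.dial()
        return ("answered", "line dialed on the client's DNS query")
    if destination in server.cache:
        return ("answered", "answered from cache; no dialing needed")
    # Cache miss: the server must forward the query to the Internet
    if server.placement == LAN_HOST_DNS:
        # The forwarded query leaves the LAN through WinRoute, which captures it and dials
        line.dial()
        return ("answered", "line dialed on the LAN DNS server's forwarded query")
    if server.placement == DNS_MODULE:
        # The module knows it cannot answer itself and dials before forwarding
        line.dial()
        return ("answered", "DNS module dialed the line before forwarding")
    # OTHER_DNS_ON_FIREWALL: the forwarded packet originates on the firewall host itself;
    # the OS drops it before the WinRoute driver can capture or hold it
    if line.connected:
        return ("answered", "line already up; query forwarded normally")
    return ("dropped", "packet sent from the firewall host itself cannot trigger dialing")


def meets_dial_conditions(destination: str, client_dns_ip: str, firewall_ip: str = FIREWALL_IP) -> list:
    """Point 4 checklist: return the unmet conditions (empty list means dialing can be triggered)."""
    problems = []
    try:
        ipaddress.ip_address(destination)
        problems.append("destination must be given as a DNS name, not an IP address")
    except ValueError:
        pass
    if client_dns_ip != firewall_ip:
        problems.append("client's primary DNS server must be the firewall's LAN address")
    return problems


def run_scenarios() -> dict:
    """Run each placement with the line down and a cold cache; map placement -> (outcome, dials)."""
    dns_ip_for = {DNS_MODULE: FIREWALL_IP, OTHER_DNS_ON_FIREWALL: FIREWALL_IP,
                  LAN_HOST_DNS: "192.168.1.10", INTERNET_DNS: "198.51.100.53"}
    results = {}
    for placement, dns_ip in dns_ip_for.items():
        line = DialUpLine()
        servers = {dns_ip: DnsServer(dns_ip, placement, cache={"intranet.example"})}
        outcome, _reason = client_lookup("www.example.com", dns_ip, servers, line)
        results[placement] = (outcome, line.dials)
    return results


if __name__ == "__main__":
    for placement, (outcome, dials) in run_scenarios().items():
        print(f"{placement:12s} -> {outcome:9s} dials={dials}")
```

Only the placement that cannot dial at all is the one the section warns about: a non-module DNS server on the WinRoute host itself, whose forwarded query the driver never sees. `meets_dial_conditions` gives the two-item checklist from point 4 for a client configuration.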
