Problem: Kerio Control Windows 2008 + 2 x WAN (E-mail's return, DNS Lookup failed)
  •  
Workstation Rio

How are you?

  I am facing serious problems when I have my Kerio Control installed on Windows 2008 Server and two internet connections on DSL Failover.

Symptoms: After a few hours working with two active connections (for failover), my e-mails in Kerio Connect are not sent, with a message stating that it is not possible to resolve the DNS of the recipient. Browsing is also paralyzed at the stations, and the users receive the message DNS LOOKUP FAILED.

If I disable the secondary (backup) internet connection interface, e-mail and browsing go back to normal ...

Any help?
  •  
Workstation Rio

PS.: I am using the version of Kerio Control: Kerio 7.3.2 and 7.4.2 Connect
Windows 2008 Server Standard X64
  •  
silars

You'll need to describe your DNS setup.

Are you using your ISP's DNS?
Do you use DNS forwarding on Kerio?
Have you attempted any nslookup debugging during the failure mode?
How are you load balancing your links? Host/connection?

I'm going to guess you are using your ISP's DNS and using connection based load balancing. Somewhere along the line, your DNS requests get sent out ISP link #2, but are trying to use ISP #1's DNS. ISP #1 has its DNS protected from outside usage and you get blocked.

If you think this might be the case, you should be able to check the Control's connection table and see where your DNS requests are going.

This is just a wildly speculative guess based on a limited understanding of your network. If you provide more data, we can probably provide you better guesses.
  •  
Workstation Rio

It works more or less like this:

  In most networks I administer, I have 2x servers: 1x data server (DNS and AD) and 1x Server Email and Firewall (Kerio Control and Kerio Connect).

  On the firewall server, in my LAN connection, the DNS server points to the data server.

  In this specific case, the DNS forwarding option is enabled.

Strangely, this problem only happens with Windows 2008, because with Windows 2003 in this same configuration I face no problems ...

[Updated on: Wed, 31 October 2012 15:13]

  •  
silars

Where do you run DHCP? Is it enabled on Control? I presume you have DHCP enabled on your DC.
Have you tried disabling DNS forwarding?
Do you have any other DNS forwarding configuration other than just enabling it?

The reason I ask is that, if the clients are somehow getting pointed at Control for DNS instead of the AD DNS, you could see DNS failures for internal namespaces.

You would need to verify your DNS configurations to ensure they point at the AD DNS.

It is possible to configure the DNS forwarding service to point back at the AD for the internal namespace, but this is not a default configuration.
  •  
Workstation Rio

I understand, but theoretically this problem would happen with any connection, i.e. with 1x WAN connected or two, right?

  This problem only happens if you have two WAN connections active on the same server. If I keep only 1x active connection on the firewall server, I have no problem ...

So I thought it was some incompatibility between Windows 2008 and Kerio Control ...
  •  
silars

You could still be dealing with a mixture of the two problems: ISP DNS issues and DNS forwarding problems. Though, your internal namespace would have to be a publicly registered domain, too. Thus, you were resolving internal DNS names by going out to your ISP and coming back in.

You can set a rule that all outgoing DNS requests have to go out a specific interface.

There are quite a few permutations that can cause issues like this. Even an incompatibility with Windows 2008 :)

I utilize two different ISPs here, but I use the virtual appliance. I use an internal DNS. I haven't seen any issues with DNS resolution in this configuration. I've even used DNS forwarding for a backup DNS if the DC is down.
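
The resolver-per-link check suggested in the thread (DNS debugging during the failure, to see whether ISP #1's resolver is being reached over ISP #2's link), as an added example that is not part of any post. It sends one A-record query from each WAN source address to each ISP resolver and reports the result per pair; the addresses are RFC 5737 placeholders, and it assumes the host routes a packet out the link that owns its source address, which the firewall's own policy can override.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Minimal RFC 1035 query: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def classify(reply, qid=0x1234):
    """Map a raw reply to its rcode name; flag short or mismatched packets."""
    if len(reply) < 12:
        return "MALFORMED"
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != qid or not flags & 0x8000:      # wrong ID or not a response
        return "UNEXPECTED"
    return RCODES.get(flags & 0x000F, "RCODE_%d" % (flags & 0x000F))

def probe(source_ip, resolver, name, timeout=3.0):
    """One UDP query from source_ip to resolver:53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.bind((source_ip, 0))            # pick the WAN source address
            s.sendto(build_query(name), (resolver, 53))
            data, _ = s.recvfrom(512)
            return classify(data)
        except socket.timeout:
            return "TIMEOUT"                  # typical when the ISP drops outsiders
        except OSError as exc:
            return "ERROR: %s" % exc

def matrix(sources, resolvers, name, probe_fn=probe):
    """Result for every (WAN source address, resolver) pair."""
    return {(s, r): probe_fn(s, r, name) for s in sources for r in resolvers}

if __name__ == "__main__":
    WAN_ADDRS = ["192.0.2.10", "198.51.100.10"]   # placeholder: this host's WAN IPs
    RESOLVERS = ["192.0.2.53", "198.51.100.53"]   # placeholder: each ISP's DNS
    for (src, res), result in matrix(WAN_ADDRS, RESOLVERS, "example.com").items():
        print("%-15s -> %-15s %s" % (src, res, result))
```

If only the cross pairs (link #1's address to ISP #2's resolver and the reverse) show TIMEOUT or REFUSED, the resolvers are restricted to their own customers, and pinning outgoing DNS to one interface as described above is the matching fix.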