DNS resolution troubles after upgrading to 8.6 patch 1
  •  
bigmountain

It seems that after I have upgraded our firewalls, Control has difficulty resolving the Kerio update servers and then disables the filter. This has happened with both IPS and Web Content filtering. It is not consistent and may go several hours without problems, then has trouble checking for updates and disables the filter. I can disable/re-enable the web content filter and that seems to kick it into gear with updates and I can simply check for updates on the IPS filter and that seems to then work and get it started too. I had this issue every once in a while prior to 8.6, but now over the past 12 hours it seems to be a big problem. The issue is the same on both our Control boxes. One is a physical box and the other is a VM appliance. Has anyone else experienced this?

My servers behind the firewall resolve to 8.8.8.8 for DNS resolution. My firewalls also resolve 8.8.8.8. However, my servers behind the firewall do not seem to have any problems reaching out to Google's DNS servers and getting their responses... only the Control boxes do.

Thanks!

Preferred Kerio Partner and Cloud Solutions Provider - Offering both shared and dedicated Kerio Connect hosting solutions.
Visit us at http://bigmountainmail.com
  •  
germanr

I have experienced the same issue on heavy use since version 8.5. What I did was two things as a workaround: (1) set up an internal DNS server and put Kerio Control to query that internal server and (2) disabled the reverse name resolution on Kerio Control (in the cfg files).

German Ruiz
Home & Office
Kerio Preferred Partner
Uruguay
  •  
bigmountain

Since I wrote the post I have been doing additional troubleshooting and my findings have been similar to germanr's. What I noticed after turning on the debug log was that Control was trying to resolve the reverse name of our internal private IPs from the local network (in addition to public IPs reaching out to our network). For every 192.168.1.x it would query Google's DNS server (our DNS points to them). Of course it would reply back with no host found. But, with several mail servers, web servers, etc., this creates a lot of unnecessary queries. I don't know if maybe Google was rate limiting the queries or if Control was having too much going on? Anyhow, what I did was:

1. Turn on DNS caching.
2. Set up the hosts table and manually defined the hostname of each private IP on our network.

What I have noticed in the debug log is that all of my internal reverse lookups are now being called up from Control and that a lot of the queries are being pulled up from cache. This extremely cut down on queries to Google's DNS servers and I have not seen the problem reoccur. It has been about 18 hours now.

My question for Kerio is why is Control trying to do reverse lookups for private internal IPs on our local network (it is even doing lookups on local server to local server traffic)? Is there a way to disable reverse lookups on local traffic only instead of disabling reverse lookups entirely as germanr did?

Thanks!

Preferred Kerio Partner and Cloud Solutions Provider - Offering both shared and dedicated Kerio Connect hosting solutions.
Visit us at http://bigmountainmail.com
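An added example, not part of the posts above: one way to measure how many reverse lookups for private addresses are being forwarded to a public resolver, which is the pattern described in the last post. The log line format and sample data are constructed for illustration and are not Kerio Control's debug log format; adapt the regular expression to your own log.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines; NOT Kerio Control's real debug log format.
SAMPLE_LOG = """\
10:00:01 query fw -> 8.8.8.8: PTR 10.1.168.192.in-addr.arpa
10:00:01 query fw -> 8.8.8.8: PTR 25.1.168.192.in-addr.arpa
10:00:02 query fw -> 8.8.8.8: A update.example.test
10:00:03 query fw -> 8.8.8.8: PTR 34.216.184.93.in-addr.arpa
10:00:04 query fw -> 8.8.8.8: PTR 10.1.168.192.in-addr.arpa
10:00:05 query fw -> 8.8.8.8: PTR 7.0.16.172.in-addr.arpa
10:00:06 query fw -> 8.8.8.8: PTR bogus.in-addr.arpa
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINE_RE = re.compile(r"-> (?P<resolver>\S+): PTR (?P<name>\S+)")

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def ptr_name_to_ip(name):
    """Convert 'd.c.b.a.in-addr.arpa' to IPv4Address a.b.c.d, or None if malformed."""
    name = name.rstrip(".").lower()
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels)))
    except ValueError:
        return None

def leaked_private_ptrs(log_text):
    """Count, per private IP, PTR lookups that were sent to a non-private resolver."""
    leaked = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a PTR query line
        target = ptr_name_to_ip(m.group("name"))
        try:
            resolver = ipaddress.IPv4Address(m.group("resolver"))
        except ValueError:
            continue  # resolver logged as a hostname or IPv6; out of scope here
        if target is not None and is_rfc1918(target) and not is_rfc1918(resolver):
            leaked[str(target)] += 1
    return leaked
```

Calling `leaked_private_ptrs(SAMPLE_LOG).most_common()` lists the internal addresses that generate the most upstream PTR queries, which are the first candidates for hosts-table entries or an internal reverse zone.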