[question][kerio2.1.5]DNS Alert

Discussion in 'other firewalls' started by gnwd, Sep 9, 2005.

Thread Status:
Not open for further replies.
  1. gnwd

    gnwd Registered Member

    Aug 15, 2005
    my dns server is
    I am using kerio 2.1.5 with "BZ kerio 2x default replacement"
    after unchecking the "unrestricted DNS (log), and the next line of "DNS Alert (log, alert)" will often alert me with

    Should I allow it?
    NOTE: the two ip are rather similar. I didn't test to see if the latter is also a dns server.
  2. Hyperion

    Hyperion Registered Member

    Sep 29, 2003
    Hmm,it could be that your ISP is changing servers sometimes.Mine does it and Kerio wouldn't connect unless i would edit the rules and insert the new server IPs.Supposing you have XP,the next time you get this alarm,you can open a command prompt and type ipconfig/all . At the bottom of the text,there should be your 2 DNS servers (primary and secondary below it).See if they are the same with the ones you knew.
  3. Texcritter

    Texcritter Registered Member

    May 6, 2005
    Teesside, North East England
    Hi GNWD

    Both addresses belong to the same ISP
    CHINANET Chongqing Province Network

    does this make sense
  4. BlitzenZeus

    BlitzenZeus Security Expert

    Feb 11, 2002
    Oregon, USA
    Wow, people still can't read the posted instructions. :doubt:

    Your supposed to put the listed dns servers in your ip configuration in the firewall settings, and some have isp's with more than two dns servers so I just use the custom address group to hold them, mine actually has 12 rotating dns servers, as long as you verify that your computer started the communication first, and its listed in the ipconfig, its ok.

    It was made to prevent dns tunneling, in or out, and the unrestricted dns rule was setup on logging so you could see the ip addresses of the dns servers your computer talks to until you disabled it for the secure dns rules.
  5. gnwd

    gnwd Registered Member

    Aug 15, 2005
    which instruction do you mean?
    but I think when I was talking with somebody(i.e. some dns server), it should not let others to answer me.
  6. CrazyM

    CrazyM Firewall Expert

    Feb 9, 2002
    BC, Canada
    I think he would be referring to suggestions for DNS rules in this post:

    It would appear your current DNS rule is blocking responses from another one of your ISP's DNS servers. So in effect your rule is working and blocking responses from a server not permitted by your rule.

    ISP's may use multiple DNS servers and DNS cache servers to share the load and as a result your DNS rule(s) should reflect this and permit these additional servers that your ISP uses. You just need to confirm it is a server belonging to your ISP and trusted before adding it to your list of DNS servers.


  7. yogishree

    yogishree Registered Member

    Jan 15, 2005
    For instance , at one time - on my dial-up, I was having four DNS Servers and did have four separate rules for them . It would be perfectly legitimate to ask your ISP about the addresses of your DNS Servers and incorporate the same in your rule-set.Tightening up of rules includes specifying IP addresses and local/Remote Port Nos to the extent possible.

    In case the ISP is not willing to part with these details , which should not normally happen , then a general 'allow' rule be set and put to log.After watching the logs for some time specific rules could be set. However it is always better to authenticate the details from your ISP.
  8. Rmus

    Rmus Exploit Analyst

    Mar 16, 2005
    When I first set up a custom DNS rule in Kerio, I entered my ISP's 2 IP addresses in the custom addresses list. (I copied these from the information sheet I received from my ISP years ago when I signed up). I also set up an unrestricted DNS rule to log.

    When I logged on for the first time using a custom rule, Kerio alerted that a different DNS address was being asked for.

    I phoned my ISP and was told that they had multiple DNS servers. When I was using the default Kerio rules, Kerio permitted connecting out to any address, and so I never knew what was going on in the background.

    If your ISP has multiple DNS servers, you have checked "Obtain an IP Address automatically" in the TCP/IP properties box of your dialup connection, and for this to work, you will have to find and enter all of the addresses in your Kerio Custom Addresses (or set up a separate rule for each) .

    There is also the option in that Properties box to specify your primary and secondary addresses, and I asked if I could do that and use the 2 addresses that I had instead of allowing for multiple, and was told that would be fine, and that's the way I've done it ever since.

    The NameServer (both primary and secondary addresses) are stored in the Registry in one of the keys at


    If you are set up for multiple nameservers, this value will change depending on what server is being used at any time.


    ~~Be ALERT!!! ~~
Similar Threads
  1. ttomm1946
Thread Status:
Not open for further replies.