How to allow OpenVPN (W10) client to use DNS server (BIND9) that resides on (Ubuntu 16.04) OpenVPN server?

I have Ubuntu 16.04 (Desktop Edition) with OpenVPN server and BIND9 installed. I used a script when I installed OpenVPN. My OpenVPN client is a W10 netbook with 4G USB modem.
When I choose to use Google DNS during OpenVPN installation then I can surf the Internet via OpenVPN just fine (on my OpenVPN client W10 machine). But if I choose to use a current DNS settings (ie. my own BIND9 server), then I can connect from client to server, but DNS doesn’t work. I know that I must edit config file of OpenVPN server server.conf AND to also edit client.ovpn client’s OpenVPN file too. And I don’t know exactly whether my DNS server (BIND9) is properly configured to play this kind of role.
When I go to W10’s CMD and do ipconfig /all I do see DNS server with a correct IP of my BIND9 (it’s a public IP of my Ubuntu machine, actually). Nevertheless, DNS doesn’t work on a client machine and I couldn’t find a complete step-by-step manual how to enable this scheme.

Few possibilities:

  • Bind is bound (no pun intented) to the local IP ( only. See if you can find any configuration for this and if so change it to and restart BIND (sudo service bind restart)
  • IPTables (or similar) is blocking access from external machines to port 53. In order to check that you can run iptables -L -n to get an overview of existing rules. When INPUT ends with a rejection then that’s probably it.

Thanks for your reply! No, it’s not the firewall. I haven’t found any REJECT statements considering port 53. As per BIND, I need a step-by-step specific algorithm. I’m not an expert to do it myself.

Well I don’t know where the configuration is, but it’s probably somewhere in the /etc/ directory. Something like /etc/bind.conf or similar.

You can use nano to edit the file.

The question is not where the main BIND config file is, but what to check in regard to what I asked in my first post in this topic and what to change (if anything!)

I added this line to OpenVPN config файл:

push “dhcp-option DNS”

And DNS on the client side still doesn’t work.

When I tried to nslookup in W10 terminal, then I saw:

*** Unknown can’t find Query refused

When I check two log files of BIND9 I see this lines:

17-Sep-2019 00:17:36.679 queries: info: client ( query: IN PTR + (

                               17-Sep-2019 00:17:36.704 queries: info: client ( query: IN A + (

                               17-Sep-2019 00:17:36.737 queries: info: client ( query: IN AAAA + (

                               17-Sep-2019 00:17:36.785 queries: info: client ( query: IN A + (

                               17-Sep-2019 00:17:36.804 queries: info: client ( query: IN AAAA + (


                               It's after I tried to nslookup CNN site

                               And when I in the browser try to open say BBC site I see those lines:


                               17-Sep-2019 00:21:47.325 queries: info: client ( query: IN A + (

                               17-Sep-2019 00:21:47.355 queries: info: client ( query: IN A + (

Can you post the full BIND config please?

I’ll omit my real domain name and real public IP though… So I’ll use, say, and

Here’s named.conf.local

// Do any local configuration here

logging {

channel debug_log {
    file "/var/log/named/debug.log";
    severity info;
    print-category yes;
    print-severity yes;
    print-time yes;

channel query_log {
    file "/var/log/named/query.log";
    severity dynamic;
    print-category yes;
    print-severity yes;
    print-time yes;

category default { debug_log; };
category queries { query_log; };


// Consider adding the 1918 zones here, if they are not used in your
// organization
//include “/etc/bind/zones.rfc1918”;

zone “” {
type master;
file “/etc/bind/zones/”;

zone “” {
type master;
file “/etc/bind/zones/db.xx.249.16”;

Here’s named.conf.options

options {
directory “/var/cache/bind”;

forwarders {;;


recursion yes;
allow-recursion { localhost; xx.249.16.253; };
allow-query { any; };
listen-on { any; }; 
allow-transfer {none;};
dnssec-validation auto;
auth-nxdomain no;    # conform to RFC1035
listen-on-v6 { any; };


Here’s named.conf

// This is the primary configuration file for the BIND DNS server named.
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, BEFORE you customize
// this configuration file.
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include “/etc/bind/named.conf.options”;
include “/etc/bind/named.conf.local”;
include “/etc/bind/named.conf.default-zones”;

Do you really want to see a zone file too? Since there’s a lot to hide in it :slight_smile:

I actually found the way after playing around with file etc/bind/named.conf.options. What I did was this…
Added this line to my .ovpn file on W10 client machine:

dhcp-option DNS

And in etc/bind/named.conf.options I’ve added before “options” this:

acl my_net {; };

And then added my_net into allow-recursion

1 Like

Awesome, and thanks for sharing the solution :smiley: