How to allow OpenVPN (W10) client to use DNS server (BIND9) that resides on (Ubuntu 16.04) OpenVPN server?

Hello!
I have Ubuntu 16.04 (Desktop Edition) with OpenVPN server and BIND9 installed. I used a script when I installed OpenVPN. My OpenVPN client is a W10 netbook with a 4G USB modem.
When I choose to use Google DNS during OpenVPN installation then I can surf the Internet via OpenVPN just fine (on my OpenVPN client W10 machine). But if I choose to use the current DNS settings (i.e. my own BIND9 server), then I can connect from client to server, but DNS doesn't work. I know that I must edit the OpenVPN server's config file server.conf AND also edit the client's OpenVPN file client.ovpn. And I don't know exactly whether my DNS server (BIND9) is properly configured to play this kind of role.
When I go to W10's CMD and do ipconfig /all I do see the DNS server with the correct IP of my BIND9 (it's the public IP of my Ubuntu machine, actually). Nevertheless, DNS doesn't work on the client machine and I couldn't find a complete step-by-step manual on how to enable this scheme.

Few possibilities:

  • Bind is bound (no pun intended) to the local IP (127.0.0.1) only. See if you can find any configuration for this and if so change it to 0.0.0.0 and restart BIND (sudo service bind restart)
  • IPTables (or similar) is blocking access from external machines to port 53. In order to check that you can run iptables -L -n to get an overview of existing rules. When INPUT ends with a rejection then that’s probably it.

Thanks for your reply! No, it's not the firewall. I haven't found any REJECT statements concerning port 53. As for BIND, I need a step-by-step specific algorithm. I'm not an expert to do it myself.

Well I don’t know where the configuration is, but it’s probably somewhere in the /etc/ directory. Something like /etc/bind.conf or similar.

You can use nano to edit the file.

The question is not where the main BIND config file is, but what to check in regard to what I asked in my first post in this topic and what to change (if anything!)

I added this line to the OpenVPN config file:

push "dhcp-option DNS 10.8.0.1"

And DNS on the client side still doesn’t work.

When I tried to nslookup cnn.com in the W10 terminal, I saw:

*** Unknown can't find cnn.com: Query refused

When I check the two log files of BIND9 I see these lines:

17-Sep-2019 00:17:36.679 queries: info: client 10.8.0.2#64118 (1.0.8.10.in-addr.arpa): query: 1.0.8.10.in-addr.arpa IN PTR + (10.8.0.1)
17-Sep-2019 00:17:36.704 queries: info: client 10.8.0.2#64119 (cnn.com): query: cnn.com IN A + (10.8.0.1)
17-Sep-2019 00:17:36.737 queries: info: client 10.8.0.2#64120 (cnn.com): query: cnn.com IN AAAA + (10.8.0.1)
17-Sep-2019 00:17:36.785 queries: info: client 10.8.0.2#64121 (cnn.com): query: cnn.com IN A + (10.8.0.1)
17-Sep-2019 00:17:36.804 queries: info: client 10.8.0.2#64122 (cnn.com): query: cnn.com IN AAAA + (10.8.0.1)

This is after I tried to nslookup the CNN site.

And when I try to open, say, the BBC site in the browser, I see these lines:

17-Sep-2019 00:21:47.325 queries: info: client 10.8.0.2#56585 (bbc.co.uk): query: bbc.co.uk IN A + (10.8.0.1)
17-Sep-2019 00:21:47.355 queries: info: client 10.8.0.2#56585 (bbc.co.uk): query: bbc.co.uk IN A + (10.8.0.1)

Can you post the full BIND config please?

I'll omit my real domain name and real public IP though... So I'll use, say, example.com and 1.2.3.4

Here’s named.conf.local

//
// Do any local configuration here
//

logging {

    channel debug_log {
        file "/var/log/named/debug.log";
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    channel query_log {
        file "/var/log/named/query.log";
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    category default { debug_log; };
    category queries { query_log; };

};

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
};

zone "16.249.xx.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.xx.249.16";
};

Here’s named.conf.options

options {
    directory "/var/cache/bind";

    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    recursion yes;
    allow-recursion { localhost; xx.249.16.253; };
    allow-query { any; };
    listen-on { any; };
    allow-transfer { none; };
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };

};

Here’s named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, BEFORE you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

Do you really want to see a zone file too? Since there's a lot to hide in it :slight_smile:

I actually found the way after playing around with the file /etc/bind/named.conf.options. What I did was this...
Added this line to my .ovpn file on the W10 client machine:

dhcp-option DNS 10.8.0.1

And in /etc/bind/named.conf.options I added this before "options":

acl my_net { 10.0.0.0/8; };

And then added my_net to allow-recursion.

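The "Query refused" answers in the log excerpt earlier in the thread, and the acl fix in this post, come down to one check: BIND answers queries for zones it is authoritative for to any client permitted by allow-query, but refuses recursive lookups (the "+" flag in query.log means the client set the RD bit) from clients that are not matched by allow-recursion. The script below is an added example, not code from this thread or from BIND itself. It replays constructed query.log lines (the 10.8.0.2 lines mirror the posted ones; the 127.0.0.1 and 203.0.113.9 lines are invented) against the allow-recursion list as posted and against a corrected one, and reports which queries would be refused. It assumes the OpenVPN subnet is 10.8.0.0/24 (tighter than the 10.0.0.0/8 used in the post) and leaves out the partly redacted xx.249.16.253 entry.

```python
"""Which clients would BIND's allow-recursion refuse?  Added example."""
import ipaddress
import re

# Constructed sample in the format of the thread's query.log.  The 10.8.0.2
# lines copy the posted ones; the 127.0.0.1 and 203.0.113.9 lines are invented.
SAMPLE_QUERY_LOG = """\
17-Sep-2019 00:17:36.679 queries: info: client 10.8.0.2#64118 (1.0.8.10.in-addr.arpa): query: 1.0.8.10.in-addr.arpa IN PTR + (10.8.0.1)
17-Sep-2019 00:17:36.704 queries: info: client 10.8.0.2#64119 (cnn.com): query: cnn.com IN A + (10.8.0.1)
17-Sep-2019 00:17:36.737 queries: info: client 10.8.0.2#64120 (cnn.com): query: cnn.com IN AAAA + (10.8.0.1)
17-Sep-2019 00:21:47.325 queries: info: client 10.8.0.2#56585 (bbc.co.uk): query: bbc.co.uk IN A + (10.8.0.1)
17-Sep-2019 00:21:50.001 queries: info: client 127.0.0.1#40001 (example.com): query: example.com IN A + (127.0.0.1)
17-Sep-2019 00:22:01.500 queries: info: client 203.0.113.9#50001 (cnn.com): query: cnn.com IN A + (1.2.3.4)
17-Sep-2019 00:22:02.100 queries: info: client 203.0.113.9#50002 (example.com): query: example.com IN A + (1.2.3.4)
"""

# allow-recursion as posted, reduced to "localhost" (the second, partly
# redacted entry is omitted here), and a corrected list.  10.8.0.0/24 is an
# assumed OpenVPN subnet; the post used the broader 10.0.0.0/8.
ACL_BEFORE = ["127.0.0.0/8", "::1/128"]
ACL_AFTER = ACL_BEFORE + ["10.8.0.0/24"]

# Zones from named.conf.local.  Names under them are answered from local data
# without recursion, so allow-query (any) governs them, not allow-recursion.
AUTH_ZONES = ["example.com"]

LINE_RE = re.compile(
    r"client (?P<ip>[^#\s]+)#(?P<port>\d+) \((?P<qname>[^)]+)\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)


def parse_query_log(text):
    """One dict per query line: client address, name, type, RD bit."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        records.append({
            "client": ipaddress.ip_address(m["ip"]),
            "name": m["name"].rstrip(".").lower(),
            "qtype": m["qtype"],
            # BIND prints '+' when the client asked for recursion (RD set).
            "rd": m["flags"].startswith("+"),
        })
    return records


def acl_allows(ip, acl):
    """True if ip (string or address object) falls inside any ACL network."""
    ip = ipaddress.ip_address(ip)
    return any(ip in ipaddress.ip_network(net) for net in acl)


def in_auth_zone(name, zones):
    return any(name == z or name.endswith("." + z) for z in zones)


def refused_queries(text, acl, zones=AUTH_ZONES):
    """Recursive queries from clients outside allow-recursion -> REFUSED."""
    return [
        (str(q["client"]), q["name"], q["qtype"])
        for q in parse_query_log(text)
        if q["rd"]
        and not in_auth_zone(q["name"], zones)
        and not acl_allows(q["client"], acl)
    ]


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_BEFORE), ("with VPN subnet", ACL_AFTER)):
        print(f"allow-recursion {label}: {acl}")
        for client, name, qtype in refused_queries(SAMPLE_QUERY_LOG, acl):
            print(f"  REFUSED  {client:<14} {name} {qtype}")
```

With the posted list, every lookup from 10.8.0.2 is refused, matching the nslookup error, while the query for example.com from an outside address is still answered because the server is authoritative for it. Keeping allow-recursion limited to localhost and the VPN subnet is also what stops the server from being an open resolver, since listen-on and allow-query are both set to any on a public IP.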

Awesome, and thanks for sharing the solution :smiley: