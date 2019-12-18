Hello!
I have Ubuntu 16.04 (Desktop Edition) with an OpenVPN server and BIND9 installed. I used a script when I installed OpenVPN. My OpenVPN client is a W10 netbook with a 4G USB modem.
When I choose to use Google DNS during the OpenVPN installation, I can surf the Internet via OpenVPN just fine (on my OpenVPN client W10 machine). But if I choose to use the current DNS settings (i.e. my own BIND9 server), then I can connect from the client to the server, but DNS doesn't work. I know that I must edit the OpenVPN server's config file server.conf AND also the client's client.ovpn file. And I don't know exactly whether my DNS server (BIND9) is properly configured to play this kind of role.
When I go to W10's CMD and run ipconfig /all, I do see the DNS server with the correct IP of my BIND9 (it's the public IP of my Ubuntu machine, actually). Nevertheless, DNS doesn't work on the client machine and I couldn't find a complete step-by-step manual on how to enable this scheme.
How do I allow the OpenVPN (W10) client to use the DNS server (BIND9) that resides on the (Ubuntu 16.04) OpenVPN server?
A few possibilities:
- BIND is bound (no pun intended) to the local IP (127.0.0.1) only. See if you can find any configuration for this and, if so, change it to 0.0.0.0 and restart BIND (sudo service bind restart).
- iptables (or similar) is blocking access from external machines to port 53. To check that, you can run iptables -L -n to get an overview of the existing rules. If INPUT ends with a rejection, then that's probably it.
Thanks for your reply! No, it's not the firewall. I haven't found any REJECT statements concerning port 53. As for BIND, I need a specific step-by-step algorithm. I'm not enough of an expert to do it myself.
Well, I don't know where the configuration is, but it's probably somewhere in the /etc/ directory. Something like /etc/bind.conf or similar. You can use nano to edit the file.
The question is not where the main BIND config file is, but what to check with regard to what I asked in my first post in this topic, and what to change (if anything!).
I added this line to the OpenVPN config file:
push "dhcp-option DNS 10.8.0.1"
And DNS on the client side still doesn't work.
When I tried nslookup cnn.com in the W10 terminal, I saw:
*** Unknown can't find cnn.com: Query refused
When I check the two BIND9 log files I see these lines:
17-Sep-2019 00:17:36.679 queries: info: client 10.8.0.2#64118 (1.0.8.10.in-addr.arpa): query: 1.0.8.10.in-addr.arpa IN PTR + (10.8.0.1)
17-Sep-2019 00:17:36.704 queries: info: client 10.8.0.2#64119 (cnn.com): query: cnn.com IN A + (10.8.0.1)
17-Sep-2019 00:17:36.737 queries: info: client 10.8.0.2#64120 (cnn.com): query: cnn.com IN AAAA + (10.8.0.1)
17-Sep-2019 00:17:36.785 queries: info: client 10.8.0.2#64121 (cnn.com): query: cnn.com IN A + (10.8.0.1)
17-Sep-2019 00:17:36.804 queries: info: client 10.8.0.2#64122 (cnn.com): query: cnn.com IN AAAA + (10.8.0.1)
That's after I tried to nslookup the CNN site.
And when I try to open, say, the BBC site in the browser, I see these lines:
17-Sep-2019 00:21:47.325 queries: info: client 10.8.0.2#56585 (bbc.co.uk): query: bbc.co.uk IN A + (10.8.0.1)
17-Sep-2019 00:21:47.355 queries: info: client 10.8.0.2#56585 (bbc.co.uk): query: bbc.co.uk IN A + (10.8.0.1)
Can you post the full BIND config please?
I'll omit my real domain name and real public IP though... So I'll use, say, example.com and 1.2.3.4.
Here's named.conf.local:
//
// Do any local configuration here
//
logging {
    channel debug_log {
        file "/var/log/named/debug.log";
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel query_log {
        file "/var/log/named/query.log";
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { debug_log; };
    category queries { query_log; };
};
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
};
zone "16.249.xx.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.xx.249.16";
};
Here's named.conf.options:
options {
    directory "/var/cache/bind";
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    recursion yes;
    allow-recursion { localhost; xx.249.16.253; };
    allow-query { any; };
    listen-on { any; };
    allow-transfer { none; };
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
Here's named.conf:
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, BEFORE you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
Do you really want to see a zone file too? There's a lot to hide in it.
I actually found the way after playing around with the file /etc/bind/named.conf.options. What I did was this...
Added this line to my .ovpn file on the W10 client machine:
dhcp-option DNS 10.8.0.1
And in /etc/bind/named.conf.options I added this before "options":
acl my_net { 10.0.0.0/8; };
And then added my_net to allow-recursion.
Awesome, and thanks for sharing the solution.
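The following is an added example, not code from the thread or from BIND. It models the one check that produced "Query refused" above: allow-query { any; } lets every client ask, but a query for a name the server is not authoritative for (cnn.com, bbc.co.uk, and the PTR for 10.8.0.1 that nslookup does first, which is consistent with the "Unknown" server name in the error) needs recursion, and BIND only recurses for clients matching allow-recursion. The script parses the query-log lines posted in the thread, evaluates the VPN client 10.8.0.2 against the original allow-recursion list, against the acl my_net { 10.0.0.0/8; } fix from the thread, and against a tighter list covering only the OpenVPN tunnel subnet. Assumptions: 1.2.3.4 stands in for the masked xx.249.16.253 entry, the tunnel subnet is 10.8.0.0/24 (the OpenVPN default, and what the log addresses suggest), the masked reverse zone is left out, and BIND's built-in "localhost" ACL is approximated as loopback only.

```python
"""Model of BIND's allow-query / allow-recursion decision for the thread's logs.

This does not talk to BIND; it is a constructed illustration of why the
VPN client was refused and why adding its subnet to allow-recursion fixed it.
"""
import ipaddress
import re

# Query-log format from the thread: "client IP#port (qname): query: qname IN TYPE + (server)"
LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<name>[^)]+)\): query: \S+ IN (?P<qtype>\S+)"
)

# Approximation of BIND's built-in "localhost" ACL (assumption: loopback only).
LOCALHOST = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def acl(*entries):
    """Build an address-match list from CIDR/host strings or nested lists (like a named acl)."""
    out = []
    for entry in entries:
        if isinstance(entry, list):
            out.extend(entry)
        else:
            out.append(ipaddress.ip_network(entry, strict=False))
    return out


def matches(addr, match_list):
    """True if addr is covered by any element of the address-match list."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in match_list)


def is_authoritative(qname, zones):
    """True if qname is at or below one of the zones this server is master for."""
    name = qname.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)


def resolve_decision(client_ip, qname, *, zones, allow_query, allow_recursion):
    """Mimic the order BIND applies: allow-query, then authoritative data, then allow-recursion."""
    if not matches(client_ip, allow_query):
        return "REFUSED (allow-query)"
    if is_authoritative(qname, zones):
        return "ANSWER (authoritative)"
    if matches(client_ip, allow_recursion):
        return "ANSWER (recursive)"
    return "REFUSED (recursion not allowed)"


def parse_query_log(line):
    """Extract (client_ip, qname, qtype) from one BIND query-log line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("not a BIND query-log line: %r" % line)
    return m.group("ip"), m.group("name"), m.group("qtype")


# Log lines copied from the thread (the PTR is nslookup's reverse lookup of the server).
QUERY_LOG = [
    "17-Sep-2019 00:17:36.679 queries: info: client 10.8.0.2#64118 (1.0.8.10.in-addr.arpa): "
    "query: 1.0.8.10.in-addr.arpa IN PTR + (10.8.0.1)",
    "17-Sep-2019 00:17:36.704 queries: info: client 10.8.0.2#64119 (cnn.com): query: cnn.com IN A + (10.8.0.1)",
    "17-Sep-2019 00:21:47.325 queries: info: client 10.8.0.2#56585 (bbc.co.uk): query: bbc.co.uk IN A + (10.8.0.1)",
]

ZONES = ("example.com",)                       # masked reverse zone omitted (assumption)
ALLOW_QUERY = acl("0.0.0.0/0", "::/0")         # allow-query { any; };
# allow-recursion { localhost; xx.249.16.253; }; with 1.2.3.4 standing in for the masked host
BEFORE = acl(LOCALHOST, "1.2.3.4")
# ... plus acl my_net { 10.0.0.0/8; }; as in the thread's fix
AFTER_THREAD = acl(LOCALHOST, "1.2.3.4", "10.0.0.0/8")
# ... or just the OpenVPN tunnel subnet (assumed 10.8.0.0/24), a least-privilege alternative
AFTER_TIGHT = acl(LOCALHOST, "1.2.3.4", "10.8.0.0/24")


def evaluate(log_lines, allow_recursion):
    """Decide every logged query under the given allow-recursion list."""
    return {
        parse_query_log(line): resolve_decision(
            *parse_query_log(line)[:2],
            zones=ZONES, allow_query=ALLOW_QUERY, allow_recursion=allow_recursion,
        )
        for line in log_lines
    }


if __name__ == "__main__":
    for label, lst in (("before", BEFORE), ("thread fix", AFTER_THREAD), ("tight", AFTER_TIGHT)):
        for (ip, name, qtype), verdict in evaluate(QUERY_LOG, lst).items():
            print("%-10s %s %s %s -> %s" % (label, ip, name, qtype, verdict))
```

The tighter list matters because this server has listen-on { any; } and allow-query { any; } on a public address: answering authoritatively for example.com to the world is intended, but every address you add to allow-recursion becomes a client of an open forwarding resolver, so 10.8.0.0/24 is preferable to 10.0.0.0/8 when only the tunnel needs it. Two related caveats: push "dhcp-option DNS 10.8.0.1" in server.conf makes the client-side dhcp-option line redundant rather than wrong, and since named scans interfaces only every interface-interval (60 minutes by default), a tun0 that appears after named starts may not be listened on until rndc reconfig or a restart.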
