How to allow OpenVPN (W10) client to use DNS server (BIND9) that resides on (Ubuntu 16.04) OpenVPN server?

Grigooriy Kotkovskiy
Hello!
I have Ubuntu 16.04 (Desktop Edition) with OpenVPN server and BIND9 installed. I used a script when I installed OpenVPN. My OpenVPN client is a W10 netbook with 4G USB modem.
When I choose to use Google DNS during OpenVPN installation then I can surf the Internet via OpenVPN just fine (on my OpenVPN client W10 machine). But if I choose to use a current DNS settings (ie. my own BIND9 server), then I can connect from client to server, but DNS doesn't work. I know that I must edit config file of OpenVPN server server.conf AND to also edit client.ovpn client's OpenVPN file too. And I don't know exactly whether my DNS server (BIND9) is properly configured to play this kind of role.
When I go to W10's CMD and do ipconfig /all I do see DNS server with a correct IP of my BIND9 (it's a public IP of my Ubuntu machine, actually). Nevertheless, DNS doesn't work on a client machine and I couldn't find a complete step-by-step manual how to enable this scheme.
Distinguished Expert 2017

Commented:
The OpenVPN server configuration side should be pushing the name server records and routes along with the VPN IP.

When VPN connection is established, check the route table
Ipconfig /all
route print

You should be able to query your local bind
Distinguished Expert 2017

Commented:
One question: is your internet connection shared?
I.e. is your W10 sharing the Internet connection?

Check whether your LAN/share ip is the same/overlaps with the openvpn one
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
You can have only one DNS server active, and that needs to be able to resolve all addresses, local or public. Hence your BIND9 DNS server is to be used if you want to work with internal addresses,
and it has to keep all necessary private DNS records,
and additionally forward public DNS requests to a public DNS server.

You set up the private IP address of your DNS server, so DNS requests are passed over OpenVPN (and kept private). All you have to do for that is to add something like
push "dhcp-option DNS 10.10.10.10"
to the server's OpenVPN config file.
David FavorFractional CTO
Distinguished Expert 2018

Commented:
You said, "But if I choose to use a current DNS settings (ie. my own BIND9 server), then I can connect from client to server, but DNS doesn't work."

1) Test your DNS to determine if it's actually working.

dig google.com a @your-dns-ip


2) If #1 works, then likely you're getting caught up in the continual broken-ness of systemd-resolved.

If #1 works, open another ticket about how to completely nuke systemd-resolved off your machine.

Note: The first action I always take setting up a new physical machine or container is to nuke (remove all traces) of systemd-resolved, then instruct systemd never to use resolved again... ever... period...
arnold,
Thanks for your reply!
W10 on my netbook doesn't share anything. It just has a 4G USB modem with its own DNS servers etc. from our mobile ISP.
Qlemo,
Thanks for your reply!
OK, I'll try that. You see, I always used my DNS server's PUBLIC IP. Hence on my W10 netbook (OpenVPN client side, that is) when I went to CMD (Command line prompt), ipconfig /all showed me in "DNS server" public IP of my Ubuntu machine where BIND9 resides.
Qlemo,
What I don't understand is this:
When I do ifconfig in Ubuntu terminal, then under tun0 (which is my OpenVPN, right?) I see an IP address 10.8.0.1 and in file etc/openvpn/server.conf it says "server 10.8.0.0 255.255.255.0". Then what should I put in "push "dhcp-option DNS" 10.8.0.1 OR 10.8.0.0?
And also there's a line in that same file, this one:
push "redirect-gateway def1 bypass-dhcp"
Should I just leave it as is?
David Favor,
Thanks for your reply!
I want to ask your the same question that I've raised in my previous post in reply to Qlemo... What is my DNS server's PRIVATE IP address (since if I understand that in this whole OpenVPN scheme I should only use private address and not the public static IP that I get from my Ubuntu machine's ISP). Is it 10.8.0.1 (output of ifconfig tun0) or what's written in server.conf file (server 10.8.0.0)?
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
The server option defines a network address, and the server uses the first address of that range for itself. So 10.8.0.1 is the one to use for gateway, DNS etc.

The redirect-gateway option modifies the client so all traffic is sent over the VPN (by changing the default gateway). It's your decision whether you want to do that.
Qlemo,
What happens is that I do see 10.8.0.1 address as a DNS server in ipconfig /all output in W10, but DNS still doesn't work in OpenVPN client W10 computer. There must be more to that than what I've done.
David Favor, Qlemo
I tried to use a dig command on Windows, completely forgotten that it's a Linux only command :-)
BUT.. what happens is when I do nslookup cnn.com
I get this:
Server:unknown
Address: 10.8.0.1 (it's my DNS server private IP within this OpenVPN scheme)

*** Unknown can't find cnn.com: Query refused

So does that mean that BIND9 simply REFUSES to work for my OpenVPN client? How that should be adjusted?
In BIND9's query log file I do see these lines:

17-Sep-2019 00:17:36.679 queries: info: client 10.8.0.2#64118 (1.0.8.10.in-addr.arpa): query: 1.0.8.10.in-addr.arpa IN PTR + (10.8.0.1)
17-Sep-2019 00:17:36.704 queries: info: client 10.8.0.2#64119 (cnn.com): query: cnn.com IN A + (10.8.0.1)
17-Sep-2019 00:17:36.737 queries: info: client 10.8.0.2#64120 (cnn.com): query: cnn.com IN AAAA + (10.8.0.1)
17-Sep-2019 00:17:36.785 queries: info: client 10.8.0.2#64121 (cnn.com): query: cnn.com IN A + (10.8.0.1)
17-Sep-2019 00:17:36.804 queries: info: client 10.8.0.2#64122 (cnn.com): query: cnn.com IN AAAA + (10.8.0.1)

It's after I tried to nslookup CNN site
And when I in the browser try to open say BBC site I see those lines:

17-Sep-2019 00:21:47.325 queries: info: client 10.8.0.2#56585 (bbc.co.uk): query: bbc.co.uk IN A + (10.8.0.1)
17-Sep-2019 00:21:47.355 queries: info: client 10.8.0.2#56585 (bbc.co.uk): query: bbc.co.uk IN A + (10.8.0.1)
And BTW in BIND9's debug log file I see these lines:

17-Sep-2019 00:21:37.285 security: info: client 10.8.0.2#51516 (bbc.co.uk): query (cache) 'bbc.co.uk/A/IN' denied
17-Sep-2019 00:21:37.290 security: info: client 10.8.0.2#51516 (bbc.co.uk): query (cache) 'bbc.co.uk/A/IN' denied
17-Sep-2019 00:21:47.325 security: info: client 10.8.0.2#56585 (bbc.co.uk): query (cache) 'bbc.co.uk/A/IN' denied
17-Sep-2019 00:21:47.355 security: info: client 10.8.0.2#56585 (bbc.co.uk): query (cache) 'bbc.co.uk/A/IN' denied

AND

7-Sep-2019 00:17:20.944 security: info: client 10.8.0.2#64114 (cnn.com): query (cache) 'cnn.com/A/IN' denied
17-Sep-2019 00:17:20.976 security: info: client 10.8.0.2#64115 (cnn.com): query (cache) 'cnn.com/AAAA/IN' denied
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Are you sure the server DNS service resolves at all when you are on LAN?
If yes, there is probably a client IP filter to inhibit "illegal" DNS requests.
Distinguished Expert 2017

Commented:
what is the IP of your bind system?
Since you mentioned that you are using a USB 4G it suggests that this system shares its ethernet feed with the ubuntu but when the openVPN session is on, the openVPN might be redirecting traffic, but the 192.168.x.x that is likely the IP of your Ubuntu system is not being returned to you or is not being allowed out.
arnold,
You didn't get it. Re-read my first post. USB 4G modem has nothing to do whatsoever with Ubuntu or BIND9, which resides in it. That modem is used for infrastructure purpose (so there would be a PHYSICAL link between my client and server).

Moreover, when I choose to use Google DNS, then on a client side everything works fine, ie. no problems with my mobile ISP's DNS servers etc.
Qlemo,
First of all, I'm not sure about anything, since I'm no expert in this field. Ask me to perform a concrete check or to run a particular command, then I'll let you know the results and the outputs. All I know is that BIND9 work OK when it receives queries from THE SAME physical machine it resides on, ie Ubuntu 16.04 Not LAN, but the one and only Ubuntu system where BIND9 was installed originally.
arnold,
BIND system (ie Ubuntu PC with OpenVPN SERVER on it) has TWO IP's. One is the static PUBLIC IP that I use to get online. It's from the wired link to my ISP (Ethernet). AND since I've installed OpenVPN now Ubuntu has an extra tun0 IP which is 10.8.0.1 Whereas W10 OpenVPN client gets an IP 10.8.0.2 from OpenVPN DHCP.
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Ok then. DNS works if using it locally on the Ubuntu machine.
But why do you want to use the DNS server for OpenVPN?
And do you want to run all traffic thru the server when connected per OpenVPN, as that is how it is currently?
Qlemo,
Like I said in my original post, to use OpenVPN I don't have to use my own DNS server, I can just use Google's. But since I do have DNS server and it does work, then why to use 3rd party DNS? It comes down to a proper configuration. I don't understand your last sentence. What I want is to use my own DNS server for OpenVPN client's DNS queries. As simple as that...Plus of course my own DNS server would serve its local queries (as it's always been)... By "local" I mean Ubuntu's queries
Distinguished Expert 2017

Commented:
Ok.

You have ISP <=> Adapter <=> Ubuntu

Oh,

Looking at the wrong thing, check your named.conf in the Ubuntu and make sure you have allow-query (126.0.0.1; 10.8.0.0/24;);
rndc reload/reconfig after change, or you may have to restart bind for the above referenced

Or however you defined the openvpn segment.

Bind is denying the request from the client as unauthorized.
arnold,
To make things clearer... I have TWO ISP's. A "wired one" over Ethernet cable which goes into Ubuntu server PC. And the other one is a mobile ISP that provides the Internet access via 4G USB modem which I attach to my W10 client PC. The only reason I need the latter is to have some link between two computers, since they wouldn't be connected otherwise (nothing physical connects them together!). The difference is... I DO NOT use my "wired" ISP's DNS servers since I've got my own on Ubuntu. But I do use mobile ISP's DNS servers when I surf the Internet using my W10 machine. But those mobile DNS servers are irrelevant since when I connect my OpenVPN client then they're blocked. I mean, I do use Google DNS fine when I choose to use them if I configure OpenVPN like that. The only real issue is two config files and BIND9's configuration.
arnold,
Just so you know... I do have this:

allow-query { any; };

In etc/bind/named.conf.options
Distinguished Expert 2017

Commented:
You have to make sure

The notice is for client:10.8.0.2 denied.


Check the named.conf itself to make sure something there does not override this, or the include line for the options is commented out.

Try the following on the Ubuntu box

nslookup www.cnn.com 10.8.0.1
And see whether you get a response or a similar denial for the client 10.8.0.1
Distinguished Expert 2017

Commented:
Point, most likely the /etc/resolv.conf
Has nameserver 127.0.0.1
Which is why local lookups work.
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Sorry, but "But since I do have DNS server and it does work, then why to use 3rd party DNS?" is nonsense. Your own DNS server can only resolve local addresses immediately; everything else is done by asking the ISP DNS server (and caching the result for some time). So the whole advantage for your environment as I see it is that repeated DNS queries are serviced by the cache. That is not really a big one...
arnold,
kot@mail:~$ nslookup cnn.com 10.8.0.1
Server:            10.8.0.1
Address:      10.8.0.1#53

Non-authoritative answer:
Name:      cnn.com
Address: 151.101.65.67
Name:      cnn.com
Address: 151.101.129.67
Name:      cnn.com
Address: 151.101.1.67
Name:      cnn.com
Address: 151.101.193.67
Qlemo,
I can just use Google's DNS for OpenVPN. But I want to use my own, not because it has any advantages. But I want to know how to do it.
And why do you say that my own DNS server has to ask my ISP's DNS server? Why my DNS server can't do the whole work all by itself? What ISP's DNS server has that mine doesn't?
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Your DNS server only manages a part of all possible DNS records. That does also apply to the ISP DNS server. If a DNS server has no record fitting to the request, because it is neither in the cache nor a local name, it has to ask the next DNS server, responsible for a greater range of addresses.

Let's say your local DNS domain is domain.local, and the ISP domain is isp.com.
Asking for "a" will have to be resolved by your DNS server (because domain.com is assumed).
The same for "a.domain.com".
"www.google.com" cannot be resolved locally if asked for the first time within a certain cache hold time (say 30 min.), so the ISP DNS is asked next, which will either have a cache entry, or ask the DNS server for google.com.
A second request for the same DNS name within the cache hold time will be kept local.
Qlemo,
But why can't my DNS server ask Google's DNS server itself? Why must it first inquire with the ISP's DNS server? Why is my DNS server inferior to the ISP's server? How are they different?
I actually found the way after playing around with file etc/bind/named.conf.options. What I did was this...
Added this line to my .ovpn file on W10 client machine:

dhcp-option DNS 10.8.0.1

And in etc/bind/named.conf.options I've added before "options" this:

acl my_net { 10.0.0.0/8; };

And then added my_net into allow-recursion
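As an added example (not code from the thread or from BIND/OpenVPN), here is a small Python script that parses the BIND9 "query (cache) ... denied" lines quoted earlier in the thread, which named logs when a client is not permitted to use the resolver's cache/recursion, and reports which of those clients a proposed allow-recursion ACL would admit. The log lines are constructed samples modelled on the ones posted above.

```python
import ipaddress
import re

# Constructed sample log, modelled on the BIND9 security-category lines quoted
# in the thread. "query (cache) ... denied" is what named logs when the client
# is not allowed recursion/cache access; plain "queries:" lines are not failures.
SAMPLE_LOG = """\
17-Sep-2019 00:21:37.285 security: info: client 10.8.0.2#51516 (bbc.co.uk): query (cache) 'bbc.co.uk/A/IN' denied
17-Sep-2019 00:17:20.976 security: info: client 10.8.0.2#64115 (cnn.com): query (cache) 'cnn.com/AAAA/IN' denied
17-Sep-2019 00:30:01.002 security: info: client 192.168.1.20#40000 (example.org): query (cache) 'example.org/A/IN' denied
17-Sep-2019 00:30:05.117 queries: info: client 10.8.0.2#64119 (cnn.com): query: cnn.com IN A + (10.8.0.1)
"""

DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+ \(\S+\): "
    r"query \(cache\) '(?P<name>[^/]+)/(?P<rtype>\w+)/IN' denied"
)


def parse_denied(log_text):
    """Return (client_ip, qname, qtype) for each recursion-denied query."""
    hits = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("name"), m.group("rtype")))
    return hits


def acl_coverage(denied, acl_cidrs):
    """Map each denied client IP to True if a proposed allow-recursion ACL
    (list of CIDR strings) would admit it, False otherwise."""
    nets = [ipaddress.ip_network(c) for c in acl_cidrs]
    return {ip: any(ipaddress.ip_address(ip) in n for n in nets)
            for ip, _, _ in denied}


def suggest_networks(denied, acl_cidrs):
    """For clients the ACL does not cover, return the /24 each sits in, sorted.
    /24 matches the thread's 'server 10.8.0.0 255.255.255.0' OpenVPN subnet and
    is far narrower than the 10.0.0.0/8 the asker ended up allowing."""
    coverage = acl_coverage(denied, acl_cidrs)
    missing = {str(ipaddress.ip_network(ip + "/24", strict=False))
               for ip, covered in coverage.items() if not covered}
    return sorted(missing)


if __name__ == "__main__":
    denied = parse_denied(SAMPLE_LOG)
    for ip, name, rtype in denied:
        print(f"recursion denied: {ip} asked {name}/{rtype}")
    # With allow-recursion unset, BIND defaults to localhost and localnets,
    # which do not include the tun0 subnet; show what a fix must add.
    print("add to allow-recursion:", suggest_networks(denied, ["127.0.0.1/32"]))
```

Restricting the ACL to the VPN subnet rather than all of 10.0.0.0/8 keeps the resolver from becoming an open recursive server for any other address that can reach it.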
Qlemo"Batchelor", Developer and EE Topic Advisor
Top Expert 2015

Commented:
Whether your DNS server asks Google DNS or the ISP's one does not matter much, and depends on how your DNS is configured. It is a convention that you use a DNS server "nearby", to distribute DNS traffic over many nodes and keep traffic as local as possible.
Thank you all!