Question

I need to set up a DNS server only to resolve the names of our network servers when a user connects to our VPN (OpenVPN). I can successfully "push" the DNS server's IP address to the client. I was under the illusion that it's easy to set up a DNS server using Bind9 for a local network. I was wrong. First, every sample I've found from Google is based on fully qualified domains, not local names. What I call a local name is something like "server1", not "server1.my.company.com". But I've discovered the famous "@".

Now I have another problem. When I try "server1" with "ping" or "nslookup", it does exactly what I want. It resolves "server1" to our internal IP. Great. But when I try "www.google.com", it fails to resolve the IP. That means that the client tries to solve "www.google.com" using my DNS server, instead of its internet provider DNS servers which are still in the list of DNS servers.

Is there a way to tell the client machine: I don't know this person, see someone else?

I've noticed that "auth-nxdomain" is set to "no" by default. I tried to set it to "yes", but it doesn't do the job.

Here are my config files for Bind9 under Ubuntu 9.04:

/etc/bind/named.conf.options

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //      0.0.0.0;
    // };

    //auth-nxdomain no;    # conform to RFC1035
    auth-nxdomain yes;
    listen-on-v6 { any; };

    // To prevent the error ";; Got recursion not available from 10.8.0.1, trying next server"
    allow-recursion { 10.8.0.0/24; };
};

/etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// This is the zone definition.
zone "@" {
 type master;
 file "/etc/bind/zones/vpn.db";
};

// This is the zone definition for reverse DNS.
zone "0.8.10.in-addr.arpa" {
 type master;
 file "/etc/bind/zones/rev.0.8.10.in-addr.arpa";
};

/etc/bind/zones/vpn.db

@  IN      SOA    vpn.local. admin.local. (
  2011041608  ; Serial
      604800  ; Refresh
       86400  ; Retry
     2419200  ; Expire
      604800  ; Negative Cache TTL
);

@  IN      NS     vpn.local.

server1         IN      A      10.8.0.1

/etc/bind/zones/rev.0.8.10.in-addr.arpa

@  IN      SOA    vpn.local. admin.local. (
  2011041608  ; Serial
      604800  ; Refresh
       86400  ; Retry
     2419200  ; Expire
      604800  ; Negative Cache TTL
);

@  IN      NS     vpn.local.
1  IN      PTR    mrsvn

I don't understand anything about "SOA". I've copied the numbers from an example. And I'm not sure about "vpn.local." and "admin.local.". Anyway, the DNS server works. Because I have many things to do, I don't have the time to read 1000 pages of text before being able to execute such a simple task. Do I need to forward requests to my own DNS servers on the server side? I've tried it by changing "forwarders {...}" in the options file, but it doesn't work. And I don't like the idea of doing every DNS resolution through the VPN. Do you have a solution?


Solution 2

I found the solution. First, the forwarders didn't get involved as long as I was defining my zone as the root zone. The zone "@" refers to the zone ".", which is the root zone. When I discovered it, after some reflection, I remembered that the DNS client can be configured with search domains.

So first, I changed the following line of the file /etc/bind/named.conf.local:

zone "@" {

to

zone "vpn.my.company.com." {

Then, for /etc/bind/zones/vpn.db and /etc/bind/zones/rev.0.8.10.in-addr.arpa I replaced "vpn.local." by "vpn.my.company.com." and "admin.local." by "admin.my.company.com".

Finally, in the configuration file of OpenVPN, I added the following line:

push "dhcp-option DOMAIN vpn.my.company.com"

I've restarted everything... And that's it! Now everything gets resolved.

Edit: I've prevented name resolution for domains other than mine by the VPN's DNS server by doing this in the file /etc/bind/named.conf:

// prime the server with knowledge of the root servers
zone "." {
        type master;
        //type hint;
        file "/etc/bind/db.root";
        allow-query { 127.0.0.0/8; 192.168.0.0/16; };
};

This way, other domains get resolved from the client's Internet provider DNS servers.
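As an added check (not part of the original answer), this Python script parses a named.conf.local-style file and flags the two mistakes this answer describes: a master zone named "@" or ".", which makes Bind authoritative for the root so every other name gets NXDOMAIN and the forwarders are never consulted, and a pushed OpenVPN search domain that matches no defined zone. The sample configuration is constructed to mirror the question's file.

```python
import re

# Constructed sample modelled on the question's /etc/bind/named.conf.local.
SAMPLE_CONF = """
// This is the zone definition.
zone "@" {
 type master;
 file "/etc/bind/zones/vpn.db";
};

// This is the zone definition for reverse DNS.
zone "0.8.10.in-addr.arpa" {
 type master;
 file "/etc/bind/zones/rev.0.8.10.in-addr.arpa";
};
"""

ZONE_RE = re.compile(r'zone\s+"([^"]*)"\s*\{(.*?)\};', re.S)


def parse_zones(conf):
    """Return {zone_name: zone_type} for every zone {} block.

    // comments are stripped first (URLs containing // are not expected here).
    """
    stripped = re.sub(r"//[^\n]*", "", conf)
    zones = {}
    for name, body in ZONE_RE.findall(stripped):
        m = re.search(r"\btype\s+(\w+)", body)
        zones[name] = m.group(1) if m else None
    return zones


def audit_zones(zones, pushed_domain):
    """Return a list of problems for the zone set and the OpenVPN-pushed search domain."""
    problems = []
    for name, ztype in zones.items():
        if name in ("@", ".") and ztype == "master":
            problems.append(
                f'zone "{name}" is an authoritative root zone: names outside it '
                f"get NXDOMAIN and forwarders are never consulted"
            )
    # Forward zones this server is master for (reverse zones excluded), normalised.
    forward = {
        n.rstrip(".").lower()
        for n, t in zones.items()
        if t == "master" and not n.endswith("in-addr.arpa")
    } - {"@", ""}
    if pushed_domain.rstrip(".").lower() not in forward:
        problems.append(f'pushed search domain "{pushed_domain}" matches no master zone')
    return problems
```

Running audit_zones(parse_zones(SAMPLE_CONF), "vpn.my.company.com") reports both problems; renaming the zone to "vpn.my.company.com." clears them.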

Other tips

You can actually get your internal DNS server to resolve external domains as well. That should solve your problem. I worked on the exact same problem and was using dnsmasq for my internal DNS.

I solved the issue by setting the DNS servers on the VPN gateway machine to use Google DNS after trying its own internal DNS. So the DNS config in /etc/resolv.conf looked like:

nameserver 127.0.0.1
nameserver 8.8.8.8

To make Bind forward queries it can't answer to other name servers, you need to put the IP addresses of other DNS servers in the forwarders section of /etc/bind/named.conf.options.

This section is commented out in your file, so Bind doesn't know where to forward queries.

// forwarders {
//      0.0.0.0;
// };

For example you could use your ISP's DNS servers or the Google Public DNS servers:

forwarders {
       //Google public DNS
       8.8.8.8;
       8.8.4.4;
};

You can put as many entries in this section as you like.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow