Openvpn dns server not resolving forwarded DNS lookups after connecting, only local

binddomain-name-systemopenvpn

I am using OpenVPN server (on an Ubuntu server 14.04) with Mac OS X Yosemite client (using TunnelBlick v 3.50 build 4265).
It works well except for the DNS server from the VPN server which although it is being set on the client, it is only resolving the DNS queries for the local intranet and not being forwarded to the resolver for internet lookups. The same DNS server (bind) works fine in the local intranet and on the OpenVPN server.

Here is one dig output once the vpn is connected.

$ dig -x www.google.com

; <<>> DiG 9.8.3-P1 <<>> -x www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 12157
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;com.google.www.in-addr.arpa.   IN  PTR

;; Query time: 1884 msec
;; SERVER: 10.0.0.9#53(10.0.0.9)
;; WHEN: Fri May  8 10:32:22 2015
;; MSG SIZE  rcvd: 45

Best Answer

Another solution, add recursion to 10.1.0.0/24 net, by adding this line in /etc/bind/named.conf.options, as follow:

allow-recursion { 10.1.0.0/24; };

Related Solutions

Debian – Setting up a DNS name server for a mass virtual host with Bind9

Looking at the IP addresses in your resolv.conf I get the feeling that your BIND server is on 192.168.1.52. As far as I can tell, you can't specify in resolv.conf something like "for these domains, use this name server". Basically, your BIND server will never be queried. As you can see in your dig lookup (which is incorrect, it is asking for a reverse DNS entry), it tries 80.58.0.33, which I assume is your provider's DNS server.

You already set up BIND as caching nameserver by using the 'forwarders' option, so what you need to do is have only 192.168.1.52 in the client PCs as nameserver.

To see if your BIND is configured correctly, try this:

dig example.test @192.168.1.52

CentOS BIND DNS Troubleshooting

Some suggestions:

Remove the two google nameservers from your resolv.conf. Your nameserver is failing, but you're not getting much useful information because nslookup is falling through to the next nameserver.

Use dig instead if nslookup. The status response from dig is helpful in troubleshooting.

dig @192.168.100.10 mac1.max.app. a
dig @192.168.100.10 max.app. ns

Make sure you check your logs to see if your zone is actually loading.

Check netstat to make sure named is listening on port 53 of the appropriate interface.

Best Answer

Related Solutions

Debian – Setting up a DNS name server for a mass virtual host with Bind9

CentOS BIND DNS Troubleshooting

Related Topic