I need to set up a DNS server only to resolve the names of our network servers when a user connects to our VPN (OpenVPN). I can successfully "push" the DNS server's IP address to the client. I was under the illusion that it's easy to set up a DNS server using Bind9 for a local network. I was wrong. First, every sample I've found via Google is based on fully qualified domains, not local names. What I call a local name is something like "server1", not "server1.my.company.com". But I've discovered the famous "@".
Now I have another problem. When I try "server1" with "ping" or "nslookup", it does exactly what I want. It resolves "server1" to our internal IP. Great. But when I try "www.google.com", it fails to resolve the IP. That means that the client tries to resolve "www.google.com" using my DNS server, instead of its internet provider's DNS servers, which are still in the list of DNS servers.
Is there a way to tell the client machine: I don't know this person, see someone else?
I've noticed that "auth-nxdomain" is set to "no" by default. I tried to set it to "yes", but it doesn't do the job.
Here are my config files for Bind9 under Ubuntu 9.04:
/etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//auth-nxdomain no; # conform to RFC1035
auth-nxdomain yes;
listen-on-v6 { any; };
// To prevent the error ";; Got recursion not available from 10.8.0.1, trying next server"
allow-recursion { 10.8.0.0/24; };
};
/etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// This is the zone definition.
zone "@" {
type master;
file "/etc/bind/zones/vpn.db";
};
// This is the zone definition for reverse DNS.
zone "0.8.10.in-addr.arpa" {
type master;
file "/etc/bind/zones/rev.0.8.10.in-addr.arpa";
};
/etc/bind/zones/vpn.db
@ IN SOA vpn.local. admin.local. (
2011041608 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ; Negative Cache TTL
);
@ IN NS vpn.local.
server1 IN A 10.8.0.1
/etc/bind/zones/rev.0.8.10.in-addr.arpa
@ IN SOA vpn.local. admin.local. (
2011041608 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ; Negative Cache TTL
);
@ IN NS vpn.local.
1 IN PTR mrsvn
I don't understand anything about "SOA". I've copied the numbers from an example. And I'm not sure about "vpn.local." and "admin.local.". Anyway, the DNS server works. Because I have many things to do, I don't have the time to read 1000 pages of text before being able to execute such a simple task. Do I need to forward requests to my own DNS servers on the server side? I've tried it by changing "forwarders {...}" in the options file, but it doesn't work. And I don't like the idea of doing every DNS resolution through the VPN. Do you have a solution?
You can actually get your internal DNS server to resolve external domains as well. That should solve your problem. I worked on the exact same problem and was using dnsmasq for my internal DNS.
I solved the issue by setting the DNS servers on the VPN gateway machine to use Google DNS after trying its own internal DNS. So the DNS config in /etc/resolv.conf looked like:
nameserver 127.0.0.1
nameserver 8.8.8.8
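To make the behaviour in the question and the fix in the answer concrete, here is an added example (not code from the question, the answer, or BIND itself): a small parser for the master-file syntax used in the zone file posted above, a couple of sanity checks a zone admin would want, and a lookup that chains the local zone and an upstream resolver in the order the answer's /etc/resolv.conf does (local first, then 8.8.8.8). The upstream answers are a constructed stub dictionary with a documentation address, so the script runs offline; the zone text is a copy of the question's vpn.db.

```python
"""Added example: parse the posted zone file, check it, and resolve names
the way the answer's VPN gateway does (local zone first, then upstream).
Nothing here talks to the network; the upstream resolver is a stub."""

# Constructed copy of the forward zone file from the question.
VPN_DB = """\
@ IN SOA vpn.local. admin.local. (
2011041608 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ; Negative Cache TTL
);
@ IN NS vpn.local.
server1 IN A 10.8.0.1
"""


def parse_zone(text):
    """Parse master-file text into a list of (owner, type, rdata_tokens).

    Handles ';' comments and the parenthesised multi-line SOA form.
    The '@' owner is kept literally, as it appears in the source file."""
    stripped = [line.split(";", 1)[0] for line in text.splitlines()]
    logical, buf = [], ""
    for line in stripped:
        buf = (buf + " " + line).strip()
        if buf.count("(") > buf.count(")"):
            continue  # still inside a multi-line record
        if buf:
            logical.append(buf)
        buf = ""
    records = []
    for entry in logical:
        tokens = entry.replace("(", " ").replace(")", " ").split()
        if len(tokens) < 4:
            continue
        owner, cls, rtype, *rdata = tokens
        if cls != "IN":
            raise ValueError(f"unexpected class {cls!r} in {entry!r}")
        records.append((owner, rtype, rdata))
    return records


def check_zone(records):
    """Checks worth running before loading a zone: exactly one SOA at the
    apex, at least one NS record, and an integer serial. Returns the serial."""
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1 or soa[0][0] != "@":
        raise ValueError("zone must have exactly one SOA at '@'")
    serial = int(soa[0][2][2])  # rdata: mname rname serial refresh retry expire minimum
    if not any(r[1] == "NS" for r in records):
        raise ValueError("zone has no NS record")
    return serial


def lookup_local(records, name):
    """Return the A record for a bare name in the zone, or None (NXDOMAIN)."""
    for owner, rtype, rdata in records:
        if rtype == "A" and owner == name:
            return rdata[0]
    return None


# Constructed stand-in for a public recursive resolver such as 8.8.8.8;
# 203.0.113.0/24 is a documentation range, not a real Google address.
UPSTREAM_STUB = {"www.google.com": "203.0.113.10"}


def resolve(name, records, upstream=UPSTREAM_STUB):
    """Answer as the answer's gateway does: local zone first, then upstream.

    A typical stub resolver (glibc's, for example) only moves on to the next
    'nameserver' line on timeout or SERVFAIL, not on NXDOMAIN, so a client
    pointed at the internal server never reaches the ISP's servers for
    external names. Forwarding on the server side is what closes that gap."""
    addr = lookup_local(records, name)
    if addr is not None:
        return addr, "local"
    if name in upstream:
        return upstream[name], "upstream"
    return None, "NXDOMAIN"


if __name__ == "__main__":
    zone = parse_zone(VPN_DB)
    print("serial:", check_zone(zone))
    for q in ("server1", "www.google.com", "nonexistent"):
        print(q, "->", resolve(q, zone))
```

The `allow-recursion { 10.8.0.0/24; };` line in the question's options file matters once the server forwards external queries on behalf of clients: without it, a server reachable from the internet would answer recursive queries for anyone (an open resolver), so keep recursion limited to the VPN subnet when adding forwarders.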