How to allow OpenVPN (W10) client to use DNS server (BIND9) that resides on (Ubuntu 16.04) OpenVPN server?

grigory

Member
Jan 31, 2016
41
0
66
Hello!
I have Ubuntu 16.04 (Desktop Edition) with OpenVPN server and BIND9 installed. I used a script when I installed OpenVPN. My OpenVPN client is a W10 netbook with a 4G USB modem.
When I choose to use Google DNS during the OpenVPN installation, I can surf the Internet via OpenVPN just fine (on my OpenVPN client W10 machine). But if I choose to use the current DNS settings (i.e. my own BIND9 server), then I can connect from the client to the server, but DNS doesn't work. I know that I must edit the OpenVPN server's config file server.conf AND also edit the client's OpenVPN file client.ovpn. And I don't know exactly whether my DNS server (BIND9) is properly configured to play this kind of role.
When I go to W10's CMD and run ipconfig /all, I do see the DNS server with the correct IP of my BIND9 (it's the public IP of my Ubuntu machine, actually). Nevertheless, DNS doesn't work on the client machine and I couldn't find a complete step-by-step manual on how to enable this scheme.
 

grigory

Member
Jan 31, 2016
41
0
66
I added this line to the OpenVPN config file:

push "dhcp-option DNS 10.8.0.1"

And DNS on the client side still doesn't work.
When I tried to nslookup cnn.com in the W10 terminal, I saw:
*** Unknown can't find cnn.com: Query refused
When I check the two log files of BIND9 I see these lines:

In BIND9's query log file I do see these lines:

17-Sep-2019 00:17:36.679 queries: info: client 10.8.0.2#64118 (1.0.8.10.in-addr.arpa): query: 1.0.8.10.in-addr.arpa IN PTR + (10.8.0.1)
17-Sep-2019 00:17:36.704 queries: info: client 10.8.0.2#64119 (cnn.com): query: cnn.com IN A + (10.8.0.1)
17-Sep-2019 00:17:36.737 queries: info: client 10.8.0.2#64120 (cnn.com): query: cnn.com IN AAAA + (10.8.0.1)
17-Sep-2019 00:17:36.785 queries: info: client 10.8.0.2#64121 (cnn.com): query: cnn.com IN A + (10.8.0.1)
17-Sep-2019 00:17:36.804 queries: info: client 10.8.0.2#64122 (cnn.com): query: cnn.com IN AAAA + (10.8.0.1)

That is after I tried to nslookup the CNN site.
And when I try to open, say, the BBC site in the browser, I see these lines:

17-Sep-2019 00:21:47.325 queries: info: client 10.8.0.2#56585 (bbc.co.uk): query: bbc.co.uk IN A + (10.8.0.1)
17-Sep-2019 00:21:47.355 queries: info: client 10.8.0.2#56585 (bbc.co.uk): query: bbc.co.uk IN A + (10.8.0.1)
 

grigory

Member
Jan 31, 2016
41
0
66
And BTW in BIND9's debug log file I see these lines:

17-Sep-2019 00:21:37.285 security: info: client 10.8.0.2#51516 (bbc.co.uk): query (cache) 'bbc.co.uk/A/IN' denied
17-Sep-2019 00:21:37.290 security: info: client 10.8.0.2#51516 (bbc.co.uk): query (cache) 'bbc.co.uk/A/IN' denied
17-Sep-2019 00:21:47.325 security: info: client 10.8.0.2#56585 (bbc.co.uk): query (cache) 'bbc.co.uk/A/IN' denied
17-Sep-2019 00:21:47.355 security: info: client 10.8.0.2#56585 (bbc.co.uk): query (cache) 'bbc.co.uk/A/IN' denied

AND

7-Sep-2019 00:17:20.944 security: info: client 10.8.0.2#64114 (cnn.com): query (cache) 'cnn.com/A/IN' denied
17-Sep-2019 00:17:20.976 security: info: client 10.8.0.2#64115 (cnn.com): query (cache) 'cnn.com/AAAA/IN' denied
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
What if you add the following statements?

push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 1.1.1.1"

or edit /etc/bind/named.conf.options

Code:
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

So it becomes

Code:
forwarders {
    8.8.8.8;
    1.1.1.1;
};
 

Red Squirrel

No Lifer
May 24, 2003
67,651
12,252
126
www.anyf.ca
On the DNS server you may need to add a rule to allow the VPN client IP to do name resolution. In /var/named/chroot/etc/named.conf find this block:
(may have different options)

Code:
options {
    listen-on port 53 { 127.0.0.1; 10.1.1.3; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; any; };
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
};


Find the option:
Code:
allow-query     { localhost; any; };

In the { } brackets it may only be allowing localhost. You can either put "any" (if this is a local DNS) or IP range of the VPN client (the IPs that get assigned to clients). I think you can use CIDR notation, ex: 10.10.1.0/24.

Of course, also double check that DNS queries are working locally on DNS server as well as on the VPN server too just to rule that out.
 

grigory

Member
Jan 31, 2016
41
0
66
Red Squirrel,
Thanks. But I actually found the way after playing around with file etc/bind/named.conf.options. What I did was this...
Added this line to my .ovpn file on W10 client machine:

dhcp-option DNS 10.8.0.1

And in etc/bind/named.conf.options I've added before "options" this:

acl my_net { 10.0.0.0/8; };

And then added my_net into allow-recursion
 
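As an added example (not from any post in this thread), the two named.conf.options shapes discussed above side by side: the open-resolver form that `allow-query { any; }` with `recursion yes` produces on a server whose BIND also listens on its public IP, and a restricted form that grants recursion only to localhost and the VPN subnet, plus a small shell lint for the weak pattern. It assumes the tun subnet 10.8.0.0/24 and server address 10.8.0.1 from the thread; the acl name vpn_clients is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from any post in this thread. Assumes the OpenVPN
# tun subnet is 10.8.0.0/24 with the server at 10.8.0.1, as in the thread;
# the acl name vpn_clients is a constructed placeholder.
set -eu

# Weak form: "recursion yes" with "allow-query { any; }" and no
# allow-recursion on a host whose BIND also listens on its public IP
# answers recursive queries for the whole Internet (an open resolver).
weak_options() {
cat <<'EOF'
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { any; };
};
EOF
}

# Restricted form: recursion only for loopback and the VPN subnet, and
# BIND bound only to the addresses those clients actually reach.
hardened_options() {
cat <<'EOF'
acl vpn_clients { 10.8.0.0/24; };
options {
    directory "/var/cache/bind";
    listen-on port 53 { 127.0.0.1; 10.8.0.1; };
    listen-on-v6 { none; };
    recursion yes;
    allow-query     { localhost; vpn_clients; };
    allow-recursion { localhost; vpn_clients; };
    allow-transfer  { none; };
};
EOF
}

# Lint: returns 1 when the file has the open-resolver pattern above
# (recursion on, any client may query, recursion not narrowed), else 0.
check_open_resolver() {
    f=$1
    if grep -Eq '^[[:space:]]*recursion[[:space:]]+yes' "$f" \
        && grep -Eq 'allow-query[[:space:]]*\{[^}]*any' "$f" \
        && ! grep -Eq '^[[:space:]]*allow-recursion' "$f"; then
        return 1
    fi
    return 0
}
```

Run `hardened_options > /etc/bind/named.conf.options` on the server (after a backup), then `named-checkconf` and `systemctl reload bind9`; a VPN client should then resolve while a query from the public Internet is refused.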