Weird DNS issue when connected to OpenVPN
BlazeMuis Member
edited August 2014 in Help

I'm having a problem with my OpenVPN server: I cannot resolve any domains.

This is the "error" I'm getting:

C:\Users\Wesley>nslookup google.com
DNS request timed out.
    timeout was 2 seconds.
Server:  xxx.xxxx.xx
Address:  128.204.xxx.xxx

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

Yes, I'm using my own DNS server (ad-blocking), which works when I set it manually on my computer. But I also want to use that DNS server when I'm connected to the VPN on my iPad somewhere.

Could anyone help me with this?

EDIT:

When I set the nameserver in resolv.conf on the VPS where the VPN is installed, I get the following error:

 nslookup google.com
;; connection timed out; no servers could be reached

Comments

  • noosVPS Member
    edited August 2014

    push "dhcp-option DNS 192.168.1.1"

    Use this option and set your DNS server ip ^^

  • @noosVPS said:
    push "dhcp-option DNS 192.168.1.1"

    Use this option and set your DNS server ip ^^

    I know that... and I have done that.

  • Are you able to connect to your DNS servers? (is route set properly)?

  • @noosVPS said:
    Are you able to connect to your DNS servers? (is route set properly)?

    Please re-read my OP please.

  • Can you paste your named.conf & named.conf.options? (OS dependent)

  • @Blanoz said:
    Can you paste your named.conf & named.conf.options? (OS dependent)

    Sure.

    named.conf:

    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/named.conf.blocked";

    named.conf.options:

    options {
            directory "/var/cache/bind";
    
            // If there is a firewall between you and nameservers you want
            // to talk to, you may need to fix the firewall to allow multiple
            // ports to talk.  See http://www.kb.cert.org/vuls/id/800113
    
            // If your ISP provided one or more IP addresses for stable
            // nameservers, you probably want to use them as forwarders.
            // Uncomment the following block, and insert the addresses replacing
            // the all-0's placeholder.
    
            // forwarders {
            //      0.0.0.0;
            // };
    
            //========================================================================
            // If BIND logs error messages about the root key being expired,
            // you will need to update your keys.  See https://www.isc.org/bind-keys
            //========================================================================
            dnssec-validation auto;
    
            auth-nxdomain no;    # conform to RFC1035
            listen-on { any; };
            allow-recursion { any; };
            allow-query { any; };
            allow-query-cache { any; };
    
    };
    
  • joodle said: Please re-read my OP please.

    You are not allowing me to help you. In any case you should be checking your routing table to know the reason. Over and out.

  • noosVPS said: You are not allowing me to help you. In any case you should be checking your routing table to know the reason. Over and out.

    I am; in my OP I already said that I was able to connect to the DNS server using my computer.

  • Uncomment forwarders and use Google's 8.8.8.8 or OpenDNS' 208.67.222.222 - whatever your flavor is. And give it another spin. If it fails, sorry, I'm out of ideas.

  • @Blanoz said:
    Uncomment forwarders and use Google's 8.8.8.8 or OpenDNS' 208.67.222.222 - whatever your flavor is. And give it another spin. If it fails, sorry, I'm out of ideas.

    Uncommenting forwarders doesn't solve it. Google's DNS does work (since the beginning), but I really want to use my own DNS server.

  • So even when you're connected to the vpn, you want the dns resolution to be local instead of going through the vpn?

    You can try this (it works for me).

    Check the openvpn server config file and remove any lines that are pushing the DNS servers, i.e.

    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    

    Then reconnect to the vpn.

    If your DNS server is on a different subnet, you may need to change the openvpn client config .ovpn to bypass the vpn for the DNS server addresses, too, though. For example:

    route 8.8.8.8 255.255.255.255 net_gateway
    route 8.8.4.4 255.255.255.255 net_gateway
    
  • david said: So even when you're connected to the vpn, you want the dns resolution to be local instead of going through the vpn?

    The DNS server is not local, it's on an external VPS

  • socials Member
    edited August 2014

    @joodle said:
    Sure.

    named.conf.options:

    allow-recursion { any; };

    Good luck with that.

    Also, you should really read up on how to configure a DNS server. You don't even know about forwarders.

    Of course you cannot get anything resolved with your own DNS server if you don't have any forwarders.

  • @socials said:
    Of course you cannot get anything resolved with your own DNS server if you don't have any forwarders.

    Then tell me why it works on my computer; it even works on all devices here when I set the DNS to mine in the router.

  • socials Member
    edited August 2014

    You probably have alternate DNS servers also set. Or your router/computer is using its DNS cache.

    What is the output of

    dig google.com @YOUR-DNS-SERVER-IP

    ?

  • socials said: You probably have alternate DNS servers also set. Or your router/computer is using its DNS cache.

    Nah, I don't think so. I did an ipconfig /flushdns on my computer.

    socials said: What is the output of

    ; <<>> DiG 9.7.3 <<>> google.com @xxx.xxx.xxx.xxx
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

    Weird thing is, the DNS server works just fine on my home network, while the DNS server is hosted on a VPS in NL.

  • socials Member
    edited August 2014

    As I said, you need to add forwarders.

    Before doing that, make sure your DNS server is not an open resolver. At the moment it is.
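    An added example (not from this thread or from BIND) that checks a named.conf.options for the open-resolver setting flagged above and contrasts it with a hardened version; the 10.8.0.0/24 tunnel subnet and the file paths are assumptions:

```shell
# Added example, not from the thread. Audits a BIND named.conf.options for the
# open-resolver setting flagged above and shows a hardened equivalent.
# Assumption: the OpenVPN tunnel subnet is 10.8.0.0/24 (a constructed value).
set -eu
# Return 0 when recursion is limited to an ACL and at least one forwarder is
# configured; return 1 when recursion is open to "any" (or forwarders are missing).
resolver_is_hardened() {
    # drop // and # comments so a commented-out forwarders block does not count
    stripped=$(sed -e 's,//.*$,,' -e 's,#.*$,,' "$1")
    printf '%s\n' "$stripped" | grep -q 'allow-recursion[[:space:]]*{[[:space:]]*any[[:space:]]*;' && return 1
    printf '%s\n' "$stripped" | grep -q 'allow-recursion[[:space:]]*{' || return 1
    printf '%s\n' "$stripped" | grep -q 'forwarders[[:space:]]*{' || return 1
    return 0
}
WORK=$(mktemp -d)
# Options block as posted in the thread: recursion open to the whole Internet.
cat > "$WORK/open.conf" <<'EOF'
options {
        directory "/var/cache/bind";
        // forwarders { 0.0.0.0; };
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on { any; };
        allow-recursion { any; };
        allow-query { any; };
        allow-query-cache { any; };
};
EOF
# Hardened version: recursion only for localhost and VPN clients, with forwarders.
cat > "$WORK/hardened.conf" <<'EOF'
acl "vpnclients" { 127.0.0.1; 10.8.0.0/24; };
options {
        directory "/var/cache/bind";
        forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-validation auto;
        listen-on { any; };
        allow-recursion { vpnclients; };
        allow-query { vpnclients; };
        allow-query-cache { vpnclients; };
};
EOF
report() {
    if resolver_is_hardened "$1"; then echo "$1: OK (recursion restricted, forwarders set)"
    else echo "$1: OPEN RESOLVER or no forwarders - fix before adding forwarders"; fi
}
report "$WORK/open.conf"; report "$WORK/hardened.conf"
```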

  • socials said: As I said, you need to add forwarders.

    I already tried to do that, didn't work.

  • @joodle said:
    I already tried to do that, didn't work.

    It does work.

    Probably it's your firewall or you didn't restart the named service after modifying the configuration. Also, look at your logs.

  • @socials said:
    Probably it's your firewall or you didn't restart the named service after modifying the configuration. Also, look at your logs.

    Firewall doesn't block anything. I have restarted bind.

    I have added the following to the config:

    forwarders {
            8.8.8.8;
            8.8.4.4;
    };

  • socials Member
    edited August 2014

    Is named even listening on port 53 and on the right interface?

    $ netstat -tulpn

    And look at your logs!

  • socials said: Is named even listening on port 53 and on the right interface?

    It's running on both localhost and the external ip on port 53.

    There are no error logs from bind/named in the syslog file.

  • If you do a

    dig google.com @127.0.0.1

    on your DNS server, does it resolve?

  • @socials said:
    If you do a

    dig google.com @127.0.0.1

    on your DNS server, does it resolve?

    Yep, that works.

  • socials Member
    edited August 2014

    In that case it's most likely a firewall issue.

    Especially if you can't see anything in your logs. It should log failed queries, but it seems the queries never even make it to named.

  • nickyzai Member, Host Rep

    I think it is your iptables issue bro. Try the commands below on your VPN server and see whether 8.8.8.8 is reachable or not first, before trying to resolve DNS.

    echo 1 > /proc/sys/net/ipv4/ip_forward;
    iptables -t nat -I POSTROUTING -j MASQUERADE;

  • Everything works fine on the VPN server; I can use Google's DNS and OpenDNS. But the thing is, I can't use my own :(

  • Does the DNS request reach your VPS? Check with tcpdump or iptables' packet counters. If it does, increase the log level and see why you don't get a DNS reply.

  • iptables

  • Just installed bind with the same config on another VPS and it's working fine on that one. Seems like it was indeed a firewall issue.