Zentyal refused DNS queries from vpn network

[zentyaltester]

Hello.

I have a zentyal server wich is running within an virtual machine. I want use it for pptp and dns. My pptp clients is assigned a fix ip address and an dns entry.

For example:
PPTP Client:
IP 10.99.99.100
Name: pptp-client1

DNS Entry:
url: pptp-client1.example.com
ip: 10.99.99.100

Everything works fine. Clients can connect and resolve pptp-client1.example.com to 10.99.99.100.
But the client can not resolve external domains like google.com and have no internet connection.
I disabled the firewall and added a dns forwarder with dns server of my provider but with no success.

The primary name server for the pptp server ist 10.99.99.1 and the network 10.99.99.0/24.

When i am connected to pptp server and run following commands:

this will fail:

user@virtual-machine:~$ host google.de
Host google.de not found: 5(REFUSED)

but this will work:

user@virtual-machine:~$ host pptp-client1.example.com
pptp-client1.example.com has address 10.99.99.100

Anybody some ideas?

Thanks in advanced.

[zentyaltester]

Is there a main Problem because pptp clients have no internet?

Route, SNAT and so on....

[zentyaltester]

Now i am able to connect to inet with my pptp clients.

But dns problem is still existing.

Which possibilities exists, why the zentyal dns server can't resolve e.g. google.com?

[zentyaltester]

It is possible this is a network problem.

Zentyal Network: 192.168.122.0/24
VPN Network: 192.168.210.0/24

---------------------------------------------------------------------------------------------------------------------------------------------------------------

Here the results of the nslookup(executed on the client):

pptp-client1@virtual-machine:~$ nslookup google.de
Server:      127.0.1.1
Address:   127.0.1.1#53

** server can't find google.de: REFUSED
---------------------------------------------------------------------------------------------------------------------------------------------------------------
DNS entry(testdomain.zent) in the zentyal DNS Server works fine.

pptp-client1@virtual-machine:~$ nslookup testdomain.zent
Server:      127.0.1.1
Address:   127.0.1.1#53

Name:   testdomain.zent
Address: 192.168.122.209

[zentyaltester]

It's possible that i need Advertised networks. Advertised networks able for openvpn in zentyal.

[zentyaltester]

pptp-client1@virtual-machine:~$ nslookup google.com 192.168.122.209(Zentyal Server)
Server:      192.168.122.209
Address:   192.168.122.209#53

Non-authoritative answer:
Name:   google.com
Address: 173.194.70.102
Name:   google.com
Address: 173.194.70.113
Name:   google.com
Address: 173.194.70.138
Name:   google.com
Address: 173.194.70.139
Name:   google.com
Address: 173.194.70.100
Name:   google.com
Address: 173.194.70.101

pptp-client1@virtual-machine:~$ nslookup google.com 192.168.210.1(VPN Gateway -> works for intern)
Server:      192.168.210.1
Address:   192.168.210.1#53

** server can't find google.com: REFUSED

How you can see, the dns server(i use the vpn address 192.168.210.1) doesn't resolved externals url's.

[zentyaltester]

I'm thinking thats is a dns zone problem. I play around with the zentyal dns stubs.

How can i add my vpn network to the dns zones?

[zentyaltester]

dig returned following output. I used my vpn gateway address 192.168.210.1 for this.

pptp-client1@virtual-machine:~$ dig google.com 192.168.210.1

; <<>> DiG 9.8.1-P1 <<>> google.com 192.168.210.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 27086
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com.                    IN      A

;; Query time: 1 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Mar 20 11:38:42 2013
;; MSG SIZE  rcvd: 28

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54292
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;192.168.210.1.                 IN      A

;; ANSWER SECTION:
192.168.210.1.          0       IN      A       192.168.210.1

;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Mar 20 11:38:42 2013
;; MSG SIZE  rcvd: 47

Of course the internal name resolution works perfect.

pptp-client1@virtual-machine:~$ dig zentyal.lan 192.168.210.1

; <<>> DiG 9.8.1-P1 <<>> zentyal.lan 192.168.210.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47108
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;zentyal.lan.                   IN      A

;; ANSWER SECTION:
zentyal.lan.            259200  IN      A       192.168.122.209

;; AUTHORITY SECTION:
zentyal.lan.            259200  IN      NS      zentyal.zentyal.lan.

;; ADDITIONAL SECTION:
zentyal.zentyal.lan.    259200  IN      A       192.168.122.209

;; Query time: 1 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Mar 20 11:41:31 2013
;; MSG SIZE  rcvd: 83

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19011
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;192.168.210.1.                 IN      A

;; ANSWER SECTION:
192.168.210.1.          0       IN      A       192.168.210.1

;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Wed Mar 20 11:41:31 2013
;; MSG SIZE  rcvd: 47

[zentyaltester]

ok. I fixed the dns problem. It was a hard way.

The next problem is: I have to set an additional route in pptp client for internet. But after setting my route. The dns resolution works anymore. Ok i can edit my resolv.conf and everthings works but i am looking for a better way.

[andrew_seacap]

This is how I fixed it:

1. Open /usr/share/zentyal/stubs/dns/named.conf.local.mas
2. Insert your PPTP subnet in the trusted ACL below the localnets line:

Code: [Select]

acl "trusted" {
% foreach my $intnet (@intnets) {
    <% $intnet %>;
% }
    localhost;
    localnets;
    # PPTP Subnet
    192.168.210.0/24;
};

3. Restart DNS in Zentyal Dashboard
4. Reconnect PPTP client and test with nslookup somedomain.com yourzentyalip

The problem seems to be specific to PPTP clients. OpenVPN clients are automatically considered by Zentyal to be local clients and therefore do not have this problem.

[Zmark]

This is how I fixed it:
(...)

Thanks !!

[firemist]

Brilliant!
I was having this issue using an Amazon VPC (VPN) -- such an easy fix once I tracked it down (which only took 8 hours!).

thanks for posting.

[jfaria]

Great, It also worked for me on zentyal 4.1  .

I would like to know if this file (/usr/share/zentyal/stubs/dns/named.conf.local.mas) will be re-writed or not by Zentyal after an upgrade or so. Anyone to clarify this? If so, what would be the right file to declare the subnets?

[jbahillo]

As answered in another topic, yes, it will be rewritten.

Correct solution is adding involved nets to /etc/zentyal/dns.conf to intnets

[Tomvbr]

Thanks for this. I was looking for this solution.  Old but gold!