Topic: VPN Client cannot resolve external URLs

dirkey (Zen Apprentice, Posts: 2, Karma: +0/-0)
VPN Client cannot resolve external URLs
« on: October 05, 2017, 03:24:08 pm »
Hi,

I configured a new Zentyal server. I set up DNS with forwarders, and internally everything works fine. But when I am connected via VPN I cannot resolve external URLs (e.g. www.google.de). Internal URLs are fine, but no URL outside my internal domain gets resolved. I configured the VPN to use the Zentyal server as the primary DNS and set the search domain to the internal domain name.

Thanks,
Dirk

dirkey (Zen Apprentice, Posts: 2, Karma: +0/-0)
Re: VPN Client cannot resolve external URLs
« Reply #1 on: October 09, 2017, 09:32:20 pm »
I found the cause of the problem, but I cannot find a solution that fixes it reliably.

BIND9 is configured to "allow-recursion" and "allow-query-cache" only from trusted clients, but the VPN network is not in the ACL:

/etc/bind/named.conf.local
acl "trusted" {
    localhost;
    localnets;
};
....

Adding the VPN network solves the DNS resolution problem:

/etc/bind/named.conf.local
acl "trusted" {
    localhost;
    localnets;
    172.20.20.0/24;
};
....

Problem now: it only keeps these settings if I manually restart bind9 via "service bind9 restart". Restarting it from the GUI or changing the DNS configuration overwrites this setting.

How am I able to set it permanently? Is this a bug?

jgould (Zen Monk, Posts: 51, Karma: +6/-0)
Re: VPN Client cannot resolve external URLs
« Reply #2 on: November 21, 2019, 09:11:14 pm »
Quote from: dirkey on October 09, 2017, 09:32:20 pm

I found the cause of the problem, but I cannot find a solution that fixes it reliably.

BIND9 is configured to "allow-recursion" and "allow-query-cache" only from trusted clients, but the VPN network is not in the ACL:

/etc/bind/named.conf.local
acl "trusted" {
    localhost;
    localnets;
};
....

Adding the VPN network solves the DNS resolution problem:

/etc/bind/named.conf.local
acl "trusted" {
    localhost;
    localnets;
    172.20.20.0/24;
};
....

Problem now: it only keeps these settings if I manually restart bind9 via "service bind9 restart". Restarting it from the GUI or changing the DNS configuration overwrites this setting.

How am I able to set it permanently? Is this a bug?

Came across this and wanted to provide for others.

You want to edit /usr/share/zentyal/stubs/dns/named.conf.local.mas, find the section acl "trusted" and add in your networks so that they survive reboots.

/usr/share/zentyal/stubs/dns/named.conf.local.mas

acl "trusted" {
% foreach my $intnet (@intnets) {
    <% $intnet %>;
% }
    172.20.20.0/24;
    localhost;
    localnets;
};

There might be a method to add this via the DNS GUI tools; I don't know. I've had to do similar tweaks for DNS forwarding to other domains.

B8emg (Zen Apprentice, Posts: 3, Karma: +2/-0)
Re: VPN Client cannot resolve external URLs
« Reply #3 on: November 25, 2019, 06:15:53 am »
The proper way of doing that is editing /etc/zentyal/dns.conf and setting intnets to fit your needs.

# Internal networks allowed to do recursive queries
# to Zentyal DNS caching server. Local networks are already
# allowed and this setting is intended to networks
# reachables through static routes.
# Example: intnets = 192.168.99.0/24,192.168.98.0/24
intnets =
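The failure in this thread comes down to BIND's first-match address lists: a client that matches no element of the "trusted" ACL gets recursion denied, so the VPN subnet resolves internal (authoritative) names but nothing that needs a forwarder. The script below is an added example, not code from the thread or from Zentyal: it parses an acl block as shown in the replies above, checks whether a given client address would be accepted, reads the intnets value from a dns.conf snippet as B8emg describes, and renders the acl the way the named.conf.local.mas stub quoted by jgould appears to (that rendering is an assumed model, not Zentyal's own code). The 192.168.1.0/24 LAN, the 172.20.20.5 VPN client address and the dns.conf text are constructed sample values; "localhost" is modelled as the loopback ranges and "localnets" has to be passed in because the script cannot inspect the real host's interfaces.

```python
import ipaddress
import re

# Constructed samples, copied from the thread: the acl "trusted" block in
# /etc/bind/named.conf.local before and after the VPN subnet was added.
ACL_BEFORE = '''
acl "trusted" {
    localhost;
    localnets;
};
'''

ACL_AFTER = '''
acl "trusted" {
    localhost;
    localnets;
    172.20.20.0/24;
};
'''

# Assumption: BIND's built-in "localhost" list is modelled as the loopback
# ranges; "localnets" (the server's own interface networks) must be passed in,
# since this script cannot inspect the real host.
LOCALHOST_NETS = ("127.0.0.0/8", "::1/128")


def parse_acl(text, name="trusted"):
    """Return the elements of acl "<name>" { ... }; in order, comments stripped."""
    m = re.search(r'acl\s+"%s"\s*\{(.*?)\};' % re.escape(name), text, re.S)
    if not m:
        raise ValueError("acl %r not found" % name)
    elems = []
    for line in m.group(1).splitlines():
        line = re.split(r'//|#', line, maxsplit=1)[0]   # drop trailing comments
        elems.extend(item.strip() for item in line.split(";") if item.strip())
    return elems


def expand_acl(elems, localnets):
    """Map each element to (negated, [ip_network, ...]). Order is preserved
    because BIND evaluates address match lists first-match."""
    expanded = []
    for elem in elems:
        negated = elem.startswith("!")
        token = elem.lstrip("!").strip()
        if token == "localhost":
            nets = LOCALHOST_NETS
        elif token == "localnets":
            nets = localnets
        elif token == "any":
            nets = ("0.0.0.0/0", "::/0")
        elif token == "none":
            nets = ()
        else:
            nets = (token,)
        expanded.append((negated, [ipaddress.ip_network(n, strict=False) for n in nets]))
    return expanded


def client_allowed(client_ip, conf_text, localnets, name="trusted"):
    """True if client_ip matches the acl the way allow-recursion would accept it.
    No match means denied, which is exactly what the VPN client in the thread hit."""
    ip = ipaddress.ip_address(client_ip)
    for negated, nets in expand_acl(parse_acl(conf_text, name), localnets):
        if any(ip.version == n.version and ip in n for n in nets):
            return not negated
    return False


def intnets_from_dns_conf(dns_conf_text):
    """Read the comma-separated 'intnets' value from /etc/zentyal/dns.conf text."""
    for line in dns_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("intnets"):
            _, _, value = line.partition("=")
            return [v.strip() for v in value.split(",") if v.strip()]
    return []


def render_trusted_acl(intnets):
    """Assumed model (hypothetical, not Zentyal's code) of what the
    named.conf.local.mas stub renders from @intnets: the listed networks
    first, then the built-ins."""
    body = "".join("    %s;\n" % n for n in intnets)
    return 'acl "trusted" {\n%s    localhost;\n    localnets;\n};\n' % body


if __name__ == "__main__":
    lan = ["192.168.1.0/24"]                  # constructed: the server's own LAN
    for label, conf in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(label, "- VPN client 172.20.20.5 allowed recursion:",
              client_allowed("172.20.20.5", conf, lan))
    # The persistent fix: set intnets in dns.conf and let the stub render the acl.
    dns_conf = "# comment\nintnets = 172.20.20.0/24\n"   # constructed
    rendered = render_trusted_acl(intnets_from_dns_conf(dns_conf))
    print("rendered acl allows VPN client:", client_allowed("172.20.20.5", rendered, lan))
```

Run it against a copy of your own named.conf.local after a GUI-triggered regeneration: if the VPN subnet is absent from the parsed acl, the intnets setting did not make it into the rendered file and hand edits will be lost on the next restart, which is the symptom dirkey reported.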