I found the cause of the problem, but I cannot find a solution that fixes it reliably.
BIND9 is configured to "allow-recursion" and "allow-query-cache" only from trusted clients, but the VPN is not in the acl:
/etc/bind/named.conf.local
acl "trusted" {
    localhost;
    localnets;
};
....
Adding the VPN network solves the DNS resolution problem:
/etc/bind/named.conf.local
acl "trusted" {
    localhost;
    localnets;
    172.20.20.0/24;
};
....
Problem now: It only keeps this setting if I manually restart bind9 via "service bind9 restart". Restarting it from the GUI or changing the DNS configuration will overwrite this setting.
How can I set it permanently? Is this a bug?
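The following is an added example, not part of the original post: a small model of how the "trusted" acl decides whether a client may use recursion, run against both versions of the acl shown above. The server interface address (192.168.1.10/24) and the client addresses are assumptions, and only the built-in names and literal addresses or prefixes are handled (no nested acls or keys).

```python
import ipaddress
import re

# Constructed inputs: the two versions of the acl shown in the post.
ORIGINAL = 'acl "trusted" {\nlocalhost;\nlocalnets;\n};'
WITH_VPN = 'acl "trusted" {\nlocalhost;\nlocalnets;\n172.20.20.0/24;\n};'

# Assumption: the server has a single LAN interface, 192.168.1.10/24.
SERVER_IFACES = [ipaddress.ip_interface("192.168.1.10/24")]

def parse_acl(conf, name):
    """Return the elements of the named acl statement, in order."""
    m = re.search(r'acl\s+"?%s"?\s*\{([^{}]*)\}\s*;' % re.escape(name), conf)
    if m is None:
        raise KeyError(name)
    return [e.strip() for e in m.group(1).split(";") if e.strip()]

def element_matches(ip, elem, ifaces):
    """Test one address-match-list element against a client address."""
    if elem == "any":
        return True
    if elem == "none":
        return False
    if elem == "localhost":   # addresses of the server itself
        return ip.is_loopback or any(ip == i.ip for i in ifaces)
    if elem == "localnets":   # networks the server's interfaces sit on
        return any(ip in i.network for i in ifaces)
    return ip in ipaddress.ip_network(elem, strict=False)

def is_trusted(client, conf, name="trusted", ifaces=SERVER_IFACES):
    """First matching element decides; '!' negates; no match means refused."""
    ip = ipaddress.ip_address(client)
    for elem in parse_acl(conf, name):
        negated = elem.startswith("!")
        if element_matches(ip, elem.lstrip("! "), ifaces):
            return not negated
    return False

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("with VPN", WITH_VPN)):
        for client in ("192.168.1.50", "172.20.20.5"):
            print(label, client, is_trusted(client, conf))
```

Running the same check against the live named.conf.local after a restart from the GUI shows whether the VPN prefix is still in the acl.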