Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: dirkey on October 05, 2017, 03:24:08 pm

Title: VPN Client cannot resolve external URLs
Post by: dirkey on October 05, 2017, 03:24:08 pm
Hi,

I configured a new Zentyal server. I set up DNS with forwarders, and internally everything works fine. But if I connect via VPN, I cannot resolve external URLs (e.g. www.google.de). Internal URLs are fine, but no URL outside my internal domain will be resolved. I configured the VPN to use the Zentyal server as the primary DNS and added the search domain for the internal domain name.

Thanks,
Dirk
Title: Re: VPN Client cannot resolve external URLs
Post by: dirkey on October 09, 2017, 09:32:20 pm
I found the cause of the problem, but I cannot find a solution that solves it reliably.

BIND9 is configured with "allow-recursion" and "allow-query-cache" only for trusted clients, but the VPN is not in the ACL:

Code:
/etc/bind/named.conf.local
acl "trusted" {
    localhost;
    localnets;
};
....

Adding the VPN network solves the DNS resolution problem:

Code:
/etc/bind/named.conf.local
acl "trusted" {
    localhost;
    localnets;
    172.20.20.0/24;
};
....

Problem now: it only keeps these settings if I manually restart bind9 via "service bind9 restart". Restarting it from the GUI or changing the DNS configuration will overwrite this setting.

How am I able to set it permanently? Is this a bug?
Title: Re: VPN Client cannot resolve external URLs
Post by: jgould on November 21, 2019, 09:11:14 pm
Came across this and wanted to provide for others.

You want to edit /usr/share/zentyal/stubs/dns/named.conf.local.mas, find the section acl "trusted" and add in your networks to sustain reboots.

Code:
/usr/share/zentyal/stubs/dns/named.conf.local.mas

acl "trusted" {
% foreach my $intnet (@intnets) {
    <% $intnet %>;
% }
    172.20.20.0/24;
    localhost;
    localnets;
};


There might be a method to add this via the DNS GUI tools. I don't know. I've had to do similar tweaks for DNS forwarding to other domains.
Title: Re: VPN Client cannot resolve external URLs
Post by: B8emg on November 25, 2019, 06:15:53 am
The proper way of doing that is editing /etc/zentyal/dns.conf and setting intnets to fit your needs.

# Internal networks allowed to do recursive queries
# to Zentyal DNS caching server. Local networks are already
# allowed and this setting is intended to networks
# reachables through static routes.
# Example: intnets = 192.168.99.0/24,192.168.98.0/24
intnets =
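An added check for the two fixes in this thread (jgould's stub edit and B8emg's intnets setting), written here as example code and not taken from the thread or from Zentyal: it parses the "intnets" line of dns.conf and the acl "trusted" block of named.conf.local and confirms that the VPN subnet appears in both, i.e. that the setting survived Zentyal regenerating the BIND config. The file names and the 172.20.20.0/24 network are the thread's; the function names and the sample files written by write_samples are my own, constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from Zentyal: verify that the VPN subnet
# is present in both places the thread discusses, the "intnets" key in
# /etc/zentyal/dns.conf and the generated acl "trusted" in /etc/bind/named.conf.local.
# 172.20.20.0/24 is the network used in the thread; the files written by
# write_samples are constructed stand-ins so the script runs offline.

# intnets_has_net FILE CIDR: exit 0 if CIDR is one of the comma-separated intnets values
intnets_has_net() {
    grep -E '^[[:space:]]*intnets[[:space:]]*=' "$1" \
        | sed 's/^[^=]*=//' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -Fqx -- "$2"
}

# acl_has_net FILE ACL CIDR: exit 0 if "CIDR;" is an entry inside acl "ACL" { ... }
acl_has_net() {
    awk -v name="$2" '
        $1 == "acl" && $2 == "\"" name "\"" { inblk = 1; next }
        inblk && /^[[:space:]]*};/           { inblk = 0 }
        inblk                                 { print }
    ' "$1" \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -Fqx -- "$3;"
}

# write_samples DIR: constructed examples of the two files (not real server output)
write_samples() {
    mkdir -p "$1"
    cat > "$1/dns.conf" <<'EOF'
intnets = 192.168.99.0/24, 172.20.20.0/24
EOF
    cat > "$1/named.conf.local" <<'EOF'
acl "trusted" {
    192.168.99.0/24;
    172.20.20.0/24;
    localhost;
    localnets;
};
acl "other" {
    10.9.9.0/24;
};
EOF
}

# check_vpn_net DIR CIDR: exit 0 only when both files list the network (what "Save changes" should produce)
check_vpn_net() {
    intnets_has_net "$1/dns.conf" "$2" && acl_has_net "$1/named.conf.local" trusted "$2"
}
```

On a real server, call intnets_has_net and acl_has_net directly against /etc/zentyal/dns.conf and /etc/bind/named.conf.local after saving changes in the GUI, and run named-checkconf before relying on the result.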