Author Topic: [Solved] DNS - query status refused - subnets not on Zentyal network interfaces  (Read 6829 times)

HomeUser6866 (Zen Apprentice, Posts: 2, Karma: +0/-0)
Dear all,

I have a firewall (UTM) which is connected to the internet and internally to several VLANs with their own subnets. The firewall is routing between the VLANs and hence between the subnets.
I have connected Zentyal as a domain controller on eth0 192.168.30.20 (the service VLAN) and eth1 192.168.50.20 (the management VLAN).

Clients from VLAN Users 192.168.20.x can use the Zentyal DNS to query internal domain names but not public domain names, e.g. www.google.com. DNS queries for internet domain names are refused (per dig).

The Zentyal DNS Server has a DNS Forwarder configured and this has been confirmed to work with the network tools of Zentyal.

I suspect that Zentyal regards the subnets not directly connected to Zentyal as not trusted and hence "refuses" the DNS request for internet domain names.

Firewall logs do not show any blocked DNS requests either.

So if my assumption is correct I somehow need to configure in Zentyal my other subnets as trusted.

Can anyone help please? I am lost!

Kind regards

« Last Edit: November 28, 2014, 11:45:25 pm by HomeUser6866 »

HomeUser6866 (Zen Apprentice, Posts: 2, Karma: +0/-0)
Re: DNS - query status refused - subnets not on Zentyal network interfaces
« Reply #1 on: November 28, 2014, 11:43:20 pm »
This is the solution from another post:
The bottom-line problem is that the VLANs I have are on different subnets than the Zentyal domain.

This is how I fixed it:

1. Open /usr/share/zentyal/stubs/dns/named.conf.local.mas
2. Insert your PPTP subnet in the trusted ACL below the localnets line:

Code:
acl "trusted" {
% foreach my $intnet (@intnets) {
    <% $intnet %>;
% }
    localhost;
    localnets;
    # PPTP Subnet
    192.168.210.0/24;
};

3. Restart DNS in Zentyal Dashboard
4. Reconnect PPTP client and test with nslookup somedomain.com yourzentyalip

The problem seems to be specific to PPTP clients. OpenVPN clients are automatically considered by Zentyal to be local clients and therefore do not have this problem.

jfaria (Zen Apprentice, Posts: 14, Karma: +0/-0)
Great, it also worked for me on Zentyal 4.1 :)

I wonder if this file (/usr/share/zentyal/stubs/dns/named.conf.local.mas) will be rewritten by Zentyal after an upgrade or so.

Anyone to clarify this? If so, what would be the right file to declare the subnets?

Note: it has nothing to do with PPTP clients; it is just a different subnet asking for DNS resolution.
« Last Edit: June 29, 2015, 05:41:26 pm by jfaria »

jbahillo (Zentyal Staff, Zen Hero, Posts: 1444, Karma: +77/-2)
The correct solution is editing /etc/zentyal/dns.conf, adding the appropriate network to intnets (the networks from which recursive queries, domain transfers, etc. are allowed).


Editing /usr/share... is not valid, as you'll lose the changes on module upgrades. Please have a look at doc.zentyal.org and read the stubs section in the advanced customization appendix.
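The two fixes above (the stub edit in Reply #1 and the staff answer to put the network into intnets in /etc/zentyal/dns.conf) both come down to the same question: is the querying client's address covered by BIND's "trusted" ACL, where "localnets" only expands to the subnets of Zentyal's own interfaces? The following script is an added example, not code from the thread or from Zentyal. It parses a rendered "trusted" ACL, expands localhost/localnets the way BIND does (the interface networks are taken from the original post), scans constructed BIND query-log lines for clients whose queries were denied, and prints the /24s that still need to be added. The log line shape, the 127.0.0.0/8 expansion of localhost, and the `intnets = a,b` line it prints for dns.conf are assumptions; check the key's exact syntax against the comments in your own /etc/zentyal/dns.conf before using the output.

```python
import ipaddress
import re

# Constructed sample: the "trusted" ACL as BIND sees it once Zentyal renders the
# named.conf.local stub with no extra intnets. "localnets" expands to the
# networks of the server's own interfaces (eth0/eth1 from the original post).
SAMPLE_ACL = """
acl "trusted" {
    localhost;   // expanded to 127.0.0.0/8 below (assumption for IPv4 only)
    localnets;   // directly connected interface networks
};
"""

# Zentyal's own interface networks, as stated in the thread (constructed list).
INTERFACE_NETWORKS = ["192.168.30.0/24", "192.168.50.0/24"]

# Constructed BIND query-log lines. The "denied" wording is the assumed shape
# named uses when a client falls outside allow-recursion/allow-query-cache.
SAMPLE_LOG = """\
28-Nov-2014 22:40:01.123 client 192.168.20.15#53211 (www.google.com): query (cache) 'www.google.com/A/IN' denied
28-Nov-2014 22:40:05.456 client 192.168.30.40#41822 (www.google.com): query: www.google.com IN A + (192.168.30.20)
28-Nov-2014 22:40:09.789 client 192.168.20.77#60001 (example.org): query (cache) 'example.org/A/IN' denied
28-Nov-2014 22:40:12.000 client 192.168.210.5#40000 (example.org): query (cache) 'example.org/A/IN' denied
"""


def parse_acl(conf_text, acl_name, interface_networks):
    """Return the IPv4 networks an ACL matches, expanding BIND's built-ins."""
    match = re.search(r'acl\s+"?%s"?\s*\{(.*?)\};' % re.escape(acl_name),
                      conf_text, re.DOTALL)
    if match is None:
        raise ValueError("acl %r not found" % acl_name)
    networks = []
    for line in match.group(1).splitlines():
        # Drop both BIND comment styles before splitting on the ';' separators.
        line = line.split("#", 1)[0].split("//", 1)[0]
        for token in line.split(";"):
            token = token.strip()
            if not token:
                continue
            if token == "localhost":
                networks.append(ipaddress.ip_network("127.0.0.0/8"))
            elif token == "localnets":
                networks.extend(ipaddress.ip_network(n) for n in interface_networks)
            elif token.startswith("!"):
                raise ValueError("negated ACL entries are not handled: %s" % token)
            else:
                # Plain address or CIDR; strict=False accepts host bits set.
                networks.append(ipaddress.ip_network(token, strict=False))
    return networks


def is_trusted(networks, client_ip):
    """True if client_ip falls inside any network of the ACL."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)


def denied_clients(log_text):
    """Client IPs whose queries BIND logged as denied (assumed log shape)."""
    return sorted(set(re.findall(r"client (\d+(?:\.\d+){3})#\d+[^\n]*\bdenied\b",
                                 log_text)))


def missing_intnets(conf_text, log_text, interface_networks, prefix=24):
    """Subnets (as /prefix) of denied clients that the trusted ACL does not cover."""
    networks = parse_acl(conf_text, "trusted", interface_networks)
    missing = set()
    for ip in denied_clients(log_text):
        if not is_trusted(networks, ip):
            missing.add(ipaddress.ip_network("%s/%d" % (ip, prefix), strict=False))
    return [str(n) for n in sorted(missing)]


def render_intnets(subnets):
    """Assumed comma-separated form of the intnets key in /etc/zentyal/dns.conf."""
    return "intnets = " + ",".join(subnets)


if __name__ == "__main__":
    nets = parse_acl(SAMPLE_ACL, "trusted", INTERFACE_NETWORKS)
    for ip in ("192.168.30.40", "192.168.20.15"):
        print("%s trusted: %s" % (ip, is_trusted(nets, ip)))
    todo = missing_intnets(SAMPLE_ACL, SAMPLE_LOG, INTERFACE_NETWORKS)
    print("subnets to add:", todo)
    print(render_intnets(todo))
```

Run it as-is to see that the 192.168.30.x client is accepted through "localnets" while the 192.168.20.x and 192.168.210.x clients are not, which is exactly the split the original post describes; point `denied_clients` at your real named query log once you have turned on query logging in BIND to get the list for your own network.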