
The Archive Base

Editorial Team
Asked: June 6, 2026 (2026-06-06T08:53:19+00:00)

I need to setup a DNS server only to resolve the name of our


I need to set up a DNS server only to resolve the names of our network servers when a user connects to our VPN (OpenVPN). I can successfully “push” the DNS server’s IP address to the client. I was under the illusion that it’s easy to set up a DNS server using Bind9 for a local network. I was wrong. First, every sample I’ve found on Google is based on fully qualified domains, not local names. What I call a local name is something like “server1”, not “server1.my.company.com”. But I’ve discovered the famous “@”.

Now I have another problem. When I try “server1” with “ping” or “nslookup”, it does exactly what I want. It resolves “server1” to our internal IP. Great. But when I try “www.google.com”, it fails to resolve the IP. That means that the client tries to resolve “www.google.com” using my DNS server, instead of its Internet provider’s DNS servers, which are still in the list of DNS servers.

Is there a way to tell the client machine: I don’t know this person, see someone else?

I’ve noticed that “auth-nxdomain” is set to “no” by default. I tried to set it to “yes”, but it doesn’t do the job.

Here are my config files for Bind9 under Ubuntu 9.04:

/etc/bind/named.conf.options

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //      0.0.0.0;
    // };

    //auth-nxdomain no;    # conform to RFC1035
    auth-nxdomain yes;
    listen-on-v6 { any; };

    // To prevent the error ";; Got recursion not available from 10.8.0.1, trying next server"
    allow-recursion { 10.8.0.0/24; };
};

/etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// This is the zone definition.
zone "@" {
 type master;
 file "/etc/bind/zones/vpn.db";
};

// This is the zone definition for reverse DNS.
zone "0.8.10.in-addr.arpa" {
 type master;
 file "/etc/bind/zones/rev.0.8.10.in-addr.arpa";
};

/etc/bind/zones/vpn.db

@  IN      SOA    vpn.local. admin.local. (
  2011041608  ; Serial
      604800  ; Refresh
       86400  ; Retry
     2419200  ; Expire
      604800  ; Negative Cache TTL
);

@  IN      NS     vpn.local.

server1         IN      A      10.8.0.1

/etc/bind/zones/rev.0.8.10.in-addr.arpa

@  IN      SOA    vpn.local. admin.local. (
  2011041608  ; Serial
      604800  ; Refresh
       86400  ; Retry
     2419200  ; Expire
      604800  ; Negative Cache TTL
);

@  IN      NS     vpn.local.
1  IN      PTR    mrsvn

I don’t understand anything about “SOA”. I’ve copied the numbers from an example. And I’m not sure about “vpn.local.” and “admin.local.”. Anyway, the DNS server works. Because I have many things to do, I don’t have the time to read 1000 pages of text before being able to execute such a simple task. Do I need to forward requests to my own DNS servers on the server side? I’ve tried it by changing “forwarders {…}” in the options file but it doesn’t work. And I don’t like the idea of doing every DNS resolution through the VPN. Do you have a solution?

1 Answer

  1. Editorial Team
    Added an answer on June 6, 2026 at 8:53 am

    I found the solution. First, the forwarders didn’t get involved before I was defining my zone as the root zone. The zone “@” refers to the zone “.”, which is the root zone. When I discovered it, after some reflection, I remembered that the DNS client can be configured with search domains.

    So first, I have changed the following line of the file /etc/bind/named.conf.local:

    zone "@" {
    

    to

    zone "vpn.my.company.com." {
    

    After that, in /etc/bind/zones/vpn.db and /etc/bind/zones/rev.0.8.10.in-addr.arpa I’ve replaced “vpn.local.” with “vpn.my.company.com.” and “admin.local.” with “admin.my.company.com”.

    Finally, in the configuration file of OpenVPN, I’ve added the following line:

    push "dhcp-option DOMAIN vpn.my.company.com"
    

    I’ve restarted everything… And that’s it! Now everything gets resolved.

    Edit: I’ve prevented name resolution for domains other than mine by the VPN’s DNS server by doing this in the file /etc/bind/named.conf:

    // prime the server with knowledge of the root servers
    zone "." {
            type master;
            //type hint;
            file "/etc/bind/db.root";
            allow-query { 127.0.0.0/8; 192.168.0.0/16; };
    };
    

    This way, other domains get resolved from the client’s Internet provider DNS servers.

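An added example (not part of the original question or answer): a small Python check that reads `named.conf` zone statements and reports which master zone would answer a given name, showing why `zone "@"` claimed `www.google.com` while the renamed zone only claims names under the pushed search domain. The function names and the embedded sample config are constructed for illustration, and treating `"@"` as the root zone follows the answer's explanation.

```python
import re

# Constructed sample: the question's named.conf.local, and the answer's rename.
SAMPLE_BEFORE = '''
// This is the zone definition.
zone "@" {
 type master;
 file "/etc/bind/zones/vpn.db";
};
zone "0.8.10.in-addr.arpa" {
 type master;
 file "/etc/bind/zones/rev.0.8.10.in-addr.arpa";
};
'''
SAMPLE_AFTER = SAMPLE_BEFORE.replace('zone "@"', 'zone "vpn.my.company.com."')

COMMENTS = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
ZONE_HEAD = re.compile(r'\bzone\s+"([^"]*)"\s*(?:in\s*)?\{', re.I)

def zones(conf):
    """Yield (name, type) for each zone statement, matching nested braces."""
    conf = COMMENTS.sub('', conf)
    for m in ZONE_HEAD.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        t = re.search(r'\btype\s+([\w-]+)\s*;', body)
        yield m.group(1), (t.group(1).lower() if t else None)

def normalize(name):
    """Lower-case name without trailing dot; "@" and "." both become the root ('')."""
    name = name.strip().lower().rstrip('.')
    return '' if name == '@' else name

def claiming_zone(conf, qname):
    """Return the most specific master zone that would answer qname, or None."""
    q, best = normalize(qname), None
    for name, ztype in zones(conf):
        if ztype not in ('master', 'primary'):
            continue  # hint/forward zones are not authoritative answers
        z = normalize(name)
        if z == '' or q == z or q.endswith('.' + z):
            if best is None or len(z) > len(normalize(best)):
                best = name
    return best
```

With the search domain pushed by OpenVPN, a client lookup for `server1` is sent as `server1.vpn.my.company.com`, which is the form to pass as `qname`.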
