VPN and DNS

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2013-02-26 23:38:31 - last edited 2021-08-21 03:40:52
Region : Austria

Model : TL-ER6020

Hardware Version : V1

Firmware Version : 1.0.0 Build 20120807 Rel.34348

ISP : UPC Telekabel Vienna


Hi all !

To be honest, I don't know if this is the right place for my question ... but I'm a little bit lost, so I thought I'd give it a shot; perhaps someone has an idea ...
I'm using a TL-ER6020 with both WANs connected and set up in failover mode.
I have a virtual machine acting as a domain controller based on samba4 with bind9-dlz.
The DNS server (bind9-dlz) has a "forwarder" pointing to the router IP, which holds the IP addresses of my ISP's DNS servers (for zones it is not authoritative for ...).
I'm using L2TP over IPsec VPN and set it up by following one of the provided tutorials and the connection seems to work.
When I'm connected to my LAN directly DNS works for internal and external name resolution.
When I connect via VPN to my LAN only internal names are resolved. (I do connect from an outside network)
In both cases I entered the domain controller/DNS server IP manually in the corresponding network settings and did nslookup.
The option "VPN-to-Internet" is enabled.

----------------------------------------------------------------
internal names:

LAN:
----------------
"Lookup" started …

Trying "adc.lan.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17001
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;adc.lan.example.com. IN ANY

;; ANSWER SECTION:
adc.lan.example.com. 900 IN A 192.168.60.11

;; AUTHORITY SECTION:
lan.example.com. 900 IN NS adc.lan.example.com.

Received 62 bytes from 192.168.60.11#53 in 4 ms
----------------


VPN:
----------------
"Lookup" started …

Trying "adc.lan.example.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46756
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;adc.lan.example.com. IN ANY

;; ANSWER SECTION:
adc.lan.example.com. 900 IN A 192.168.60.11

;; AUTHORITY SECTION:
lan.example.com. 900 IN NS adc.lan.example.com.

Received 62 bytes from 192.168.60.11#53 in 53 ms
----------------



----------------------------------------------------------------
external names:

LAN:
----------------
"Lookup" started …

Trying "google.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26875
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN ANY

;; ANSWER SECTION:
google.com. 55489 IN NS ns4.google.com.
google.com. 55489 IN NS ns3.google.com.
google.com. 55489 IN NS ns2.google.com.
google.com. 55489 IN NS ns1.google.com.

;; AUTHORITY SECTION:
google.com. 55489 IN NS ns2.google.com.
google.com. 55489 IN NS ns1.google.com.
google.com. 55489 IN NS ns3.google.com.
google.com. 55489 IN NS ns4.google.com.

Received 156 bytes from 192.168.60.11#53 in 53 ms
----------------



VPN:
----------------
"Lookup" started …

Trying "google.com"
Received 28 bytes from 192.168.60.11#53 in 53 ms
Trying "google.com.lan.example.com"
Host google.com not found: 3(NXDOMAIN)
Received 90 bytes from 192.168.60.11#53 in 9 ms
----------------



----------------------------------------------------------------
additional:

VPN (using the router's LAN IP as DNS server in network settings):
(192.168.80.5 is the router's external IP)
----------------
"Lookup" started …

Trying "google.com"
;; reply from unexpected source: 192.168.80.5#53, expected 192.168.60.1#53
;; reply from unexpected source: 192.168.80.5#53, expected 192.168.60.1#53
;; connection timed out; no servers could be reached
----------------


Does this make sense to one of you ?

Any help, suggestions and hints are highly appreciated !

Thanks,
Oliver


EDIT:
I was able to figure out that it was a BIND configuration problem.
For all who have a similar setup (although it seems there are extremely few, hence the lack of any views or replies ...), here is my solution:

It seems that BIND (installed via Debian packages) in its default configuration only serves queries for non-authoritative zones to clients coming from the same subnet.
Because I'm on a different net/subnet when connecting via VPN, my requests therefore get refused.
Thus allowing other nets enables these clients to get served.

Add the following to your named.conf.options:

allow-query { localhost; 192.168.0.0/16; };
allow-query-cache { localhost; 192.168.0.0/16; };

In my case I changed my VPN settings (IP pool: 192.168.x.m-192.168.x.n) and widened the accepted subnets by using a subnet mask of 16 (255.255.0.0).
Of course you could simply add other networks as well, I guess.

Well ... that's all folks ...
Oliver
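The following is an added example, not code from the post or from BIND itself. It models how BIND evaluates an allow-query-cache ACL, so that you can check whether a client address (a LAN host, or a VPN client from a pool in another subnet) would be answered for zones the server is not authoritative for, and whether a candidate ACL would turn the server into an open resolver. It assumes the DNS server has interfaces 127.0.0.1/8 and 192.168.60.11/24 (so BIND's built-in "localnets" expands to those two networks) and that VPN clients land in 192.168.80.0/24; both are assumptions, since the post only shows the server address 192.168.60.11, the router address 192.168.80.5 and a pool of "192.168.x.m-192.168.x.n". Only the built-in ACLs localhost/localnets/any/none, address prefixes and "!" negation are modelled; the real BIND falls back to allow-recursion or allow-query when allow-query-cache is absent, which this model skips and treats as the "localnets; localhost;" default.

```python
# Added example, not from the forum post. Models BIND's allow-query-cache
# decision for a given client address.
#
# Assumptions (not in the original post):
#   * the server listens on 127.0.0.1/8 and 192.168.60.11/24, so the
#     built-in "localnets" ACL expands to exactly those two networks;
#   * L2TP/IPsec clients get addresses from 192.168.80.0/24.
# When allow-query-cache is not configured, BIND also consults
# allow-recursion / allow-query if those are set; this model ignores that
# and uses the "localnets; localhost;" default directly.
import ipaddress

SERVER_INTERFACES = ["127.0.0.1/8", "192.168.60.11/24"]  # constructed

BUILTIN = {
    "localhost": ["127.0.0.0/8", "::1/128"],
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
}

# Effective value when allow-query-cache is absent, as in the Debian
# default named.conf.options described in the post.
DEFAULT_CACHE_ACL = "localnets; localhost;"


def parse_acl(acl, interfaces=None):
    """Turn an ACL body such as 'localhost; 192.168.0.0/16;' into an
    ordered list of (permit, network) entries. BIND evaluates ACLs
    first-match, so order is preserved and '!' entries deny."""
    interfaces = SERVER_INTERFACES if interfaces is None else interfaces
    entries = []
    for item in (part.strip() for part in acl.split(";")):
        if not item:
            continue
        permit = not item.startswith("!")
        name = item.lstrip("!").strip()
        if name == "localnets":
            nets = [ipaddress.ip_interface(i).network for i in interfaces]
        elif name in BUILTIN:
            nets = [ipaddress.ip_network(n) for n in BUILTIN[name]]
        else:
            nets = [ipaddress.ip_network(name, strict=False)]
        entries.extend((permit, net) for net in nets)
    return entries


def acl_allows(entries, client):
    """First matching entry decides; no match means the query is refused."""
    addr = ipaddress.ip_address(client)
    for permit, net in entries:
        if addr.version == net.version and addr in net:
            return permit
    return False


def cache_access(client, allow_query_cache=None):
    """Would BIND answer a query for a non-authoritative zone from this client?"""
    acl = DEFAULT_CACHE_ACL if allow_query_cache is None else allow_query_cache
    return acl_allows(parse_acl(acl), client)


def open_resolver_risk(allow_query_cache):
    """True if arbitrary Internet hosts would get cache access, i.e. the
    server would be an open resolver usable for DNS amplification.
    RFC 5737 documentation addresses stand in for 'some Internet host'."""
    entries = parse_acl(allow_query_cache)
    return any(acl_allows(entries, probe)
               for probe in ("192.0.2.10", "198.51.100.10", "203.0.113.10"))


if __name__ == "__main__":
    lan_client = "192.168.60.50"   # constructed: a host on the server's LAN
    vpn_client = "192.168.80.20"   # constructed: an address from the VPN pool
    candidates = [
        ("option not set (Debian default)", None),
        ("post's fix", "localhost; 192.168.0.0/16;"),
        ("too open", "any;"),
    ]
    for label, acl in candidates:
        print(f"{label}:")
        for who, ip in (("LAN", lan_client), ("VPN", vpn_client)):
            verdict = "served" if cache_access(ip, acl) else "REFUSED"
            print(f"  {who} client {ip}: external names {verdict}")
        if acl is not None and open_resolver_risk(acl):
            print("  WARNING: this ACL makes the server an open resolver")
```

Run as a script, the default ACL serves the LAN host and refuses the VPN client, which matches the post's symptom (internal, authoritative names still resolve because allow-query defaults to any; only the cache/forwarding path is gated). The post's fix of listing 192.168.0.0/16 serves both and stays closed to the Internet, whereas "any;" would serve everyone and should not be used on a forwarder that is reachable from outside. The last symptom in the post (a reply arriving from 192.168.80.5 when 192.168.60.1 was queried) is a reply-source mismatch rejected by the client, not a BIND ACL decision, and is outside what this model checks.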
Re:VPN and DNS
2013-12-04 14:09:46 - last edited 2021-08-21 03:40:52
Your problem is that when you "use the router's LAN IP as DNS server in network settings" it does not work, is that right? Can you provide me the topology of your network? I'm interested in your description of how your network is used in this kind of setup.