#1 2019-04-06 23:04:51

Ellypsis
Member
From: QC, Canada
Registered: 2013-01-31
Posts: 6

[Solved] DNS with unbound through VPN with OpenVPN on a vps

Hi guys,

I have a VPS with Arch Linux hosted by OVH, set up a VPN with OpenVPN, and use ufw as firewall.
I now want to have all my DNS requests answered by my VPS through my VPN.

Unbound is working fine for local DNS requests (on the VPS), but I couldn't manage to get it working with my OpenVPN clients.
I know that it's not ufw that blocks the requests.
I set my tun0 server IP address as dhcp-option in my OpenVPN server config file to redirect DNS requests on my client, and my interface is set to 0.0.0.0 in my unbound config file.

I don't find what I missed. Any clue?

Thanks, Math

Last edited by Ellypsis (2019-04-09 16:09:26)


#2 2019-04-07 09:03:03

apollo22
Member
Registered: 2018-04-13
Posts: 34

Re: [Solved] DNS with unbound through VPN with OpenVPN on a vps

First you need to identify where the problem lies. I would suggest you use tcpdump/wireshark to check whether the DNS requests are received by your VPS. If not, this is either a routing issue, a DNS configuration issue or a firewall issue. Otherwise it might be an access list in your DNS resolver (unbound) configuration.


#3 2019-04-09 14:29:43

Ellypsis
Member
From: QC, Canada
Registered: 2013-01-31
Posts: 6

Re: [Solved] DNS with unbound through VPN with OpenVPN on a vps

Hi @apollo22, thanks for your help.
My VPS receives the DNS requests. I used tcpdump to check:

user > sudo tcpdump -nt -i tun0 udp port 53
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
IP 10.8.0.6.55227 > 10.8.0.1.53: 54288+ A? www.test.ovh. (33)
IP 10.8.0.6.55227 > 10.8.0.1.53: 11293+ AAAA? www.test.ovh. (33)
IP 10.8.0.1.53 > 10.8.0.6.55227: 54288 Refused- [0q] 0/0/0 (12)

So I guess the problem comes from my unbound configuration.

Last edited by Ellypsis (2019-04-09 14:34:07)


#4 2019-04-09 14:49:10

Ellypsis
Member
From: QC, Canada
Registered: 2013-01-31
Posts: 6

Re: [Solved] DNS with unbound through VPN with OpenVPN on a vps

Here is my unbound config file, based on the Unbound DNS Tutorial:

## Simple recursive caching DNS, UDP port 53
## unbound.conf -- https://calomel.org
#
server:
  # from archwiki about unbound
    do-daemonize: no

  # log verbosity
    verbosity: 1

  # specify the interfaces to answer queries from by ip-address.  The default
  # is to listen to localhost (127.0.0.1 and ::1).  specify 0.0.0.0 and ::0 to
  # bind to all available interfaces.  specify every interface[@port] on a new
  # 'interface:' labeled line.  The listen interfaces are not changed on
  # reload, only on restart.
    interface: 0.0.0.0
    interface: 10.8.0.1
    interface: ::0

  # port to answer queries from
    port: 53

  # Enable IPv4, "yes" or "no".
    do-ip4: yes

  # Enable IPv6, "yes" or "no".
    do-ip6: yes

  # Enable UDP, "yes" or "no".
    do-udp: yes

  # Enable TCP, "yes" or "no". If TCP is not needed, Unbound is actually
  # quicker to resolve as the functions related to TCP checks are not done.
  # NOTE: you may need tcp enabled to get the DNSSEC results from *.edu domains
  # due to their size.
    do-tcp: yes

  # control which client ips are allowed to make (recursive) queries to this
  # server. Specify classless netblocks with /size and action.  By default
  # everything is refused, except for localhost.  Choose deny (drop message),
  # refuse (polite error reply), allow (recursive ok), allow_snoop (recursive
  # and nonrecursive ok)
    access-control: 10.8.0.0/32 allow
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow

  # Read the root hints from this file. Default is nothing, using built-in
  # hints for the IN class. The file has the format of zone files, with root
  # nameserver names and addresses only. The default may become outdated
  # when servers change, therefore it is good practice to use a root-hints
  # file. Get one from https://www.internic.net/domain/named.root
    root-hints: root.hints

  # enable to not answer id.server and hostname.bind queries.
    hide-identity: yes

  # enable to not answer version.server and version.bind queries.
    hide-version: yes

  # Will trust glue only if it is within the servers authority.
  # Harden against out of zone rrsets, to avoid spoofing attempts. 
  # Hardening queries multiple name servers for the same data to make
  # spoofing significantly harder and does not mandate dnssec.
    harden-glue: yes

  # Require DNSSEC data for trust-anchored zones, if such data is absent, the
  # zone becomes  bogus.  Harden against receiving dnssec-stripped data. If you
  # turn it off, failing to validate dnskey data for a trustanchor will trigger
  # insecure mode for that zone (like without a trustanchor).  Default on,
  # which insists on dnssec data for trust-anchored zones.
    harden-dnssec-stripped: yes

  # Use 0x20-encoded random bits in the query to foil spoof attempts.
  # http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00
  # While upper and lower case letters are allowed in domain names, no significance
  # is attached to the case. That is, two names with the same spelling but
  # different case are to be treated as if identical. This means calomel.org is the
  # same as CaLoMeL.Org which is the same as CALOMEL.ORG.
    use-caps-for-id: yes

  # the time to live (TTL) value lower bound, in seconds. Default 0.
  # If more than an hour could easily give trouble due to stale data.
    cache-min-ttl: 3600

  # the time to live (TTL) value cap for RRsets and messages in the
  # cache. Items are not cached for longer. In seconds.
    cache-max-ttl: 86400

  # perform prefetching of close to expired message cache entries.  If a client
  # requests the dns lookup and the TTL of the cached hostname is going to
  # expire in less than 10% of its TTL, unbound will (1st) return the ip of the
  # host to the client and (2nd) pre-fetch the dns request from the remote dns
  # server. This method has been shown to increase the amount of cached hits by
  # local clients by 10% on average.
    prefetch: yes

  # number of threads to create. 1 disables threading. This should equal the number
  # of CPU cores in the machine. Our example machine has 4 CPU cores.
    num-threads: 4


  ## Unbound Optimization and Speed Tweaks ###

  # the number of slabs to use for cache and must be a power of 2 times the
  # number of num-threads set above. more slabs reduce lock contention, but
  # fragment memory usage.
    msg-cache-slabs: 8
    rrset-cache-slabs: 8
    infra-cache-slabs: 8
    key-cache-slabs: 8

  # Increase the memory size of the cache. Use roughly twice as much rrset cache
  # memory as you use msg cache memory. Due to malloc overhead, the total memory
  # usage is likely to rise to double (or 2.5x) the total cache memory. The test
  # box has 4 GiB of RAM, so 256 MiB for rrset allows a lot of room for cached objects.
    rrset-cache-size: 256m
    msg-cache-size: 128m

  # buffer size for UDP port 53 incoming (SO_RCVBUF socket option). This sets
  # the kernel buffer larger so that no messages are lost in spikes in the traffic.
    so-rcvbuf: 1m

  ## Unbound Optimization and Speed Tweaks ###

    #include: "/etc/unbound/resolvconf.conf"

  # Enforce privacy of these addresses. Strips them away from answers.  It may
  # cause DNSSEC validation to additionally mark it as bogus.  Protects against
  # 'DNS Rebinding' (uses browser as network proxy).  Only 'private-domain' and
  # 'local-data' names are allowed to have these private addresses. No default.
    private-address: 192.168.0.0/16
    #private-address: 172.16.0.0/12
    #private-address: 10.8.0.0/32

  # Allow the domain (and its subdomains) to contain private addresses.
  # local-data statements are allowed to contain private addresses too.
    private-domain: "yunohost.local"

  # If nonzero, unwanted replies are not only reported in statistics, but also
  # a running total is kept per thread. If it reaches the threshold, a warning
  # is printed and a defensive action is taken, the cache is cleared to flush
  # potential poison out of it.  A suggested value is 10000000, the default is
  # 0 (turned off). We think 10K is a good value.
    unwanted-reply-threshold: 10000

  # IMPORTANT FOR TESTING: If you are testing and setup NSD or BIND  on
  # localhost you will want to allow the resolver to send queries to localhost.
  # Make sure to set do-not-query-localhost: yes . If yes, the above default
  # do-not-query-address entries are present.  if no, localhost can be queried
  # (for testing and debugging). 
    do-not-query-localhost: no

  # File with trusted keys, kept up to date using RFC5011 probes, initial file
  # like trust-anchor-file, then it stores metadata.  Use several entries, one
  # per domain name, to track multiple zones. If you use forward-zone below to
  # query the Google DNS servers you MUST comment out this option or all DNS
  # queries will fail.
  # auto-trust-anchor-file: "/var/unbound/etc/root.key"
    trust-anchor-file: trusted-key.key

  # Should additional section of secure message also be kept clean of unsecure
  # data. Useful to shield the users of this validator from potential bogus
  # data in the additional section. All unsigned data in the additional section
  # is removed from secure messages.
    val-clean-additional: yes

  # Blocking Ad Server domains. Google's AdSense, DoubleClick and Yahoo
  # account for a 70 percent share of all advertising traffic. Block them.
    local-zone: "doubleclick.net" redirect
    local-data: "doubleclick.net A 127.0.0.1"
    local-zone: "googlesyndication.com" redirect
    local-data: "googlesyndication.com A 127.0.0.1"
    local-zone: "googleadservices.com" redirect
    local-data: "googleadservices.com A 127.0.0.1"
    local-zone: "google-analytics.com" redirect
    local-data: "google-analytics.com A 127.0.0.1"
    local-zone: "ads.youtube.com" redirect
    local-data: "ads.youtube.com A 127.0.0.1"
    local-zone: "adserver.yahoo.com" redirect
    local-data: "adserver.yahoo.com A 127.0.0.1"
    local-zone: "ask.com" redirect
    local-data: "ask.com A 127.0.0.1"


  # Unbound will not load if you specify the same local-zone and local-data
  # servers in the main configuration as well as in this "include:" file. We
  # suggest commenting out any of the local-zone and local-data lines above if
  # you suspect they could be included in the unbound_ad_servers servers file.
  #include: "/etc/unbound/unbound_ad_servers"

  # locally served zones can be configured for the machines on the LAN.

    #local-zone: "home.lan." static

    #local-data: "firewall.home.lan.  IN A 10.0.0.1"
    #local-data: "laptop.home.lan.    IN A 10.0.0.2"
    #local-data: "xboxone.home.lan.   IN A 10.0.0.3"
    #local-data: "ps4.home.lan.       IN A 10.0.0.4"
    #local-data: "dhcp5.home.lan.     IN A 10.0.0.5"
    #local-data: "dhcp6.home.lan.     IN A 10.0.0.6"
    #local-data: "dhcp7.home.lan.     IN A 10.0.0.7"

    #local-data-ptr: "10.0.0.1  firewall.home.lan"
    #local-data-ptr: "10.0.0.2  laptop.home.lan"
    #local-data-ptr: "10.0.0.3  xboxone.home.lan"
    #local-data-ptr: "10.0.0.4  ps4.home.lan"
    #local-data-ptr: "10.0.0.5  dhcp5.home.lan"
    #local-data-ptr: "10.0.0.6  dhcp6.home.lan"
    #local-data-ptr: "10.0.0.7  dhcp7.home.lan"

  # Unbound can query your NSD or BIND server for private domain queries too.
  # On our NSD page we have NSD configured to serve the private domain,
  # "home.lan". Here we can tell Unbound to connect to the NSD server when it
  # needs to resolve a *.home.lan hostname or IP.
  #
  # private-domain: "home.lan"
  # local-zone: "0.0.10.in-addr.arpa." nodefault
  # stub-zone:
  #      name: "home.lan"
  #      stub-addr: 10.0.0.111@53

  # If you have internal or private DNS names that the external DNS servers can
  # not resolve, then you can assign domain name strings to be redirected to a
  # separate DNS server. For example, our company has the domain
  # organization.com and the domain name internal.organization.com can not be
  # resolved by Google's public DNS, but can be resolved by our private DNS
  # server located at 1.1.1.1. The following tells Unbound that any
  # organization.com domain, i.e. *.organization.com, be DNS resolved by 1.1.1.1
  # instead of the public DNS servers.
  #
  # forward-zone:
  #    name: "organization.com"
  #    forward-addr: 1.1.1.1        # Internal or private DNS

  # Use the following forward-zone to forward all queries to Google DNS,
  # OpenDNS.com or your local ISP's dns servers for example. To test resolution
  # speeds use "drill calomel.org @8.8.8.8" and look for the "Query time:" in
  # milliseconds.
  #
  forward-zone:
   name: "."
   forward-addr: 1.1.1.1@53#one.one.one.one
   forward-addr: 8.8.8.8@53#dns.google
   forward-addr: 9.9.9.9@53#dns.quad9.net
   forward-addr: 1.0.0.1@53#one.one.one.one
   forward-addr: 8.8.4.4@53#dns.google
   forward-addr: 149.112.112.112@53#dns.quad9.net

#
#
## Authoritative, validating, recursive caching DNS
## unbound.conf -- https://calomel.org

My VPN server is on the local address 10.8.0.1, and my clients are on 10.8.0.2/32.


#5 2019-04-09 15:41:24

apollo22
Member
Registered: 2018-04-13
Posts: 34

Re: [Solved] DNS with unbound through VPN with OpenVPN on a vps

access-control: 10.8.0.0/32 allow

Don't you mean /24?

Also, you don't need to specify "interface: 10.8.0.1", since you are already listening on all interfaces with "interface: 0.0.0.0".

Last edited by apollo22 (2019-04-09 15:42:46)


#6 2019-04-09 15:56:21

Ellypsis
Member
From: QC, Canada
Registered: 2013-01-31
Posts: 6

Re: [Solved] DNS with unbound through VPN with OpenVPN on a vps

Hi,
I finally managed to get it working.
It seems that I misunderstood the "/" in IP ranges.
I thought that

10.8.0.0/32

means all IP addresses from 10.8.0.0 to 10.8.0.32, and it doesn't.
I noticed it when I added to the access-control list some IP addresses my VPN clients could take, including the one I use for testing:

    access-control: 10.8.0.0/32 allow
    access-control: 10.8.0.1/32 allow
    access-control: 10.8.0.3/32 allow
    access-control: 10.8.0.4/32 allow
    access-control: 10.8.0.5/32 allow
    access-control: 10.8.0.6/32 allow
    access-control: 10.8.0.7/32 allow
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow

Is there a workaround to avoid adding all the IP addresses?

[Edit]
I found my answer. /32 means the netmask. So I just have to set /24, as you suggested, so every IP from 10.8.0.x will be answered by unbound.
I think I skipped a few basic steps before learning how a network works...

Thanks again apollo22!

Last edited by Ellypsis (2019-04-09 16:08:19)
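The following is an added example, not code from the thread or from the Unbound project. It ties post #3's tcpdump capture to the access-control mistake diagnosed in posts #5 and #6: it parses the `Refused` reply out of the captured lines, then evaluates both the posted `10.8.0.0/32` rule and the corrected `/24` rule the way unbound does (longest-prefix match, with unbound's documented built-in defaults that refuse everything except loopback; those defaults are assumed from unbound.conf(5)). The config text and capture lines are constructed from the posts and embedded inline, so the script runs offline.

```python
"""
Added example: reproduce the REFUSED answer from the tcpdump capture by
evaluating unbound's access-control list, then show that the /24 fix from
post #5 admits the VPN client on 10.8.0.6.

unbound picks the most specific (longest-prefix) matching netblock; a client
that matches nothing gets the built-in default, which refuses everything
except localhost (assumed from unbound.conf(5), "access-control").
"""
import ipaddress
import re

# Rules as posted in #4 (constructed here): /32 is a single host, so only
# 10.8.0.0 itself is allowed; a client on 10.8.0.6 matches nothing.
BROKEN_CONF = """\
server:
    interface: 0.0.0.0
    access-control: 10.8.0.0/32 allow
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
"""

# The fix suggested in #5: /24 covers 10.8.0.0 through 10.8.0.255, i.e. the
# whole tun0 subnet OpenVPN hands out.
FIXED_CONF = BROKEN_CONF.replace("10.8.0.0/32", "10.8.0.0/24")

# tcpdump -n output from post #3, pasted here as constructed test input.
CAPTURE = """\
IP 10.8.0.6.55227 > 10.8.0.1.53: 54288+ A? www.test.ovh. (33)
IP 10.8.0.6.55227 > 10.8.0.1.53: 11293+ AAAA? www.test.ovh. (33)
IP 10.8.0.1.53 > 10.8.0.6.55227: 54288 Refused- [0q] 0/0/0 (12)
"""

# unbound's implicit rules when nothing explicit matches (assumption based on
# the man page: refuse the world, allow loopback).
DEFAULT_RULES = [
    (ipaddress.ip_network("0.0.0.0/0"), "refuse"),
    (ipaddress.ip_network("::/0"), "refuse"),
    (ipaddress.ip_network("127.0.0.0/8"), "allow"),
    (ipaddress.ip_network("::1/128"), "allow"),
]


def parse_access_control(conf: str):
    """Return (network, action) pairs: built-in defaults first, then the file's rules."""
    rules = list(DEFAULT_RULES)
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line.startswith("access-control:"):
            continue
        netblock, action = line.split(":", 1)[1].split()
        # strict=False tolerates host bits set inside the netblock, as unbound does
        rules.append((ipaddress.ip_network(netblock, strict=False), action))
    return rules


def decide(rules, client: str) -> str:
    """Longest-prefix match over the rules; 'refuse' if nothing matches at all."""
    addr = ipaddress.ip_address(client)
    best = None
    for net, action in rules:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "refuse"


# Matches reply lines only: queries carry "12345+" (with the RD flag '+'),
# replies carry a bare ID followed by the rcode/flags word.
_REPLY = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): \d+ (?P<rcode>\w+)"
)


def refused_clients(capture: str):
    """Client addresses that received a REFUSED reply from port 53 in tcpdump -n output."""
    clients = []
    for line in capture.splitlines():
        m = _REPLY.match(line)
        if m and m.group("sport") == "53" and m.group("rcode") == "Refused":
            clients.append(m.group("dst"))
    return clients


def explain(conf: str, capture: str):
    """Map every refused client in the capture to the verdict the given config yields."""
    rules = parse_access_control(conf)
    return {c: decide(rules, c) for c in refused_clients(capture)}


if __name__ == "__main__":
    print("broken:", explain(BROKEN_CONF, CAPTURE))   # {'10.8.0.6': 'refuse'}
    print("fixed: ", explain(FIXED_CONF, CAPTURE))    # {'10.8.0.6': 'allow'}
```

Two practical notes on the corrected setup. First, `access-control` is what separates "listening" from "answering": with `interface: 0.0.0.0` unbound also binds the VPS's public address, and only the refuse default keeps it from becoming an open resolver; binding `interface: 10.8.0.1` plus `interface: 127.0.0.1` instead of `0.0.0.0` removes the public socket altogether and is the safer choice for a VPN-only resolver. Second, the `Refused-` rcode in the tcpdump output is the quickest tell for this class of problem: the packet reached unbound and unbound answered, so routing and the firewall are already ruled out and only the ACL remains.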

