Hi everyone, I have a problem with my Bind9 server in combination with openVPN.
On my local network the Bind9 server works flawlessly, i.e. when I am at home connected via Wi-Fi or LAN.
Now I have set up openVPN and use it to connect from my laptop to my server at home, which is 120 km away. That works fine so far. Via the "push" option I hand the client the domain name as well as the IP of my Bind9 server.
It can resolve my zone "cryptic.local" with all its hosts directly. But when I try to resolve e.g. google, it doesn't work. With nslookup I always get the message "server can't find google.de: REFUSED".
Now I do a tail -f on the syslog and see lots of error messages. I don't know why WORKSTATION always appears in the logs. My network here in my shared flat, 120 km away, is called WORKSTATION.
What do I have to change in Bind9 or openVPN so that clients can use the DNS and I don't keep getting the REFUSED message?
Gateway server: IPs of the host running the openVPN and Bind9 services
eth0 10.0.0.6
tun0 10.8.0.1
IPs of my notebook
wlan0 192.168.0.56
tun0 10.8.0.6
Here are a few excerpts from the configs/logs.
Bind9 server: tail -f /var/log/syslog
May 26 14:29:02 gateway named[4227]: client 10.8.0.6#64547 (safebrowsing.google.com): query (cache) 'safebrowsing.google.com/A/IN' denied
May 26 14:29:03 gateway named[4227]: client 10.8.0.6#50376 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:03 gateway named[4227]: client 10.8.0.6#50376 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:03 gateway named[4227]: client 10.8.0.6#18092 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:03 gateway named[4227]: client 10.8.0.6#14717 (safebrowsing.google.com): query (cache) 'safebrowsing.google.com/A/IN' denied
May 26 14:29:03 gateway named[4227]: client 10.8.0.6#65048 (safebrowsing.google.com): query (cache) 'safebrowsing.google.com/A/IN' denied
May 26 14:29:03 gateway named[4227]: client 10.8.0.6#44722 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:03 gateway named[4227]: client 10.8.0.6#44722 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:03 gateway named[4227]: client 10.8.0.6#45787 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:03 gateway named[4227]: client 10.8.0.6#55923 (safebrowsing.google.com): query (cache) 'safebrowsing.google.com/A/IN' denied
May 26 14:29:03 gateway named[4227]: client 10.8.0.6#58663 (safebrowsing.google.com): query (cache) 'safebrowsing.google.com/A/IN' denied
May 26 14:29:03 gateway named[4227]: client 10.8.0.6#24406 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:03 gateway named[4227]: client 10.8.0.6#24406 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:03 gateway named[4227]: client 10.8.0.6#42846 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:03 gateway named[4227]: client 10.8.0.6#24840 (safebrowsing.google.com): query (cache) 'safebrowsing.google.com/A/IN' denied
May 26 14:29:04 gateway named[4227]: client 10.8.0.6#54729 (safebrowsing.google.com): query (cache) 'safebrowsing.google.com/A/IN' denied
May 26 14:29:04 gateway named[4227]: client 10.8.0.6#60243 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:04 gateway named[4227]: client 10.8.0.6#60243 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:04 gateway named[4227]: client 10.8.0.6#10411 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:04 gateway named[4227]: client 10.8.0.6#28409 (safebrowsing.google.com): query (cache) 'safebrowsing.google.com/A/IN' denied
May 26 14:29:04 gateway named[4227]: client 10.8.0.6#39849 (safebrowsing.google.com): query (cache) 'safebrowsing.google.com/A/IN' denied
May 26 14:29:04 gateway named[4227]: client 10.8.0.6#35097 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:04 gateway named[4227]: client 10.8.0.6#35097 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:04 gateway named[4227]: client 10.8.0.6#12904 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:04 gateway named[4227]: client 10.8.0.6#47426 (safebrowsing.google.com): query (cache) 'safebrowsing.google.com/A/IN' denied
May 26 14:29:04 gateway named[4227]: client 10.8.0.6#16101 (safebrowsing.google.com): query (cache) 'safebrowsing.google.com/A/IN' denied
May 26 14:29:04 gateway named[4227]: client 10.8.0.6#63728 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:04 gateway named[4227]: client 10.8.0.6#63728 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:05 gateway named[4227]: client 10.8.0.6#11386 (safebrowsing.google.com.WORKSTATION): query (cache) 'safebrowsing.google.com.WORKSTATION/A/IN' denied
May 26 14:29:07 gateway named[4227]: client 10.8.0.6#38402 (cryptic.systems): query (cache) 'cryptic.systems/A/IN' denied
May 26 14:29:07 gateway named[4227]: client 10.8.0.6#45050 (cryptic.systems): query (cache) 'cryptic.systems/AAAA/IN' denied
May 26 14:29:07 gateway named[4227]: client 10.8.0.6#26307 (cryptic.systems): query (cache) 'cryptic.systems/A/IN' denied
May 26 14:29:07 gateway named[4227]: client 10.8.0.6#33037 (cryptic.systems): query (cache) 'cryptic.systems/AAAA/IN' denied
May 26 14:29:07 gateway named[4227]: client 10.8.0.6#42900 (cryptic.systems.WORKSTATION): query (cache) 'cryptic.systems.WORKSTATION/A/IN' denied
May 26 14:29:07 gateway named[4227]: client 10.8.0.6#22262 (cryptic.systems.WORKSTATION): query (cache) 'cryptic.systems.WORKSTATION/AAAA/IN' denied
May 26 14:29:07 gateway named[4227]: client 10.8.0.6#42900 (cryptic.systems.WORKSTATION): query (cache) 'cryptic.systems.WORKSTATION/A/IN' denied
May 26 14:29:07 gateway named[4227]: client 10.8.0.6#22262 (cryptic.systems.WORKSTATION): query (cache) 'cryptic.systems.WORKSTATION/AAAA/IN' denied
May 26 14:29:07 gateway named[4227]: client 10.8.0.6#14062 (cryptic.systems.WORKSTATION): query (cache) 'cryptic.systems.WORKSTATION/A/IN' denied
May 26 14:29:07 gateway named[4227]: client 10.8.0.6#12955 (cryptic.systems.WORKSTATION): query (cache) 'cryptic.systems.WORKSTATION/AAAA/IN' denied
May 26 14:29:39 gateway named[4227]: client 10.8.0.6#38312 (cryptic.systems): query (cache) 'cryptic.systems/A/IN' denied
May 26 14:29:39 gateway named[4227]: client 10.8.0.6#24747 (cryptic.systems): query (cache) 'cryptic.systems/AAAA/IN' denied
May 26 14:29:39 gateway named[4227]: client 10.8.0.6#47114 (cryptic.systems): query (cache) 'cryptic.systems/A/IN' denied
May 26 14:29:39 gateway named[4227]: client 10.8.0.6#1238 (cryptic.systems): query (cache) 'cryptic.systems/AAAA/IN' denied
May 26 14:29:39 gateway named[4227]: client 10.8.0.6#58570 (cryptic.systems.WORKSTATION): query (cache) 'cryptic.systems.WORKSTATION/A/IN' denied
May 26 14:29:39 gateway named[4227]: client 10.8.0.6#17001 (cryptic.systems.WORKSTATION): query (cache) 'cryptic.systems.WORKSTATION/AAAA/IN' denied
May 26 14:29:39 gateway named[4227]: client 10.8.0.6#58570 (cryptic.systems.WORKSTATION): query (cache) 'cryptic.systems.WORKSTATION/A/IN' denied
May 26 14:29:39 gateway named[4227]: client 10.8.0.6#17001 (cryptic.systems.WORKSTATION): query (cache) 'cryptic.systems.WORKSTATION/AAAA/IN' denied
May 26 14:29:39 gateway named[4227]: client 10.8.0.6#17654 (cryptic.systems.WORKSTATION): query (cache) 'cryptic.systems.WORKSTATION/A/IN' denied
May 26 14:29:39 gateway named[4227]: client 10.8.0.6#36593 (cryptic.systems.WORKSTATION): query (cache) 'cryptic.systems.WORKSTATION/AAAA/IN' denied
Bind9 server → named.conf.local

include "/etc/bind/rndc.key";

zone "cryptic.local" {
    type master;
    file "/etc/bind/db.cryptic.local";
    allow-query { any; };
};

zone "0.0.10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0.0.10";
    allow-query { any; };
};
Bind9 server → named.conf.options

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on { 127.0.0.1; 10.0.0.6; 10.8.0.1; };
    listen-on-v6 { any; };
};
openVPN → server.conf

# Local IP
local 10.0.0.6

# Local port
port 1194

# TCP or UDP
;proto tcp
proto udp

# Tunnel type
;dev tap
dev tun

# Location of the certificates
ca   ./easy-rsa2/keys/ca.crt
cert ./easy-rsa2/keys/server.crt
key  ./easy-rsa2/keys/server.key   # keep this secret

# Diffie-Hellman parameters
dh ./easy-rsa2/keys/dh2048.pem

# Subnet of the openVPN server
server 10.8.0.0 255.255.255.0

# Remember the IPs handed to clients so that they get the same one
# again on reconnect
ifconfig-pool-persist ipp.txt

# Announce routes to the clients
# (note: you may also have to add a route on the FritzBox or the
# default gateway, otherwise communication fails)
push "route 10.0.0.0 255.255.255.0"

# Tell the clients that all traffic is to be sent through the VPN tunnel
push "redirect-gateway def1 bypass-dhcp"

# Hand the clients their DNS settings
# DNS server
push "dhcp-option DNS 10.0.0.6"
;push "dhcp-option DNS 8.8.8.8"
# Domain name
push "dhcp-option DOMAIN cryptic.local"

# Allow clients to talk to each other
client-to-client

# Keepalive: ping every 10 s, declare the peer dead after 120 s
keepalive 10 120

# Enable compression
comp-lzo

# Maximum number of VPN clients
;max-clients 100

# Run the service as a dedicated user
# (the user has to be created first)
user openvpn
group openvpn

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun

# Status log of connected clients, rewritten every minute
status openvpn-status.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 3
Notebook: tail -f /var/log/syslog

May 26 14:39:04 Markus-NB NetworkManager[887]: <info> Starting VPN service 'openvpn'...
May 26 14:39:04 Markus-NB NetworkManager[887]: <info> VPN service 'openvpn' started (org.freedesktop.NetworkManager.openvpn), PID 6428
May 26 14:39:04 Markus-NB NetworkManager[887]: <info> VPN service 'openvpn' appeared; activating connections
May 26 14:39:04 Markus-NB NetworkManager[887]: <info> VPN plugin state changed: init (1)
May 26 14:39:04 Markus-NB NetworkManager[887]: <info> VPN plugin state changed: starting (3)
May 26 14:39:04 Markus-NB NetworkManager[887]: <info> VPN connection 'openVPN - Hellenthal' (Connect) reply received.
May 26 14:39:04 Markus-NB nm-openvpn[6431]: OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
May 26 14:39:04 Markus-NB nm-openvpn[6431]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
May 26 14:39:04 Markus-NB nm-openvpn[6431]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
May 26 14:39:04 Markus-NB nm-openvpn[6431]: WARNING: file '/home/markus/openVPN - config/markus-nb.key' is group or others accessible
May 26 14:39:04 Markus-NB nm-openvpn[6431]: UDPv4 link local: [undef]
May 26 14:39:04 Markus-NB nm-openvpn[6431]: UDPv4 link remote: [AF_INET]193.158.173.235:1194
May 26 14:39:06 Markus-NB nm-openvpn[6431]: [cryptic.systems] Peer Connection Initiated with [AF_INET]193.158.173.235:1194
May 26 14:39:08 Markus-NB nm-openvpn[6431]: TUN/TAP device tun0 opened
May 26 14:39:08 Markus-NB nm-openvpn[6431]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper tun0 1500 1542 10.8.0.6 10.8.0.5 init
May 26 14:39:08 Markus-NB NetworkManager[887]: SCPlugin-Ifupdown: devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
May 26 14:39:08 Markus-NB NetworkManager[887]: SCPlugin-Ifupdown: device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
May 26 14:39:08 Markus-NB NetworkManager[887]: <warn> /sys/devices/virtual/net/tun0: couldn't determine device driver; ignoring...
May 26 14:39:08 Markus-NB NetworkManager[887]: <info> VPN connection 'openVPN - Hellenthal' (IP Config Get) reply received.
May 26 14:39:08 Markus-NB NetworkManager[887]: <info> VPN connection 'openVPN - Hellenthal' (IP4 Config Get) reply received.
May 26 14:39:08 Markus-NB NetworkManager[887]: <info> VPN Gateway: 193.158.173.235
May 26 14:39:08 Markus-NB NetworkManager[887]: <info> Tunnel Device: tun0
May 26 14:39:08 Markus-NB NetworkManager[887]: <info> IPv4 configuration:
May 26 14:39:08 Markus-NB NetworkManager[887]: <info>   Internal Gateway: 10.8.0.5
May 26 14:39:08 Markus-NB NetworkManager[887]: <info>   Internal Address: 10.8.0.6
May 26 14:39:08 Markus-NB NetworkManager[887]: <info>   Internal Prefix: 32
May 26 14:39:08 Markus-NB NetworkManager[887]: <info>   Internal Point-to-Point Address: 10.8.0.5
May 26 14:39:08 Markus-NB NetworkManager[887]: <info>   Maximum Segment Size (MSS): 0
May 26 14:39:08 Markus-NB NetworkManager[887]: <info>   Static Route: 10.0.0.0/24   Next Hop: 10.0.0.0
May 26 14:39:08 Markus-NB NetworkManager[887]: <info>   Static Route: 10.8.0.0/24   Next Hop: 10.8.0.0
May 26 14:39:08 Markus-NB NetworkManager[887]: <info>   Forbid Default Route: no
May 26 14:39:08 Markus-NB NetworkManager[887]: <info>   Internal DNS: 10.0.0.6
May 26 14:39:08 Markus-NB NetworkManager[887]: <info>   DNS Domain: 'cryptic.local'
May 26 14:39:08 Markus-NB NetworkManager[887]: <info> No IPv6 configuration
May 26 14:39:08 Markus-NB nm-openvpn[6431]: Initialization Sequence Completed
May 26 14:39:09 Markus-NB NetworkManager[887]: <info> VPN connection 'openVPN - Hellenthal' (IP Config Get) complete.
May 26 14:39:09 Markus-NB NetworkManager[887]: <info> Policy set 'openVPN - Hellenthal' (tun0) as default for IPv4 routing and DNS.
May 26 14:39:09 Markus-NB NetworkManager[887]: <info> Policy set 'AS3' (wlan0) as default for IPv6 routing and DNS.
May 26 14:39:09 Markus-NB NetworkManager[887]: <info> Writing DNS information to /sbin/resolvconf
May 26 14:39:09 Markus-NB dnsmasq[1754]: upstream servers set from DBus
May 26 14:39:09 Markus-NB dnsmasq[1754]: using nameserver 10.0.0.6#53
May 26 14:39:09 Markus-NB dbus[722]: [system] Activating service name='org.freedesktop.nm_dispatcher' (using servicehelper)
May 26 14:39:09 Markus-NB NetworkManager[887]: <info> VPN plugin state changed: started (4)
May 26 14:39:09 Markus-NB dbus[722]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
May 26 14:39:10 Markus-NB ntpdate[6520]: Can't find host ntp.ubuntu.com: Name or service not known (-2)
May 26 14:39:10 Markus-NB ntpdate[6520]: no servers can be used, exiting
Best regards, Volker
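Editor's note on the logs above, with an added example that is not part of the original post. The message `query (cache) '.../A/IN' denied` is what named logs when a client that is not allowed to use the cache or recursion asks for a name the server is not authoritative for; the client sees that as REFUSED. The zones in named.conf.local have `allow-query { any; }`, which is why `cryptic.local` resolves, but recursion is governed by the separate `allow-recursion` and `allow-query-cache` options, and their default in BIND 9 is `localnets; localhost;`. The tunnel client 10.8.0.6 evidently does not fall under that (the tunnel is a point-to-point link, see "Internal Prefix: 32" in the notebook log), so every non-local query is refused. The names ending in `.WORKSTATION` are the laptop's resolver retrying with the search domain it got from the DHCP server in the shared flat after the plain name failed; they are a symptom of the REFUSED answer, not a BIND misconfiguration, and disappear once recursion works. The following named.conf.options is an added, corrected version: the ACL name `trusted` is my choice, and the networks are taken from the interface list in the post (10.0.0.0/24 for the LAN, 10.8.0.0/24 from `server 10.8.0.0 255.255.255.0`).

```conf
// /etc/bind/named.conf.options (added example, not the original configuration)

// Who may use this server as a recursive resolver. Deliberately NOT "any":
// a resolver that recurses for the whole Internet is an open resolver and
// gets abused for DNS amplification as soon as port 53 is reachable from
// outside (e.g. through a port forward on the router).
acl "trusted" {
    127.0.0.1;
    ::1;
    10.0.0.0/24;    // home LAN (eth0 10.0.0.6)
    10.8.0.0/24;    // OpenVPN tunnel (server 10.8.0.0 255.255.255.0)
};

options {
    directory "/var/cache/bind";

    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035

    listen-on { 127.0.0.1; 10.0.0.6; 10.8.0.1; };
    listen-on-v6 { any; };

    // The three ACLs that decide who gets an answer. The defaults for
    // allow-recursion and allow-query-cache are "localnets; localhost;",
    // which does not cover 10.8.0.6 on the point-to-point tunnel.
    allow-query       { trusted; };
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };
};
```

After editing, run `named-checkconf` (exit status 0, no output, means the syntax is fine) and reload named, e.g. `service bind9 reload` on Debian/Ubuntu. From the connected laptop, `dig @10.0.0.6 google.de` should then return `status: NOERROR` instead of `REFUSED`, and the `.WORKSTATION` lines should stop appearing in the server's syslog. The `allow-query { any; }` on the two zones in named.conf.local can stay; it only covers authoritative answers for those zones.

Two things in the notebook log are unrelated to the DNS problem but worth fixing while you are at it: `WARNING: No server certificate verification method has been enabled` means the laptop does not check that the certificate it is handed actually belongs to a server (any client certificate signed by the same CA would be accepted), which `remote-cert-tls server` in the client configuration addresses, provided the server certificate was generated with the server extension (easy-rsa's `build-key-server` does that). And `file '.../markus-nb.key' is group or others accessible` means the client's private key should get `chmod 600`.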