DNS push works sporadically

mrubin
OpenVpn Newbie
Posts: 2
Joined: Mon Jan 28, 2019 10:47 pm

DNS push works sporadically

Post by mrubin » Mon Jan 28, 2019 11:00 pm

I am trying out OpenVPN with the server running in AWS (the Marketplace Ubuntu AMIs) and the clients all running on Mac OS. I have followed this setup to allow my developers to access a private hosted zone in Route 53 - https://hirelofty.com/blog/use-aws-rout ... t-machine/. It works, but then sometimes has a hiccup where a DNS name does not resolve. Trying again will get it to resolve again. I don't see any errors in the OpenVPN logs or the bind server's logs. I have tried with and without specifying the internal domain. My VPN is not carrying all traffic, just traffic to the private environment.

How can I debug why sometimes a private DNS name does not resolve?

Thank you for any tips.

TinCanTech
OpenVPN Protagonist
Posts: 5582
Joined: Fri Jun 03, 2016 1:17 pm

Re: DNS push works sporadically

Post by TinCanTech » Mon Jan 28, 2019 11:26 pm

Which version is that ?

viewtopic.php?f=30&t=22603

mrubin
OpenVpn Newbie
Posts: 2
Joined: Mon Jan 28, 2019 10:47 pm

Re: DNS push works sporadically

Post by mrubin » Tue Jan 29, 2019 5:21 am

I believe this - from the linked tutorial - is incorrect:

"Note B: Your DNS queries will hit the AWS DNS server in the first line first, if it returns nothing, it’ll fall back to the standard Google DNS servers. This allows you to query your local DNS names as well as anything on the internet."

We found the following - https://serverfault.com/questions/46636 ... y-priority - which states:

"BIND8 and onward consider each of the forwarders begin with "equal weight". Based on the SRTT of the responses, the nameserver begins to favor one over the other. A certain percentage of queries will always hit the one with higher latency, to retest the waters and keep the calculated weight preference fair. (bearing in mind that once a record is cached, the forwarders will not be consulted for it again until the TTL has expired)

In short, the forwarders directive is designed with redundancy and minimized latency in mind -- not in an active-standby failover model. This will not do what you want it to, and I am not aware of any BIND directives to reconfigure this behavior. I end up staring at BIND documentation a fair bit in my line of work so I feel pretty confident about this statement."

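The serverfault answer quoted above explains the symptom: when the VPC resolver and public resolvers sit together in one global `forwarders` list, BIND spreads queries across them by measured round-trip time, so a private name is intermittently sent to a public resolver that answers NXDOMAIN. The usual fix is a conditional forward zone for the private domain. This is an added illustration, not configuration from the thread or the linked tutorial; the zone name `corp.internal`, the VPC resolver address `10.0.0.2` and the VPN client subnet `10.8.0.0/24` are assumptions, and the "before" block is a reconstruction of the pattern the tutorial describes.

```conf
// BEFORE (reconstructed pattern, assumption): one global forwarders list.
// BIND treats every entry as a peer and picks by SRTT, so a query for a
// private name sometimes reaches Google, which has no such zone and returns
// NXDOMAIN. The next try may hit the VPC resolver and succeed, which is the
// sporadic failure described in the thread.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { 10.8.0.0/24; localhost; };   // VPN client subnet (assumed)
    forwarders {
        10.0.0.2;   // VPC resolver (assumed address: VPC CIDR base + 2)
        8.8.8.8;
        8.8.4.4;
    };
    forward only;
};

// AFTER (use instead of the block above, not alongside it): split by zone.
// Public names still go to the public resolvers; the private hosted zone is
// forwarded exclusively to the VPC resolver, so no query for it can ever be
// answered by a server that does not know the zone.
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { 10.8.0.0/24; localhost; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;
};

// Assumed private hosted zone name; set it to the Route 53 zone actually used.
zone "corp.internal" {
    type forward;
    forward only;              // never fall through to public resolution
    forwarders { 10.0.0.2; };  // VPC resolver only
};

// Optional: reverse lookups for the VPC range (assumed 10.0.0.0/16) likewise
// belong to the VPC resolver alone.
zone "0.10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 10.0.0.2; };
};
```

To confirm the diagnosis before changing anything, query each forwarder directly from the VPN server with `dig @10.0.0.2 host.corp.internal` and `dig @8.8.8.8 host.corp.internal`; the VPC resolver answering while the public resolver returns NXDOMAIN is the signature of this misconfiguration, and `rndc flush` followed by a burst of repeated lookups through the local BIND will show the intermittent failures once the cache is empty.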