DNS issue: can lookup but not use
Moderators: TinCanTech
Forum rules
Please use the [oconf] BB tag for openvpn Configurations. See viewtopic.php?f=30&t=21589 for an example.
-
- OpenVpn Newbie
- Posts: 6
- Joined: Fri Apr 08, 2011 8:13 pm
DNS issue: can lookup but not use
I've set up a private DNS server behind the school's firewall that will allow us to address our VPN clients. The address of this server is being pushed out to the various clients.
'ipconfig /all' - I can see the DNS server address on the VPN adapter.
'nslookup <name>' - gives me the appropriate (VPN) address from our DNS server.
'ping <name>' - tells me it can't find the host
'ping <vpn ip>' - doesn't work either
*if* I go to a linux box and set the DNS server IP in /etc/resolv.conf I can ssh, ping, whatever to the VPN client by name or IP.
It's clear that I'm not routing properly but I don't know what to set. Suggestions?
server.conf:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server 10.20.0.0 255.255.0.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-to-client
keepalive 10 120
tls-auth ta.key 0
comp-lzo
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append /var/log/openvpn/openvpn.log
verb 3
mute 20
push "dhcp-option DNS 129.95.96.50"
sample client config:
client
dev tun
proto udp
remote fuji.bme.ogi.edu 1194
resolv-retry infinite
keepalive 10 120
nobind
persist-key
persist-tun
ca fuji_ca.crt
cert cassini.crt
key cassini.key
tls-auth fuji_ta.key 1
comp-lzo
verb 4
mute 20
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: DNS issue: can lookup but not use
after the VPN client connects, what happens if you
* ping the VPN IP of the server (10.20.0.1)
* ping the DNS server
also, what does the routing table look like?
Does the server use masquerading to hide the VPN IPs? If not, how is routing handled on the server end?
-
- OpenVpn Newbie
- Posts: 6
- Joined: Fri Apr 08, 2011 8:13 pm
Re: DNS issue: can lookup but not use
ping 10.20.0.1 - works
ping <dns ip> - works
ping <dns name> - works
Is this actually a BIND problem and not a VPN problem?
C:\Documents and Settings\ethr\Desktop>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 21 9b 5e 38 f3 ...... Broadcom NetXtreme 57xx Gigabit Controller - Pa
0x3 ...00 ff b9 d5 53 52 ...... TAP-Win32 Adapter V8 - Packet Scheduler Minipor
0x10005 ...00 02 72 01 f0 0c ...... Bluetooth Device (Personal Area Network) #1
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.127.24.1 10.127.24.221 10
10.20.0.0 255.255.0.0 10.20.0.9 10.20.0.10 1
10.20.0.8 255.255.255.252 10.20.0.10 10.20.0.10 30
10.20.0.10 255.255.255.255 127.0.0.1 127.0.0.1 30
10.127.24.0 255.255.254.0 10.127.24.221 10.127.24.221 10
10.127.24.221 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.20.0.10 10.20.0.10 30
10.255.255.255 255.255.255.255 10.127.24.221 10.127.24.221 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.20.0.10 10.20.0.10 30
224.0.0.0 240.0.0.0 10.127.24.221 10.127.24.221 10
255.255.255.255 255.255.255.255 10.20.0.10 10.20.0.10 1
255.255.255.255 255.255.255.255 10.20.0.10 10005 1
255.255.255.255 255.255.255.255 10.127.24.221 10.127.24.221 1
Default Gateway: 10.127.24.1
===========================================================================
Persistent Routes:
None
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: DNS issue: can lookup but not use
sounds like your "regular" DNS is working but the DNS server which is pushed out by the openvpn server is not - is this true? Are you pushing out a DNS setting to the client?
Windows is different from linux in the sense that it has the notion of a DNS setting per adapter - in Linux it's just global. This often causes confusion.
If your VPN server pushes out a DNS IP address to the client, try running
net stop dnscache
net start dnscache
on the VPN afterwards - after that, the VPN DNS server should be used.
-
- OpenVpn Newbie
- Posts: 6
- Joined: Fri Apr 08, 2011 8:13 pm
Re: DNS issue: can lookup but not use
I am pushing out an internal DNS to the VPN clients.
Our network is a mix of linux and WinXP. On the linux machines I have changed /etc/resolv.conf to include the internal DNS and those machines are working. Unfortunately we have far more XP than RH machines so I'd rather not have to make a manual change to each of those.
I did the net stop/start dnscache but it didn't change anything.
Is it possible that I need to push out some amended routing information from the VPN server?
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: DNS issue: can lookup but not use
if, on a windows client, the command
nslookup
uses the VPN-supplied DNS server then the "push" of the DNS server worked.
I'd run something like 'wireshark' and do a 'ping www.google.com' on the win xp client to see if the DNS request is actually sent over the VPN - if it is not, then your local DNS setup is not correct. If it is sent over the VPN but no replies are received, then it is a VPN issue. It's important to know this before further troubleshooting can be done.
-
- OpenVpn Newbie
- Posts: 6
- Joined: Fri Apr 08, 2011 8:13 pm
Re: DNS issue: can lookup but not use
Installed wireshark. It does appear that 'ping' requests are not using my DNS.
Sniffing the primary adapter:
If I ping one of our local servers it uses the DNS from my primary adapter. If I ping a VPN host it looks like it's trying to use a WINS server after failing (?) the DNS (using the wrong DNS server). In addition I see a number of "ICMP Destination unreachable" messages.
Sniffing the VPN adapter:
Pinging a VPN host - I see 3 'Name query NB <host>' messages with no response. Each has a destination address of my current IP (VPN) + 1 (e.g. I'm 10.20.0.10 - it's using 10.20.0.11). Each packet also says "NetBIOS name service" - makes it appear to be using netbios-ns.
EDIT:
I put my DNS server in the list for the non-VPN adapter and ping works. This doesn't solve the issue of why the DNS Push from VPN didn't set it up correctly but at least it shows that my DNS server works.
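To answer janjust's routing question from the `route print` posted earlier, and to explain the "my IP + 1" destination of the NetBIOS queries seen in the Wireshark capture, here is an added Python diagnostic (not from the thread's participants or from OpenVPN): it parses the Active Routes table, does a Windows-style longest-prefix lookup showing that the pushed DNS server 129.95.96.50 is reached via the LAN default gateway rather than the tunnel while VPN peers go out the TAP adapter, and computes the broadcast address of the client's net30 /30, which is 10.20.0.11. It uses only the standard library; the route rows are copied from the post, and any VPN peer address you pass to lookup() is your own choice.

```python
import ipaddress

# "Active Routes" rows of the XP client's `route print` posted in the thread (copied, not constructed).
ROUTE_PRINT = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.127.24.1 10.127.24.221 10
10.20.0.0 255.255.0.0 10.20.0.9 10.20.0.10 1
10.20.0.8 255.255.255.252 10.20.0.10 10.20.0.10 30
10.20.0.10 255.255.255.255 127.0.0.1 127.0.0.1 30
10.127.24.0 255.255.254.0 10.127.24.221 10.127.24.221 10
10.127.24.221 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.20.0.10 10.20.0.10 30
10.255.255.255 255.255.255.255 10.127.24.221 10.127.24.221 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.20.0.10 10.20.0.10 30
224.0.0.0 240.0.0.0 10.127.24.221 10.127.24.221 10
255.255.255.255 255.255.255.255 10.20.0.10 10.20.0.10 1
255.255.255.255 255.255.255.255 10.127.24.221 10.127.24.221 1
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples; non-route lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
        except ValueError:
            continue  # header row, "Interface List" line or other non-route text
        routes.append((net, parts[2], parts[3], int(parts[4])))
    return routes

def lookup(routes, dst):
    """Longest prefix wins, lowest metric breaks ties; returns (gateway, interface)."""
    addr = ipaddress.IPv4Address(dst)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: (r[0].prefixlen, -r[3]))
    return best[1], best[2]

def vpn_broadcast(routes, client_ip):
    """Broadcast of the most specific network route (prefix < 32) holding client_ip;
    in OpenVPN's default net30 topology that is the client's /30 (10.20.0.11 here)."""
    addr = ipaddress.IPv4Address(client_ip)
    nets = [r[0] for r in routes if addr in r[0] and r[0].prefixlen < 32]
    return str(max(nets, key=lambda n: n.prefixlen).broadcast_address)

if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    print("DNS via", lookup(routes, "129.95.96.50"), "| /30 bcast", vpn_broadcast(routes, "10.20.0.10"))
```

Because the pushed DNS server is outside 10.20.0.0/16, nslookup against it succeeds over the LAN whether or not the tunnel works, which is why a working nslookup here says nothing about the VPN itself.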
- janjust
- Forum Team
- Posts: 2703
- Joined: Fri Aug 20, 2010 2:57 pm
- Location: Amsterdam
- Contact:
Re: DNS issue: can lookup but not use
try increasing the verbosity, e.g.
verb 5
in the client config and reconnect.
You can also try playing with
ip-win32
to see if it makes a difference.
-
- OpenVpn Newbie
- Posts: 6
- Joined: Fri Apr 08, 2011 8:13 pm
Re: DNS issue: can lookup but not use
It seems the only way I can get this to work is by manually setting my DNS server entry in the non-VPN IP settings. Otherwise it's ignoring it.
Seems like there should be a better way. Still looking...