
Recently I was setting up a VPN node with OpenVPN server and Bind9 to prevent DNS leaks and got a problem with Bind9. Setting up the OpenVPN server was mostly easy, but Bind9 is apparently a bit more tricky, so this is where I got stuck. When I'm using the "dig" command on the client machine it works perfectly fine: ping is normal, no lag or anything, clients get the needed IP addresses. Here is how this request looks from the server side (command on the client: dig @10.8.0.1 ya.ru):

15:30:47.728737 IP 10.8.0.78.54465 > 10.8.0.1.domain: 18060+ [1au] A? ya.ru. (34)
15:30:47.729432 IP 10.8.0.1.domain > 10.8.0.78.54465: 18060 1/2/5 A 87.250.250.242 (201)

But if I'm using wget or curl, I hit a long delay, bind works incorrectly, and after a timeout (supposedly 5 seconds) the client sends the DNS request to the ISP's servers, therefore causing a DNS leak. This is what happens on the server when the client executes "wget youtube.com":

15:35:55.463780 IP 10.8.0.78.33465 > 10.0.8.1.domain: 9299+ A? youtube.com. (29)
15:35:55.463932 IP 10.8.0.78.33465 > 10.0.8.1.domain: 47722+ AAAA? youtube.com. (29)
15:36:02.336465 IP 10.8.0.78.46473 > 10.0.8.1.domain: 47830+ A? www.youtube.com. (33)
15:36:02.336828 IP 10.8.0.78.46473 > 10.0.8.1.domain: 41320+ AAAA? www.youtube.com. (33)

The main difference I noticed is that in this case requests go only from client to server and not back and forth like in the first example. The same thing happens when the client tries to load a page in a browser. The DNS resolution takes 5+ seconds and uses the ISP's DNS servers after all. I'm not sure whether it is an OpenVPN or Bind9 misconfiguration; I tried a lot of different variations, but still no progress. OS: Debian 10. I also tried both with and without the firewall. If you have had the same or a related issue and you know what the problem might be, please help, or at least direct me towards the possible error. Thank you!

Here are configuration files:

OpenVPN Server:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  
dh dh2048.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.0.8.1"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
tls-auth ta.key 0 
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
management 127.0.0.1 7505
ccd-exclusive
client-config-dir /etc/openvpn/ccd

OpenVPN client:

client
dev tun
proto udp
remote 123.123.123.123 1194 # node IP
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3

Bind9 config:

acl vpn {10.8.0.0/24; 127.0.0.1;};
options {
  directory "/var/cache/bind";
  allow-query {vpn;};
  max-ncache-ttl 3600;
  max-cache-ttl 3600;
  dnssec-validation no;
  auth-nxdomain no;
  listen-on-v6 {none;};
};
hancack
  • `push "dhcp-option DNS 10.8.0.1"` should be right; I also used `dhcp-option DNS 10.8.0.1` in the client.conf – djdomi Feb 16 '21 at 18:34
  • @djdomi Those two lines do basically the same thing, with one difference: `dhcp-option DNS 10.8.0.1` in the client.conf is hardcoded in the client configuration file and can be changed only after downloading a new config, whereas `push "dhcp-option DNS 10.8.0.1"` on the server side sends this parameter when connecting to the node and therefore can be changed easily without any additional hassle for the user. – hancack Feb 17 '21 at 22:45
  • I am aware of this, as this configuration is only used by myself, but for testing it would be a good choice – djdomi Feb 18 '21 at 18:17
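A check an operator can run over the files posted above, added here as an example and not code from the question or its comments: the script parses the `server` and `push "dhcp-option DNS ..."` directives from the OpenVPN server config, the `vpn` acl from the Bind9 config, and tcpdump output in the format shown in the question, then reports a pushed resolver address that lies outside the tunnel subnet, a tunnel subnet that bind's `allow-query` acl would not cover, and resolvers that received queries but never replied. The embedded config directives are copied from the question; the capture is the question's two excerpts concatenated into one constructed input; all function names are my own. Run on the config as posted it reports that the pushed address 10.0.8.1 is outside 10.8.0.0/24, which lines up with the second capture showing queries to 10.0.8.1 and no replies, while the `dig` test that worked went to 10.8.0.1.

```python
import ipaddress
import re

# Directives copied from the question's OpenVPN server and Bind9 configs,
# trimmed to the lines this check reads.
OPENVPN_SERVER_CONF = """\
port 1194
proto udp
dev tun
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.0.8.1"
server 10.8.0.0 255.255.255.0
"""

BIND_CONF = """\
acl vpn {10.8.0.0/24; 127.0.0.1;};
options {
  directory "/var/cache/bind";
  allow-query {vpn;};
  listen-on-v6 {none;};
};
"""

# The two tcpdump excerpts from the question, concatenated (constructed input).
CAPTURE = """\
15:30:47.728737 IP 10.8.0.78.54465 > 10.8.0.1.domain: 18060+ [1au] A? ya.ru. (34)
15:30:47.729432 IP 10.8.0.1.domain > 10.8.0.78.54465: 18060 1/2/5 A 87.250.250.242 (201)
15:35:55.463780 IP 10.8.0.78.33465 > 10.0.8.1.domain: 9299+ A? youtube.com. (29)
15:35:55.463932 IP 10.8.0.78.33465 > 10.0.8.1.domain: 47722+ AAAA? youtube.com. (29)
"""

IPV4 = r"\d+(?:\.\d+){3}"
# tcpdump prints "src.port > dst.domain: txid+ ..." for queries and
# "src.domain > dst.port: txid ..." (no '+') for replies.
QUERY_RE = re.compile(rf"IP (?P<src>{IPV4})\.\d+ > (?P<dst>{IPV4})\.domain: (?P<txid>\d+)\+")
REPLY_RE = re.compile(rf"IP (?P<src>{IPV4})\.domain > (?P<dst>{IPV4})\.\d+: (?P<txid>\d+) ")


def parse_openvpn_server(conf):
    """Return (tunnel network, [pushed DNS addresses]) from an OpenVPN server config."""
    network, dns = None, []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments
        m = re.match(r"server\s+(\S+)\s+(\S+)$", line)
        if m:
            network = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        m = re.match(r'push\s+"dhcp-option\s+DNS\s+(\S+)"', line)
        if m:
            dns.append(ipaddress.ip_address(m.group(1)))
    return network, dns


def parse_bind_acl(conf, name):
    """Return the networks listed in the named Bind9 acl block."""
    m = re.search(r"acl\s+" + re.escape(name) + r"\s*\{([^}]*)\}", conf)
    if not m:
        return []
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in m.group(1).split(";") if e.strip()]


def check_resolver_push(openvpn_conf, bind_conf, acl="vpn"):
    """Cross-check the pushed resolver against the tunnel subnet and bind's query acl."""
    findings = []
    network, dns = parse_openvpn_server(openvpn_conf)
    if network is None:
        return ["no 'server' directive found"]
    if not dns:
        findings.append("no pushed DNS option; clients keep their ISP resolvers")
    for addr in dns:
        if addr not in network:
            findings.append(f"pushed DNS {addr} is outside tunnel subnet {network}")
    # allow-query filters on the *client* source address, so the tunnel subnet
    # itself must sit inside the acl; the resolver's own address is irrelevant.
    acl_nets = [n for n in parse_bind_acl(bind_conf, acl) if n.version == network.version]
    if not any(network.subnet_of(n) for n in acl_nets):
        findings.append(f"tunnel subnet {network} is not covered by bind acl '{acl}'")
    return findings


def summarize_dns_capture(capture):
    """Per resolver address: how many queries were sent and how many got a reply."""
    queries, replies = set(), set()
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m:
            queries.add((m.group("dst"), m.group("txid")))
            continue
        m = REPLY_RE.search(line)
        if m:
            replies.add((m.group("src"), m.group("txid")))
    summary = {}
    for resolver, txid in queries:
        entry = summary.setdefault(resolver, {"sent": 0, "answered": 0})
        entry["sent"] += 1
        if (resolver, txid) in replies:
            entry["answered"] += 1
    return summary


if __name__ == "__main__":
    for finding in check_resolver_push(OPENVPN_SERVER_CONF, BIND_CONF):
        print("config:", finding)
    for resolver, counts in sorted(summarize_dns_capture(CAPTURE).items()):
        print(f"capture: {resolver} sent={counts['sent']} answered={counts['answered']}")
```

The two halves are deliberately independent: the config check catches the mismatch before any client connects, and the capture summary is what you would run on the server (`tcpdump -ni tun0 port 53`) to confirm which resolver address clients actually use and whether that address ever answers. A resolver that collects queries but no replies is exactly the pattern that precedes a fallback to the ISP's servers.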

0 Answers