HOW TO: Create a flexible VPN client setup using Ubuntu, Part 2: DNS

This weekend, I posted part one of this tutorial about setting up VPN connections and routing to allow one to access the local network and internet without using the VPN tunnel.

In part 2, I will discuss setting up a local DNS server using BIND9 to avoid sending all your DNS queries to your remote DNS server.

Not everyone will need to set this up.  There are a few reasons that it becomes a good idea.  First, the DNS server on your VPN network might be local-only, so internet addresses can’t be resolved.  Second, you may have a local network with its own DNS whose entries are not available through the net.  Third, you may be running a process that does a lot of DNS lookups, and you don’t want to send those queries and overburden the VPN network’s server.  And, finally, you may want to access pages which are forbidden from within your VPN network, and don’t want to do the lookups for them, either.

If you can do all your lookups from your standard servers (say, all your remote network’s computers are behind a firewall but have publicly known names and IPs), you don’t need to set up a local BIND server and can skip to Step 3.

Step 1:  Installing BIND9

In Ubuntu, installing BIND is pretty much child’s play.
sudo apt-get install bind9 bind9utils
That’s pretty much all there is to it.  Unfortunately, you now have a name server that isn’t really good for much, so we’ll have to make a few changes.

Step 2:  BIND9 Setup

The configuration files for BIND9 live in the /etc/bind directory.  They are only editable by the root user, so you have to use sudo to edit them.  If you like to use gedit, just issue this command for each file:
gksudo gedit /etc/bind/<config file>
For editors in a terminal, just use the “sudo” command with your favorite editor.

The first thing we need to do is tell the DNS server how to resolve general addresses.  So, open up named.conf.options and add the following lines inside the existing options { ... } block (a forwarders statement outside that block is a syntax error):
forwarders {
192.168.1.70; // Replace with your own normal DNS server(s), one per line, each ending in a semicolon.
};

The address listed in the example is my own internal DNS server. It has forwarders set up to my ISP, so all the queries can run through it.

Now we need to route the requests for our VPN network’s addresses to the VPN’s own DNS servers.  Generally speaking, BIND9 configurations separate each domain into its own file, but since this will be a simple forwarding domain, I just put it in my named.conf.
zone "work.org" {
type forward;
forwarders {
123.123.123.123;
234.234.234.234;
}; //notice the semicolon.
}; //be sure not to forget to close ALL your braces!

This configuration will forward all requests for *.work.org to the forwarders listed.  Be sure to replace the values here with the correct ones for your remote network.

If you have more than one DNS domain on your VPN, you may want to go ahead and create a separate file for them.

This configuration is great for forward lookups, but it’s worthless for reverse lookups.  There are more than a couple of ways that a reverse lookup can be useful when working remotely, so let’s add those to the named.conf as well.

For the remote systems:
zone "123.in-addr.arpa" {
type forward;
forwarders {
123.123.123.123;
234.234.234.234;
};
};

(I am assuming that my remote network is a class A starting with “123.” If it were a remote, non-routed network such as 192.168.14.0/24, the zone would be named with the octets reversed: 14.168.192.in-addr.arpa.)

Your regular DNS server setup should handle the basics of internet reverse lookup. If you have a local network with a DNS server, you will want to add a reverse lookup zone for it as well.

Once you have all your lookup zones listed in your config files, you can run named-checkconf named.conf (from within /etc/bind) to check your configuration.  The named-check* utilities are a great resource any time you are setting up BIND.

When you are ready to go, just restart BIND9:
sudo /etc/init.d/bind9 restart
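To tie Step 2 together, here is an added example (mine, not the post’s own code) that generates the named.conf.options stanza and the forward/reverse forwarding zones from a domain name and a CIDR block, derives the in-addr.arpa zone name with the octets reversed for /8, /16 and /24 networks, and does a brace-balance pre-check before you hand the result to named-checkconf.  All addresses, the work.org domain and the 123.0.0.0/8 block are placeholder values taken from the post; the listen-on and allow-* lines are my addition, so the resolver only answers this machine (the 127.0.0.1 that Step 3 points the VPN at) and is never an open resolver on the LAN or the VPN.

```python
import ipaddress
import re


def reverse_zone_name(cidr):
    """in-addr.arpa zone for an octet-aligned IPv4 network (/8, /16, /24):
    192.168.14.0/24 -> 14.168.192.in-addr.arpa, 123.0.0.0/8 -> 123.in-addr.arpa."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 map to a single in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def forwarders_list(servers, indent="    "):
    """Render 'forwarders { a; b; };', validating each address first."""
    body = "".join(f"{indent}    {ipaddress.ip_address(s)};\n" for s in servers)
    return f"{indent}forwarders {{\n{body}{indent}}};\n"


def forward_zone(name, servers):
    """One 'type forward' zone stanza like the post's work.org example."""
    return f'zone "{name}" {{\n    type forward;\n{forwarders_list(servers)}}};\n'


def vpn_zones(domain, vpn_net, vpn_dns):
    """Forward zone plus the matching reverse zone for one VPN network."""
    return forward_zone(domain, vpn_dns) + forward_zone(reverse_zone_name(vpn_net), vpn_dns)


def options_block(normal_dns):
    """named.conf.options: anything not matched by a zone goes to the usual
    resolvers; the listen/allow lines (added here, constructed hardening) keep
    the resolver private to this machine, which is what the VPN connection
    points at in Step 3, so it cannot be abused from the LAN or the VPN."""
    return (
        "options {\n"
        '    directory "/var/cache/bind";\n'
        "    listen-on { 127.0.0.1; };\n"
        "    allow-query { localhost; };\n"
        "    allow-recursion { localhost; };\n"
        f"{forwarders_list(normal_dns)}"
        "};\n"
    )


def braces_balanced(text):
    """Quick pre-check before named-checkconf: every '{' has its '}'."""
    code = re.sub(r"//.*", "", text)  # ignore // comments, as used in the post
    return code.count("{") == code.count("}")
```

Write options_block(...) to /etc/bind/named.conf.options and vpn_zones(...) into named.conf, then run named-checkconf as described above; the brace check only catches the one mistake the post warns about, not every syntax error.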

Step 3: Configuring the VPN Connection

Now that our local DNS server is running, we have to tell the system to use it.

In System->Preferences->Network Configuration, choose to edit your VPN connection.  On the “IPv4 Settings” tab, select “Automatic (VPN) Addresses Only” from the Method drop-down.  This leaves us able to enter our localhost as the DNS server, and put in the work domain and our own domain as search domains.  (See below)

Setting up your VPN to use local DNS

If you skipped steps 1 and 2, then you should just put in the DNS servers that you normally use (either local or Internet) in place of 127.0.0.1 above.

That’s all there is to it.  It’s a pretty simple solution that requires no thought from us later on.  There are no scripts to run or files to copy, it’s all set up automatically.  If you spend a lot of time connecting through VPN like I do, it’s a lifesaver.
