DNS issue when using vpn

Hey,

I have imported an .ovpn config into the network manager and it works alright, except for some websites I get the error:

domain.com’s server IP address could not be found.
DNS_PROBE_FINISHED_NXDOMAIN

Any ideas why this is happening?

Comments

  • vmp32k Member

    @mailinabox said:
    Try

    Sigavpn.org

    O.o that's like saying:

    "The GPS in my car sometimes doesn't work" - "try driving a mercedes"

  • @mailinabox seriously?

  • @scorcher9 said:
    Any ideas why this is happening?

    Are you routing DNS queries through the VPN? If so, which DNS server are you using? If you don't mind having DNS leakage when you test, try disabling the redirect-gateway feature and see if you are still having this issue. What domains aren't resolving?

  • birchbeer said: are you routing DNS queries through the VPN? If so - which DNS server are you using?

    I am not sure.

    This was the conf I imported

    client
    dev tun
    proto udp
    sndbuf 0
    rcvbuf 0
    remote x.x.x.x xxxxx
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    auth SHA512
    cipher AES-256-CBC
    comp-lzo
    setenv opt block-outside-dns
    key-direction 1
    verb 3
    
    [...]
    

    What domains aren't resolving?

    Let's just say some domains ;)

  • @scorcher9 said:
    Let's just say some domains ;)

    Are you certain those domains exist and that there are records to resolve? If you try to resolve them using an online tool like MXtoolbox, do they resolve? If you do a whois lookup, are there name servers for that domain?

    Also, from your ovpn, I can't tell if you are resolving through your local connection or proxying DNS queries through your VPN. If you are using Windows, a quick way to check resolution is to use nslookup and do a "set debug", and then type in the hostname you are trying to resolve.

    Sounds like you may be using a DNS server which is denying access if those are domains which are sketchy.

  • drivex Member

    Do you push dns servers in the openvpn server config?

  • birchbeer said: Are you certain those domains exist and that there are records to resolve? If you try to resolve them using an online tool like MXtoolbox, do they resolve? If you do a whois lookup, are there name servers for that domain?

    Yes, the domains exist and resolve.

    birchbeer said: Also, from your ovpn, I can't tell if you are resolving through your local connection or proxying DNS queries through your VPN.

    I am on Linux and if I run dig domain.com the result says SERVER: 127.0.1.1#53(127.0.1.1), so I guess it's using the local connection.

    birchbeer said: Sounds like you may be using a DNS server which is denying access if those are domains which are sketchy.

    Here is the thing, the domains I am talking about are blocked in my country so it could be on the DNS level, I am not sure. I wouldn't say all the domains are sketchy, at one point even youtube was blocked. Anyway that's a completely different topic.

    Btw, thank you for looking into this :)

    @drivex said:
    Do you push dns servers in the openvpn server config?

    I believe yes, this is from the server config

    # /etc/openvpn/server.conf
    
    ...
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    ...
    
  • birchbeer Member
    edited July 2018

    @scorcher9 said:
    I am on linux and if I run dig domain.com the result says SERVER: 127.0.1.1#53(127.0.1.1) so I guess it's using the local connection.

    That's because you are using a Linux distro that's using the systemd-resolved daemon.

    I was going to ask you to try a +trace on dig but unfortunately resolved has a problem that breaks dig's trace capability.

    # /etc/openvpn/server.conf
    
    ...
    push "redirect-gateway def1 bypass-dhcp"
    push "dhcp-option DNS 8.8.8.8"
    push "dhcp-option DNS 8.8.4.4"
    

    If I remember how openvpn works, that's going to cause your Linux box to use those two Google public DNS servers instead of routing your DNS queries through the VPN. That kinda makes sense why those hostnames are not resolving if DNS queries are being intercepted.

    You have to push a DNS proxy address. Normally, that would be the VPN server private internal address. The address would be a 10.x.x.x or similar RFC1918 address.

  • I tried the same configuration on Android with the OpenVPN Connect app and everything seems to be working fine, so I guess there is something wrong with the desktop, not the server.

  • seanho Member

    If you're using systemd-resolved, you're probably going to have to reference your VPN's DNS server in a .network file under /etc/systemd/network/. You could also override your global DNS settings in /etc/systemd/resolved.conf; that's simpler, but if your VPN goes down, name resolution goes down with it.

    You can check what DNS servers systemd-resolved is using at /run/systemd/resolved/resolv.conf, or run resolvectl status or systemd-resolve --status.

    Or just dump systemd-resolved altogether and use the tried-and-true /etc/resolv.conf.

  • scorcher9 Member
    edited July 2018

    Okay, so I was using NetworkManager, and not systemd-resolved. The /etc/resolv.conf is being generated automatically by NM and it's not a good idea to edit it directly.

    While searching, I found 2 ways to get around this. One, there is the update-resolv-conf script for OpenVPN. It basically gets the pushed DNS servers and adds them to resolv.conf. You have to launch OpenVPN from the terminal for this to work. The second was to disable dnsmasq for NM. I don't know if there are any consequences for this but I guess we'll find out soon.

    Anyway it's all good now. @birchbeer @drivex @seanho thanks so much for giving me the direction.
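
Added example (not part of the thread): a shell check for the situation discussed above, telling whether the DNS servers pushed by the OpenVPN server ended up in the client's resolver configuration or whether a local stub such as NetworkManager's dnsmasq on 127.0.1.1 is still answering. The function name `classify_dns` is hypothetical, the pushed addresses are the ones from the posted server.conf, and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example. Reads resolv.conf-style text on stdin and reports whether the
# DNS servers pushed by the VPN are the ones actually in use.
#   stub   - only a loopback resolver (e.g. NetworkManager's dnsmasq on
#            127.0.1.1); the real upstream is hidden behind it
#   pushed - every listed server is one the VPN pushed
#   mixed  - pushed servers alongside a stub or a non-VPN server
#   other  - no pushed server is listed
classify_dns() {   # hypothetical helper; arguments are the pushed addresses
    pushed=0; stub=0; other=0
    for ns in $(awk '$1 == "nameserver" { print $2 }'); do
        case "$ns" in
            127.*|::1) stub=$((stub + 1)); continue ;;
        esac
        hit=0
        for p in "$@"; do
            if [ "$ns" = "$p" ]; then hit=1; fi
        done
        if [ "$hit" -eq 1 ]; then pushed=$((pushed + 1)); else other=$((other + 1)); fi
    done
    if [ "$pushed" -gt 0 ] && [ "$stub" -eq 0 ] && [ "$other" -eq 0 ]; then
        echo pushed
    elif [ "$pushed" -gt 0 ]; then
        echo mixed
    elif [ "$stub" -gt 0 ] && [ "$other" -eq 0 ]; then
        echo stub
    else
        echo other
    fi
}

# Constructed samples (not captured from the thread's machines).
before='# Generated by NetworkManager
nameserver 127.0.1.1'
after='nameserver 8.8.8.8
nameserver 8.8.4.4'

printf 'before fix: %s\n' "$(printf '%s\n' "$before" | classify_dns 8.8.8.8 8.8.4.4)"
printf 'after fix:  %s\n' "$(printf '%s\n' "$after" | classify_dns 8.8.8.8 8.8.4.4)"
```

On a live client, feed it the real file with `classify_dns 8.8.8.8 8.8.4.4 < /etc/resolv.conf`. A `stub` result means the upstream still has to be inspected separately, for example in /run/systemd/resolved/resolv.conf when systemd-resolved is the stub.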
