Install BIND for DNS Resolver
Since we specify the VPN server as the DNS server for clients, we need to run a DNS resolver on the VPN server.
- We can install the bind9 DNS server:
sudo apt install bind9
- Once installed, BIND will automatically start. Check its status with:
systemctl status named
- To start manually:
sudo systemctl start named
- Edit the configuration file:
sudo nano /etc/bind/named.conf.options
- Add the following line inside the options { } block so that only localhost and VPN clients (192.168.30.0/24) may send recursive DNS queries:
allow-recursion { 127.0.0.1; 192.168.30.0/24; };
- Save and close the file. Then edit the /etc/default/named file:
sudo nano /etc/default/named
- Add -4 to OPTIONS so that BIND uses IPv4 only; without it, a server that lacks working IPv6 connectivity can fail to reach the root DNS servers:
OPTIONS="-u bind -4"
- Save and close the file.
- By default, BIND enables DNSSEC validation, which ensures that DNS responses are authentic and have not been tampered with. However, it might not work out of the box due to trust anchor rollover and other reasons. To make it work properly, we can rebuild the managed key database with the following two commands:
sudo rndc managed-keys destroy
sudo rndc reconfig
- Restart BIND9 for the changes to take effect:
sudo systemctl restart named
- Then run the following command so that the firewall accepts traffic from VPN clients, which lets them reach the resolver on port 53:
sudo ufw insert 1 allow in from 192.168.30.0/24
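The allow-recursion ACL above is what keeps this resolver from answering recursive queries for the whole internet (an open resolver is a ready-made DNS amplification source). The following script is an added example, not part of the original page: it extracts the allow-recursion entries from a BIND options file and rejects a configuration that is world-open or that omits the VPN subnet. It assumes the VPN subnet 192.168.30.0/24 from the page; the two config files it checks are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added example: audit a BIND options file for the allow-recursion ACL.
# Assumes the VPN subnet used on the page; sample configs are constructed.
VPN_SUBNET="192.168.30.0/24"

# Print the entries of the allow-recursion ACL, one per line (nothing if absent).
recursion_acl() {
    tr '\n' ' ' < "$1" \
      | sed -n 's/.*allow-recursion[[:space:]]*{\([^}]*\)}.*/\1/p' \
      | tr ';' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | grep -v '^$' || true
}

# Return 0 when recursion is limited to loopback plus the VPN subnet; return 1
# when the ACL is missing, world-open ("any", 0.0.0.0/0, ::/0) or lacks the subnet.
check_recursion_acl() {
    acl=$(recursion_acl "$1")
    if [ -z "$acl" ]; then
        echo "$1: no allow-recursion ACL; VPN clients are not explicitly allowed" >&2
        return 1
    fi
    if printf '%s\n' "$acl" | grep -qx -e 'any' -e '0\.0\.0\.0/0' -e '::/0'; then
        echo "$1: allow-recursion is world-open (open resolver)" >&2
        return 1
    fi
    if ! printf '%s\n' "$acl" | grep -qxF "$VPN_SUBNET"; then
        echo "$1: allow-recursion does not include $VPN_SUBNET" >&2
        return 1
    fi
    return 0
}

# Constructed samples: the page's ACL inside the options block, and an open one.
TMP=$(mktemp -d)
GOOD="$TMP/good.conf"; BAD="$TMP/open.conf"
cat > "$GOOD" <<'EOF'
options {
    directory "/var/cache/bind";
    allow-recursion { 127.0.0.1; 192.168.30.0/24; };
    dnssec-validation auto;
};
EOF
cat > "$BAD" <<'EOF'
options {
    directory "/var/cache/bind";
    allow-recursion { any; };
};
EOF
check_recursion_acl "$GOOD" && echo "good.conf: OK"
check_recursion_acl "$BAD" || echo "open.conf: REJECTED"
```

To audit the live server, run check_recursion_acl against /etc/bind/named.conf.options after editing it, alongside named-checkconf for syntax.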
