Archive for December, 2009

bind9 inside of openvpn

December 22nd, 2009

I was playing a little with bind9 today. My goal was to resolve intranet and global domain names through one server inside the openvpn intranet.

I configured all the necessary zones, and everything was working fine directly from the server (which is the server for both openvpn and bind9). After setting the DNS server to be the vpn/bind server, a problem occurred: I was not able to resolve any domain name (neither intranet nor internet) from any of the machines that were connected to the vpn network.

In /var/log/syslog I was getting:

named[xxxx]: client 10.12.12.3#53461 query 'some.domain.name/A/IN' denied

Long story short, if you encounter this problem there is one simple solution. In your bind/named configuration (it will probably be /etc/bind/named.conf.options) set the following:

listen-on { any; };
allow-query { any; };

Of course you can switch “any” to any other IP address.

Funny thing is that “any” should be the default value for both options. It wasn’t for me.
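
As an added example (not from the original post), here is a named.conf.options fragment that scopes the same two options to the VPN instead of “any”, so the resolver only answers clients on the tunnel. The subnet 10.12.12.0/24 and the server address 10.12.12.1 are assumptions based on the client address in the log line above, and the ACL name vpnclients is hypothetical.

```conf
// /etc/bind/named.conf.options (fragment)
// Assumed addressing: VPN subnet 10.12.12.0/24, this server at 10.12.12.1.

acl vpnclients {
    127.0.0.1;          // the server itself
    10.12.12.0/24;      // assumed OpenVPN client subnet
};

options {
    // Keep the existing "directory" and "forwarders" lines from your file here.

    // Bind only to loopback and the VPN-side address, not every interface.
    listen-on { 127.0.0.1; 10.12.12.1; };
    listen-on-v6 { none; };

    // Who may send queries at all (replaces "allow-query { any; };").
    allow-query { vpnclients; };

    // Who may use this server as a recursive resolver and read its cache.
    // Leaving these open to the internet makes the host an open resolver.
    allow-recursion { vpnclients; };
    allow-query-cache { vpnclients; };

    // No zone transfers unless a secondary is explicitly listed.
    allow-transfer { none; };
};
```

Check the file with named-checkconf before reloading named. A zone that other clients must be able to query can carry its own allow-query statement, which overrides the global one for that zone.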