
Unbound DNS in recursive mode doesn't work through the vpn connection. #515

Open
sprokkel78 opened this issue Jul 23, 2024 · 9 comments

@sprokkel78

sprokkel78 commented Jul 23, 2024

After trying several times I have come to the conclusion that Unbound DNS in recursive mode doesn't work through the VPN connection. Only when I configure forward zones to e.g. 1.1.1.1 and 1.0.0.1 or Google's DNS do the DNS requests work through the VPN connection. But recursive with the VPN connection is not working. Could this be because NordVPN traffic is blocked to the root DNS servers?

A workaround is to run the Unbound DNS server on a separate internet connection without vpn-connection to make it run recursive.

Edit: added unbound.conf

server:
    verbosity: 1
    interface: 192.168.1.100
    port: 53
    access-control: 192.168.1.0/24 allow
    access-control: 172.20.10.0/28 allow
    access-control: 127.0.0.0/8 allow

    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    log-queries: yes
    log-replies: yes

    root-hints: "/etc/unbound/root.hints"

    hide-identity: yes
    hide-version: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    num-threads: 1
    so-reuseport: yes

    # Cache settings
    cache-max-ttl: 86400
    cache-min-ttl: 3600

    prefetch: no
    prefetch-key: no

Tested and reproduced on Ubuntu 24.04 and Fedora F40 (asahi).
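The forward-zone workaround mentioned in this report, written out as an Unbound configuration fragment. This is an added example, not part of the original issue; the forwarder addresses are the 1.1.1.1 and 1.0.0.1 ones named above, and the clause is placed after the server: block.

```conf
# Forward every query to public resolvers instead of iterating from the
# root hints. With this clause present, Unbound never contacts root or
# authoritative servers itself, which is the path that failed through the VPN.
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 1.0.0.1
```

Removing or commenting out the clause returns Unbound to full recursion; `unbound-checkconf` validates the file before a restart.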

@mariusSincovici
Contributor

Hi,
Thanks for your feedback.
Could you please let us know what error you are receiving regarding the recursive mode? Also, how is the NordVPN app DNS configured?

@sprokkel78
Author

sprokkel78 commented Jul 24, 2024

Hi,

The DNS server is running on LAN IP address 192.168.1.100, which is the same computer that initiates the NordVPN connection with the NordVPN client, so I've configured the NordVPN client to set DNS to 192.168.1.100.
(In recursive mode) - The error I'm getting when I do an nslookup or a dig for any domain name is: Communications error to 192.168.1.100#53.
(With forward zones) - nslookup and dig return the desired results. (no error)

Oh yes: when I disconnect from NordVPN (with kill switch off), nslookup and dig return the desired results (in recursive mode) - the moment I turn the NordVPN connection on again, I get the communications error.

@mariusSincovici
Contributor

While connected to the VPN, can you ping/access 192.168.1.100, or is it not reachable at all?

@sprokkel78
Author

sprokkel78 commented Jul 24, 2024

I can ping the LAN while connected to the VPN (using LAN Discovery or whitelisting the subnet 192.168.1.0/24; whitelisting no longer works in 3.18.3 though).

@mariusSincovici
Contributor

Yes, that's what I wanted to see, to check that you're not affected by #512.
Thanks for the info; we'll try to reproduce this on our side and let you know in case we need more info.
Could you also write what distro you are using?

@sprokkel78
Author

sprokkel78 commented Jul 24, 2024

In conclusion:

Connected to the VPN with Unbound DNS in recursive mode (kill switch on):

nslookup www.peer.be

;; communications error to 192.168.1.100#53: timed out
;; communications error to 192.168.1.100#53: timed out
;; communications error to 192.168.1.100#53: timed out
;; communications error to 192.168.1.100#53: timed out
;; communications error to 192.168.1.100#53: timed out
;; no servers could be reached

Disconnected from the VPN with Unbound in recursive mode (kill switch off):

nslookup www.peer.be

Server: 192.168.1.100
Address: 192.168.1.100#53

Non-authoritative answer:
www.peer.be canonical name = peer.be.
Name: peer.be
Address: 193.110.252.8

I'm using both Fedora F40 (asahi) and Ubuntu 24.04 as distros.

@sprokkel78
Author

sprokkel78 commented Jul 24, 2024

NordVPN settings:
Technology: OPENVPN
Protocol: TCP
Firewall: enabled
Firewall Mark: 0x2
Routing: enabled
Analytics: disabled
Kill Switch: enabled
Threat Protection Lite: disabled
Obfuscate: disabled
Notify: disabled
Tray: enabled
Auto-connect: disabled
IPv6: disabled
Meshnet: disabled
DNS: 192.168.1.100
LAN Discovery: enabled
Virtual Location: enabled

I can see DNS traffic in Wireshark from 10.100.0.2 to 192.168.1.100 back and forth.

@backspacedodge

I have the exact same issue. Unbound is running on port 5335 locally, and turning the VPN on results in all DNS results from Unbound being throwaway. Turning off the VPN results in successful resolution from Unbound. On the VPN, when I run dig:

~ > dig @127.0.0.1 -p 5335 www.google.com

; <<>> DiG 9.18.27 <<>> @127.0.0.1 -p 5335 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 51419
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; Query time: 569 msec
;; SERVER: 127.0.0.1#5335(127.0.0.1) (UDP)
;; WHEN: Thu Aug 01 21:02:48 IST 2024
;; MSG SIZE  rcvd: 43

I can add unbound debug logs if it can help in some way.
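To make the SERVFAIL shown in that dig output concrete, and to give a way of sending the same query to the local Unbound instance and to an upstream server so that the failing hop can be compared, here is a small stdlib-only DNS probe. This is an added example, not code from the issue thread or from Unbound or NordVPN; the names and the sample reply are constructed (the sample is built to match the quoted dig header: id 51419, SERVFAIL, flags qr rd ra, one OPT record, 43 bytes).

```python
"""Compare resolver paths with raw DNS/UDP queries (stdlib only).

Added example, not code from the issue thread. Builds a query, decodes the
response header the way dig prints it (status, flags, section counts) and
classifies the outcome as answered / <RCODE> / timeout.
"""
import random
import socket
import struct
from typing import Optional

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_A = 1
QTYPE_OPT = 41
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'www.google.com' as length-prefixed labels plus a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qid: int, qtype: int = QTYPE_A) -> bytes:
    """12-byte header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(message: bytes) -> dict:
    """Decode id, QR/RD/RA flags, RCODE and the four section counts."""
    if len(message) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", message[:12])
    rcode = flags & 0x000F
    return {
        "id": qid,
        "qr": bool(flags & 0x8000),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "status": RCODE_NAMES.get(rcode, f"RCODE{rcode}"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(header: Optional[dict]) -> str:
    """One-word verdict: 'timeout', 'answered', or the RCODE name (e.g. SERVFAIL)."""
    if header is None:
        return "timeout"
    if header["status"] == "NOERROR" and header["ancount"] > 0:
        return "answered"
    return header["status"]


def probe(server: str, name: str, port: int = 53, timeout: float = 3.0) -> Optional[dict]:
    """Send one UDP query and return the parsed header, or None on timeout."""
    qid = random.getrandbits(16)  # random id so a stray reply is not taken for ours
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    header = parse_header(data)
    return header if header["id"] == qid else None  # id mismatch: not our answer


# Constructed reply mirroring the SERVFAIL dig showed in the thread:
# flags 0x8182 = QR | RD | RA | RCODE 2, counts 1/0/0/1, the question,
# then an empty OPT pseudo-record advertising a 1232-byte UDP payload.
SAMPLE_SERVFAIL = (
    struct.pack("!HHHHHH", 51419, 0x8182, 1, 0, 0, 1)
    + encode_name("www.google.com") + struct.pack("!HH", QTYPE_A, CLASS_IN)
    + b"\x00" + struct.pack("!HHIH", QTYPE_OPT, 1232, 0, 0)
)

if __name__ == "__main__":
    import sys
    # usage: python dnsprobe.py <server> [port] [name]
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 53
    name = sys.argv[3] if len(sys.argv) > 3 else "www.google.com"
    print(f"{server}#{port} {name}: {classify(probe(server, name, port))}")
```

Running it once against the local resolver (`127.0.0.1 5335` in the post above) and once against an address from root.hints, with the VPN up and then down, shows directly whether the resolver's own upstream path or the client-to-resolver path is the one that times out or returns SERVFAIL.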

@ziz480

ziz480 commented Dec 3, 2024

Bump. NordVPN became unusable for me around March this year when this issue started. I wouldn't think it's anything with the official app - the issue is happening to me with the OpenVPN client as well. I'm using BIND for DNS and running the OpenVPN client on the router.

Forwarding to public resolvers (e.g. Google DNS) works fine, but queries to root/authoritative servers are being refused while on NordVPN. I don't experience any problems when using a competing VPN product or without a VPN.

Here's the BIND error:

REFUSED unexpected RCODE resolving 'xyz.zyx.yxz/A/IN': 1.2.3.4#53

On the client side this shows up as a SERVFAIL response.

Above is just one example; I get the server log full of this as soon as I switch traffic to Nord. I've contacted their support a couple of times, but I was firmly stuck in tier 1. They were just about as helpful as garden gnomes.

I'm happy to provide more logs too, if it helps.
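A log full of those REFUSED lines is easier to read once it is grouped by upstream server and by RCODE, which also makes the distinction the post draws (forwarders fine, root/authoritative servers refused) mechanical. The triage script below is an added example, not code from this thread or from BIND; it parses the message format quoted above and the sample log lines and the 192.0.2.x addresses in it are constructed (TEST-NET placeholders, not real servers).

```python
"""Triage 'unexpected RCODE' resolver log lines by upstream server.

Added example, not code from the issue thread. Extracts BIND's
"<RCODE> unexpected RCODE resolving '<name>/<type>/<class>': <ip>#<port>"
messages, counts them per server and per RCODE, and reports whether the
failures are confined to servers that are not configured forwarders
(root/authoritative servers reached by recursion) or hit forwarders too.
"""
import re
from collections import Counter

UNEXPECTED_RCODE_RE = re.compile(
    r"(?P<rcode>[A-Z]+) unexpected RCODE resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)"
)

VERDICT_CLEAN = "clean"                         # no unexpected RCODEs at all
VERDICT_RECURSION_PATH = "recursion-path-only"  # only non-forwarder servers fail
VERDICT_FORWARDERS_TOO = "forwarders-affected"  # configured forwarders fail as well

# Constructed sample: three REFUSED and one SERVFAIL from placeholder
# authoritative servers, plus one unrelated line that must be ignored.
SAMPLE_LOG = """\
03-Dec-2024 10:01:02.123 resolver: info: REFUSED unexpected RCODE resolving 'example.com/A/IN': 192.0.2.10#53
03-Dec-2024 10:01:02.456 resolver: info: REFUSED unexpected RCODE resolving 'example.com/A/IN': 192.0.2.11#53
03-Dec-2024 10:01:03.001 resolver: info: REFUSED unexpected RCODE resolving 'www.example.net/AAAA/IN': 192.0.2.12#53
03-Dec-2024 10:01:04.500 general: info: zone localhost/IN: loaded serial 2
03-Dec-2024 10:01:06.100 resolver: info: SERVFAIL unexpected RCODE resolving 'example.org/A/IN': 192.0.2.10#53
"""


def parse_events(text: str) -> list:
    """Return one dict per 'unexpected RCODE' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = UNEXPECTED_RCODE_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["port"] = int(ev["port"])
            events.append(ev)
    return events


def summarize(events: list, forwarders=frozenset()) -> dict:
    """Count failures per server and RCODE and decide which path is affected."""
    by_server = Counter(ev["server"] for ev in events)
    by_rcode = Counter(ev["rcode"] for ev in events)
    failing_forwarders = sorted(set(by_server) & set(forwarders))
    if not events:
        verdict = VERDICT_CLEAN
    elif failing_forwarders:
        verdict = VERDICT_FORWARDERS_TOO
    else:
        verdict = VERDICT_RECURSION_PATH
    return {
        "by_server": by_server,
        "by_rcode": by_rcode,
        "failing_forwarders": failing_forwarders,
        "verdict": verdict,
    }


def report(text: str, forwarders=frozenset()) -> str:
    """Human-readable summary of a log file's contents."""
    s = summarize(parse_events(text), forwarders)
    lines = [f"verdict: {s['verdict']}"]
    for rcode, n in s["by_rcode"].most_common():
        lines.append(f"  {rcode}: {n}")
    for server, n in s["by_server"].most_common():
        tag = "forwarder" if server in forwarders else "recursion"
        lines.append(f"  {server} ({tag}): {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # usage: python triage.py [named.log]; without an argument the sample is used
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(report(text, forwarders={"1.1.1.1", "1.0.0.1"}))
```

Pass the resolver's configured forwarder addresses in `forwarders`; a `recursion-path-only` verdict with counts spread across many different servers is the signature described in this thread, whereas `forwarders-affected` points at the resolver's outbound DNS in general rather than at root/authoritative reachability.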

4 participants