How To Set Up A DNS For Wireguard
In this post I explain how to set up a DNS server that you can use inside your Wireguard VPN network. My main Wireguard node is an Ubuntu Server 22.04 machine and I chose bind9 as my DNS server. You can find a description of my Wireguard setup here.
Installing and configuring bind9 DNS server
Bind9 is reasonably easy to configure. I will show how to set it up using RPZ (Response Policy Zones). RPZ was designed to let a resolver block or rewrite answers for known-bad domains, so this is not its original purpose, but it lets us keep every VPN hostname in one zone file instead of declaring a separate zone for each name. Remember, we are not exposing a public DNS server: it only has to answer the nodes inside the VPN, so we can do without many of the features a full configuration would need.
To make sure our nodes can still reach the public internet when we want them to, we designate an upstream public resolver to handle every query that is not matched by our RPZ file. Here I used 8.8.8.8; any resolver you trust will do.
We can install bind9 using apt-get. It is included in the default Ubuntu package repositories. Therefore:
sudo apt-get install bind9
After installing, Ubuntu creates a systemd service for you (on Ubuntu 22.04 the unit is named.service, and bind9 is an alias for it). Remember to enable it so that it comes back up after a reboot.
sudo systemctl enable bind9
We need to edit the following files to make bind9 use RPZ. Our IP address to hostname pairs then go into db.rpz, one line per host. All files live in /etc/bind:
- named.conf.options
- named.conf.local
- db.rpz
named.conf.local
named.conf.options
db.rpz
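As an added example of what the three files can look like (these are not the author's own files), here is a complete configuration for a Wireguard server whose wg0 address is 10.0.0.1/24, with the VPN hostnames placed under home.arpa, the name RFC 8375 reserves for private networks. The addresses, hostnames and the zone name rpz.local are assumptions; substitute your own. The listen-on, allow-query and allow-recursion lines are the part that matters for security: they bind the resolver to the tunnel and loopback only, so the server never becomes an open resolver on its public interface.

```conf
// ---- /etc/bind/named.conf.options ----
options {
    directory "/var/cache/bind";

    // Answer only on loopback and the Wireguard interface, never on the public NIC.
    listen-on { 127.0.0.1; 10.0.0.1; };
    listen-on-v6 { none; };

    // Only VPN peers (and the server itself) may query or recurse through us.
    allow-query { 127.0.0.1; 10.0.0.0/24; };
    allow-recursion { 127.0.0.1; 10.0.0.0/24; };
    recursion yes;

    // Everything the RPZ zone does not override is forwarded upstream.
    forwarders { 8.8.8.8; };
    forward only;

    // Apply the override zone. qname-wait-recurse no answers matching names
    // without first asking the forwarder; break-dnssec yes lets the rewrite
    // happen even for clients that set the DO bit, since these private names
    // have no signed upstream answer to protect.
    response-policy { zone "rpz.local"; } qname-wait-recurse no break-dnssec yes;

    dnssec-validation auto;
};

// ---- /etc/bind/named.conf.local ----
// The zone that holds the overrides. It is only used internally by the
// response-policy statement above, so it is not transferable.
zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz";
    allow-query { localhost; };
    allow-transfer { none; };
};

; ---- /etc/bind/db.rpz ----
$TTL 300
@       IN  SOA localhost. root.localhost. (
                2023091101 ; serial, bump it on every change
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative TTL
@       IN  NS  localhost.

; One line per VPN node. Names are relative to the zone, so the record
; gateway.home.arpa triggers on queries for exactly that name and the
; resolver answers with the A record given here.
gateway.home.arpa   IN  A   10.0.0.1
laptop.home.arpa    IN  A   10.0.0.2
nas.home.arpa       IN  A   10.0.0.3

; Reverse lookups work the same way: the trigger is the in-addr.arpa name.
1.0.0.10.in-addr.arpa   IN  PTR gateway.home.arpa.
```

Before restarting, check the syntax with sudo named-checkconf and sudo named-checkzone rpz.local /etc/bind/db.rpz; both print nothing (or "OK") when the files are valid. From a peer, dig @10.0.0.1 gateway.home.arpa should return 10.0.0.1 and dig @10.0.0.1 example.com should still resolve through the forwarder. If a host firewall is active, allow 53/udp and 53/tcp on wg0 only, not on the public interface.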
Remember to restart
Once you have edited these files, restart bind9 using systemd.
sudo systemctl restart bind9
Configuring the Wireguard nodes
Now that the DNS server is configured we need to tell our Wireguard nodes to use it whenever the tunnel is up. We do this by adding a DNS entry to the [Interface] section of the Wireguard configuration file on each node. See below:
[Interface]
PrivateKey = your-nodes-private-key
Address = your-node-address
DNS = your-dns-node-address
[Peer]
PublicKey = your-servers-public-key
PresharedKey = pre-shared-key-optional
Endpoint = public-address-of-vpn-server
AllowedIPs = your-vpn-network-and-netmask
After reconnecting each node to Wireguard, it will use the VPN's DNS server to resolve hostnames, and you can address your nodes by convenient names instead of their IP addresses. One caveat: on Linux, wg-quick applies the DNS setting by calling resolvconf, so make sure that command exists on the node (the resolvconf or openresolv package on Ubuntu) or the tunnel will fail to come up while the DNS line is present.
Filed under: guides,linux,open-source - @ 2023-09-11 15:09