linux

How to properly configure an OpenVPN server in conjunction with Bind9 as a private DNS server?

Hello! I ran into a problem in the process of setting up a bunch of OpenVPN and Bind9 on the server. I've been struggling with this problem for at least a week now. Goal: make a VPN node and avoid DNS leaks by using Bind9 as a private DNS server. The OpenVPN server was configured without much difficulty, but when I tried to raise the DNS server, problems began. When using the dig command with any domain, everything is fine, the ping is expected, IP addresses are sent to the client. Here is the request log from the server side when executing "dig @10.8.0.1 ya.ru":

15:30:47.728737 IP 10.8.0.78.54465 > 10.8.0.1.domain: 18060+ [1au] A? ya.ru. (34)
15:30:47.729432 IP 10.8.0.1.domain > 10.8.0.78.54465: 18060 1/2/5 A 87.250.250.242 (201)

But if you use the wget or curl command, there is a long delay, bind9 works somehow incorrectly, and as a result, the client accesses the provider's DNS servers. In this case, the "wget ​​youtube.com" command was executed, and this is what happened from the server side:

15:35:55.463780 IP 10.8.0.78.33465 > 10.0.8.1.domain: 9299+ A? youtube.com. (29)
15:35:55.463932 IP 10.8.0.78.33465 > 10.0.8.1.domain: 47722+ AAAA? youtube.com. (29)
15:36:02.336465 IP 10.8.0.78.46473 > 10.0.8.1.domain: 47830+ A? www.youtube.com. (33)
15:36:02.336828 IP 10.8.0.78.46473 > 10.0.8.1.domain: 41320+ AAAA? www.youtube.com. (33)

The same thing happens when trying to load a web page, the DNS resolution step takes more than 5 seconds. As I understand it, the client tries to get information from bind9, but does not receive it, and accesses the provider's DNS servers, thereby creating a DNS leak.

OpenVPN server config:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  
dh dh2048.pem
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.0.8.1"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
tls-auth ta.key 0 
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
management 127.0.0.1 7505
ccd-exclusive
client-config-dir /etc/openvpn/ccd

OpenVPN client config:

client
dev tun
proto udp
remote 123.123.123.123 1194 # IP ноды
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
tls-auth ta.key 1
cipher AES-256-CBC
auth SHA256
key-direction 1
verb 3

Bind9 config:

acl vpn {10.8.0.0/24; 127.0.0.1;};
options {
  directory "/var/cache/bind";
  allow-query {vpn;};
  max-ncache-ttl 3600;
  max-cache-ttl 3600;
  dnssec-validation no;
  auth-nxdomain no;
  listen-on-v6 {none;};
};

The system is Debian 10. If someone faced the same problem, please tell me what the problem is, or at least in which direction to start digging. I tried many different configurations, cleaned up the bind several times and reinstalled it, but the result is the same. By the way, it was tested both with the firewall turned on and off. Thank you!