On 08/03/2016 09:31 AM, Marek Marczykowski-Górecki wrote: > On Mon, Aug 01, 2016 at 08:31:12AM +0200, David Hobach wrote: > > >> On 07/31/2016 10:05 AM, Markus Kilås wrote: >>> On 02/28/2016 04:13 PM, Markus Kilås wrote: >>>> Hi, >>>> >>>> I am experiencing an issue with DNS queries in my AppVMs in R3.0. >>>> >>>> Sometimes after booting up, the AppVMS that are connected to >>>> sys-firewall are unable to do DNS lookups: >>>> user@untrusted ~]$ dig qubes-os.org >>>> ; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> qubes-os.org >>>> ;; global options: +cmd >>>> ;; connection timed out; no servers could be reached >>>> >>>> The same command works in sys-firewall and netvm and any AppVM connected >>>> directly to the netvm but not when going through sys-firewall. There are >>>> no firewall rules added in the Qubes VM Manager and changing to allow >>>> all network traffic for 5 minutes makes no difference. >>>> >>>> Besides DNS lookups not working, the networking is working: >>>> [user@untrusted ~]$ ping 104.25.119.5 >>>> PING 104.25.119.5 (104.25.119.5) 56(84) bytes of data. >>>> 64 bytes from 104.25.119.5: icmp_seq=1 ttl=56 time=31.4 ms >>>> >>>> If I manually change the nameserver to the same as in sys-firewall the >>>> resolving works also in the AppVM: >>>> >>>> With IP from /etc/resolve.conf (sys-firewall): >>>> [user@untrusted ~]$ dig @10.137.2.1 qubes-os.org >>>> ; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> @10.137.2.1 qubes-os.org >>>> ; (1 server found) >>>> ;; global options: +cmd >>>> ;; connection timed out; no servers could be reached >>>> >>>> Instead with the netvm IP: >>>> [user@untrusted ~]$ dig @10.137.5.1 qubes-os.org >>>> ; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> @10.137.5.1 qubes-os.org >>>> ; (1 server found) >>>> ;; global options: +cmd >>>> ;; Got answer: >>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5804 >>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 >>>> >>>> ;; OPT PSEUDOSECTION: >>>> ; EDNS: version: 0, flags:; udp: 4096 >>>> ;; QUESTION SECTION: >>>> ;qubes-os.org. IN A >>>> >>>> ;; ANSWER SECTION: >>>> qubes-os.org. 127 IN A 104.25.119.5 >>>> qubes-os.org. 127 IN A 104.25.118.5 >>>> >>>> ;; Query time: 11 msec >>>> ;; SERVER: 10.137.5.1#53(10.137.5.1) >>>> ;; WHEN: Sun Feb 28 16:03:09 CET 2016 >>>> ;; MSG SIZE rcvd: 73 >>>> >>>> >>>> Any idea what is going on here? >>>> > >> Very similar issues here... > > I think it's this issue: > https://github.com/QubesOS/qubes-issues/issues/1067 > >>> I think I solved this now. >>> >>> After re-installing with V3.2-rc2 and restoring my VMs (including my old >>> netvm) I still had this problem from time to time. >>> >>> So what I did was to start use the new sys-net VM as NetVM instead of my >>> restored old netvm (I manually copied over the network manager config, >>> private keys, certificates etc from the old VM to not have to >>> reconfigure that). >>> >>> Since then, so far I have not seen the issue again. > >> I had renamed the sys-firewall VM back to its old "firewallvm" name using >> Qubes manager after a fresh 3.1rc2 install (otherwise restoring my backup >> wouldn't have worked: "could not find referenced firewallvm" ...). > > Enable option "ignore missing" during backup restoration. This will use > default VMs in place of missing ones (default netvm, default template > etc). > >> Maybe the >> sys-firewall name is hardcoded somewhere? I guess I'll test renaming it back >> again soon... > > It shouldn't matter. > >
My guess was not that the issue was with the name but rather that my restored netvm had some configuration (or similar) issue preventing the resolving from working in some situations. I have no idea if that makes sense or not, it was just a hypothesis of mine. But the fact for me is that since I switched to use the stock sys-net VM I haven't had the problem a single time yet. Cheers, Markus -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/584dcbfc-108f-b0d2-e3e3-94e5534e670a%40xn--kils-soa.se. For more options, visit https://groups.google.com/d/optout.
