On Sun, Mar 05, 2017 at 09:25:07PM +0100, 'Antoine' via qubes-users wrote: > Hi, > > I have recently installed Qubes OS and I am experiencing some slow time > resolution in my debian VM. I have checked the /etc/resolv.conf file and > it contains the following lines: > > nameserver 10.137.2.1 > nameserver 10.137.2.254 > > Playing with dig I can realise that the first IP is working well while > all DNS queries sent to the second one finish in timeout: > > $ dig +short qubes-os.org @10.137.2.1 > 104.25.152.101 > 104.25.151.101 > $ dig +short qubes-os.org @10.137.2.254 > ;; connection timed out; no servers could be reached > > In sys-firewall, everything seems OK: > > $ iptables -S -t nat > [...] > -A PR-QBS -d 10.137.2.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination > 10.137.1.1 > -A PR-QBS -d 10.137.2.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination > 10.137.1.1 > -A PR-QBS -d 10.137.2.254/32 -p udp -m udp --dport 53 -j DNAT > --to-destination 10.137.1.254 > -A PR-QBS -d 10.137.2.254/32 -p tcp -m tcp --dport 53 -j DNAT > --to-destination 10.137.1.254 > > But I have the feeling something is missing in sys-net: > > $ iptables -S -t nat > [...] > -A PR-QBS -d 10.137.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination > 192.168.1.1 > -A PR-QBS -d 10.137.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination > 192.168.1.1 > [...] > > where 192.168.1.1 is the expected DNS server on my LAN. > > Do you have an idea why this DNAT rule is missing? (I am not sure to > understand why 2 different nameserver are filled in resolv.conf). > > Many thanks for your help, > > Antoine > > --
No idea - report it as a bug -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170305210749.GC16686%40thirdeyesecurity.org. For more options, visit https://groups.google.com/d/optout.