On Wed, Mar 08, 2017 at 11:55:17PM +0100, 'Antoine' via qubes-users wrote:
> On Tue, Mar 07, 2017 at 09:08:07PM +0000, Unman wrote:
> > On Tue, Mar 07, 2017 at 09:56:23PM +0100, 'Antoine' via qubes-users wrote:
> > > On Mon, Mar 06, 2017 at 04:31:31PM -0800, Andrew David Wong wrote:
> > > > >> Filed a bug report:
> > > > >> 
> > > > >> https://github.com/QubesOS/qubes-issues/issues/2674
> > > I have the same problem with Fedora 23, Debian 8 and Debian 9:
> > > 
> > > = Fedora 23 =
> > > [user@work ~]$ grep PRETTY /etc/os-release 
> > > PRETTY_NAME="Fedora 23 (Workstation Edition)"
> > > [user@work ~]$ cat /etc/resolv.conf 
> > > nameserver 10.137.2.1
> > > nameserver 10.137.2.254
> > > [user@work ~]$ dig +short gov.uk @10.137.2.1
> > > 23.235.33.144
> > > 23.235.37.144
> > > [user@work ~]$ dig +short gov.uk @10.137.2.254
> > > ;; connection timed out; no servers could be reached
> > > 
> > > = Debian 8 =
> > > user@cloud:~$ grep PRETTY /etc/os-release 
> > > PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
> > > user@cloud:~$ cat /etc/resolv.conf 
> > > nameserver 10.137.2.1
> > > nameserver 10.137.2.254
> > > user@cloud:~$ dig +short gov.uk @10.137.2.1
> > > 23.235.33.144
> > > 23.235.37.144
> > > user@cloud:~$ dig +short gov.uk @10.137.2.254
> > > ;; connection timed out; no servers could be reached
> > > 
> > > = Debian 9 =
> > > user@Email:~$ grep PRETTY /etc/os-release 
> > > PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
> > > user@Email:~$ cat /etc/resolv.conf 
> > > nameserver 10.137.2.1
> > > nameserver 10.137.2.254
> > > user@Email:~$ dig +short gov.uk @10.137.2.1
> > > 23.235.33.144
> > > 23.235.37.144
> > > user@Email:~$ dig +short gov.uk @10.137.2.254
> > > ;; connection timed out; no servers could be reached
> > > 
> > > Do you have any advice on how to remove 10.137.2.254 from the list of
> > > default name servers?
> > 
> > Probably more relevant would be for you to discover why the first
> > nameserver isn't reachable or isn't responding.
> > With multiple entries they are queried in the order given, so if the
> > first is working correctly the second entry won't be hit.
> > 
> > That's the real problem.
> 
> I have understood why I have this problem.
> 
> On my LAN, the DNS recursive server (unbound) has a blacklist: it
> refuses to answer queries for tracking/ad domains. The problem is that
> when a program receives a "REFUSED" packet from its DNS query, it tries
> to solve the same host on the second DNS server in resolv.conf.
> 
> I can see the pattern clearly using tcpdump: Query -> fast answer
> REFUSED -> Query on the second DNS server -> no answer.
> 
> On the DNS resolver:
> # grep facebook unbound-blacklist.conf 
> local-zone: "facebook.com" refuse
> 
> On any Qubes VM:
> $ host facebook.com 10.137.2.1
> Using domain server:
> Name: 10.137.2.1
> Address: 10.137.2.1#53
> Aliases: 
> 
> Host facebook.com not found: 5(REFUSED)
> $ host facebook.com 10.137.2.254
> [... 10s ...]
> ;; connection timed out; no servers could be reached
> $ host facebook.com
> Host facebook.com not found: 5(REFUSED)
> $ ping facebook.com
> [... 10s ...]
> ping: facebook.com: Temporary failure in name resolution
> 
> I do not understand why this second DNS server is populated in all Qubes
> VMs. Is there a simple way to configure only 1 DNS server?
> 
> Antoine
> 

If you had two servers on your network, or your DHCP server gave out two
addresses, both would be used, I think.
If you want to lose one, you could overwrite it from rc.local or use
bind-dirs on resolv.conf: both methods are covered in the docs.
Look at www.qubes-os.org/doc/config-files
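
The rc.local route mentioned above, as an added example that is not part of the original thread or the Qubes documentation: a shell function that removes one nameserver entry from a resolv.conf-style file. The function name `drop_nameserver` is hypothetical, and calling it as root from `/rw/config/rc.local` is an assumption about the VM's setup.

```shell
#!/bin/sh
# Added example (not from the thread): drop one nameserver from resolv.conf.
# Usage: drop_nameserver ADDRESS [FILE]   (FILE defaults to /etc/resolv.conf)
# Assumed call site, as root: /rw/config/rc.local
#   drop_nameserver 10.137.2.254
drop_nameserver() {
    addr=$1
    file=${2:-/etc/resolv.conf}
    [ -n "$addr" ] && [ -f "$file" ] || return 2

    tmp=$(mktemp) || return 2

    # Compare the address field exactly, so 10.137.2.25 never matches
    # 10.137.2.254. Comments, "search" and "options" lines pass through.
    awk -v a="$addr" '!($1 == "nameserver" && $2 == a)' "$file" > "$tmp"

    # Refuse to install a file that has no resolver left: that would
    # break all name resolution instead of removing one fallback.
    if ! grep -q '^[[:space:]]*nameserver[[:space:]]' "$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Write through the existing file rather than renaming over it, so a
    # symlinked or bind-mounted resolv.conf keeps pointing at the same file.
    cat "$tmp" > "$file" && rm -f "$tmp"
}
```

With a single nameserver left, a REFUSED answer from the blacklist is returned to the application straight away instead of triggering the 10 second timeout on the second entry.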

