On Sat, Mar 11, 2017 at 10:05:50PM +0100, 'Antoine' via qubes-users wrote:
> On Thu, Mar 09, 2017 at 12:30:21AM +0000, Unman wrote:
> > > > > > >> https://github.com/QubesOS/qubes-issues/issues/2674
> > > > > I have the same problem with Fedora 23, Debian 8 and Debian 9:
> > > > > 
> > > > > = Fedora 23 =
> > > > > [user@work ~]$ grep PRETTY /etc/os-release 
> > > > > PRETTY_NAME="Fedora 23 (Workstation Edition)"
> > > > > [user@work ~]$ cat /etc/resolv.conf 
> > > > > nameserver 10.137.2.1
> > > > > nameserver 10.137.2.254
> > > > > [user@work ~]$ dig +short gov.uk @10.137.2.1
> > > > > 23.235.33.144
> > > > > 23.235.37.144
> > > > > [user@work ~]$ dig +short gov.uk @10.137.2.254
> > > > > ;; connection timed out; no servers could be reached
> > > I have understood why I have this problem.
> > > 
> > > On my LAN, the DNS recursive server (unbound) has a blacklist: it
> > > refuses to answer queries for tracking/ad domains. The problem is that
> > > when a program receives a "REFUSED" packet from its DNS query, it tries
> > > to solve the same host on the second DNS server in resolv.conf.
> > > 
> > > I can see the pattern clearly using tcpdump: Query -> fast answer
> > > REFUSED -> Query on the second DNS server -> no answer.
> > > 
> > > On the DNS resolver:
> > > # grep facebook unbound-blacklist.conf 
> > > local-zone: "facebook.com" refuse
> > > 
> > > on any Qubes VM:
> > > $ host facebook.com 10.137.2.1
> > > Using domain server:
> > > Name: 10.137.2.1
> > > Address: 10.137.2.1#53
> > > Aliases: 
> > > 
> > > Host facebook.com not found: 5(REFUSED)
> > > $ host facebook.com 10.137.2.254
> > > [... 10s ...]
> > > ;; connection timed out; no servers could be reached
> > > $ host facebook.com
> > > Host facebook.com not found: 5(REFUSED)
> > > $ ping facebook.com
> > > [... 10s ...]
> > > ping: facebook.com: Temporary failure in name resolution
> > > 
> > > I do not understand why this second DNS server is populated in all Qubes
> > > VMs. Is there a simple way to configure only 1 DNS server?
> > > 
> > > Antoine
> > > 
> > 
> > If you had two servers on your network, or your DHCP server gave out two
> > addresses, both would be used, I think.
> 
> The issue is that my DHCP server is only giving 1 DNS server. I do not
> understand why Qubes thinks I have 2.
> 
> Antoine
> 

No, the issue is that the 1 DNS server you use doesn't resolve some
addresses. I assume this is how you like it so I'm not clear really on
what the problem is.

I have suggested to you how you can easily remove the second listing if
that bothers you. (You've cut that from my reply).
Alternatively you could customise sys-net to provide
DNS services from some other servers, or add a second redirect rule to
the one server you have. I don't see why that would be an advantage -
surely your applications would time out in exactly the same way that
they do at present?
And if you added a second server that *doesn't* filter requests, why have
one that *does* as your primary server?
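The fallback pattern Antoine observed (fast REFUSED from the first server, then a timeout on the second) can be reproduced offline with a small model of the stub resolver's retry loop. This is an added example, not code from the thread or from Qubes; the attempts/timeout values are assumed glibc-style defaults (attempts:2, timeout:5), the DNS headers are constructed rather than captured, and `lan_transport` is a hypothetical stand-in for the network.

```python
import struct

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def rcode_of(response: bytes) -> int:
    """RCODE is the low 4 bits of the flags word in the 12-byte DNS header (RFC 1035 4.1.1)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", response[2:4])[0] & 0x0F

# Constructed headers (not captured traffic): id=0x1234, QR=1 RD=1 RA=1, RCODE in the low nibble.
REFUSED_HDR = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)   # rcode 5
NOERROR_HDR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)   # rcode 0, 2 answers

def nameservers(resolv_conf: str) -> list:
    """Collect the 'nameserver' entries of a resolv.conf, preserving order."""
    out = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out

def resolve(name, resolv_conf, transport, attempts=2, timeout=5.0):
    """Model of a stub resolver: for each attempt, try every nameserver in order.
    A REFUSED/SERVFAIL reply or no reply moves on to the next server.
    transport(ns, name) returns response bytes, or None when nothing answers.
    Returns (outcome, elapsed_seconds, trace)."""
    trace, elapsed = [], 0.0
    for _ in range(attempts):
        for ns in nameservers(resolv_conf):
            resp = transport(ns, name)
            if resp is None:                 # unreachable server: full timeout burned
                elapsed += timeout
                trace.append((ns, "timeout"))
                continue
            rc = rcode_of(resp)
            trace.append((ns, RCODE_NAMES.get(rc, str(rc))))
            if rc in (2, 5):                 # SERVFAIL / REFUSED: fall through to next server
                continue
            return RCODE_NAMES.get(rc, str(rc)), elapsed, trace
    return "FAILED", elapsed, trace

# The setup from the thread: primary refuses the blacklisted zone, secondary never answers.
RESOLV_CONF = "nameserver 10.137.2.1\nnameserver 10.137.2.254\n"

def lan_transport(ns, name):
    """Hypothetical network: 10.137.2.1 is unbound with a refuse zone, 10.137.2.254 is silent."""
    if ns == "10.137.2.1":
        return REFUSED_HDR if name.endswith("facebook.com") else NOERROR_HDR
    return None
```

With these defaults `resolve("facebook.com", ...)` fails only after 10 seconds (two attempts, each burning the 5 s timeout on 10.137.2.254), which matches the `[... 10s ...]` delays in the thread, while `gov.uk` answers immediately.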

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/20170311230229.GA25808%40thirdeyesecurity.org.