On 03/05/2018 11:04 AM, vel...@tutamail.com wrote:
Again I have been using the Tasket VPN setup with Fedora 26 for a few weeks and 
it works well...love the kill switch element!

I was hoping to beef up the security (maybe compromise the privacy) of the VPN 
service by adding OpenDNS or Quad9 DNS addresses to this configuration.

My questions I was hoping to get some thoughts on were:

1) I was presented with a Phishing site the other day...understand I am being 
targeted so I am not surprised. Is OpenDNS, Quad9 better than others? Are there 
others that would provide just as good filtering?

Does this mean PIA's DNS converted a good domain name into a phishing IP address? Or was the phishing site arrived at by some other means (email, typo)?

My inclination is to view the VPN provider's nameservers as the safer option, but not if it's serving wrong IPs.

Not sure what OpenDNS users would say on the subject...



2) Tasket I found some documentation in the Qubes-vpn-support-master (README.md 
file) and references the ability to change your DNS address:

You can manually set your VPN's DNS addresses with:
```
export vpn_dns="<dns addresses>"
sudo /rw/config/vpn/qubes-vpn-ns up
```

How would I specifically change this? Is this a command? Would this be the 
specific command I would enter into my VPN VM if I was using OpenDNS:

```
export vpn_dns="208.67.222.222 208.67.220.220"
sudo /rw/config/vpn/qubes-vpn-ns up
```


I am asking here in the spirit of maybe providing some help to people trying to 
do the same thing...

Those shell commands could be used manually for testing purposes, for example. But the placement and phrasing is confusing so I'll change it.

For your purposes -- forcing particular DNS addresses despite the numbers that the VPN provider sends over DHCP -- the setenv example in the qubes-vpn-ns script comments is better. So if you want to use DNS 8.8.8.8 you can put this in your openvpn config file:

   setenv vpn_dns '8.8.8.8'

Then whenever openvpn calls qubes-vpn-ns script it will see the vpn_dns variable is already set and will use that instead.

-

And since DNS is now the subject.....

Both the VPN doc and Qubes-vpn-support 1.3 force all DNS requests to go through the tunnel (or else blocked). However, this does not mean an appVM will always send requests to the DNS server you want; it could conceivably try to use some other DNS server for nefarious purposes (although the threat model for this is weak).

TheirryIT was looking for a way to make sure the proper DNS servers were addressed for all DNS requests, so in 1.4beta2 I changed the dnat rules to convert all addresses for DNS request packets to the proper servers.

So my advice is to use the 1.4beta2 from the 'qubes4' branch (not currently 'master') if you aren't already. Only caveat is that, although it's intended to still be compatible with Qubes 3.2, I haven't tested it yet on 3.2.

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
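
The DNAT redirection described in the reply above, sketched as an added example (not code from Qubes-vpn-support or from either poster). It validates a `vpn_dns` value before it reaches a root-run script and prints, without applying, rules that rewrite every port-53 packet from downstream VMs. The function names are hypothetical, the Qubes `PR-QBS` nat chain and `vif+` interfaces are assumed, and only the first address is used as the target.

```shell
#!/bin/sh
# Added example: dry-run generator. It prints iptables commands for review
# and never executes them.

# Return 0 only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    ipv4_old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into positional parameters
    IFS=$ipv4_old_ifs
    [ $# -eq 4 ] || return 1
    for ipv4_octet in "$@"; do
        [ ${#ipv4_octet} -le 3 ] && [ "$ipv4_octet" -le 255 ] || return 1
    done
}

# $1: space-separated server list, the same form as vpn_dns.
# Prints rules that send all DNS traffic from downstream VMs to the first
# server, whatever resolver address the VM put in the packet.
dns_dnat_rules() {
    case $1 in
        *[!0-9.' ']*)
            echo "vpn_dns may contain only digits, dots and spaces" >&2
            return 1 ;;
    esac
    dnat_first=
    for dnat_addr in $1; do
        is_ipv4 "$dnat_addr" || {
            echo "rejecting invalid DNS address: $dnat_addr" >&2
            return 1
        }
        [ -n "$dnat_first" ] || dnat_first=$dnat_addr
    done
    [ -n "$dnat_first" ] || { echo "vpn_dns is empty" >&2; return 1; }

    # Assumption: PR-QBS is the nat chain Qubes uses for DNS redirection.
    echo "iptables -t nat -F PR-QBS"
    for dnat_proto in udp tcp; do
        echo "iptables -t nat -A PR-QBS -i vif+ -p $dnat_proto --dport 53 -j DNAT --to $dnat_first"
    done
}

# Constructed sample input: the OpenDNS addresses quoted in the thread.
dns_dnat_rules "208.67.222.222 208.67.220.220"
```

A rule with no destination match catches every DNS packet, so a second rule for the other address would never be reached; that is why only the first server appears in the output.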
