On 03/07/2018 06:40 PM, Unman wrote:
On Wed, Mar 07, 2018 at 11:58:21AM -0500, Micah Lee wrote:
I'm trying to make all DNS requests in Qubes go over TLS (more information 
about this [1]).

I've got this successfully working in sys-net by running a local DNS server on 
udp 53 that forwards DNS requests to a remote DNS server over TLS, and then 
setting my only nameserver in /etc/resolv.conf to 127.0.0.1. I've confirmed 
that this works great in sys-net -- all of my DNS requests are encrypted to my 
remote DNS server, and none are plaintext.

The problem is when I do this, DNS in other downstream VMs all fail. The Qubes 
networking docs [2] explain how DNS works in Qubes, but I'm confused about how 
to make this setup work. Any ideas? Thanks!

[1] https://dnsprivacy.org/wiki/
[2] https://www.qubes-os.org/doc/networking/


In sys-net you have PR-QBS chain in nat table that redirects DNS
requests to the network DNS server.

You'll need to remove that chain and replace it with one directing DNS
traffic to the local server.
You'll also need to open the udp port to inbound traffic.

If you do that, you'll lose any qubes firewall-based control on DNS traffic though. I.e. all of your downstream VMs will have DNS access.

Essentially you'll have to implement your own local version of the qubes firewall to achieve qubes-firewall support. I happened to have done that some time ago, but the code quality is not good enough to share it (sorry). nft usage in 4.0 further complicates it from my point of view. You could try to move the forward chain rules to the input chain on every firewall change...

Maybe qubes will support it one day; here's the feature request: https://github.com/QubesOS/qubes-issues/issues/3051 . I'm not sure why it got tagged as doc though - maybe I didn't see the obvious solution.
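The PR-QBS rewrite described above, as an added example (not code from either poster or from Qubes itself): it replaces the nat-table DNAT rules in sys-net so that downstream VMs' DNS queries are sent to the local DNS-over-TLS forwarder on 127.0.0.1:53, and opens that port on the vif interfaces. Assumptions: Qubes 4.0 hands AppVMs the virtual DNS addresses 10.139.1.1 and 10.139.1.2 (check /etc/resolv.conf in an AppVM), the forwarder listens on 127.0.0.1:53, and the chain and function names used here are the author's own choice.

```sh
#!/bin/sh
# Added example: redirect downstream DNS in sys-net to a local DoT forwarder.
# Assumed Qubes virtual DNS addresses (verify in an AppVM's /etc/resolv.conf).
QUBES_DNS="10.139.1.1 10.139.1.2"
# Where the local DNS-over-TLS forwarder listens (from the original post).
LOCAL_DNS=127.0.0.1

# Emit the iptables commands without running them, so the rule set can be
# reviewed (or tested) before apply_rules executes it as root.
build_rules() {
    # DNAT to 127.0.0.1 from a non-loopback interface is dropped as
    # "martian" unless route_localnet is enabled on the kernel.
    echo "sysctl -w net.ipv4.conf.all.route_localnet=1"
    # Drop the stock rules that point at the upstream network resolver.
    echo "iptables -t nat -F PR-QBS"
    for ip in $QUBES_DNS; do
        for proto in udp tcp; do
            echo "iptables -t nat -A PR-QBS -d $ip -p $proto --dport 53 -j DNAT --to-destination $LOCAL_DNS:53"
        done
    done
    # The INPUT chain must accept the redirected queries arriving on vif+.
    for proto in udp tcp; do
        echo "iptables -I INPUT -i vif+ -d $LOCAL_DNS -p $proto --dport 53 -j ACCEPT"
    done
}

# Execute the generated rules; run as root inside sys-net.
apply_rules() {
    build_rules | while read -r cmd; do
        eval "$cmd"
    done
}
```

Qubes re-creates PR-QBS whenever the uplink's resolvers change (the assumed helper is /usr/lib/qubes/qubes-setup-dnat-to-ns, run from the NetworkManager dispatcher), so apply_rules has to be re-run from the same hook or the upstream DNAT comes back; as the reply notes, the Qubes firewall's per-VM DNS control is lost either way until the firewall rules are reproduced locally.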
