@David

On Thursday, March 8, 2018 at 7:18:04 PM UTC+1, David Hobach wrote:
> On 03/07/2018 06:40 PM, Unman wrote:
> > On Wed, Mar 07, 2018 at 11:58:21AM -0500, Micah Lee wrote:
> >> I'm trying to make all DNS requests in Qubes go over TLS (more information
> >> about this [1]).
> >>
> >> I've got this successfully working in sys-net by running a local DNS
> >> server on udp 53 that forwards DNS requests to a remote DNS server over
> >> TLS, and then setting my only nameserver in /etc/resolv.conf to 127.0.0.1.
> >> I've confirmed that this works great in sys-net -- all of my DNS requests
> >> are encrypted to my remote DNS server, and none are plaintext.
> >>
> >> The problem is when I do this, DNS in other downstream VMs all fail. The
> >> Qubes networking docs [2] explain how DNS works in Qubes, but I'm confused
> >> about how to make this setup work. Any ideas? Thanks!
> >>
> >> [1] https://dnsprivacy.org/wiki/
> >> [2] https://www.qubes-os.org/doc/networking/
> >>
> >
> > In sys-net you have the PR-QBS chain in the nat table that redirects DNS
> > requests to the network DNS server.
> >
> > You'll need to remove that chain and replace it with one directing DNS
> > traffic to the local server.
> > You'll also need to open the udp port to inbound traffic.
>
> If you do that, you'll lose any qubes firewall-based control on DNS
> traffic though. I.e. all of your downstream VMs will have DNS access.
>
> Essentially you'll have to implement your own local version of the qubes
> firewall to achieve qubes-firewall support. I happened to have done that
> some time ago, but the code quality is not good enough to share it
> (sorry). nft usage in 4.0 further complicates it from my point of view.
> You could try to move the forward chain rules to the input chain on
> every firewall change...
>
> Maybe qubes will support it one day; here's the feature request:
> https://github.com/QubesOS/qubes-issues/issues/3051
> I'm not sure why it got tagged as doc though - maybe I didn't see the
> obvious solution.
We're currently trying to start a Qubes Community doc guide collection, which is meant to be run entirely by volunteers on a day-to-day basis in order to save the Qubes staff time. Nothing official yet though, but one of the ideas being worked on is to let you open up your script so others can help you finish and review it. Basically, if this comes to fruition, it allows you to publish unfinished scripts, either to work with others and finish them together, or to let others take over if you don't want to continue. Kinda something like that; of course credit should be given, as always. If this comes to fruition, maybe you can start a collaboration to have people with the right background review it and quality-check it?
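The sys-net change Unman describes in the quoted reply (replace the PR-QBS DNAT target with the local forwarder and open the port inbound), as an added shell example; this is not code from the thread, from Micah's setup, or from Qubes itself. It assumes a Qubes 4.0 sys-net where PR-QBS is an iptables chain in the nat table, a DNS-over-TLS forwarder already listening on 127.0.0.1:53 for both udp and tcp (Micah's describes udp only), and downstream qubes attached through vif+ interfaces. Two details the thread does not spell out: the kernel refuses to DNAT forwarded packets to a loopback address unless net.ipv4.conf.all.route_localnet is enabled, and tcp 53 must be opened alongside udp or large and truncated answers will still fail. By default the script only prints the rules (dry run); pass `apply` to run them as root.

```shell
#!/bin/sh
# Added example (not Qubes code): point downstream DNS at a local
# DNS-over-TLS forwarder in sys-net. Assumed values, override via env:
LOCAL_DNS="${LOCAL_DNS:-127.0.0.1}"   # assumption: forwarder bound to loopback
DNS_PORT="${DNS_PORT:-53}"            # assumption: standard DNS port
DOWNSTREAM_IF="${DOWNSTREAM_IF:-vif+}" # assumption: Qubes vif interfaces

# Emit one command per line so the rule set can be reviewed before it is applied.
dns_redirect_rules() {
    # DNAT to a loopback destination is dropped for forwarded traffic unless
    # route_localnet is on; without this, downstream queries silently vanish.
    echo "sysctl -w net.ipv4.conf.all.route_localnet=1"
    # Qubes' PR-QBS chain DNATs DNS to the upstream nameserver; empty it and
    # re-point it at the local forwarder (PREROUTING already jumps to PR-QBS).
    echo "iptables -t nat -F PR-QBS"
    for proto in udp tcp; do
        echo "iptables -t nat -A PR-QBS -i $DOWNSTREAM_IF -p $proto --dport $DNS_PORT -j DNAT --to-destination $LOCAL_DNS:$DNS_PORT"
    done
    # The redirected packets now terminate in sys-net, so they traverse INPUT,
    # which Qubes keeps closed for vif+ by default; accept exactly this flow.
    for proto in udp tcp; do
        echo "iptables -I INPUT -i $DOWNSTREAM_IF -p $proto -d $LOCAL_DNS --dport $DNS_PORT -j ACCEPT"
    done
}

# Number of commands the plan contains (useful for a sanity check in scripts).
count_rules() {
    dns_redirect_rules | wc -l | tr -d ' '
}

# Execute the plan; stop at the first failing command and report it.
apply_dns_redirect() {
    dns_redirect_rules | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || { echo "failed: $cmd" >&2; exit 1; }
    done
}

case "${1:-}" in
    apply) apply_dns_redirect ;;
    *)     dns_redirect_rules ;;   # dry run: print the rules only
esac
```

Qubes regenerates PR-QBS whenever the nameservers in sys-net change, so the rules must be re-applied after that happens and at boot (for example from /rw/config/rc.local, which Qubes runs in every qube). As David notes in the quoted reply, once DNS is terminated in sys-net this way, every downstream qube can reach the forwarder regardless of its Qubes firewall DNS setting.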