On 03/08/2018 01:16 PM, David Hobach wrote:
> On 03/07/2018 06:40 PM, Unman wrote:
>> On Wed, Mar 07, 2018 at 11:58:21AM -0500, Micah Lee wrote:
>>> I'm trying to make all DNS requests in Qubes go over TLS (more
>>> information about this [1]).
>>> I've got this successfully working in sys-net by running a local DNS
>>> server on udp 53 that forwards DNS requests to a remote DNS server
>>> over TLS, and then setting my only nameserver in /etc/resolv.conf to
>>> 127.0.0.1. I've confirmed that this works great in sys-net -- all of
>>> my DNS requests are encrypted to my remote DNS server, and none are
>>> plaintext.
>>> The problem is, when I do this, DNS in other downstream VMs all fails.
>>> The Qubes networking docs [2] explain how DNS works in Qubes, but I'm
>>> confused about how to make this setup work. Any ideas? Thanks!
>>> [1] https://dnsprivacy.org/wiki/
>>> [2] https://www.qubes-os.org/doc/networking/
>> In sys-net you have a PR-QBS chain in the nat table that redirects DNS
>> requests to the network DNS server.
>> You'll need to remove that chain and replace it with one directing DNS
>> traffic to the local server.
>> You'll also need to open the udp port to inbound traffic.
> If you do that, you'll lose any qubes firewall-based control on DNS
> traffic though. I.e. all of your downstream VMs will have DNS access.
> Essentially you'll have to implement your own local version of the qubes
> firewall to achieve qubes-firewall support. I happened to have done that
> some time ago, but the code quality is not good enough to share it
> (sorry). nft usage in 4.0 further complicates it from my point of view.
> You could try to move the forward chain rules to the input chain on
> every firewall change...
> Maybe qubes will support it one day; here's the feature request:
> https://github.com/QubesOS/qubes-issues/issues/3051
> I'm not sure why it got tagged as doc though - maybe I didn't see the
> obvious solution.
If this is about changing the iptables rules in a proxyVM, then you're
allowed to do so with qubes-firewall-user-script and the new
qubes-firewall.d in /rw/config. Just be mindful of what the default
rules are and Insert/Append as needed.
For example, if you don't want DNS requests to be routed elsewhere you
can flush the PR-QBS chain in the nat table and maybe add another dnat
rule there redirecting to localhost (this would catch all DNS requests,
not just the ones sent to the Qubes internal DNS addresses). Then you
can add an INPUT rule for port 53.
Maybe I'm missing something but this doesn't look hard. As another
possible avenue if the above fails, you could look for a guide to
setting up 'stubby' on a local router; this has the best chance of
working as proxyVMs are much like routers.
--
Chris Laprise, [email protected]
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
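A sketch of the sys-net rules Unman and Chris describe, written as an added example for this thread; it is not code from any of the posters or from Qubes itself. It assumes a local DNS-over-TLS forwarder already listening on 127.0.0.1:53 in sys-net (Micah's setup), the Qubes 4.0 iptables layout with a PR-QBS chain in the nat table and downstream qubes attached on vif* interfaces, and that the file is installed as /rw/config/qubes-firewall-user-script. The IPT/SYSCTL overrides, the route_localnet step and the apply_dns_redirect function name are this example's own choices, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Qubes): a
# /rw/config/qubes-firewall-user-script for sys-net that redirects every
# DNS query from downstream qubes to a local DNS-over-TLS forwarder on
# 127.0.0.1:53. Qubes runs this script once, after its own rules are loaded.

# Hypothetical overrides so the rules can be previewed without root:
#   IPT=echo SYSCTL=echo sh -c '. ./qubes-firewall-user-script; apply_dns_redirect'
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
LOCAL_DNS="${LOCAL_DNS:-127.0.0.1}"   # address the local forwarder listens on

apply_dns_redirect() {
    # Since kernel 3.6, packets DNATed to 127.0.0.0/8 on a non-loopback
    # interface are dropped as martians unless route_localnet is enabled.
    "$SYSCTL" -w net.ipv4.conf.all.route_localnet=1

    # Drop the default Qubes rules that send DNS to the network's resolver.
    "$IPT" -t nat -F PR-QBS

    # Catch all DNS from downstream qubes (vif* interfaces), not only queries
    # to the Qubes-internal DNS addresses, and hand it to the local forwarder.
    for proto in udp tcp; do
        "$IPT" -t nat -A PR-QBS -i 'vif+' -p "$proto" --dport 53 \
            -j DNAT --to-destination "$LOCAL_DNS:53"
    done

    # sys-net's INPUT policy is DROP, so the redirected queries also need an
    # ACCEPT rule; insert it ahead of the existing rules and keep it limited
    # to the downstream interfaces and the forwarder's address.
    for proto in udp tcp; do
        "$IPT" -I INPUT -i 'vif+' -p "$proto" --dport 53 -d "$LOCAL_DNS" -j ACCEPT
    done
}

# Apply only when Qubes runs this file as the firewall user script;
# sourcing it (e.g. for a preview) just defines the function.
case "$0" in
    */qubes-firewall-user-script) apply_dns_redirect ;;
esac
```

Run with IPT=echo and SYSCTL=echo first to see the six commands it would issue. As David points out above, once DNS terminates in sys-net the per-qube firewall no longer sees that traffic as forwarded, so any qube-level restriction on DNS has to be re-created in sys-net's INPUT chain by hand.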