On 03/11/2018 10:03 AM, David Hobach wrote:
On 03/11/2018 11:21 AM, Chris Laprise wrote:
...and for now omitted the '-d' destination part in iptables.
Then if I issue:
sudo iptables -t nat -F PR-QBS
sudo iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT
sudo iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT
it appears to work from a downstream appVM. But I haven't checked yet
to see if it's really using the dnscrypt proxy; even if it is, the
config may need to be adjusted for better security.
I just tested that one (my implementation was also doing pretty much
exactly that + a local INPUT chain firewall so it was a 5 min test
removing the INPUT firewall):
Since you'll need something like
-I INPUT -p udp -m udp --dport 53 -j ACCEPT
-I INPUT -p tcp -m tcp --dport 53 -j ACCEPT
I used this, which is Alex's example without '-d':
iptables -I INPUT 3 -j ACCEPT -p udp --sport 1024:65535 --dport 53 -m conntrack --ctstate NEW
it makes DNS accessible for all downstream VMs regardless of the
qubes-firewall settings, i.e. apparently the nft FORWARD rules are not
applied for DNAT to localhost.
That's probably why I had opened that github issue & implemented a local
firewall back then...
You can verify my findings by using the dom0 qvm-firewall command line
to revoke DNS access for a downstream VM & then use e.g. dig in that VM.
The qubes-vm-settings GUI won't work as in 4.0 DNS & ICMP is always
So yes, if one is aware of that issue, one can certainly use it the way
you described. If you rely on the qubes-firewall to work as expected,
you shouldn't use it.
Thanks for the specific caveat.
Qubes 3.2 firewall had a dns incompatibility when you configured a
tunnel such as openvpn. I was able to fix that problem (pretty
seamlessly) with sed :) .
Chris Laprise, tas...@posteo.net
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
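The caveat in this thread (DNAT of port 53 to a local proxy means the traffic is consumed in INPUT, so the per-VM FORWARD filtering that qubes-firewall installs never sees it) can be checked mechanically against an `iptables-save` dump. The following audit script is an added example, not code from the thread, from Qubes or from dnscrypt-proxy. It assumes the chain and interface names used above (`nat`/`PR-QBS`, `vif+`, `INPUT`), treats a `--to-destination` on 127.x as "local", and the sample ruleset embedded in it is constructed with placeholder addresses.

```python
"""Audit an iptables-save dump for DNS DNAT rules that bypass FORWARD-chain policy.

Added example (not from the thread). Findings it raises:
  no-dest-match          DNAT rule for port 53 has no '-d' match, so every
                         destination a client picks is redirected.
  dnat-to-local          DNAT target is a local address, so the packet is
                         handled by INPUT and FORWARD rules never apply.
  no-input-accept        DNAT goes local but INPUT has no ACCEPT for port 53.
  input-accept-unscoped  INPUT ACCEPT for port 53 has no '-s' source match, so
                         per-VM DNS policy is not enforced anywhere.
"""
import shlex

# Constructed sample resembling the ruleset after the commands quoted in the
# thread. Addresses are placeholders, not real values from any system.
SAMPLE_RULES = """\
*nat
:PR-QBS - [0:0]
-A PREROUTING -j PR-QBS
-A PR-QBS -i vif+ -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1:53
-A PR-QBS -i vif+ -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1:53
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -i vif+ -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i vif+ -p tcp -m tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

LOCAL_PREFIXES = ("127.", "::1")


def parse_rules(text):
    """Turn iptables-save text into dicts of {table, chain, raw, <option>: value}."""
    table, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *nat
            table = line[1:]
        elif line.startswith("-A "):        # append-rule line
            toks = shlex.split(line)
            rule = {"table": table, "chain": toks[1], "raw": line}
            i = 2
            while i < len(toks):
                tok = toks[i]
                # option with a value (-i vif+, --dport 53); bare flags get True
                if tok.startswith("-") and i + 1 < len(toks) and not toks[i + 1].startswith("-"):
                    rule[tok] = toks[i + 1]
                    i += 2
                else:
                    rule[tok] = True
                    i += 1
            rules.append(rule)
    return rules


def is_dns_rule(rule):
    return rule.get("--dport") == "53"


def audit(text):
    """Return a list of (finding, chain, raw_rule) tuples for the dump in `text`."""
    rules = parse_rules(text)
    findings = []
    dnat_dns = [r for r in rules
                if r["table"] == "nat" and r.get("-j") == "DNAT" and is_dns_rule(r)]
    for r in dnat_dns:
        if "-d" not in r:
            findings.append(("no-dest-match", r["chain"], r["raw"]))
        if str(r.get("--to-destination", "")).startswith(LOCAL_PREFIXES):
            findings.append(("dnat-to-local", r["chain"], r["raw"]))

    if any(f[0] == "dnat-to-local" for f in findings):
        # Traffic redirected to a local socket is filtered by INPUT, not FORWARD,
        # so any per-client DNS policy has to live in INPUT as '-s' scoped rules.
        input_dns = [r for r in rules
                     if r["table"] == "filter" and r["chain"] == "INPUT"
                     and r.get("-j") == "ACCEPT" and is_dns_rule(r)]
        if not input_dns:
            findings.append(("no-input-accept", "INPUT", ""))
        for r in input_dns:
            if "-s" not in r:
                findings.append(("input-accept-unscoped", "INPUT", r["raw"]))
    return findings


if __name__ == "__main__":
    for kind, chain, raw in audit(SAMPLE_RULES):
        print(f"{kind:24} {chain:8} {raw}")
```

Run it as `sudo iptables-save | python3 audit_dns_dnat.py` after replacing `SAMPLE_RULES` with `sys.stdin.read()`; on the constructed sample it reports both DNAT rules as unscoped and local, and both INPUT accepts as lacking a per-source match, which is exactly the situation described in the thread.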