Sent from my mobile phone.

> On 11 Mar 2018, at 10:21, Chris Laprise <[email protected]> wrote:
>
>> On 03/10/2018 04:43 PM, Alex Dubois wrote:
>>> On Saturday, 10 March 2018 13:16:37 UTC, Micah Lee wrote:
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>
>>>> On March 8, 2018 11:26 AM, Chris Laprise <[email protected]> wrote:
>>>>
>>>>>>> > [1] https://dnsprivacy.org/wiki/
>>>>>>>> [2] https://www.qubes-os.org/doc/networking/
>>>>
>>>> Micah,
>>>>
>>>> If you have any specific instructions on how to set up the forwarder
>>>> you're using, I'd be happy to try it myself and post a solution for use
>>>> with qubes-firewall.
>>>>
>>>> I found the dnsprivacy wiki to be a bit scattered and not very specific.
>>>> Their video "tutorial" is really a lecture on the concept.
>>>
>>> Thanks, yes I'd love to share instructions. I haven't gotten it working yet
>>> -- I'm traveling right now and haven't spent a lot of time on it, and might
>>> not for the next week or two. But once I figure it out I'd like to write a
>>> blog post or something with instructions. But maybe I should send it to
>>> this list first for people to test and give feedback.
>>
>> For your info, I have a wiki on how to use dns-crypt here:
>> https://github.com/adubois/adubois.github.io/blob/master/_posts/2013-11-19-setup-dnscrypt-unbound.md
>> It is supposed to be exposed via blog.bowabos.com but github changed
>> something and the static site does not get automatically generated at the
>> moment...
>
> Nice. I gave this a try on debian-9, using apt to install dnscrypt-proxy and
> unbound.
>
> One problem is that the howto assumes particular Qubes 10.137.2.x and
> 10.138.2.x nets for unbound.

Yes, I need to rewrite it for Qubes 4. The other blog post on the Atlassian
stack also needs a rewrite, and I now have a better (more secure) network
topology for it. Time is my problem.

> Another problem is that on Qubes 4.0 the vif interfaces plus eth0 all share
> the same IP address. This isn't explained in the Qubes networking or firewall
> docs, so it may be a bug...
>
> To keep unbound.service from failing I changed unbound.conf to this:
>
>> interface: <eth0 address here>
>> access-control: 10.137.0.0/24 allow
>> harden-large-queries: yes
>> private-address: 10.0.0.0/8
>> private-address: 192.168.0.0/16
>> val-permissive-mode: yes
>> do-not-query-localhost: no
>
> ...and for now omitted the '-d' destination part in iptables.
>
> Then if I issue:
>
>> sudo iptables -t nat -F PR-QBS
>> sudo iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to $eth0_address
>> sudo iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to $eth0_address
>
> it appears to work from a downstream appVM. But I haven't checked yet to see
> if it's really using the dnscrypt proxy; even if it is, the config may need to
> be adjusted for better security.
>
> --
> Chris Laprise, [email protected]
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

--
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8ECF3140-FD4B-400C-AB7D-A459F74327AC%40gmail.com.
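The ProxyVM side of the setup Chris describes in the quoted message, as an added example that is not from the thread, from Qubes or from either blog: a small POSIX shell script that renders the unbound.conf and the PR-QBS DNAT rules, and adds a leak check for the open question of whether downstream queries really reach dnscrypt-proxy. Two things in it are assumptions rather than facts from the thread: that dnscrypt-proxy listens on 127.0.2.1:53 (the Debian 9 package default; set DNSCRYPT_ADDR/DNSCRYPT_PORT to match your install), and the Qubes 4.0 virtual resolver addresses 10.139.1.1 and 10.139.1.2 used when the rules are restricted with '-d'.

```shell
#!/bin/sh
# Added example for the unbound + dnscrypt-proxy chain discussed in the thread.
# Not code from the thread or from Qubes.  Renders the unbound.conf and the
# PR-QBS DNAT rules for a Qubes 4.0 ProxyVM and provides a plaintext-DNS leak
# check.  Assumptions not taken from the thread:
#   - dnscrypt-proxy listens on 127.0.2.1:53 (Debian 9 package default);
#   - with a destination list, rules are limited to those addresses (Qubes 4.0
#     hands AppVMs the virtual resolvers 10.139.1.1 and 10.139.1.2); with no
#     list they catch every port-53 packet from vif+, as the thread's rules do.
set -eu

DNSCRYPT_ADDR="${DNSCRYPT_ADDR:-127.0.2.1}"
DNSCRYPT_PORT="${DNSCRYPT_PORT:-53}"

# The eth0 address of this VM (shared with its vif interfaces on Qubes 4.0).
eth0_address() {
    ip -4 -o addr show dev eth0 | awk '{ sub("/.*", "", $4); print $4; exit }'
}

# unbound.conf: listen only on the eth0 address, answer only downstream VMs,
# and hand every query to dnscrypt-proxy.  The server settings mirror the
# thread's; the forward-zone is the part it left implicit.
render_unbound_conf() {
    local addr="$1"
    cat <<EOF
server:
    interface: $addr
    access-control: 10.137.0.0/24 allow
    harden-large-queries: yes
    private-address: 10.0.0.0/8
    private-address: 192.168.0.0/16
    val-permissive-mode: yes
    do-not-query-localhost: no

forward-zone:
    name: "."
    forward-addr: ${DNSCRYPT_ADDR}@${DNSCRYPT_PORT}
EOF
}

# PR-QBS rules that send downstream DNS to unbound on this VM's eth0 address.
# $1 = eth0 address; $2 = optional space-separated list of destination
# addresses to restrict with '-d' (empty = match all port-53 traffic).
render_dnat_rules() {
    local target="$1" dests="${2:-}" proto d
    echo "iptables -t nat -F PR-QBS"
    for proto in udp tcp; do
        if [ -z "$dests" ]; then
            echo "iptables -t nat -A PR-QBS -i vif+ -p $proto --dport 53 -j DNAT --to-destination $target"
        else
            for d in $dests; do
                echo "iptables -t nat -A PR-QBS -i vif+ -d $d -p $proto --dport 53 -j DNAT --to-destination $target"
            done
        fi
    done
}

# Leak check, run as root inside the ProxyVM (needs dig and tcpdump; cannot
# run offline).  Queries unbound the way a downstream VM does while counting
# plaintext port-53 packets on eth0.  The query itself reaches unbound over
# loopback and dnscrypt-proxy talks to its upstream on the resolver's DNSCrypt
# port (usually 443), so a working chain shows zero.  A DNSCrypt resolver that
# itself listens on port 53 is not a leak; a clear-text query to the upstream
# NetVM or an ISP resolver is.  Inspect the log before deciding.
verify_no_plaintext_dns() {
    local addr="$1" log=/tmp/dns-leak.log pid count
    : > "$log"
    tcpdump -nl -i eth0 'udp port 53 or tcp port 53' > "$log" 2>/dev/null &
    pid=$!
    sleep 1                                    # let tcpdump attach
    dig +short @"$addr" example.com > /dev/null || true   # any test name works
    sleep 1
    kill "$pid"
    count=$(grep -c ' IP ' "$log" || true)
    if [ "$count" -eq 0 ]; then
        echo "ok: no plaintext DNS left eth0 during the test query"
    else
        echo "check $log: $count plaintext port-53 packets on eth0"
        return 1
    fi
}

case "${1:-}" in
    conf)   render_unbound_conf "${2:-$(eth0_address)}" ;;
    rules)  render_dnat_rules "${2:-$(eth0_address)}" "${3:-}" ;;
    verify) verify_no_plaintext_dns "${2:-$(eth0_address)}" ;;
    "")     ;;   # no subcommand: only define the functions (sourced or tested)
    *)      echo "usage: $0 conf|rules|verify [eth0-address] [dns-addrs]" >&2; exit 2 ;;
esac
```

Typical use in the ProxyVM is `sh dns-forward.sh conf > /etc/unbound/unbound.conf.d/qubes-dnscrypt.conf` once, and `sh dns-forward.sh rules | sh` from /rw/config/qubes-firewall-user-script, because Qubes regenerates PR-QBS whenever it reapplies its own DNS rules and a one-off `iptables` invocation does not survive that. Two caveats on the copied settings: `val-permissive-mode: yes` makes DNSSEC fail open (unbound still answers when validation fails), which is convenient while debugging the chain but should go once it works, and the catch-all form of the rules (no '-d') is the stricter one for leak prevention, since it also redirects AppVMs that hard-code a public resolver.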
