On 03/13/2018 07:14 AM, Alex Dubois wrote:
On 12 Mar 2018, at 18:40, David Hobach <trip...@hackingthe.net> wrote:On 03/11/2018 03:15 PM, David Hobach wrote: An alternative might be to setup the local DNS service in a VM closer to the Internet, i.e. not in the proxy VM which also implements the qubes firewall. Something like Internet <-- sys-net <-- sys-firewall <-- DNS server VM <-- proxy VM with qubes-fw <-- client VM I didn't test that though.I just tested that as well now and it works as expected without any of the aforementioned caveats. So I'd recommend the one above over the previously discussed Internet <-- sys-net <-- sys-firewall <-- DNS server VM <-- client VM (at least I was talking about that architecture - maybe the others were talking about something different...). The same holds true for VPN users.This type of architecture is bad practice as the attack surface of DNS is bigger than Qubes firewall, and an attack on this daemon compromise all traffic, not just DNS. A better arch is Internet - netVM - - firewallVM - - - Service (ie DNS or VPN) - - - clientVM1 - - - clientVM2
I believe your essential point was not to use proxy VMs for services at all.My main point was not to mix a Qubes Firewall VM with local services. I think you basically agree with that.
I however also disagree with your point wrt proxy VM usage as there's no attack vector for E2E encrypted traffic on proxy VMs except for DoS which you'll notice. If you're using non-E2E encrypted traffic (except for maybe DNS) you have a different problem altogether and even then I'd trust my proxy VM a lot more than any other hop (your Wifi provider? the 4+ backbone providers you pass?) on the route to the destination.
Moreover it is rather inconvenient to configure each and every client VM to use that service VM which can also lead to unexpected misconfigurations & leakages.
-- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to email@example.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/e117d09a-974c-904d-2532-b890b2c77008%40hackingthe.net. For more options, visit https://groups.google.com/d/optout.
Description: S/MIME Cryptographic Signature