On 6/30/19 9:17 AM, 'qubeslover' via qubes-users wrote:
Dear qubes users,
I wish you a good Sunday.

I'd like to use DoT on my qubes laptop. However, I am not sure how to do it. I 
have followed a couple of pretty straightforward tutorials 
(https://www.techrepublic.com/article/how-to-use-dns-over-tls-on-ubuntu-linux/ 
and 
https://techrevelations.de/2019/01/11/encrypted-dns-and-how-to-use-it-in-linux/), 
installed stubby and configured NetworkManager - /etc/resolv.conf properly in 
sys-net.

Stubby connects to its default DoT servers and I can ping google from sys-net. 
However, I can't resolve addresses from other qubes (like sys-firewall etc). 
Has somebody managed to use DoT in Qubes? Which documents should I read in 
order to understand how networking, routing and name resolution work in QubesOS 
so that I can use DoT?

Hi,

The vpn doc (step 3) has a good example of setting up DNS for a VPN "proxy VM": The iptables nat/PR-QBS chain must be populated with DNAT rules for your DNS IPs.

(A proxy VM is just like sys-firewall: It's an appVM created with the 'provides network' option set and acts like a router.)

https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts

A version of this with more automatic setup is here:

https://github.com/tasket/Qubes-vpn-support

A shortcut you can take to setting up iptables for DNS is to populate /etc/resolv.conf and then run '/usr/lib/qubes/qubes-setup-dnat-to-ns'. This should configure the nat/PR-QBS chain with the DNS addresses you set.

A final note: There doesn't seem to be much demand for DoT over a VPN, I think because VPN providers usually have their own DNS servers which are protected by the VPN protocol. Something like DoT becomes useful only when your link is generally insecure or you need to use a third-party DNS for some other reason (i.e. you set up your own VPN server but not a DNS server to go with it).

--

Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB  4AB3 1DC4 D106 F07F 1886
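
The nat/PR-QBS population described in the reply above, as an added dry-run example that is not part of the original message and is not the Qubes `qubes-setup-dnat-to-ns` script: it prints the iptables commands for the nameservers in a resolv.conf-style file so they can be reviewed before anything is applied. The rule shape (`-i vif+`, port 53 over udp and tcp) is an assumption modelled on the VPN doc's pattern, the function names are hypothetical, and the sample address is constructed.

```shell
#!/bin/sh
# Added example: print (never apply) nat/PR-QBS DNAT rules for the IPv4
# nameservers in a resolv.conf-style file. Function names are hypothetical.

# is_ipv4 ADDR: succeed only for a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# pr_qbs_rules [FILE]: emit the flush plus one udp and one tcp rule per server.
pr_qbs_rules() {
    resolv=${1:-/etc/resolv.conf}
    [ -r "$resolv" ] || { echo "cannot read $resolv" >&2; return 1; }
    rules=$(
        # "|| [ -n "$key" ]" keeps a final line that lacks a newline.
        while read -r key addr rest || [ -n "$key" ]; do
            [ "$key" = nameserver ] || continue
            is_ipv4 "$addr" || { echo "skipping '$addr'" >&2; continue; }
            for proto in udp tcp; do
                echo "iptables -t nat -A PR-QBS -i vif+ -p $proto" \
                     "--dport 53 -j DNAT --to-destination $addr"
            done
        done < "$resolv"
    )
    # Never emit the flush when nothing would replace the old rules.
    [ -n "$rules" ] || { echo "no IPv4 nameserver in $resolv" >&2; return 1; }
    echo "iptables -t nat -F PR-QBS"
    echo "$rules"
}

# Constructed sample input; 192.0.2.53 is a documentation address.
sample=$(mktemp)
printf '%s\n' '# constructed' 'nameserver 192.0.2.53' 'nameserver ::1' > "$sample"
pr_qbs_rules "$sample"
rm -f "$sample"
```

Comparing the printed rules with the output of `iptables -t nat -S PR-QBS` shows whether the chain already matches what resolv.conf asks for.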
