Dear tasket,
Today it is so hot here that I feel like I am drunk. I typed the wrong title. The 
topic actually was

"Dns-over-TLS in *sys-net*. Is it possible? How?"

Obviously, as you correctly (and politely) pointed out, it doesn't make sense 
at all to run DoT over VPN. Actually, I want to run DoT in sys-net since my 
link is insecure.

Apologies for the mistake. Suggestions are still appreciated.

Off-topic P.S.: I use and love your scripts and extensions for Qubes. You made 
my life much easier. I look forward to testing sparsebak once encryption is 
deployed in it.




‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, June 30, 2019 7:12 PM, Chris Laprise <tas...@posteo.net> wrote:

> On 6/30/19 9:17 AM, 'qubeslover' via qubes-users wrote:
>
> > Dear qubes users,
> > I wish you a good Sunday.
> > I'd like to use DoT on my qubes laptop. However, I am not sure how to do it. I 
> > have followed a couple of pretty straightforward tutorials 
> > (https://www.techrepublic.com/article/how-to-use-dns-over-tls-on-ubuntu-linux/
> >  and 
> > https://techrevelations.de/2019/01/11/encrypted-dns-and-how-to-use-it-in-linux/),
> >  installed stubby and configured NetworkManager - /etc/resolv.conf properly 
> > in sys-net.
> > Stubby connects to its default DoT servers and I can ping google from 
> > sys-net. However, I can't resolve addresses from other qubes (like 
> > sys-firewall etc). Has somebody managed to use DoT in Qubes? Which 
> > documents should I read in order to understand how networking, routing and 
> > name resolution work in QubesOS so that I can use DoT?
>
> Hi,
>
> The vpn doc (step 3) has a good example of setting up DNS for a VPN
> "proxy VM": The iptables nat/PR-QBS chain must be populated with dnat
> rules for your DNS ips.
>
> (A proxy VM is just like sys-firewall: It's an appVM created with the
> 'provides network' option set and acts like a router.)
>
> https://www.qubes-os.org/doc/vpn/#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts
>
> A version of this with more automatic setup is here:
>
> https://github.com/tasket/Qubes-vpn-support
>
> A shortcut you can take to setting up iptables for DNS is to populate
> /etc/resolv.conf and then run '/usr/lib/qubes/qubes-setup-dnat-to-ns'.
> This should configure the nat/PR-QBS chain with the DNS addresses you set.
>
> A final note: There doesn't seem to be much demand for DoT over a VPN, I
> think because VPN providers usually have their own DNS servers which are
> protected by the VPN protocol. Something like DoT becomes useful only
> when your link is generally insecure or you need to use a third-party
> DNS for some other reason (i.e. you set up your own VPN server but not a
> DNS server to go with it).
>
> --
>
> Chris Laprise, tas...@posteo.net
> https://github.com/tasket
> https://twitter.com/ttaskett
> PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
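
The DNAT mapping described in the quoted reply, as an added example that is not part of the original thread and is not the code of qubes-setup-dnat-to-ns: it prints, without applying, the nat/PR-QBS rules for the resolvers in a resolv.conf-style file and flags loopback resolvers such as a local stub resolver on 127.0.0.1. The virtual DNS addresses 10.139.1.1 and 10.139.1.2 and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not the Qubes script itself): print, without applying, the
# nat/PR-QBS DNAT rules for the resolvers listed in a resolv.conf-style file.

# Assumption: the default Qubes virtual DNS addresses queried by downstream qubes.
QUBES_VIRT_DNS="10.139.1.1 10.139.1.2"

# Print the IPv4 nameserver entries of the given file, one per line.
resolvers_from() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print $2 }' "$1"
}

# Succeed when the address lies in 127.0.0.0/8.
is_loopback() {
    case "$1" in 127.*) return 0 ;; *) return 1 ;; esac
}

# Print iptables commands mapping each virtual DNS address to a resolver,
# reusing the first resolver when fewer resolvers than virtual addresses exist.
pr_qbs_rules() {
    conf=$1
    set -- $(resolvers_from "$conf")
    if [ $# -eq 0 ]; then
        echo "no IPv4 nameserver found in $conf" >&2
        return 1
    fi
    first=$1
    for r in "$@"; do
        # Forwarded packets DNATed to 127/8 are dropped as martians unless
        # route_localnet is enabled on the receiving interface.
        if is_loopback "$r"; then
            echo "warning: $r is loopback; queries from other qubes will not reach it by default" >&2
        fi
    done
    echo "iptables -t nat -F PR-QBS"
    for vdns in $QUBES_VIRT_DNS; do
        target=${1:-$first}
        if [ $# -gt 0 ]; then shift; fi
        for proto in udp tcp; do
            echo "iptables -t nat -A PR-QBS -d $vdns -p $proto --dport 53 -j DNAT --to-destination $target"
        done
    done
}
```

Call `pr_qbs_rules /etc/resolv.conf` in sys-net, review the printed commands, and run them as root; `iptables -t nat -L PR-QBS -n` then shows the resulting chain.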

