‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Sunday, June 30, 2019 10:36 PM, Chris Laprise <tas...@posteo.net> wrote:

> On 6/30/19 4:10 PM, Chris Laprise wrote:
>
> > > > A shortcut you can take to setting up iptables for DNS is to populate
> > > > /etc/resolv.conf and then run '/usr/lib/qubes/qubes-setup-dnat-to-ns'.
> > > > This should configure the nat/PR-QBS chain with the DNS addresses you
> > > > set.
> >
> > So check that your DoT setup is updating /etc/resolv.conf, then run
> > '/usr/lib/qubes/qubes-setup-dnat-to-ns'.


Thanks for your suggestion. Apparently, it does not work in sys-net.

Stubby is up, working and connected to its default DoT providers (as lsof -i 
asserts):


COMMAND    PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
stubby     534          stubby    3u  IPv4  17946      0t0  UDP localhost:domain
stubby     534          stubby    4u  IPv4  17947      0t0  TCP localhost:domain (LISTEN)
stubby     534          stubby    5u  IPv6  17948      0t0  UDP localhost:domain
stubby     534          stubby    6u  IPv6  17949      0t0  TCP localhost:domain (LISTEN)
stubby     534          stubby    7u  IPv4  35444      0t0  TCP sys-net:46006->145.100.185.16:domain-s (ESTABLISHED)
stubby     534          stubby    8u  IPv4  35447      0t0  TCP sys-net:45550->getdnsapi.net:domain-s (ESTABLISHED)
NetworkMa  564            root   17u  IPv4  31022      0t0  UDP sys-net:bootpc
systemd-r  647 systemd-resolve   11u  IPv4  19350      0t0  UDP *:hostmon
systemd-r  647 systemd-resolve   12u  IPv4  19351      0t0  TCP *:hostmon (LISTEN)
systemd-r  647 systemd-resolve   13u  IPv6  19353      0t0  UDP *:hostmon
systemd-r  647 systemd-resolve   14u  IPv6  19354      0t0  TCP *:hostmon (LISTEN)
systemd-r  647 systemd-resolve   16u  IPv4  19358      0t0  UDP 127.0.0.53:domain
systemd-r  647 systemd-resolve   17u  IPv4  19359      0t0  TCP 127.0.0.53:domain (LISTEN)
tinyproxy 1547       tinyproxy    4u  IPv4  32068      0t0  TCP *:us-cli (LISTEN)
tinyproxy 1547       tinyproxy    5u  IPv6  32069      0t0  TCP *:us-cli (LISTEN)
tinyproxy 1548       tinyproxy    4u  IPv4  32068      0t0  TCP *:us-cli (LISTEN)
tinyproxy 1548       tinyproxy    5u  IPv6  32069      0t0  TCP *:us-cli (LISTEN)
tinyproxy 1549       tinyproxy    4u  IPv4  32068      0t0  TCP *:us-cli (LISTEN)


Also, nano claims that everything is right in /etc/resolv.conf

# Generated by NetworkManager
nameserver 127.0.0.1
nameserver ::1


As root, I run /usr/lib/qubes/qubes-setup-dnat-to-ns. Everything looks fine.

I can ping the outside world but sys-net does not receive any request from my 
qubes :-(

> Additional thought: The sys-net VM may not be the best place to secure
> any data, DNS included. Putting DoT in sys-firewall or similar proxyVM
> (and using qubes-setup-dnat-to-ns there) would be a better choice and
> has a fair chance of working.

OK, will try tomorrow with sys-firewall and see what happens.

>
> There is also a chance that configuring DoT to run in your AppVMs,
> instead, could work and without any special Qubes steps.
>


-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/1Tx8lU2t-zeR8NRc1t3tmQe2GM4aPITcooW2ZdkkeI_Hj2oOTD-3UCGlrtUImviqz8OL0w22jzUbmP2-kbKxNNRcqBqP_nErvMZLnAyZxZg%3D%40protonmail.com.
For more options, visit https://groups.google.com/d/optout.
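A small cross-check for the step discussed above (populate /etc/resolv.conf, run qubes-setup-dnat-to-ns, then look at the nat/PR-QBS chain). This is an added example, not code from the thread or from Qubes; it takes the resolv.conf text and an `iptables -t nat -S PR-QBS` dump as strings so it can be run offline, and the dump below is a constructed sample, with 10.139.1.1 assumed to be the virtual DNS address the qubes send their queries to.

```python
"""Compare /etc/resolv.conf nameservers with the DNAT rules in nat/PR-QBS."""
import re

# "nameserver <addr>" lines, as written by NetworkManager in the thread.
RESOLV_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.MULTILINE)
# One PR-QBS rule per line as printed by `iptables -S`: protocol, port 53, DNAT target.
RULE_RE = re.compile(
    r"^-A PR-QBS .*-p (udp|tcp) .*--dport 53 .*-j DNAT --to-destination (\S+)",
    re.MULTILINE,
)

# Constructed sample: resolv.conf as in the thread, and an IPv4 PR-QBS dump that
# only redirects port-53 traffic for the virtual DNS address to 127.0.0.1.
SAMPLE_RESOLV = "# Generated by NetworkManager\nnameserver 127.0.0.1\nnameserver ::1\n"
SAMPLE_PR_QBS = (
    "-N PR-QBS\n"
    "-A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1\n"
    "-A PR-QBS -d 10.139.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1\n"
)


def nameservers(resolv_conf: str) -> list[str]:
    """Return the nameserver addresses in file order."""
    return RESOLV_RE.findall(resolv_conf)


def dnat_coverage(resolv_conf: str, pr_qbs_dump: str) -> dict[str, set[str]]:
    """Map each nameserver to the protocols (udp/tcp) that PR-QBS DNATs to it.

    An empty set means the address is in resolv.conf but no rule sends port-53
    traffic to it; an IPv6 resolver such as ::1 never matches an IPv4 dump.
    """
    covered = {ns: set() for ns in nameservers(resolv_conf)}
    for proto, target in RULE_RE.findall(pr_qbs_dump):
        if target.count(":") == 1:          # strip an optional "addr:port" suffix
            target = target.split(":")[0]
        if target in covered:
            covered[target].add(proto)
    return covered


def missing(resolv_conf: str, pr_qbs_dump: str) -> dict[str, set[str]]:
    """Nameservers that lack a udp or tcp rule, with the protocols still missing."""
    return {ns: {"udp", "tcp"} - protos
            for ns, protos in dnat_coverage(resolv_conf, pr_qbs_dump).items()
            if protos != {"udp", "tcp"}}


if __name__ == "__main__":
    print(missing(SAMPLE_RESOLV, SAMPLE_PR_QBS))  # {'::1': {'udp', 'tcp'}}
```

On a live system, feed it the real file and the output of `iptables -t nat -S PR-QBS` run as root in the VM where qubes-setup-dnat-to-ns was executed.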