‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ On Sunday, June 30, 2019 11:20 PM, 'qubeslover' via qubes-users <qubes-users@googlegroups.com> wrote:
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ > On Sunday, June 30, 2019 10:36 PM, Chris Laprise tas...@posteo.net wrote: > > > On 6/30/19 4:10 PM, Chris Laprise wrote: > > > > > > > A shortcut you can take to setting up iptables for DNS is to populate > > > > > /etc/resolv.conf and then run '/usr/lib/qubes/qubes-setup-dnat-to-ns'. > > > > > This should configure the nat/PR-QBS chain with the DNS addresses you > > > > > set. > > > > > > So check that your DoT setup is updating /etc/resolv.conf, then run > > > '/usr/lib/qubes/qubes-setup-dnat-to-ns'. > > Thanks for you suggestion. Apparently, it does not work in sys-net. > > Stubby is up, working and connected to its default DoT providers (as lsof -i > asserts): > > COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME > stubby 534 stubby 3u IPv4 17946 0t0 UDP localhost:domain > stubby 534 stubby 4u IPv4 17947 0t0 TCP localhost:domain (LISTEN) > stubby 534 stubby 5u IPv6 17948 0t0 UDP localhost:domain > stubby 534 stubby 6u IPv6 17949 0t0 TCP localhost:domain (LISTEN) > stubby 534 stubby 7u IPv4 35444 0t0 TCP > sys-net:46006->145.100.185.16:domain-s (ESTABLISHED) > stubby 534 stubby 8u IPv4 35447 0t0 TCP sys-net:45550->getdnsapi.net:domain-s > (ESTABLISHED) > NetworkMa 564 root 17u IPv4 31022 0t0 UDP sys-net:bootpc > systemd-r 647 systemd-resolve 11u IPv4 19350 0t0 UDP *:hostmon > systemd-r 647 systemd-resolve 12u IPv4 19351 0t0 TCP *:hostmon (LISTEN) > systemd-r 647 systemd-resolve 13u IPv6 19353 0t0 UDP *:hostmon > systemd-r 647 systemd-resolve 14u IPv6 19354 0t0 TCP *:hostmon (LISTEN) > systemd-r 647 systemd-resolve 16u IPv4 19358 0t0 UDP 127.0.0.53:domain > systemd-r 647 systemd-resolve 17u IPv4 19359 0t0 TCP 127.0.0.53:domain > (LISTEN) > tinyproxy 1547 tinyproxy 4u IPv4 32068 0t0 TCP *:us-cli (LISTEN) > tinyproxy 1547 tinyproxy 5u IPv6 32069 0t0 TCP *:us-cli (LISTEN) > tinyproxy 1548 tinyproxy 4u IPv4 32068 0t0 TCP *:us-cli (LISTEN) > tinyproxy 1548 tinyproxy 5u IPv6 32069 0t0 TCP *:us-cli (LISTEN) > tinyproxy 1549 tinyproxy 4u IPv4 32068 0t0 TCP *:us-cli (LISTEN) > > Also, nano claims that everything is right in /etc/resolv.conf > > Generated by NetworkManager > > ============================ > > nameserver 127.0.0.1 > nameserver ::1 > > As root, I run /usr/lib/qubes/qubes-setup-dnat-to-ns . Everything looks fine. > > I can ping the outside world but sys-net does not receive any request from my > qubes :-( > > > Additional thought: The sys-net VM may not be the best place to secure > > any data, DNS included. Putting DoT in sys-firewall or similar proxyVM > > (and using qubes-setup-dnat-to-ns there) would be a better choice and > > has a fair chance of working. > > OK, will try tomorrow with sys-firewall and see what happens. > Hello, I tried but without results. 1. dnf install getdns-stubby in fedora-30-firewall (template). 2. servicectl enable stubby in fedora-30-firewall. 3. Shutdown fedora-30-firewall. 4. Restart sys-firewall 4. Sudo nano /etc/resolv.conf and change nameserver in 127.0.0.1 and ::1 5. Run /usr/lib/qubes/qubes-setup-dnat-to-ns as root. I can ping the outside world and sys-firewall can resolve hostnames. However, the qubes behind it can't. For sure, I am messing up somewhere. It is a sin: I would like to have a sys-dns qube running DoT or DoH. Thanks a lot for your attention, interest and help. Again, very much appreciated. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bP-yHOHB2lzMcPmqC9oiymt22tnm2EAechJ9Q9dXylzEGbWhD4Ik8CqGkdOj6iHVggbzCX46wjR1j-u217UC9ZnudW-kmWRn6VtNa1jXptQ%3D%40protonmail.com. For more options, visit https://groups.google.com/d/optout.
