On 7/1/19 3:40 PM, 'qubeslover' via qubes-users wrote:
> Hello,
> I tried but without results.
> 1. dnf install getdns-stubby in fedora-30-firewall (template).
> 2. servicectl enable stubby in fedora-30-firewall.
> 3. Shutdown fedora-30-firewall.
> 4. Restart sys-firewall.
> 5. sudo nano /etc/resolv.conf and change nameserver to 127.0.0.1 and ::1.
> 6. Run /usr/lib/qubes/qubes-setup-dnat-to-ns as root.
> I can ping the outside world and sys-firewall can resolve hostnames. However,
> the qubes behind it can't.

Hmmm. I hate to keep tossing suggestions at you without having tried DoT
myself (though I hope to make time for it in the next couple weeks).
But... if 127.0.0.1/localhost is the dnat target, then the INPUT chain
comes into the picture. By default, Qubes configures INPUT to reject any
new requests (packets that don't satisfy 'related' or 'established'
conditions). As a quick workaround, you could try allowing DNS packets
in sys-firewall:

    iptables -I INPUT -p udp --dport 53 -j ACCEPT
    iptables -I INPUT -p tcp --dport 53 -j ACCEPT

> For sure, I am messing up somewhere. It is a sin: I would like to have a
> sys-dns qube running DoT or DoH.
> Thanks a lot for your attention, interest and help. Again, very much
> appreciated.

--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
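
Added example, not part of the original thread: a simplified first-match walk over `iptables -S INPUT` text, showing why a new DNS packet DNAT'ed to 127.0.0.1 is rejected by default and what the workaround rule changes. The rule listing is a constructed sample, and the interface names (vif+ and vif3.0 for downstream qubes, eth0 for the uplink) and the vif-scoped rule variant are assumptions.

```sh
#!/bin/sh
# First-match walk over `iptables -S INPUT` text for a NEW packet (simplified:
# understands only -i, -p, --dport, --ctstate and ACCEPT/DROP/REJECT targets).
input_verdict() {  # usage: input_verdict IFACE PROTO DPORT < rules
    iface=$1 proto=$2 dport=$3 policy=UNKNOWN
    while read -r line; do
        set -f; set -- $line; set +f
        case $1 in
            -P) policy=$3; continue ;;
            -A) shift 2 ;;
            *)  continue ;;
        esac
        match=1 target=
        while [ $# -gt 0 ]; do
            case $1 in
                -i) case $2 in
                        *+) case $iface in "${2%+}"*) ;; *) match=0 ;; esac ;;
                        *)  [ "$2" = "$iface" ] || match=0 ;;
                    esac; shift ;;
                -p)        [ "$2" = "$proto" ] || match=0; shift ;;
                --dport)   [ "$2" = "$dport" ] || match=0; shift ;;
                --ctstate) case ",$2," in *,NEW,*) ;; *) match=0 ;; esac; shift ;;
                -j)        target=$2; shift ;;
            esac
            shift
        done
        if [ "$match" = 1 ]; then
            case $target in ACCEPT|DROP|REJECT) echo "$target"; return 0 ;; esac
        fi
    done
    echo "$policy"
}

# Constructed sample modelled on the default described above (not captured output).
DEFAULT_INPUT='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i vif+ -j REJECT --reject-with icmp-host-prohibited
-A INPUT -j DROP'
ANY_IF='-A INPUT -p udp -m udp --dport 53 -j ACCEPT'          # rule from the message
SCOPED='-A INPUT -i vif+ -p udp -m udp --dport 53 -j ACCEPT'  # assumption: vif+ only

verdict() {  # usage: verdict EXTRA_RULE IFACE ; EXTRA_RULE goes first, like -I
    printf '%s\n%s\n' "$1" "$DEFAULT_INPUT" | input_verdict "$2" udp 53
}
echo "default vif3.0: $(verdict '' vif3.0)"
echo "any-if  eth0:   $(verdict "$ANY_IF" eth0)"
echo "scoped  eth0:   $(verdict "$SCOPED" eth0)"
```

The rule without `-i` also accepts port 53 arriving on the uplink interface; the vif-scoped variant accepts it only from downstream qubes.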