I've installed qubes-mirage-firewall 0.7.1 on my Qubes 4.0.3 installation 
and am having trouble isolating my DNS calls with the standard rules.ml 
file.

My configuration looks like this:

sys-net  (uplink to router using 1.1.1.1 DNS)
   | sys-mirage
      | - pihole  (set to use 8.8.8.8 DNS)
      | - appvm (fedora32)  (set to use 10.139.1.1)

The only changes to rules.ml are these:

...
let dns_port = 53
let dns_provider = Ipaddr.of_string_exn "10.137.0.8"
...
let from_client dns_client (packet : ([`Client of Fw_utils.client_link], _) Packet.t) : Packet.action Lwt.t =
  match packet with
  | { dst = `Firewall; transport_header = `UDP header; _ } ->
    if header.Udp_packet.dst_port = dns_port
    then Lwt.return @@ `NAT_to (`External dns_provider, dns_port)
    else Lwt.return @@ `Drop "packet addressed to client gateway"
...

My intention is for all DNS requests from the AppVM to be forwarded to sys-mirage 
(via `Firewall) and NAT'ted to the Pihole at the IP provided above.

The problem I run into is that I can't seem to *break* the DNS.  For 
example, if the Pihole VM is shut down, I would expect DNS to fail. With 
the NAT_to destination unavailable, all AppVMs behind sys-mirage should stop 
resolving, correct? I have also tried setting dns_provider to an unused IP 
10.137.0.x and it still resolves.

When I make DNS queries from the AppVM, they seemingly bypass the pihole 
despite the `Firewall rule.  I can check dnsleaktest and it reports back 
1.1.1.1 (DNS from my router).  If I manually change /etc/resolv.conf on the 
AppVM to 10.137.0.8, it routes through the pihole and operates perfectly 
(dnsleaktest reports back 8.8.8.8).

I notice that with the Pihole down *and* /etc/resolv.conf modified, DNS 
*does* break, but the question is:  *why isn't ( dst = `Firewall; ... ) 
catching the forwarded **10.139.1.1 and 10.139.1.2** DNS queries from the AppVM 
and NAT_to `External dns_provider?*

Or maybe more directly, what rules are necessary to ensure I catch 100% of 
DNS requests from AppVMs so that I can route them to the pihole?

Best,
hexparrot
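An added example, not taken from the post or from qubes-mirage-firewall itself, of how the from_client arms could be arranged so that every client UDP/53 query is redirected to the Pihole regardless of which resolver address the AppVM used (the gateway, 10.139.1.1/2, or any external resolver), while the Pihole's own upstream queries are exempted so they do not loop back to it. It assumes that 10.139.1.x packets reach from_client classified as `External (consistent with the symptom above: they hit the `NAT arm and leave via sys-net), that `External carries the destination as an Ipaddr.t as the post's own `NAT_to (`External dns_provider, dns_port) implies, and that client_link#other_ip yields the sending client's IPv4 address; check those against your packet.ml and fw_utils.ml.

```ocaml
(* Added example rule arms (not the project's code). Assumptions:
   - `External carries the destination as an Ipaddr.t;
   - 10.139.1.1/2 arrive here as `External, not `Firewall;
   - client_link#other_ip is the sending client's IPv4 address. *)
let dns_port = 53
let pihole_v4 = Ipaddr.V4.of_string_exn "10.137.0.8"  (* address from the post *)
let dns_provider = Ipaddr.V4 pihole_v4

let from_client dns_client (packet : ([`Client of Fw_utils.client_link], _) Packet.t) : Packet.action Lwt.t =
  match packet with
  (* The Pihole's own upstream queries (e.g. to 8.8.8.8:53) must not be
     redirected back to the Pihole, or resolution loops and fails for
     every client. Let them take the normal NAT path to sys-net. *)
  | { src = `Client client_link; dst = `External _; transport_header = `UDP header; _ }
    when Ipaddr.V4.compare client_link#other_ip pihole_v4 = 0
      && header.Udp_packet.dst_port = dns_port ->
    Lwt.return `NAT
  (* Any other client's UDP/53, whether sent to the client gateway
     (`Firewall), to the Qubes resolvers 10.139.1.1/2 or to any other
     external address, is redirected to the Pihole. *)
  | { dst = (`Firewall | `External _); transport_header = `UDP header; _ }
    when header.Udp_packet.dst_port = dns_port ->
    Lwt.return @@ `NAT_to (`External dns_provider, dns_port)
  (* Non-DNS traffic aimed at the firewall itself is still dropped. *)
  | { dst = `Firewall; _ } ->
    Lwt.return @@ `Drop "packet addressed to client gateway"
  (* ... remaining arms of the original from_client (`External/`NetVM -> NAT,
     `Client -> Drop) stay as they were ... *)
```

This only covers UDP port 53; DNS over TCP (port 53) and encrypted resolvers on 443/853 would need their own arms or a drop rule if the goal is really 100% of resolution going through the Pihole.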
