Did I use the right command? `sudo iptables -t nat -A PR-QBS -p tcp --dport 53 -j DNAT --to-destination 10.137.0.50` (repeat for udp)
Apparently DNS requests reach the DNS qube, but the response gets stuck somewhere midway...

On Thu, Jun 8, 2023 at 8:58 AM unman <un...@thirdeyesecurity.org> wrote:

> On Tue, Jun 06, 2023 at 01:24:18PM -0500, Leo28C wrote:
> > I managed to set up a pi-hole qube and make it my network's DNS
> > filtering/caching server. Ironically, it works flawlessly across my network
> > EXCEPT it completely breaks DNS for all other qubes in the same system. On
> > Debian-based qubes I figured out I can simply edit /etc/resolv.conf, while
> > making sure sys-firewall lets the two qubes talk to each other, as a
> > workaround. However this is a hacky per-qube solution and doesn't persist
> > across qube restarts. It would be nice to simply have sys-firewall relay
> > the information to all of its client qubes automatically. Any idea how to
> > do this?
> >
> > Thanks in advance!
>
> You don't need to change the settings per qube at all.
> You haven't said *where* the pi-hole qube is located in your qubes
> network, or what the nature of the breakage is.
> I assume from what you say it is attached to sys-firewall.
>
> You can do this by editing the PR-QBS chain in nat table in
> sys-firewall.
> By default, this forwards all DNS traffic to 10.139.1.1 and 10.139.1.2
> using dnat. Flush that chain and replace it with dnat rules to the IP
> address of your Pi-hole qube.
> You could do this in /rw/config/qubes-firewall-user-script or by script
> in /rw/config/qubes-firewall.d
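
The change unman describes (flush the PR-QBS chain, then add DNAT rules pointing at the Pi-hole qube), written as a script for /rw/config/qubes-firewall.d in sys-firewall. This is an added example, not code from the thread: the file name and the `PIHOLE_IP` and `APPLY` variables are assumptions, and 10.137.0.50 is the address from the command quoted above.

```shell
#!/bin/sh
# Hypothetical file: /rw/config/qubes-firewall.d/50-pihole-dns (added example).
# Prints the rules for review by default; set APPLY=1 to run them as root.

PIHOLE_IP="${PIHOLE_IP:-10.137.0.50}"   # address used in the thread

# Accept only a dotted-quad IPv4 address so a typo never reaches iptables.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Emit the commands: flush PR-QBS first, then one DNAT rule per protocol.
pr_qbs_rules() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
    echo "iptables -t nat -F PR-QBS"
    for proto in udp tcp; do
        echo "iptables -t nat -A PR-QBS -p $proto --dport 53 -j DNAT --to-destination $1"
    done
}

# Apply the rules only when APPLY=1; otherwise just list them.
main() {
    rules=$(pr_qbs_rules "$PIHOLE_IP") || return 1
    if [ "${APPLY:-0}" = 1 ]; then
        # Each line is a plain iptables command; stop at the first failure.
        echo "$rules" | while read -r cmd; do $cmd || exit 1; done
    else
        echo "$rules"
    fi
}

main
```

After applying, `sudo iptables -t nat -L PR-QBS -n -v` in sys-firewall lists the chain with per-rule packet counters, which shows whether DNS queries are matching the new rules.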