Re: [qubes-users] DNS
On Thu, Mar 09, 2017 at 12:30:21AM +, Unman wrote:
> > > > > >> https://github.com/QubesOS/qubes-issues/issues/2674
> > > > I have the same problem with Fedora 23, Debian 8 and Debian 9:
> > > > 
> > > > = Fedora 23 =
> > > > [user@work ~]$ grep PRETTY /etc/os-release
> > > > PRETTY_NAME="Fedora 23 (Workstation Edition)"
> > > > [user@work ~]$ cat /etc/resolv.conf
> > > > nameserver 10.137.2.1
> > > > nameserver 10.137.2.254
> > > > [user@work ~]$ dig +short gov.uk @10.137.2.1
> > > > 23.235.33.144
> > > > 23.235.37.144
> > > > [user@work ~]$ dig +short gov.uk @10.137.2.254
> > > > ;; connection timed out; no servers could be reached
> > 
> > I have understood why I have this problem.
> > 
> > On my LAN, the DNS recursive server (unbound) has a blacklist: it
> > refuses to answer queries for tracking/ad domains. The problem is that
> > when a program receives a "REFUSED" packet from its DNS query, it tries
> > to resolve the same host on the second DNS server in resolv.conf.
> > 
> > I can see the pattern clearly using tcpdump: Query -> fast answer
> > REFUSED -> Query on the second DNS server -> no answer.
> > 
> > On the DNS resolver:
> > # grep facebook unbound-blacklist.conf
> > local-zone: "facebook.com" refuse
> > 
> > On any Qubes VM:
> > $ host facebook.com 10.137.2.1
> > Using domain server:
> > Name: 10.137.2.1
> > Address: 10.137.2.1#53
> > Aliases: 
> > 
> > Host facebook.com not found: 5(REFUSED)
> > $ host facebook.com 10.137.2.254
> > [... 10s ...]
> > ;; connection timed out; no servers could be reached
> > $ host facebook.com
> > Host facebook.com not found: 5(REFUSED)
> > $ ping facebook.com
> > [... 10s ...]
> > ping: facebook.com: Temporary failure in name resolution
> > 
> > I do not understand why this second DNS server is populated in all Qubes
> > VMs. Is there a simple way to configure only 1 DNS server?
> > 
> > Antoine
> 
> If you had two servers on your network, or your DHCP server gave out two
> addresses, both would be used, I think.

The issue is that my DHCP server is only giving 1 DNS server. I do not
understand why Qubes thinks I have 2.

Antoine

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170311210550.uzoxnnr6dnglhteq%40fedora-23-dvm.
For more options, visit https://groups.google.com/d/optout.

signature.asc
Description: PGP signature
Re: [qubes-users] DNS
On Tue, Mar 07, 2017 at 09:08:07PM +, Unman wrote:
> On Tue, Mar 07, 2017 at 09:56:23PM +0100, 'Antoine' via qubes-users wrote:
> > On Mon, Mar 06, 2017 at 04:31:31PM -0800, Andrew David Wong wrote:
> > > >> Filed a bug report:
> > > >> 
> > > >> https://github.com/QubesOS/qubes-issues/issues/2674
> > 
> > I have the same problem with Fedora 23, Debian 8 and Debian 9:
> > 
> > = Fedora 23 =
> > [user@work ~]$ grep PRETTY /etc/os-release
> > PRETTY_NAME="Fedora 23 (Workstation Edition)"
> > [user@work ~]$ cat /etc/resolv.conf
> > nameserver 10.137.2.1
> > nameserver 10.137.2.254
> > [user@work ~]$ dig +short gov.uk @10.137.2.1
> > 23.235.33.144
> > 23.235.37.144
> > [user@work ~]$ dig +short gov.uk @10.137.2.254
> > ;; connection timed out; no servers could be reached
> > 
> > = Debian 8 =
> > user@cloud:~$ grep PRETTY /etc/os-release
> > PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
> > user@cloud:~$ cat /etc/resolv.conf
> > nameserver 10.137.2.1
> > nameserver 10.137.2.254
> > user@cloud:~$ dig +short gov.uk @10.137.2.1
> > 23.235.33.144
> > 23.235.37.144
> > user@cloud:~$ dig +short gov.uk @10.137.2.254
> > ;; connection timed out; no servers could be reached
> > 
> > = Debian 9 =
> > user@Email:~$ grep PRETTY /etc/os-release
> > PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
> > user@Email:~$ cat /etc/resolv.conf
> > nameserver 10.137.2.1
> > nameserver 10.137.2.254
> > user@Email:~$ dig +short gov.uk @10.137.2.1
> > 23.235.33.144
> > 23.235.37.144
> > user@Email:~$ dig +short gov.uk @10.137.2.254
> > ;; connection timed out; no servers could be reached
> > 
> > Do you have any advice on how to remove 10.137.2.254 from the list of
> > default name servers?
> 
> Probably more relevant would be for you to discover why the first
> nameserver isn't reachable or isn't responding.
> With multiple entries they are queried in the order given, so if the
> first is working correctly the second entry won't be hit.
> 
> That's the real problem.

I have understood why I have this problem.

On my LAN, the DNS recursive server (unbound) has a blacklist: it
refuses to answer queries for tracking/ad domains. The problem is that
when a program receives a "REFUSED" packet from its DNS query, it tries
to resolve the same host on the second DNS server in resolv.conf.

I can see the pattern clearly using tcpdump: Query -> fast answer
REFUSED -> Query on the second DNS server -> no answer.

On the DNS resolver:
# grep facebook unbound-blacklist.conf
local-zone: "facebook.com" refuse

On any Qubes VM:
$ host facebook.com 10.137.2.1
Using domain server:
Name: 10.137.2.1
Address: 10.137.2.1#53
Aliases: 

Host facebook.com not found: 5(REFUSED)
$ host facebook.com 10.137.2.254
[... 10s ...]
;; connection timed out; no servers could be reached
$ host facebook.com
Host facebook.com not found: 5(REFUSED)
$ ping facebook.com
[... 10s ...]
ping: facebook.com: Temporary failure in name resolution

I do not understand why this second DNS server is populated in all Qubes
VMs. Is there a simple way to configure only 1 DNS server?

Antoine

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170308225516.3coxi2iautyfbfuj%40fedora-23-dvm.
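The REFUSED-then-fall-back pattern Antoine traced with tcpdump, worked through in code. This is an added example, not code from the thread or from the Qubes project: it models the nameserver loop of glibc's stub resolver (res_send), which treats SERVFAIL, NOTIMP and REFUSED as "server rejected query" and moves on to the next `nameserver` line, retrying with glibc's default `timeout:5` and `attempts:2`. The DNS replies are constructed inside the script, the two server addresses are the ones in the posted resolv.conf, and the second scenario (the LAN resolver answering NXDOMAIN instead of REFUSED) is an assumption added here to show the contrast, not something the thread tested.

```python
"""Model the stub-resolver fallback that turns a REFUSED answer into a 10 s stall.

All DNS messages are constructed here; nothing touches the network."""
import struct

# RCODE values (RFC 1035).
NOERROR, FORMERR, SERVFAIL, NXDOMAIN, NOTIMP, REFUSED = 0, 1, 2, 3, 4, 5
RCODE_NAMES = {NOERROR: "NOERROR", FORMERR: "FORMERR", SERVFAIL: "SERVFAIL",
               NXDOMAIN: "NXDOMAIN", NOTIMP: "NOTIMP", REFUSED: "REFUSED"}

# glibc res_send treats these as "server rejected query" and moves to the next
# nameserver in resolv.conf; every other rcode (NOERROR, NXDOMAIN, ...) ends the lookup.
REJECTED = {SERVFAIL, NOTIMP, REFUSED}

# glibc defaults: options timeout:5 attempts:2 (seconds per wait, rounds over all servers).
DEFAULT_TIMEOUT = 5
DEFAULT_ATTEMPTS = 2

# The two entries from the resolv.conf posted in the thread.
RESOLV_CONF = ["10.137.2.1", "10.137.2.254"]


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_response(txn_id, rcode, qname="facebook.com"):
    """Constructed reply: QR=1, RD=1, RA=1, the given RCODE, one A/IN question, no records."""
    flags = 0x8000 | 0x0100 | 0x0080 | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txn_id, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def parse_header(msg):
    """Return (txn_id, is_response, rcode) from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txn_id, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txn_id, bool(flags & 0x8000), flags & 0xF


def should_try_next_server(rcode):
    """True when a glibc stub resolver discards this answer and asks the next server."""
    return rcode in REJECTED


def resolve(nameservers, replies, timeout=DEFAULT_TIMEOUT, attempts=DEFAULT_ATTEMPTS):
    """Walk the servers the way res_send does: `attempts` rounds over all of them, in order.

    `replies` maps a server address to its wire reply, or None for a server that
    never answers (each such wait costs `timeout` seconds). Returns
    (final rcode, or None if nobody gave a final answer; servers contacted; simulated seconds)."""
    contacted, elapsed = [], 0
    for _ in range(attempts):
        for ns in nameservers:
            contacted.append(ns)
            msg = replies.get(ns)
            if msg is None:
                elapsed += timeout          # black hole: wait out the timeout, then move on
                continue
            _id, is_response, rcode = parse_header(msg)
            if not is_response or should_try_next_server(rcode):
                continue                    # rejected: next server, no waiting
            return rcode, contacted, elapsed
    return None, contacted, elapsed


def scenario_refuse():
    """unbound `local-zone: "facebook.com" refuse` on the LAN resolver; second entry is a black hole."""
    replies = {"10.137.2.1": build_response(0x1234, REFUSED), "10.137.2.254": None}
    return resolve(RESOLV_CONF, replies)


def scenario_nxdomain():
    """Assumed variant: the LAN resolver answers NXDOMAIN, which the stub accepts as final."""
    replies = {"10.137.2.1": build_response(0x1234, NXDOMAIN), "10.137.2.254": None}
    return resolve(RESOLV_CONF, replies)


if __name__ == "__main__":
    for label, scenario in (("refuse", scenario_refuse), ("nxdomain", scenario_nxdomain)):
        rcode, contacted, secs = scenario()
        outcome = RCODE_NAMES[rcode] if rcode is not None else "no answer (EAI_AGAIN)"
        print(f"{label:8s}: {outcome} after {secs}s, asked {contacted}")
```

The `refuse` scenario ends with no answer after 10 simulated seconds, which is the `[... 10s ...]` in the thread: both timeouts come from the second nameserver, which the stub only consults because REFUSED is not a final answer. That is the security-relevant point of a blocklist that answers REFUSED: it does not block, it hands the query to the next resolver in resolv.conf, and it only looked blocked here because that next entry was a black hole. A zone type that synthesises NXDOMAIN (unbound has `always_nxdomain` in recent versions) stops the lookup at the first server, as the `nxdomain` scenario shows.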
Re: [qubes-users] DNS
On Mon, Mar 06, 2017 at 04:31:31PM -0800, Andrew David Wong wrote:
> >> Filed a bug report:
> >> 
> >> https://github.com/QubesOS/qubes-issues/issues/2674
> >> 
> >> Antoine, you didn't mention which version of Qubes or Debian
> >> you're using, so I assumed Qubes 3.2 and the Debian 8
> >> TemplateVM.
> > 
> > In fact, I am using a Debian 9 TemplateVM.
> > 
> > Antoine
> 
> Thanks. I've updated the bug report.
> 
> However, please note that Debian 8 has undergone more extensive testing
> than Debian 9 as a TemplateVM. You may wish to try Debian 8 to see
> whether this resolves your problem.

I have the same problem with Fedora 23, Debian 8 and Debian 9:

= Fedora 23 =
[user@work ~]$ grep PRETTY /etc/os-release
PRETTY_NAME="Fedora 23 (Workstation Edition)"
[user@work ~]$ cat /etc/resolv.conf
nameserver 10.137.2.1
nameserver 10.137.2.254
[user@work ~]$ dig +short gov.uk @10.137.2.1
23.235.33.144
23.235.37.144
[user@work ~]$ dig +short gov.uk @10.137.2.254
;; connection timed out; no servers could be reached

= Debian 8 =
user@cloud:~$ grep PRETTY /etc/os-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
user@cloud:~$ cat /etc/resolv.conf
nameserver 10.137.2.1
nameserver 10.137.2.254
user@cloud:~$ dig +short gov.uk @10.137.2.1
23.235.33.144
23.235.37.144
user@cloud:~$ dig +short gov.uk @10.137.2.254
;; connection timed out; no servers could be reached

= Debian 9 =
user@Email:~$ grep PRETTY /etc/os-release
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
user@Email:~$ cat /etc/resolv.conf
nameserver 10.137.2.1
nameserver 10.137.2.254
user@Email:~$ dig +short gov.uk @10.137.2.1
23.235.33.144
23.235.37.144
user@Email:~$ dig +short gov.uk @10.137.2.254
;; connection timed out; no servers could be reached

Do you have any advice on how to remove 10.137.2.254 from the list of
default name servers?

Many thanks,

Antoine

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170307205623.bz6ibs44qcme6s2x%40fedora-23-dvm.
Re: [qubes-users] DNS
On Sun, Mar 05, 2017 at 05:35:03PM -0800, Andrew David Wong wrote:
> Filed a bug report:
> 
> https://github.com/QubesOS/qubes-issues/issues/2674
> 
> Antoine, you didn't mention which version of Qubes or Debian you're
> using, so I assumed Qubes 3.2 and the Debian 8 TemplateVM.

In fact, I am using a Debian 9 TemplateVM.

Antoine

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/2017030622.vzipj7ztpgcd6ezi%40fedora-23-dvm.
[qubes-users] DNS
Hi,

I have recently installed Qubes OS and I am experiencing slow name
resolution in my Debian VM.

I have checked the /etc/resolv.conf file and it contains the following
lines:

nameserver 10.137.2.1
nameserver 10.137.2.254

Playing with dig I can realise that the first IP is working well while
all DNS queries sent to the second one end in a timeout:

$ dig +short qubes-os.org @10.137.2.1
104.25.152.101
104.25.151.101
$ dig +short qubes-os.org @10.137.2.254
;; connection timed out; no servers could be reached

In sys-firewall, everything seems OK:

$ iptables -S -t nat
[...]
-A PR-QBS -d 10.137.2.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.1.1
-A PR-QBS -d 10.137.2.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.1.1
-A PR-QBS -d 10.137.2.254/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.1.254
-A PR-QBS -d 10.137.2.254/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.1.254

But I have the feeling something is missing in sys-net:

$ iptables -S -t nat
[...]
-A PR-QBS -d 10.137.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PR-QBS -d 10.137.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1
[...]

where 192.168.1.1 is the expected DNS server on my LAN.

Do you have an idea why this DNAT rule is missing? (I am not sure I
understand why 2 different nameservers are filled in resolv.conf.)

Many thanks for your help,

Antoine

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/20170305202507.sskvrkfd4ho6sea2%40fedora-23-dvm.
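The DNAT chain from the original post, checked in code. This is an added example, not from the thread or from the Qubes project: it reads an AppVM's `/etc/resolv.conf` and the `iptables -S -t nat` dump of each upstream qube (sys-firewall, then sys-net, in the order a packet traverses them) and follows every nameserver through the `PR-QBS` DNAT rules until it either reaches an address outside the chain or hits a hop with no matching rule. The dumps below are constructed from the rules Antoine posted, with the elided `[...]` lines left out and the `-P`/`-N` lines that `iptables -S` always prints added for realism; to run it on a live system, paste in `sudo iptables -S -t nat` from each hop in order.

```python
"""Follow a qube's nameservers through the PR-QBS DNAT chains of its upstream qubes.

The dumps are constructed from the rules posted in the thread (the `[...]`
parts are omitted); replace them with real `iptables -S -t nat` output to use
this on a live system."""
import re

# One DNS DNAT rule as printed by `iptables -S -t nat` in a Qubes netvm/proxyvm.
DNAT_RE = re.compile(
    r"^-A PR-QBS -d (?P<dst>[\d.]+)/32 -p (?P<proto>udp|tcp) -m (?P=proto) "
    r"--dport 53 -j DNAT --to-destination (?P<to>[\d.]+)$"
)

# Constructed input: the AppVM's resolv.conf from the post.
RESOLV_CONF = """\
nameserver 10.137.2.1
nameserver 10.137.2.254
"""

# Constructed input: sys-firewall forwards both nameservers one hop up.
SYS_FIREWALL_NAT = """\
-P PREROUTING ACCEPT
-N PR-QBS
-A PR-QBS -d 10.137.2.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.1.1
-A PR-QBS -d 10.137.2.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.1.1
-A PR-QBS -d 10.137.2.254/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.137.1.254
-A PR-QBS -d 10.137.2.254/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.137.1.254
"""

# Constructed input: sys-net only rewrites the first nameserver to the LAN resolver.
SYS_NET_NAT = """\
-P PREROUTING ACCEPT
-N PR-QBS
-A PR-QBS -d 10.137.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PR-QBS -d 10.137.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1
"""

# Hops in the order a packet traverses them, innermost first.
HOPS = [("sys-firewall", SYS_FIREWALL_NAT), ("sys-net", SYS_NET_NAT)]


def parse_resolv_conf(text):
    """Return nameserver addresses in resolv.conf order; other keys and comments are ignored."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def parse_dnat_rules(dump):
    """Map (destination, protocol) -> DNAT target for the PR-QBS DNS rules in one dump."""
    rules = {}
    for line in dump.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            rules[(m["dst"], m["proto"])] = m["to"]
    return rules


def trace(nameserver, hops, proto):
    """Rewrite `nameserver` through each hop in turn.

    Returns (path, complete): the addresses seen hop by hop, and whether every
    hop had a matching rule. False means the query is delivered to an address
    nobody answers on, which is the silent timeout seen in the thread."""
    path = [nameserver]
    for _hop_name, dump in hops:
        target = parse_dnat_rules(dump).get((path[-1], proto))
        if target is None:
            return path, False
        path.append(target)
    return path, True


def check(resolv_conf, hops):
    """Trace every nameserver over udp and tcp: {ns: {proto: (path, complete)}}."""
    return {
        ns: {proto: trace(ns, hops, proto) for proto in ("udp", "tcp")}
        for ns in parse_resolv_conf(resolv_conf)
    }


def dead_nameservers(resolv_conf, hops):
    """Nameservers whose queries dead-end on at least one protocol."""
    report = check(resolv_conf, hops)
    return [ns for ns, protos in report.items()
            if not all(ok for _path, ok in protos.values())]


if __name__ == "__main__":
    for ns, protos in check(RESOLV_CONF, HOPS).items():
        for proto, (path, ok) in protos.items():
            status = "ok" if ok else "DEAD END (no DNAT rule at next hop)"
            print(f"{ns} {proto}: {' -> '.join(path)} [{status}]")
```

On the posted rules this reports 10.137.2.1 -> 10.137.1.1 -> 192.168.1.1 for both protocols and 10.137.2.254 -> 10.137.1.254 as a dead end, which is exactly what the two `dig` runs showed: the AppVM never talks to a DNS server directly, each hop's DNAT table decides where a query ends up, so a second `nameserver` entry with no rule at the outermost hop is a black hole rather than a backup. Worth running whenever resolv.conf lists more entries than the LAN actually hands out, because every stub-resolver fallback (timeout, SERVFAIL, REFUSED) will land on that entry.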