On 08/03/2016 03:22 PM, Markus Kilås wrote:
> On 08/03/2016 09:31 AM, Marek Marczykowski-Górecki wrote:
>> On Mon, Aug 01, 2016 at 08:31:12AM +0200, David Hobach wrote:
>>
>>
>>> On 07/31/2016 10:05 AM, Markus Kilås wrote:
On 02/28/2016 04:13 PM, Markus Kilås wrote:
> Hi,
>
> I am experiencing an issue with DNS queries in my AppVMs in R3.0.
>
> Sometimes after booting up, the AppVMS that are connected to
> sys-firewall are unable to do DNS lookups:
> user@untrusted ~]$ dig qubes-os.org
> ; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> qubes-os.org
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> The same command works in sys-firewall and netvm and any AppVM connected
> directly to the netvm but not when going through sys-firewall. There are
> no firewall rules added in the Qubes VM Manager and changing to allow
> all network traffic for 5 minutes makes no difference.
>
> Besides DNS lookups not working, the networking is working:
> [user@untrusted ~]$ ping 104.25.119.5
> PING 104.25.119.5 (104.25.119.5) 56(84) bytes of data.
> 64 bytes from 104.25.119.5: icmp_seq=1 ttl=56 time=31.4 ms
>
> If I manually change the nameserver to the same as in sys-firewall the
> resolving works also in the AppVM:
>
> With IP from /etc/resolve.conf (sys-firewall):
> [user@untrusted ~]$ dig @10.137.2.1 qubes-os.org
> ; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> @10.137.2.1
> qubes-os.org
> ; (1 server found)
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
>
> Instead with the netvm IP:
> [user@untrusted ~]$ dig @10.137.5.1 qubes-os.org
> ; <<>> DiG 9.10.3-P3-RedHat-9.10.3-10.P3.fc23 <<>> @10.137.5.1
> qubes-os.org
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5804
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;qubes-os.org.IN A
>
> ;; ANSWER SECTION:
> qubes-os.org. 127 IN A 104.25.119.5
> qubes-os.org. 127 IN A 104.25.118.5
>
> ;; Query time: 11 msec
> ;; SERVER: 10.137.5.1#53(10.137.5.1)
> ;; WHEN: Sun Feb 28 16:03:09 CET 2016
> ;; MSG SIZE rcvd: 73
>
>
> Any idea what is going on here?
>
>>
>>> Very similar issues here...
>>
>> I think it's this issue:
>> https://github.com/QubesOS/qubes-issues/issues/1067
>>
I think I solved this now.
After re-installing with V3.2-rc2 and restoring my VMs (including my old
netvm) I still had this problem from time to time.
So what I did was to start use the new sys-net VM as NetVM instead of my
restored old netvm (I manually copied over the network manager config,
private keys, certificates etc from the old VM to not have to
reconfigure that).
Since then, so far I have not seen the issue again.
>>
>>> I had renamed the sys-firewall VM back to its old "firewallvm" name using
>>> Qubes manager after a fresh 3.1rc2 install (otherwise restoring my backup
>>> wouldn't have worked: "could not find referenced firewallvm" ...).
>>
>> Enable option "ignore missing" during backup restoration. This will use
>> default VMs in place of missing ones (default netvm, default template
>> etc).
>>
>>> Maybe the
>>> sys-firewall name is hardcoded somewhere? I guess I'll test renaming it back
>>> again soon...
>>
>> It shouldn't matter.
>>
>>
>
> My guess was not that the issue was with the name but rather that my
> restored netvm had some configuration (or similar) issue preventing the
> resolving from working in some situations.
>
> I have no idea if that makes sense or not, it was just a hypothesis of mine.
>
> But the fact for me is that since I switched to use the stock sys-net VM
> I haven't had the problem a single time yet.
>
>
> Cheers,
> Markus
>
Unfortunately, I was wrong.
After working perfectly for a few weeks now I have seen the issue again :(
- working networking in sys-net
- working networking in sys-firewall using sys-net
- ping/dig etc not working in AppVM when using sys-firewall
- working networking in AppVM when connecting directly to sys-net
Currently the only workaround I know of is to connect directly to
sys-net or reboot and hope for better luck...
Cheers,
Markus
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
