Starting point
--------------
- Qubes v3.2
- validation of the resolved names takes place at the DNS that the LAN router gets from the ISP

Ending point
------------
- same Qubes 3.2
- validation of the resolved names takes place in one of the VMs
- dnscrypt is not involved

A few years ago Alex Dubois did a great job by posting
http://bowabos.blogspot.ca/2013/11/how-to-set-up-dnscrypt-proxy-on-qubes-os.html
I tried to follow his guidelines and got lost. In particular:

1) What VM is better suited for running a validating name resolver, i.e. 'unbound'?
   I guess that a ProxyVM is good enough to isolate the validation process
   from both AppVMs and the FirewallVM. Is it a reasonable guess?

2) I copied /etc/unbound/unbound.conf to /rw/config/unbound following the guideline.
   Then I got lost.

   a) What value should be used instead of 'x' in the following setting?
          interface: 10.137.2.x
      Is it the IP address of the eth0 interface in the ProxyVM?
      Running "ifconfig" in the ProxyVM terminal yields inet 10.137.2.21.
      Does this address always stay the same between reboots of the entire Qubes OS?

   b) What values should be used in the following settings?
          access-control: 10.137.2.0/24 allow
          access-control: 10.138.2.0/24 allow
      Are they the IP addresses of the vif interfaces in the ProxyVM?
      Running "ifconfig" in the ProxyVM terminal yields inet 10.137.5.1
      Or are they the IP addresses of the eth0 interfaces in the AppVMs that are configured
      to use this ProxyVM as NetVM?
      Running "ifconfig" in these AppVMs yields inet 10.137.5.9 and 10.138.5.6 (DispVM)

   c) What values should be used instead of 'x' and 'y'?
          access-control: x.x.x.x/y allow

   d) I left
          val-permissive-mode: yes
      as shown in the guideline. I will be using it for debug purposes. Once I
      confirm that everything is up and running, I will change it to 'no'.
      Let me know if it will have a devastating effect on AppVMs.

   e) I left it
          do-not-query-localhost: no

   f) Is this setting going to work given that no dnscrypt is listening on 127.0.0.1@53?
      If not, what should it be set to so that the name is eventually resolved by the
      DNS that the LAN router gets from the ISP (the same way it was working at the starting point)?
          forward-zone:
              name: "."
              forward-addr: 127.0.0.1@53

3) According to the guidelines, rc.local should have INPUT rules
       /usr/sbin/iptables -I INPUT 3 -j ACCEPT -d 10.137.2.x -p udp --sport 1024:65535 --dport 53 -m conntrack --ctstate NEW
       /usr/sbin/iptables -I INPUT 3 -j ACCEPT -d 10.137.2.x -p tcp --sport 1024:65535 --dport 53 -m conntrack --ctstate NEW
   What value should be used instead of 'x'?
   Is it the IP address of the eth0 interface in the ProxyVM?

I hope it will get easier to set up a validating (DNSSEC) name resolver after
https://github.com/QubesOS/qubes-issues/issues/2344 is addressed.

To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/374093626.4280608.1489949096487%40mail.yahoo.com.
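The following script is an added example, not part of the post above nor of the linked blog guide: it generates a validating unbound.conf and the matching firewall commands for a Qubes 3.2 ProxyVM, so that the pieces the questions are about (the `interface`, `access-control`, `val-permissive-mode`, `do-not-query-localhost` and `forward-zone` settings, plus the INPUT rules) are shown together. The unbound options and their meaning are unbound's documented ones; everything about addresses is an assumption: the resolver listens on the ProxyVM's vif address that the downstream AppVMs already use as gateway and DNS (10.137.5.1 in the post's ifconfig output), it allows the downstream subnets 10.137.5.0/24 and 10.138.5.0/24, and it forwards to 10.137.2.1, assumed to be the resolver the ProxyVM itself gets from its NetVM given its eth0 address 10.137.2.21. The trust-anchor path /var/lib/unbound/root.key is the assumed Fedora package layout, and the `PR-QBS` nat chain is assumed to be where Qubes 3.x rewrites AppVM DNS queries to the upstream resolver. The function names (`unbound_conf`, `dns_firewall_rules`, `apply`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): build a validating unbound
# configuration for a Qubes 3.2 ProxyVM and the firewall rules that let the
# AppVMs behind it use the resolver. Intended to be called from
# /rw/config/rc.local as: sh dns-resolver.sh apply
#
# Assumed addresses (adjust to the output of "ifconfig" in the ProxyVM):
#   LISTEN   = the ProxyVM's vif address, which AppVMs already use as DNS
#   UPSTREAM = the resolver the ProxyVM itself got from its NetVM
#   ALLOW    = the downstream subnets that may query the resolver

# Print an unbound.conf for a validating resolver that forwards to UPSTREAM.
# Usage: unbound_conf LISTEN UPSTREAM ALLOW_CIDR [ALLOW_CIDR...]
unbound_conf() {
    listen=$1; upstream=$2; shift 2
    printf 'server:\n'
    printf '    directory: "/etc/unbound"\n'
    printf '    username: "unbound"\n'
    printf '    chroot: ""\n'
    printf '    interface: 127.0.0.1\n'
    printf '    interface: %s\n' "$listen"
    printf '    port: 53\n'
    printf '    access-control: 127.0.0.0/8 allow\n'
    for cidr in "$@"; do
        printf '    access-control: %s allow\n' "$cidr"
    done
    printf '    access-control: 0.0.0.0/0 refuse\n'
    # DNSSEC root trust anchor; the Fedora package keeps this file updated
    # with unbound-anchor (assumed path).
    printf '    auto-trust-anchor-file: "/var/lib/unbound/root.key"\n'
    # "yes" hands out answers that failed validation (only the AD bit is
    # missing); "no" returns SERVFAIL for them, which is what makes the
    # resolver actually protective. Use "yes" only while debugging.
    printf '    val-permissive-mode: no\n'
    # "no" is only needed when the forwarder runs on 127.0.0.1 (dnscrypt-proxy);
    # with a remote upstream the default "yes" is the safer choice.
    printf '    do-not-query-localhost: yes\n'
    printf '    harden-dnssec-stripped: yes\n'
    # Forward everything to the upstream resolver instead of 127.0.0.1@53,
    # since nothing listens there without dnscrypt. Removing this block makes
    # unbound resolve from the root servers itself.
    printf 'forward-zone:\n'
    printf '    name: "."\n'
    printf '    forward-addr: %s\n' "$upstream"
}

# Print the iptables commands that let AppVMs reach the resolver on LISTEN.
# They are printed rather than executed so the output can be reviewed first.
dns_firewall_rules() {
    listen=$1
    for proto in udp tcp; do
        # Position 3 follows the guideline quoted in the post: the rule must
        # land before the Qubes REJECT rule for traffic arriving on vif+.
        printf 'iptables -I INPUT 3 -d %s -p %s --dport 53 -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$listen" "$proto"
    done
    # Assumption about Qubes 3.x internals: the PR-QBS chain DNATs AppVM
    # queries for the vif DNS address to the upstream resolver. Flushing it
    # keeps those queries local so they reach unbound on LISTEN.
    printf 'iptables -t nat -F PR-QBS\n'
}

# Write the config, load the rules and (re)start unbound in the ProxyVM.
apply() {
    unbound_conf "$LISTEN" "$UPSTREAM" $ALLOW > /etc/unbound/unbound.conf  # ALLOW is word-split on purpose
    unbound-checkconf /etc/unbound/unbound.conf
    dns_firewall_rules "$LISTEN" | sh -e
    systemctl restart unbound
}

LISTEN=${LISTEN:-10.137.5.1}                       # vif address from the post's ifconfig output
UPSTREAM=${UPSTREAM:-10.137.2.1}                   # assumed: the NetVM-side resolver of this ProxyVM
ALLOW=${ALLOW:-"10.137.5.0/24 10.138.5.0/24"}      # downstream AppVM and DispVM subnets

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

Validation through a `forward-zone` only works if the upstream resolver returns the DNSSEC records (RRSIG, DNSKEY, DS) unmodified; an ISP resolver that strips them leaves unbound unable to validate, and with `val-permissive-mode: no` every signed zone then answers SERVFAIL. Running `unbound-host -C /etc/unbound/unbound.conf -v dnssec-failed.org` in the ProxyVM is a quick check: a validating setup reports it as bogus rather than returning an address.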