Re: [qubes-users] Re: Properly setup a qube dns cache server
Please, someone? -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/8fb316bb-a6d6-404e-8b31-2da2db4d2324%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Properly setup a qube dns cache server
I'm already in the process of implementing this feauture (method A) in R4.0. > dom0 doesn't store any DNS settings. Each VM forwards packets to the > next upstream VM and the DNS decision is made at your netvm resolv.conf. > Dynamic firewalls (iptables in 3.2, netfilter or so in 4.0) managed by > the dom0 qvm-firewall in your proxsy & firewall VMs ensure only allowed > traffic is going through. DNS uses dnat rules. Dom0 uses your firewall > VM to pull updates. I'm aware of the Qubes networking mechanisms. What I'm trying to achieve is the following: 1) New fields in 'Qubes Global Settings' menu, under 'System defaults' (Dom0) that let the user choose the default primary and secondary DNS (now '10.139.1.1' and '10.139.1.2'). How this will be implemented? Dom0 will inform the first NetVM backends ('sys-firewall', 'sys-net' or a VpnVM) of the change though a rpc service and this will trigger `qubes-dnat-to-ns` which will procede to update the (NAT) iptables. -> All the DNS requests destinated to '10.139.1.1' and '10.139.1.2' DNAT to the new DNS backend specified by the user <- This method doesn't require any changes to the Templates or the AppVMs, but only to install a rpc service and a custom `qubes-dnat-to-ns` script in the VMs that provide network (ProxyVMs and NetVMs). 2) New fields in 'VM Settings' menu (Dom0) that let the user choose the primary and secondary DNS for each VM, if the machine has network. How this will be implemented? Dom0 will inform the NetVM backend to which the VM is attached and the (NAT) iptables will be modified to DNAT all the DNS requests from a the specific VM vif interface (-i vifX.0) to the new addresses provided. Again, no changes are required to the Templates or the AppVMs, but only to the VMs that provide network (ProxyVMs and NetVMs). * ISSUES: 1) I solved the first issue and I discovered how to retrieve vif names from xen database, 2) I still don't know how to make all VMs that provide network launch a script when a new vif interface came up. As I said before, I've found the this file '/etc/udev/rules.d/99-qubes-network.rules' that I believed was the solution, but it seem not to work at all, 3) My code still rely on files, because the Qubes API and Qubesadmin API has confused me a lot. I need to add: - the attributes 'default_primary_dns' and 'default_secondary_dns' to 'qubesadmin.app.QubesBase' and - the properties 'primary_dns' and 'secondary_dns' to the base Class that represent a VM object. I don't know if I have to modify 'Qubes' or 'Qubesadmin' and if this is enough for the `qubesd` calls or if it's not possible to add new properties at all. I really need help from the developers, expecially for the point n.3. Thanks! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7a66a147-8348-4eeb-98f7-bb4b2438a7e9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Properly setup a qube dns cache server
I'm already in the process of implementing this feauture (method A) in R4.0. > dom0 doesn't store any DNS settings. Each VM forwards packets to the > next upstream VM and the DNS decision is made at your netvm resolv.conf. > Dynamic firewalls (iptables in 3.2, netfilter or so in 4.0) managed by > the dom0 qvm-firewall in your proxsy & firewall VMs ensure only allowed > traffic is going through. DNS uses dnat rules... > I'm aware of the Qubes networking mechanisms. What I'm trying to achieve is the following: 1) New fields in 'Qubes Global Settings' menu, under 'System defaults' (Dom0) that let the user choose the default primary and secondary DNS (now '10.139.1.1' and '10.139.1.2'). How this is will be implemented? Dom0 will inform the first NetVM backends ('sys-firewall', 'sys-net' or a VpnVM) of the change though a rpc service and this will trigger `qubes-dnat-to-ns` which will procede to update the (NAT) iptables. -> All the DNS requests destinated to '10.139.1.1' and '10.139.1.2' DNAT to the new DNS backend specified by the user <- This method doesn't require any changes to the Templates or the AppVMs, but only to install a rpc service and a custom `qubes-dnat-to-ns` script in the VMs that provide network (ProxyVMs and NetVMs). 2) New fields in 'VM Settings' menu (Dom0) that let the user choose the primary and secondary DNS for each VM, if the machine has network. How this is will be implemented? Dom0 will inform the NetVM backend to which the VM is attached and the (NAT) iptables will be modified to DNAT all the DNS requests from a the specific VM vif interface (-i vifX.0) to the new addresses provided. Again, no changes are required to the Templates or the AppVMs, but only to the VMs that provide network (ProxyVMs and NetVMs). ISSUES: 1) I solved the first issue and I discovered how to retrieve vif names from xen database, 2) I still don't know how to make all VMs that provide network launch a script when a new vif interface came up. As I said before, I've found the this file '/etc/udev/rules.d/99-qubes-network.rules' that I believed was the solution, but it seem not to work at all, 3) My code still rely on files, because the Qubes API and Qubesadmin API has confused me a lot. I need to add: - the attributes 'default_primary_dns' and 'default_secondary_dns' to 'qubesadmin.app.QubesBase' and - the properties 'primary_dns' and 'secondary_dns' to the base Class that represent a VM object. I don't know if I have to modify 'Qubes' or 'Qubesadmin' and if this is enough for the `qubesd` calls or if it's not possible to add new properties at all. I really need help from the developers, expecially for the point n.3. Thanks! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/38f7121d-b047-431d-b4c2-aedc2b68a9fb%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Properly setup a qube dns cache server
I'm already in the process of implementing this feauture (method A) in R4.0. > dom0 doesn't store any DNS settings. Each VM forwards packets to the > next upstream VM and the DNS decision is made at your netvm resolv.conf. > Dynamic firewalls (iptables in 3.2, netfilter or so in 4.0) managed by > the dom0 qvm-firewall in your proxsy & firewall VMs ensure only allowed > traffic is going through. DNS uses dnat rules... I'm aware of the Qubes networking mechanisms. What I'm trying to achieve is the following: 1) New fields in 'Qubes Global Settings' menu, under 'System defaults' (Dom0) that let the user choose the default primary and secondary DNS (now '10.139.1.1' and '10.139.1.2'). How this is will be implemented? Dom0 will inform the first NetVM backends ('sys-firewall', 'sys-net' or a VpnVM) of the change though a rpc service and this will trigger `qubes-dnat-to-ns` which will procede to update the (NAT) iptables. -> All the DNS requests destinated to '10.139.1.1' and '10.139.1.2' DNAT to the new DNS backend specified by the user <- This method doesn't require any changes to the Templates or the AppVMs, but only to install a rpc service and a custom `qubes-dnat-to-ns` script in the VMs that provide network (ProxyVMs and NetVMs). 2) New fields in 'VM Settings' menu (Dom0) that let the user choose the primary and secondary DNS for each VM, if the machine has network. How this is will be implemented? Dom0 will inform the NetVM backend to which the VM is attached and the (NAT) iptables will be modified to DNAT all the DNS requests from a the specific VM vif interface (-i vifX.0) to the new addresses provided. Again, no changes are required to the Templates or the AppVMs, but only to the VMs that provide network (ProxyVMs and NetVMs). ISSUES: 1) I solved the first issue and I discovered how to retrieve vif names from xen database, 2) I still don't know how to make all VMs that provide network launch a script when a new vif interface came up. As I said before, I've found the this file '/etc/udev/rules.d/99-qubes-network.rules' that I believed was the solution, but it seem not to work at all, 3) My code still rely on files, because the Qubes API and Qubesadmin API has confused me a lot. I need to add: - the attributes 'default_primary_dns' and 'default_secondary_dns' to 'qubesadmin.app.QubesBase' and - the properties 'primary_dns' and 'secondary_dns' to the base Class that represent a VM object. I don't know if I have to modify 'Qubes' or 'Qubesadmin' and if this is enough for the `qubesd` calls or if it's not possible to add new properties at all. I really need help from the developers, expecially for the point n.3. Thanks! -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/126d08c0-9846-4c50-832f-b0636a35e973%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
Re: [qubes-users] Re: Properly setup a qube dns cache server
On 10/28/2017 06:36 PM, nicholas roveda wrote: Up to now, I've thought of 2 possible solutions: [...] I really need some help, maybe from the developers, to understand better these mechanisms, to be able to implement a solution as more general as possible, that users can adopt without efforts. Have a look at the code whonix or that VPN project uses to provide upstream services to downstream VMs. The mechanisms are somewhat different in 3.2 and 4.0. Your thoughts appear to be overly complicated. I e.g. didn't understand the dom0 part: dom0 doesn't store any DNS settings. Each VM forwards packets to the next upstream VM and the DNS decision is made at your netvm resolv.conf. Dynamic firewalls (iptables in 3.2, netfilter or so in 4.0) managed by the dom0 qvm-firewall in your proxsy & firewall VMs ensure only allowed traffic is going through. DNS uses dnat rules. Dom0 uses your firewall VM to pull updates. So you can just configure your DNS cache server in your net VM or if you want to use a proxy VM you'll have to write a custom service that does the iptables changes desired by the Qubes firewall (the default ones will not work as they are designed to forward packets further upstream). The latter should only be done by really experienced users. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/bfa1ad19-90a7-22a2-5eab-a5b9bfe37a64%40hackingthe.net. For more options, visit https://groups.google.com/d/optout. smime.p7s Description: S/MIME Cryptographic Signature