Hello! I am trying to set up a proxy vm that will redirect DNS requests to a local DNS server, for the purposes of adblocking.
Here is the setup: internet <-> sys-net <-> sys-firewall <-> MY_PROXYVM <-> appvm_with_firefox I have created a proxyvm based on a debian-8 template, and have installed PiHole (https://pi-hole.net/) as an adblocker. PiHole works by starting a DNS server (dnsmasq) and rejecting any dns queries to domains that serve ads. If (in the proxyvm) I set the contents of /etc/resolv.conf to 127.0.0.1 and open firefox (in the proxyvm), I can verify that the adblocker is working correctly. The issue I am having is when I used the proxyvm as the netvm for another appvm. Without any other changes, my appvm's firefox has internet access, but the adblocker has no effect. Of course, some additional setup is needed, but I'm not exactly sure how to do that. I'm not very good with iptables, and every attempt I have made to redirect DNS to 127.0.0.1 in the proxyvm has failed (and caused both the proxyvm and the appvm to lose the ability to browse). Here are the commands I ran (in the proxyvm): #!/bin/bash DNS=127.0.0.1 NS1=10.137.4.1 NS2=10.137.4.254 iptables -t nat -A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $DNS iptables -t nat -A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $DNS iptables -t nat -A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $DNS iptables -t nat -A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $DNS --- I pieced this together from what I could find from the VPN documentation on the qubes website as well as the contents of /usr/lib/qubes/qubes-setup-dnat-to-ns Running the qubes-setup-dnat-to-dns script by itself after changing /etc/resolv.conf (all this on the proxyvm) didn't seem to have any impact. So! My question is, am I going about this correctly? I think I need to modify the iptables in the proxyvm to redirect any incoming (from the appvm) DNS queries to 127.0.0.1, while still allowing outgoing (to the internet, from the proxyvm) DNS queries to get out. Along with this, I think I need to ensure that there are rules that allow all other traffic to pass through unhindered. Or is there a different, qubes-specific way of handling DNS that I should be using? After inspecting the sys-firewall ipconfig and iptables, it is clear that something behind-the-scenes is happening where an additional NIC is created for each attached appvm, and the iptables are being populated automatically somehow. I'm not sure how the proxyvm is supposed to get the addresses of the appvm and sys-firewall (my script above had addresses hardcoded). Thank you for any help! If I get all this working, I'm planning on making a Salt file that can create the adblocking proxyvm. -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/7df5d8c4-e52f-4eec-bbea-6c9646c9d3a7%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
