On Mon, Nov 27, 2017 at 09:27:16PM +0100, CF wrote:
> Dear Users,
>
> A few (simple) questions as I was reading about DNS servers:
>
> 1 - Any feedback on using your own DNS server directly on your Qubes
> machine (using unbound for instance)? Is it straightforward to have your
> DNS cache persistent across reboots?
>
> 2 - Any feedback on the DNS over TLS provided by quad 9?
> https://www.quad9.net/
> https://labs.ripe.net/Members/stephane_bortzmeyer/quad9-a-public-dns-resolver-with-security/
>
> 3 - Are you aware of any other similar public server available? (IPV4 /
> IPV6 + DNS over TLS)
>
> 4 - Last but not least, it is not very clear how to set up Qubes to use
> a given DNS server. Should we modify each VM? Or only the net VM? Or the
> firewall VM?
>
> Thanks
You can, if you wish, set up a qube to provide DNS - you can either set this on one of the proxyVMs or use a dedicated qube (in which case you will need to manipulate iptables to allow inter-qube traffic). Look at https://www.qubes-os.org/doc/firewall to help with this.

To make the cache persistent, either store it in /usr/local or use the bind-dirs facility: https://www.qubes-os.org/doc/bind-dirs/

To understand the standard Qubes DNS in 3.2, note that each qube has in /etc/resolv.conf nameserver entries for the network segment relating to the network relating to the proxy to which it is connected. If you examine the iptables rules in the proxy you will see that the NAT table contains a chain which effectively redirects DNS traffic upstream, using the same .1 and .254 addresses. At sys-net, the iptables rules redirect to the external DNS server(s).

If you want to use a particular server, change the iptables DNAT rules in sys-net - you can do this from /rw/config/rc.local - again look at the docs of the firewall.

OR if you want just SOME qubes to use a different DNS server, make changes to the PR-QBS chain in the proxy to redirect DNS traffic to the chosen server.

You can see that ALL of the methods proposed in your final question will work: which you choose will depend on how many qubes you want to use the given DNS server.

unman
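As an added illustration of the PR-QBS rewrite described above (example code, not from unman's reply or from the Qubes project), the following POSIX sh fragment generates and applies the DNAT rules that pin every port-53 packet passing through a qube to one chosen resolver, whether it is run in sys-net or in a proxy. It assumes the Qubes 3.2 layout the reply describes (PR-QBS is a chain in the nat table), and it uses 9.9.9.9, Quad9's public resolver, as the default upstream; that address is not in the thread, and the file path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example for Qubes 3.2: replace the PR-QBS DNAT rules with ones that send all
# DNS (udp+tcp 53) from downstream qubes to a single chosen resolver.
# Assumption: 9.9.9.9 is Quad9's plain-DNS address (not given in the thread).
# Usage from /rw/config/rc.local (path is hypothetical):
#     . /rw/config/pr-qbs.sh && apply_pr_qbs "$DNS_UPSTREAM"

DNS_UPSTREAM="${DNS_UPSTREAM:-9.9.9.9}"

# Accept only a dotted-quad IPv4 address, each octet 0-255. Anything else is refused
# before it can reach an iptables command line.
is_ipv4() {
    case "$1" in ''|.*|*.|*..*|*[!0-9.]*) return 1 ;; esac
    rest="$1." n=0
    while [ -n "$rest" ]; do
        o=${rest%%.*}; rest=${rest#*.}; n=$((n + 1))
        [ "$n" -le 4 ] && [ "$o" -le 255 ] || return 1
    done
    [ "$n" -eq 4 ]
}

# Print the iptables commands, one per line, so they can be reviewed (and tested)
# before execution. The chain is flushed first so Qubes' own per-resolver DNAT rules
# (the ones matching the .1/.254 addresses) do not take precedence; the replacement
# is a catch-all, so DNS a qube tries to send to some other resolver is pinned too.
pr_qbs_rules() {
    resolver="$1"
    printf '%s\n' \
        "iptables -t nat -F PR-QBS" \
        "iptables -t nat -A PR-QBS -p udp --dport 53 -j DNAT --to-destination ${resolver}" \
        "iptables -t nat -A PR-QBS -p tcp --dport 53 -j DNAT --to-destination ${resolver}"
}

# Validate, then run each generated command; stop at the first failure.
apply_pr_qbs() {
    is_ipv4 "$1" || { printf 'refusing non-IPv4 resolver: %s\n' "$1" >&2; return 1; }
    pr_qbs_rules "$1" | while IFS= read -r cmd; do
        $cmd || exit 1   # plain word-split is safe: the only variable part was validated
    done
}
```

Because Qubes regenerates the DNAT rules when the uplink's resolvers change, verify with `iptables -t nat -L PR-QBS -n` after a reconnect that the pinned rules are still in place; this redirects plain port-53 DNS only and does not give you DNS over TLS.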