On Wed, Mar 07, 2018 at 11:58:21AM -0500, Micah Lee wrote:
> I'm trying to make all DNS requests in Qubes go over TLS (more information 
> about this [1]).
> 
> I've got this successfully working in sys-net by running a local DNS server 
> on udp 53 that forwards DNS requests to a remote DNS server over TLS, and 
> then setting my only nameserver in /etc/resolv.conf to 127.0.0.1. I've 
> confirmed that this works great in sys-net -- all of my DNS requests are 
> encrypted to my remote DNS server, and none are plaintext.
> 
> The problem is when I do this, DNS in other downstream VMs all fail. The 
> Qubes networking docs [2] explain how DNS works in Qubes, but I'm confused 
> about how to make this setup work. Any ideas? Thanks!
> 
> [1] https://dnsprivacy.org/wiki/
> [2] https://www.qubes-os.org/doc/networking/
> 

In sys-net you have a PR-QBS chain in the nat table that redirects DNS
requests to the network DNS server.

You'll need to remove that chain and replace it with one directing DNS
traffic to the local server. 
You'll also need to open the udp port to inbound traffic.

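The change described in the reply above, sketched as an added example that is not part of the original message: a shell function that prints the iptables commands for review instead of running them. It assumes downstream VMs reach sys-net on `vif+` interfaces, flushes and refills PR-QBS rather than deleting the chain, and takes the forwarder's listen address as an argument (the hypothetical `dns_redirect_rules` name and any address passed to it are not from the thread).

```shell
#!/bin/sh
# Added example: prints (does not run) the iptables commands for sys-net.
# Assumptions: downstream VMs arrive on vif+ interfaces; the first argument
# is a non-loopback IPv4 address in sys-net that the local DNS forwarder
# is bound to; the optional second argument is its port (default 53).
dns_redirect_rules() {
    addr=$1
    port=${2:-53}
    case $addr in
        '' | *[!0-9.]* | *..* | .* | *.)
            echo "usage: dns_redirect_rules IPV4_ADDR [PORT]" >&2
            return 2 ;;
        127.*)
            # A packet DNATed to loopback in PREROUTING is dropped as a
            # martian unless route_localnet is enabled on the incoming
            # interface, so a forwarder bound only to 127.0.0.1 is not
            # reachable this way.
            echo "bind the forwarder to a non-loopback address" >&2
            return 1 ;;
    esac
    case $port in
        '' | *[!0-9]*) echo "invalid port: $port" >&2; return 2 ;;
    esac
    # 1. empty PR-QBS (the PREROUTING jump to it stays in place)
    # 2. send DNS queries from downstream VMs to the local forwarder
    # 3. open the forwarder's UDP port to inbound traffic from those VMs
    cat <<EOF
iptables -t nat -F PR-QBS
iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to-destination ${addr}:${port}
iptables -I INPUT -i vif+ -p udp -d ${addr} --dport ${port} -j ACCEPT
EOF
}
```

Review the output, then pipe it to `sh` as root in sys-net; `iptables -t nat -S PR-QBS` shows whether the rules are still in place afterwards.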