On 03/10/2018 04:43 PM, Alex Dubois wrote:
On Saturday, 10 March 2018 13:16:37 UTC, Micah Lee wrote:
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On March 8, 2018 11:26 AM, Chris Laprise <t...@p...o.net> wrote:
\> \[1\] https://dnsprivacy.org/wiki/
\[2\] https://www.qubes-os.org/doc/networking/
Micah,
If you have any specific instructions on how to setup the forwarder
you're using, I'd be happy to try it myself and post a solution for use
with qubes-firewall.
I found the dnsprivacy wiki to be a bit scattered and not very specific.
Their video "tutorial" is really a lecture on the concept.
Thanks, yes I'd love to share instructions. I haven't gotten it working yet --
I'm traveling right now and haven't spent a lot of time on it, and might not
for the next week or two. But once I figure it out I'd like to write a blog
post or something with instructions. But maybe I should sent it to this list
first for people to test and give feedback.
For your info, I have a wiki on how to use dns-crypt here:
https://github.com/adubois/adubois.github.io/blob/master/_posts/2013-11-19-setup-dnscrypt-unbound.md
It is supposed to be exposed via blog.bowabos.com but github changed something
and the static site does not get automatically generated at the moment...
Nice. I gave this a try on debian-9, using apt to install dnscrypt-proxy
and unbound.
One problem is that the howto assumes particular Qubes 10.137.2.x and
10.138.2.x nets for unbound.
Another problem is that on Qubes 4.0 the vif interfaces plus eth0 all
share the same IP address. This isn't explained in the Qubes networking
or firewall docs, so it may be a bug...
To keep unbound.service from failing I changed unbound.conf to this:
interface: <eth0 address here>
access-control: 10.137.0.0/24 allow
harden-large-queries: yes
private-address: 10.0.0.0/8
private-address: 192.168.0.0/16
val-permissive-mode: yes
do-not-query-localhost: no
...and for now omitted the '-d' destination part in iptables.
Then if I issue:
sudo iptables -t nat -F PR-QBS
sudo iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to
$eth0_address
sudo iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to
$eth0_address
it appears to work from a downstream appVM. But I haven't checked yet to
see if its really using the dnscrypt proxy; even if it is, the config
may need to be adjusted for better security.
--
Chris Laprise, tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
--
You received this message because you are subscribed to the Google Groups
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-users/6be04a34-d79d-df7f-cd64-68d098613df6%40posteo.net.
For more options, visit https://groups.google.com/d/optout.
