Sent from my mobile phone.

> On 12 Mar 2018, at 18:40, David Hobach <trip...@hackingthe.net> wrote:
> 
>> On 03/11/2018 03:15 PM, David Hobach wrote:
>> An alternative might be to set up the local DNS service in a VM closer to the 
>> Internet, i.e. not in the proxy VM which also implements the qubes firewall.
>> Something like
>> Internet <-- sys-net <-- sys-firewall <-- DNS server VM <-- proxy VM with 
>> qubes-fw <-- client VM
>> I didn't test that though.
> 
> I just tested that as well now and it works as expected without any of the 
> aforementioned caveats.
> 
> So I'd recommend the one above over the previously discussed
> Internet <-- sys-net <-- sys-firewall <-- DNS server VM <-- client VM
> (at least I was talking about that architecture - maybe the others were 
> talking about something different...).
> The same holds true for VPN users.

This type of architecture is bad practice as the attack surface of DNS is 
bigger than the Qubes firewall, and an attack on this daemon compromises all 
traffic, not just DNS.

A better arch is
Internet
- netVM
- - firewallVM
- - - Service (ie DNS or VPN)
- - - clientVM1
- - - clientVM2

And firewallVM intercepts the traffic for the VM that needs it.
Note that a service can also be a client for another service.
Note 2: that does not mean that the arch should be flat; if you are worried that 
a misconfiguration of firewallVM could put you at risk you could do
Internet
- NetVM
- - FirewallVM
- - - FirewallVPN
- - - - clientVPNVM
- - - - vpnServiceVM
- - - firewallDNS
- - - - clientDNSVM
- - - - dnsServiceVM
- - - firewallWebServer
- - - - ReverseProxyAuthVMservice
- - - - - webServerVMservice
- - - - - - webDMserviceVM
- - - - ClientWebVM

> 
> I also documented this at https://github.com/QubesOS/qubes-issues/issues/3051
> 
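The "firewallVM intercepts the traffic for the VM that needs it" step above, as an added example that is not part of the thread and not Qubes project code: a small POSIX shell helper that emits (or, with DRY_RUN=0, applies) the iptables rules a firewallVM would need to steer one client VM's DNS queries to a sibling DNS service VM behind the same firewall, and to refuse DNS from that client to anywhere else. The IP addresses in the usage line are constructed; the rules use plain nat/filter chains and assume nothing about Qubes' own chain names.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qubes.
# Assumptions: the client VM and the DNS service VM both sit behind this
# firewall VM; addresses are passed in by the caller; the firewall VM blocks
# VM-to-VM forwarding by default, so ACCEPT rules are inserted at the top
# of FORWARD with -I rather than appended.

# Print the command when DRY_RUN=1 (the default, so this runs anywhere);
# execute it when DRY_RUN=0 inside the firewall VM.
run() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# dns_intercept_rules CLIENT_IP SERVICE_IP
# Emits six rules: for udp and tcp, DNAT the client's port-53 traffic to the
# service VM, allow that redirected flow, and reject DNS to any other host.
dns_intercept_rules() {
    client="$1"
    service="$2"
    for proto in udp tcp; do
        # Whatever resolver the client asked for, send the query to the service VM.
        run iptables -t nat -A PREROUTING -s "$client" -p "$proto" --dport 53 \
            -j DNAT --to-destination "$service:53"
        # Let the redirected flow through (inter-VM forwarding is dropped by default).
        run iptables -I FORWARD -s "$client" -d "$service" -p "$proto" --dport 53 -j ACCEPT
        # Any DNS from this client that is not going to the service VM is refused.
        run iptables -I FORWARD -s "$client" ! -d "$service" -p "$proto" --dport 53 -j REJECT
    done
}

# Usage (constructed addresses): DRY_RUN=1 ./dns-intercept.sh 10.137.0.20 10.137.0.30
if [ "$#" -eq 2 ]; then
    dns_intercept_rules "$1" "$2"
fi
```

To keep the rules across reboots in a Qubes firewall VM, the call would go into /rw/config/qubes-firewall-user-script; the REJECT rule is what keeps a compromised or misconfigured client from simply asking another resolver, and the DNS service VM itself never sits in the client's traffic path.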
