With my experience of using DNSCrypt, I actually think that Qubes has some unique way of handling DNS queries, given how the nameservers automatically put into /etc/resolv.conf are on a different subnet. I actually think there must be some sort of bind or unbound being run in there that resolves all the DNS queries for you by using sys-net or your netvm as a proxy.

In order to make a sys-dns qube, or to turn any other qube into a sys-dns qube, you must ensure that it is listening on port 53 UDP for any DNS queries. This command alone given by Chris should be enough:

    iptables -I INPUT -p udp --dport 53 -j ACCEPT

Afterwards you should change your /etc/resolv.conf to the IP address of your sys-dns qube. The IP address can be found using Qubes Manager; try to ping that IP address first to verify that it is reachable by your AppVM in the first place.

If your sys-dns qube is not your sys-net or netvm, then you should ensure that TCP port 853 outbound is allowed through if your firewall rules do not explicitly allow all outbound (all outbound is allowed by default for each qube).

(In dom0 terminal)

    qvm-firewall [sys-firewall or/and sys-dns] add action=accept proto=tcp dstports=853 --before 0

If this doesn't solve it, then it may be best to provide us with some logs of your stubby.
