‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Wednesday, July 3, 2019 5:24 AM, Sphere <nvidiatempatg...@gmail.com> wrote:

> You're welcome and good luck!
> In any case, I was reminded that any sort of communication between
> non-interconnected qubes is not allowed. So even if both of your AppVM qubes
> and sys-dns qube are connected to sys-firewall then they won't be able to
> communicate with each other by default. Additional iptables rules must be
> added to allow it according to what's written here:
> https://www.qubes-os.org/doc/firewall/#enabling-networking-between-two-qubes

Hello! Here I am again as promised.

In summary: I managed to create a sys-dns qube running DoT. Long story short, it is far from usable. Here are the steps I followed.

0. qvm-clone debian-10-minimal d10-minimal-dns

1. Create a sys-dns qube which provides network and is based on d10-minimal-dns. This qube is behind sys-firewall.

2. qvm-run -u root d10-minimal-dns 'apt install qubes-core-agent-networking stubby'

3. In d10-minimal-dns, 'nano /etc/stubby/stubby.yml' and add the following option:

   > listen_addresses:
   >   - 127.0.0.1
   >   - 0::1
   >   - 10.137.0.xx   # this is sys-dns IP address

4. In d10-minimal-dns, 'nano /etc/resolv.conf':

   > nameserver 127.0.0.1
   > nameserver ::1

5. qvm-shutdown d10-minimal-dns

6. qvm-start sys-dns

7. In sys-dns, 'nano /rw/config/rc.local':

   > iptables -I INPUT -p udp --dport 53 -j ACCEPT
   > iptables -I INPUT -p tcp --dport 53 -j ACCEPT

8. qvm-shutdown sys-dns

9. Set sys-dns as the network qube of a random app qube (i.e. 'firefox'):
   firefox => sys-dns => sys-firewall => sys-net

10. In firefox, 'nano /etc/resolv.conf':

    > nameserver 10.137.xx   # this is sys-dns IP address

Check with dnsleaktest.com: DoT is working fine and firefox is resolving with the standard stubby provider.

Up to step 9, every step is easily doable. However, step 10 is kind of an issue. Without step 10, the qube behind sys-dns is using the DNS of my Internet provider in order to resolve any address.

I can't change resolv.conf every time I open a qube, nor do I think it is a good idea to change resolv.conf in the template.

Thanks for any suggestions. I am just trying to find a suitable way to run DoT on Qubes.
Re: [qubes-users] Dns-over-TLS in sys-vpn. Is it possible? How?
'qubeslover' via qubes-users Wed, 03 Jul 2019 12:51:17 -0700
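One way to remove the need for step 10 in the post above, as an added example that is not from the post or from the Qubes project: a small script for sys-dns that rewrites every DNS query arriving from a downstream qube to the local stubby listener, so the app qubes keep their stock /etc/resolv.conf. It assumes Qubes 4.0 naming (downstream interfaces are vif*), that stubby's listen_addresses includes the sys-dns IP passed as the parameter, and that the rules go at the head of nat PREROUTING so they act before the Qubes-managed forwarding to the upstream resolver.

```shell
#!/bin/sh
# Added example, not the original poster's code. Generates and applies the
# iptables rules that make sys-dns a transparent DNS server for the qubes
# behind it. Assumptions: Qubes 4.0 vif* interface naming; SYSDNS_IP is the
# address stubby already listens on (the 10.137.0.xx entry in stubby.yml).
set -eu

# Print one iptables command per line for the given sys-dns IP.
dns_redirect_rules() {
    ip="$1"
    # Refuse obviously malformed input before it reaches a root shell.
    case "$ip" in
        *[!0-9.]*|"") echo "bad IP: '$ip'" >&2; return 1 ;;
    esac
    for proto in udp tcp; do
        # Whatever nameserver a downstream qube's resolv.conf names, the
        # query is rewritten to the local stubby listener on this qube.
        echo "iptables -t nat -I PREROUTING -i vif+ -p $proto --dport 53 -j DNAT --to-destination ${ip}:53"
        # Accept the redirected query on INPUT (the default policy drops it).
        echo "iptables -I INPUT -i vif+ -p $proto --dport 53 -j ACCEPT"
    done
}

# Number of rules produced; a quick sanity check before applying.
dns_redirect_rule_count() {
    dns_redirect_rules "$1" | wc -l | tr -d ' '
}

# Apply the rules (run as root inside sys-dns, e.g. from /rw/config/rc.local).
apply_dns_redirect() {
    dns_redirect_rules "$1" | while IFS= read -r cmd; do
        $cmd
    done
}

# Usage: sh sys-dns-redirect.sh apply 10.137.0.xx
if [ "${1:-}" = "apply" ]; then
    apply_dns_redirect "$2"
fi
```

Calling it from /rw/config/rc.local in sys-dns (not the template) keeps the rules across reboots, and the existing INPUT rules from step 7 become redundant.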