Re: [qubes-users] Configuring OpenDNS in Qubes
Ok, thanks a lot for your help. I'll try it.

On Aug 5, 2016 00:04, "Qubed One" wrote:
> m...@lamarciana.com:
> >> eth0 is an uplink to sys-net. And /etc/resolv.conf there indeed is
> >> generated, so manual changes will be lost. There is a way to avoid this
> >> using /etc/qubes/protected-files.d/, but I think it isn't the way to go.
> >> Better adjust NetworkManager settings in sys-net, using standard
> >> connection editor GUI. The DNS servers in any other VM are in the end
> >> pointing to what you have in sys-net(*) (using DNAT redirections).
> >>
> >> (*) unless you use Tor/Whonix - in which case those are redirected to
> >> tor process.
> >
> > Thanks for your answer.
> >
> > Does it mean that all VMs have to share the same DNS settings (except
> > Tor/Whonix)? What I was trying to do is routing only one of them through
> > OpenDNS, while keeping the rest with my ISP DNS server (and I would like to
> > avoid an HVM just for that).
> >
> > I see I can create a new "NetVM" but I'm not sure if it is fully
> > supported. If I create a new one, is the GUI adapted so that I can
> > configure both (sys-net and my custom one)? I prefer to ask before trying
> > it and risking leaving something in an inconsistent state.
>
> I would suggest trying to completely disable or get rid of
> NetworkManager in that ProxyVM (you shouldn't need it, especially just
> to redirect DNS), then see if /etc/resolv.conf changes become
> persistent. If not, you could still use /rw/config/rc.local to replace
> /etc/resolv.conf on boot.

-- 
You received this message because you are subscribed to the Google Groups "qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/CAJzvRW9N7DsuScqixQURMPWdN6WVShp6_zccnQLM4a7DgQO3aw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Re: [qubes-users] Configuring OpenDNS in Qubes
m...@lamarciana.com:
>> eth0 is an uplink to sys-net. And /etc/resolv.conf there indeed is
>> generated, so manual changes will be lost. There is a way to avoid this
>> using /etc/qubes/protected-files.d/, but I think it isn't the way to go.
>> Better adjust NetworkManager settings in sys-net, using standard
>> connection editor GUI. The DNS servers in any other VM are in the end
>> pointing to what you have in sys-net(*) (using DNAT redirections).
>>
>> (*) unless you use Tor/Whonix - in which case those are redirected to
>> tor process.
>
> Thanks for your answer.
>
> Does it mean that all VMs have to share the same DNS settings (except
> Tor/Whonix)? What I was trying to do is routing only one of them through
> OpenDNS, while keeping the rest with my ISP DNS server (and I would like to
> avoid an HVM just for that).
>
> I see I can create a new "NetVM" but I'm not sure if it is fully supported. If
> I create a new one, is the GUI adapted so that I can configure both (sys-net
> and my custom one)? I prefer to ask before trying it and risking leaving
> something in an inconsistent state.
>

I would suggest trying to completely disable or get rid of NetworkManager in
that ProxyVM (you shouldn't need it, especially just to redirect DNS), then see
if /etc/resolv.conf changes become persistent. If not, you could still use
/rw/config/rc.local to replace /etc/resolv.conf on boot.

Re: [qubes-users] Configuring OpenDNS in Qubes
> eth0 is an uplink to sys-net. And /etc/resolv.conf there indeed is
> generated, so manual changes will be lost. There is a way to avoid this
> using /etc/qubes/protected-files.d/, but I think it isn't the way to go.
> Better adjust NetworkManager settings in sys-net, using standard
> connection editor GUI. The DNS servers in any other VM are in the end
> pointing to what you have in sys-net(*) (using DNAT redirections).
>
> (*) unless you use Tor/Whonix - in which case those are redirected to
> tor process.

Thanks for your answer.

Does it mean that all VMs have to share the same DNS settings (except
Tor/Whonix)? What I was trying to do is routing only one of them through
OpenDNS, while keeping the rest with my ISP DNS server (and I would like to
avoid an HVM just for that).

I see I can create a new "NetVM" but I'm not sure if it is fully supported. If
I create a new one, is the GUI adapted so that I can configure both (sys-net
and my custom one)? I prefer to ask before trying it and risking leaving
something in an inconsistent state.

Re: [qubes-users] Configuring OpenDNS in Qubes
On Wed, Aug 03, 2016 at 06:50:21AM -0700, m...@lamarciana.com wrote:
> > Are you using NetworkManager in that ProxyVM?
>
> I assigned "network-manager" service through "Qubes VM Manager" to my debian
> standalone ProxyVM, but I see this disappears once I start and shutdown the
> machine... I tried again to be sure and I can reproduce the issue. I will
> inspect it further and open a Qubes issue if needed.
>
> But, anyway, I changed my ProxyVM to use fedora template (still standalone):
> Then, "network-manager" survives after reboot, but not the content in
> "/etc/resolv.conf"... But, in fedora template this file has an interesting
> hint:
>
> # Generated by NetworkManager
>
> I think this confirms my fears that /etc/resolv.conf should not be edited by
> hand...
>
> I tried then to edit file
> /etc/NetworkManager/system-connections/qubes-uplink-eth0 and added OpenDNS
> IPs in "[ipv4]" section but changes are lost after reboot (I'm not using
> ethernet cable but wifi, but there is no other file. Furthermore, "ifconfig"
> only shows loop and eth0, but I suppose there is some kind of delegation to
> sys-net for that).

eth0 is an uplink to sys-net. And /etc/resolv.conf there indeed is
generated, so manual changes will be lost. There is a way to avoid this
using /etc/qubes/protected-files.d/, but I think it isn't the way to go.
Better adjust NetworkManager settings in sys-net, using standard
connection editor GUI. The DNS servers in any other VM are in the end
pointing to what you have in sys-net(*) (using DNAT redirections).

(*) unless you use Tor/Whonix - in which case those are redirected to
tor process.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Re: [qubes-users] Configuring OpenDNS in Qubes
> Are you using NetworkManager in that ProxyVM?

I assigned "network-manager" service through "Qubes VM Manager" to my debian
standalone ProxyVM, but I see this disappears once I start and shutdown the
machine... I tried again to be sure and I can reproduce the issue. I will
inspect it further and open a Qubes issue if needed.

But, anyway, I changed my ProxyVM to use fedora template (still standalone):
Then, "network-manager" survives after reboot, but not the content in
"/etc/resolv.conf"... But, in fedora template this file has an interesting
hint:

# Generated by NetworkManager

I think this confirms my fears that /etc/resolv.conf should not be edited by
hand...

I tried then to edit file
/etc/NetworkManager/system-connections/qubes-uplink-eth0 and added OpenDNS
IPs in "[ipv4]" section but changes are lost after reboot (I'm not using
ethernet cable but wifi, but there is no other file. Furthermore, "ifconfig"
only shows loop and eth0, but I suppose there is some kind of delegation to
sys-net for that).

Re: [qubes-users] Configuring OpenDNS in Qubes
m...@lamarciana.com:
>> If I understand correctly, permanently changing /etc/resolv.conf in the
>> ProxyVM to show:
>>
>> nameserver 208.67.222.222
>> nameserver 208.67.220.220
>>
>> should achieve that in a standalone ProxyVM.
>
> Thanks for your answer. I thought that changing /etc/resolv.conf by hand was
> not recommended because some other programs can overwrite it. Anyway, I tried
> it and changes in /etc/resolv.conf in my standalone ProxyVM are lost once I
> reboot...
>

Are you using NetworkManager in that ProxyVM?

Re: [qubes-users] Configuring OpenDNS in Qubes
> If I understand correctly, permanently changing /etc/resolv.conf in the
> ProxyVM to show:
>
> nameserver 208.67.222.222
> nameserver 208.67.220.220
>
> should achieve that in a standalone ProxyVM.

Thanks for your answer. I thought that changing /etc/resolv.conf by hand was
not recommended because some other programs can overwrite it. Anyway, I tried
it and changes in /etc/resolv.conf in my standalone ProxyVM are lost once I
reboot...

Re: [qubes-users] Configuring OpenDNS in Qubes
m...@lamarciana.com:
> Hi,
>
> I'm trying to figure out how I can change my DNS settings for an
> AppVM. I'm relatively new to Qubes, so other related issues in this
> forum have clarified some ideas for me but I am still quite puzzled.
>
> This is what I have done so far:
>
> 1 - I have created a ProxyVM, which in turn connects to sys-firewall
> as NetVM. This ProxyVM uses debian-8 as template, because I'm
> following some tutorials on the Internet about networking stuff using
> kali linux (configuring OpenDNS is one part). This ProxyVM is a
> StandaloneVM in order to keep changes in /.
>
> 2 - I have added to it network-manager service
>
> 3 - I have edited /etc/dhcp/dhclient.conf in my ProxyVM and I have
> added the following line with OpenDNS IPs:
>
> prepend domain-name-servers 208.67.222.222, 208.67.220.220;
>
> 4 - I have connected my AppVM to this ProxyVM as NetVM.
>
> 5 - I have restarted my ProxyVM and my AppVM.
>
> Now, I thought /etc/resolv.conf in my AppVM and ProxyVM should have
> changed. But no, they still have:
>
> nameserver 10.137.5.1
> nameserver 10.137.5.254
>
> I see that my AppVM takes its /etc/dhcp/dhclient.conf from the
> ProxyVM, because that line is also added there.
>
> Going to https://dnsleaktest.com confirms that I'm still using my ISP
> DNS server.
>
> I guess that there is a way to do that without having to create a
> StandaloneVM for my ProxyVM, but I tried to do everything manually to
> learn how everything is tied. But anyway it doesn't work...
>
> Thanks!

If I understand correctly, permanently changing /etc/resolv.conf in the
ProxyVM to show:

nameserver 208.67.222.222
nameserver 208.67.220.220

should achieve that in a standalone ProxyVM.

Were it a TemplateBasedVM, you could have /rw/config/rc.local copy a file
containing the above two lines to /etc/resolv.conf on boot (replacing
/etc/resolv.conf), then call /usr/lib/qubes/qubes-setup-dnat-to-ns.

I haven't tested this myself on a standalone ProxyVM.

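The boot-time approach suggested in the message above, written out as an added example that is not part of the original thread: an rc.local that installs a saved resolver list and then calls the Qubes DNAT helper. The source file name /rw/config/resolv.conf.opendns is hypothetical, the environment-variable overrides exist only so the functions can be exercised outside a VM, and NetworkManager is assumed to be disabled in the ProxyVM.

```shell
#!/bin/sh
# /rw/config/rc.local for the ProxyVM (added example, not from the thread).
# Assumes NetworkManager is disabled in this VM, so nothing regenerates
# /etc/resolv.conf after boot.

RESOLV_SRC=${RESOLV_SRC:-/rw/config/resolv.conf.opendns}  # hypothetical file name
RESOLV_DST=${RESOLV_DST:-/etc/resolv.conf}
DNAT_HELPER=${DNAT_HELPER:-/usr/lib/qubes/qubes-setup-dnat-to-ns}
IPV4='([0-9]{1,3}\.){3}[0-9]{1,3}'   # shape check only, not a range check

# valid_resolv <file>: at least one "nameserver <IPv4>" line, and nothing
# else except comments and blank lines.
valid_resolv() {
    grep -Eq "^nameserver[[:space:]]+$IPV4\$" "$1" 2>/dev/null || return 1
    ! grep -Ev "^(#.*|[[:space:]]*|nameserver[[:space:]]+$IPV4)\$" "$1" | grep -q .
}

# apply_resolv <src> <dst>: install src as dst only if src validates.
# A rejected file leaves the existing resolver list untouched, so a typo
# in the source file does not replace a working configuration.
apply_resolv() {
    if ! valid_resolv "$1"; then
        echo "rc.local: $1 rejected, keeping $2" >&2
        return 1
    fi
    cmp -s "$1" "$2" && return 0    # already installed, nothing to do
    cp -- "$1" "$2"
}

# Only act where the Qubes helper exists (i.e. inside the ProxyVM).
if [ -x "$DNAT_HELPER" ] && [ -f "$RESOLV_SRC" ]; then
    # Refresh the DNAT redirection only after the new list is in place.
    apply_resolv "$RESOLV_SRC" "$RESOLV_DST" && "$DNAT_HELPER"
fi
```

The source file holds the two `nameserver` lines quoted in the message above, and rc.local has to be executable to run at boot.
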
[qubes-users] Configuring OpenDNS in Qubes
Hi,

I'm trying to figure out how I can change my DNS settings for an AppVM. I'm
relatively new to Qubes, so other related issues in this forum have clarified
some ideas for me but I am still quite puzzled.

This is what I have done so far:

1 - I have created a ProxyVM, which in turn connects to sys-firewall as NetVM.
This ProxyVM uses debian-8 as template, because I'm following some tutorials
on the Internet about networking stuff using kali linux (configuring OpenDNS is
one part). This ProxyVM is a StandaloneVM in order to keep changes in /.

2 - I have added to it network-manager service

3 - I have edited /etc/dhcp/dhclient.conf in my ProxyVM and I have added the
following line with OpenDNS IPs:

prepend domain-name-servers 208.67.222.222, 208.67.220.220;

4 - I have connected my AppVM to this ProxyVM as NetVM.

5 - I have restarted my ProxyVM and my AppVM.

Now, I thought /etc/resolv.conf in my AppVM and ProxyVM should have changed.
But no, they still have:

nameserver 10.137.5.1
nameserver 10.137.5.254

I see that my AppVM takes its /etc/dhcp/dhclient.conf from the ProxyVM,
because that line is also added there.

Going to https://dnsleaktest.com confirms that I'm still using my ISP DNS
server.

I guess that there is a way to do that without having to create a StandaloneVM
for my ProxyVM, but I tried to do everything manually to learn how everything
is tied. But anyway it doesn't work...

Thanks!