Advice for Sys-firewall DNS issue?

I opened this issue on github:

Does anyone have any advice for this issue? Maybe a simple workaround, or some command in sys-net to turn the virtual DNS daemon on after start?

I keep running into this issue and need to restart multiple times before the virtual DNS syncs to sys-firewall.

Can you post the output of these commands in sys-net and sys-firewall when this issue happens?

qubesdb-read /qubes-primary-dns /qubes-secondary-dns /qubes-netvm-primary-dns /qubes-netvm-secondary-dns
cat /etc/resolv.conf
cat /var/run/qubes/qubes-ns
sudo nft list ruleset

The qubes DNS IPs, resolv.conf, and qubes-ns all show the correct primary and secondary nameservers, 10.139.1.1 and 10.139.1.2 respectively.

I’ll post the nft ruleset shortly.

The problem isn't that it never works, but that it works sporadically, with the differentiator being the timing of sys-firewall startup relative to the sys-net network manager.

I’m also getting this. Pinging cnn.com from sys-firewall hangs. Pinging 8.8.8.8 works as expected. Pinging cnn.com works from sys-net.

4.2.0-rc4

Can you post the output of these commands in sys-net and sys-firewall?

qubesdb-read /qubes-primary-dns /qubes-secondary-dns /qubes-netvm-primary-dns /qubes-netvm-secondary-dns
cat /etc/resolv.conf
cat /var/run/qubes/qubes-ns
sudo nft list ruleset

Specifically nft rules are of interest.

nft ruleset:

table ip qubes {
	set downstream {
		type ipv4_addr
		elements = { 10.138.37.115 }
	}

	set allowed {
		type ifname . ipv4_addr
		elements = { "vif36.0" . 10.138.37.115 }
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifgroup 2 goto antispoof
		ip saddr @downstream counter packets 0 bytes 0 drop
	}

	chain antispoof {
		iifname . ip saddr @allowed accept
		counter packets 0 bytes 0 drop
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifgroup 2 accept
		oif "lo" accept
		masquerade
	}

	chain input {
		type filter hook input priority filter; policy drop;
		jump custom-input
		ct state invalid counter packets 0 bytes 0 drop
		iifgroup 2 udp dport 68 counter packets 0 bytes 0 drop
		ct state established,related accept
		iifgroup 2 meta l4proto icmp accept
		iif "lo" accept
		iifgroup 2 counter packets 0 bytes 0 reject with icmp host-prohibited
		counter packets 0 bytes 0
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		jump custom-forward
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		oifgroup 2 counter packets 0 bytes 0 drop
	}

	chain custom-input {
	}

	chain custom-forward {
	}

	chain dnat-dns {
		type nat hook prerouting priority dstnat; policy accept;
		ip daddr 10.139.1.1 udp dport 53 chat dnat to 192.169.1.1
		ip daddr 10.139.1.1 tcp dport 53 chat dnat to 192.169.1.1
	}
}
table ip6 qubes {
	set downstream {
		type ipv6_addr
	}

	set allowed {
		type ifname . ipv6_addr
	}

	chain antispoof {
		iifname . ip6 saddr @allowed accept
		counter packets 0 bytes 0 drop
	}

	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifgroup 2 goto antispoof
		ip6 saddr @downstream counter packets 0 bytes 0 drop
	}

	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifgroup 2 accept
		oif "lo" accept
		masquerade
	}

	chain _icmpv6 {
		meta l4proto != ipv6-icmp counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
		icmpv6 type { nd-router-advert, nd-redirect } counter packets 0 bytes 0 drop
		accept
	}

	chain input {
		type filter hook input priority filter; policy drop;
		jump custom-input
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		iifgroup 2 goto _icmpv6
		iif "lo" accept
		ip6 saddr fe80::/64 ip6 daddr fe80::/64 udp dport 546 accept
		meta l4proto ipv6-icmp accept
		counter packets 0 bytes 0
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		oifgroup 2 counter packets 0 bytes 0 drop
	}

	chain custom-input {
	}

	chain custom-forward {
	}
}

I don’t have copy-from-minimal-template installed. This should be the standard nft ruleset. Nothing was changed by me.

To reiterate, I believe this to be a problem with the virtual DNS daemon in sys-net.

Is 192.169.1.1 your real DNS server IP? Shouldn’t it be 192.168.1.1?
Do you have nameserver 192.169.1.1 in /etc/resolv.conf as well?

There is no such thing as a virtual DNS daemon; all of it is done by using firewall rules in the dnat-dns chain.
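Since the DNS forwarding is nothing but the dnat-dns rules, the quickest way to tell whether a given boot came up right is to compare the DNAT targets in the ruleset against the nameservers in /etc/resolv.conf of the same qube: in sys-net the targets should be the real upstream servers, in sys-firewall they should be its netvm's 10.139.1.x addresses. The script below is an added example written for this thread, not something from Qubes itself. It embeds constructed sample inputs (a resolv.conf with 192.168.1.1/192.168.1.2 and a dnat-dns chain pointing at 192.169.1.1, mirroring the mismatch asked about above) and, when run with --live inside a qube, reads the real /etc/resolv.conf and `sudo nft list ruleset` instead. The function names and the --live flag are my own choices.

```shell
#!/bin/sh
# Consistency check between the dnat-dns chain and /etc/resolv.conf.
# Constructed sample inputs (not captured from the thread's machine):
SAMPLE_RESOLV='nameserver 192.168.1.1
nameserver 192.168.1.2'

# A dnat-dns chain whose target does not match resolv.conf (192.169 vs 192.168).
SAMPLE_DNAT_BAD='ip daddr 10.139.1.1 udp dport 53 dnat to 192.169.1.1
ip daddr 10.139.1.1 tcp dport 53 dnat to 192.169.1.1'

# The same chain with the target corrected.
SAMPLE_DNAT_OK='ip daddr 10.139.1.1 udp dport 53 dnat to 192.168.1.1
ip daddr 10.139.1.1 tcp dport 53 dnat to 192.168.1.1
ip daddr 10.139.1.2 udp dport 53 dnat to 192.168.1.2
ip daddr 10.139.1.2 tcp dport 53 dnat to 192.168.1.2'

# extract_dnat_targets RULESET: print each distinct "dnat to X" address.
extract_dnat_targets() {
	printf '%s\n' "$1" | sed -n 's/.*dport 53 .*dnat to \([0-9.]*\).*/\1/p' | sort -u
}

# resolv_nameservers RESOLVCONF: print each distinct nameserver address.
resolv_nameservers() {
	printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }' | sort -u
}

# count_dns_rules RULESET: number of port-53 DNAT rules present.
count_dns_rules() {
	printf '%s\n' "$1" | grep -c 'dport 53 .*dnat to'
}

# check_dns_dnat RESOLVCONF RULESET: exit 0 when every DNAT target is a
# nameserver from resolv.conf and at least one rule exists, else exit 1.
check_dns_dnat() {
	resolv="$1"; ruleset="$2"; rc=0
	if [ "$(count_dns_rules "$ruleset")" -eq 0 ]; then
		echo "MISSING: no port-53 DNAT rules; DNS from downstream qubes cannot be forwarded" >&2
		return 1
	fi
	for target in $(extract_dnat_targets "$ruleset"); do
		if resolv_nameservers "$resolv" | grep -qx "$target"; then
			echo "OK: DNAT target $target is a nameserver in resolv.conf"
		else
			echo "MISMATCH: DNAT target $target is not a nameserver in resolv.conf" >&2
			rc=1
		fi
	done
	return $rc
}

if [ "${1:-}" = "--live" ]; then
	# Run inside sys-net or sys-firewall: use the real files.
	check_dns_dnat "$(cat /etc/resolv.conf)" "$(sudo nft list ruleset)"
else
	# Offline demo on the constructed samples: the first should fail, the second pass.
	check_dns_dnat "$SAMPLE_RESOLV" "$SAMPLE_DNAT_BAD" || echo "sample 1: inconsistent (expected)"
	check_dns_dnat "$SAMPLE_RESOLV" "$SAMPLE_DNAT_OK" && echo "sample 2: consistent"
fi
```

Run it with --live in sys-net and then in sys-firewall right after a boot where cnn.com fails to resolve; if sys-net reports MISSING or MISMATCH while its resolv.conf is correct, the rules were generated before NetworkManager had an upstream, which fits the timing dependence described above.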

@apparatus I appreciate the help, but I don’t think you can reproduce the issue. This has nothing to do with firewall rules. Everything works ~ sometimes. It depends on the timing of the sys-firewall startup with the sys-net startup. Thanks for the help, though.

It may be the network manager application.

Only DNS resolution is not working? Can you ping/curl IPs in sys-firewall when this issue happens?