Configure Qubes disp sys-net to direct traffic through Cloudflare

I am trying to figure out how I can set up my disp sys-net to persistently route all connections through Cloudflare's 1.1.1.1 and 1.0.0.1. I came across a few articles, but none that directly related to my issue here. I also saw that Qubes does not use an unencrypted DNS by default. Is that correct, and if so, what do they use? And why not implement Cloudflare by default? If you can, provide the steps necessary.

Qubes doesn’t provide anything DNS-wise by itself. sys-net, which runs network manager, uses what your router provides via DHCP. If your router DNS is set to 1.1.1.1/1.0.0.1, sys-net will use that. If you want to use encrypted DNS, you should set it up in a separate qube with something like dnscrypt.

There is no way to configure DNS in the template VM for the disposable sys-net? I wanted to avoid creating a whole other proxy VM for this. Odd that Qubes doesn't encrypt DNS traffic by default, no?

You can control the network DNS with nmcli, but it will only use classic DNS servers, not encrypted ones. An if condition can be made inside the sys-net disposable template in /rw/config/rc.local like this:

# Set network manager connection name
nmname="Wired connection 1"
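# Name of the qube this script is running in
qube=$(qubesdb-read /name)

# Only apply in sys-net; "=" is the portable test operator ("==" fails under plain sh)
if [ "$qube" = "sys-net" ]; then
    nmcli connection modify "$nmname" ipv4.dns "1.1.1.1,1.0.0.1"
fi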

You may need to add a sleep or a while loop before the condition to allow Network Manager to edit the DNS after the connection is made.

Qubes doesn’t force anything on users. It’s up to them to set up what they want.
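
The rc.local approach from the reply above, with the suggested wait loop written out, as an added example that is not part of the original thread: it waits for the connection profile to appear, sets the DNS servers, and reactivates the connection. The `ipv4.ignore-auto-dns` setting, the retry counts and the function names are assumptions added here; the connection name is the one from the post.

```shell
#!/bin/sh
# Added example (not from the thread): pin classic DNS servers on sys-net only.
NM_NAME="${NM_NAME:-Wired connection 1}"      # connection name from the post; adjust to yours
DNS_SERVERS="${DNS_SERVERS:-1.1.1.1,1.0.0.1}"
TARGET_QUBE="${TARGET_QUBE:-sys-net}"
WAIT_TRIES="${WAIT_TRIES:-30}"                # assumption: poll up to 30 times
WAIT_DELAY="${WAIT_DELAY:-2}"                 # assumption: 2 seconds between polls

# Return 0 once NetworkManager lists the connection profile, 1 on timeout.
wait_for_connection() {
    tries=0
    while [ "$tries" -lt "$WAIT_TRIES" ]; do
        if nmcli -t -f NAME connection show 2>/dev/null | grep -Fxq "$NM_NAME"; then
            return 0
        fi
        tries=$((tries + 1))
        sleep "$WAIT_DELAY"
    done
    return 1
}

# Return 0 when DNS was set, 1 on failure, 2 when this qube is not the target.
apply_dns() {
    [ "$(qubesdb-read /name)" = "$TARGET_QUBE" ] || return 2
    wait_for_connection || return 1
    # ignore-auto-dns is an addition here: without it the DHCP-provided
    # resolvers are still used alongside the ones set below.
    nmcli connection modify "$NM_NAME" \
        ipv4.dns "$DNS_SERVERS" ipv4.ignore-auto-dns yes || return 1
    # Reactivate so the modified profile takes effect on the live connection.
    nmcli connection up "$NM_NAME" >/dev/null || return 1
}

# Run only where both tools exist (i.e. inside a Qubes network qube).
if command -v nmcli >/dev/null 2>&1 && command -v qubesdb-read >/dev/null 2>&1; then
    apply_dns || echo "rc.local: DNS not applied (status $?)" >&2
fi
```

This still sends plain, unencrypted DNS queries to the configured servers; it only changes which resolvers sys-net uses.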