At the moment I am using DnsServiceVM as the NetVM for all my qubes:
```text
the Internet
- NetVM
- - FirewallVM
- - - DnsServiceVM
- - - - ClientVM1
- - - - .........

ClientVM <---> DnsServiceVM <---> FirewallVM <---> NetVM
```
Added firewall rules to DnsServiceVM:
- rc.local
```sh
# Run the DNS redirect rules, then allow DNAT to 127.0.0.1 for packets
# arriving on the vif interfaces (without this the kernel drops them)
sh /rw/config/dns.sh
sysctl -w net.ipv4.conf.all.route_localnet=1
```
- dns.sh
```sh
QUBES_DNS="10.139.1.1 10.139.1.2"   # fake DNS addresses Qubes hands to the clients
DNS=127.0.0.1                       # local resolver (stubby) in this VM

# Let the clients reach the local resolver over UDP and TCP
iptables -I INPUT -i vif+ -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i vif+ -p tcp --dport 53 -j ACCEPT

# Replace the stock Qubes DNS forwarding with a redirect to the local resolver
iptables --flush PR-QBS --table nat
for dns in ${QUBES_DNS}; do
    iptables --append PR-QBS --table nat --in-interface vif+ --protocol tcp --destination "${dns}" --dport 53 --jump DNAT --to-destination "${DNS}":53
    iptables --append PR-QBS --table nat --in-interface vif+ --protocol udp --destination "${dns}" --dport 53 --jump DNAT --to-destination "${DNS}":53
done
# DNAT terminates the chain, so these LOG rules only see port-53 traffic that
# was not redirected above (queries sent to some other server)
iptables --append PR-QBS --table nat --in-interface vif+ --protocol tcp --dport 53 --jump LOG --log-level 1 --log-prefix 'DNS Query: '
iptables --append PR-QBS --table nat --in-interface vif+ --protocol udp --dport 53 --jump LOG --log-level 1 --log-prefix 'DNS Query: '
```
With this configuration my ClientVMs work stably. But with it the attack surface increases, because an attack on a given domain puts all traffic at risk.
My actual question is how to arrive at a setup like this:
```text
- NetVM
- - FirewallVM
- - - FirewallDnsVM
- - - - ClientDnsVM
- - - - DnsServiceVM

ClientVM <---> FirewallDnsVM <---> FirewallVM <---> NetVM
                     ^
                     | (DNS traffic)
                     v
               DnsServiceVM
                     ^
                     |
                     v
                   Stubby
```
That is, FirewallVM accepts DNS traffic from the clients and redirects it to DnsServiceVM, which redirects it to the local resolver (stubby) service.
I tried different methods, but nothing good came out of it. I would be grateful for any help.
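As an added example (not part of the original post, and not a configuration the poster tested), here is how the redirect step in the FirewallDnsVM could be expressed when the resolver lives in a separate DnsServiceVM rather than on 127.0.0.1. The DNAT target becomes the DnsServiceVM's own address, so `route_localnet` is no longer needed, but the inter-VM FORWARD path has to be opened for port 53 only. The address 10.137.0.20, the `--print` switch and the function name are assumptions; the Qubes fake DNS addresses and the PR-QBS nat chain are the same ones the script above relies on. The script only prints the rules so they can be reviewed before being piped to a shell.

```sh
#!/bin/sh
# Added example, not the poster's script: generate the iptables rules a
# FirewallDnsVM would need to push client DNS to a separate DnsServiceVM.
# Assumptions: the Qubes fake DNS addresses and PR-QBS chain used above, and
# DNS_VM_IP as the DnsServiceVM's address (check the real one with
# `qvm-ls -n` in dom0). Rules are printed, not applied.

QUBES_DNS="${QUBES_DNS:-10.139.1.1 10.139.1.2}"   # addresses the clients resolve against
DNS_VM_IP="${DNS_VM_IP:-10.137.0.20}"             # assumed IP of DnsServiceVM

dns_redirect_rules() {
    # Start from an empty PR-QBS so the stock Qubes DNS forwarding is gone
    echo "iptables -t nat -F PR-QBS"

    # LOG before DNAT: DNAT terminates the chain, so a LOG appended after it
    # would only ever see queries that were not redirected
    for proto in udp tcp; do
        echo "iptables -t nat -A PR-QBS -i vif+ -p $proto --dport 53 -j LOG --log-level 1 --log-prefix 'DNS Query: '"
    done

    # Redirect each fake DNS address to the resolver VM instead of 127.0.0.1;
    # route_localnet is not needed because the target is a routable VM address
    for ip in $QUBES_DNS; do
        for proto in udp tcp; do
            echo "iptables -t nat -A PR-QBS -i vif+ -p $proto -d $ip --dport 53 -j DNAT --to-destination ${DNS_VM_IP}:53"
        done
    done

    # Qubes drops VM-to-VM forwarding by default; open only port 53 towards
    # the resolver VM so the clients cannot reach it on anything else
    for proto in udp tcp; do
        echo "iptables -I FORWARD -i vif+ -p $proto -d $DNS_VM_IP --dport 53 -j ACCEPT"
    done
}

# Usage:  sh dns-redirect.sh --print          (review the rules)
#         sh dns-redirect.sh --print | sh     (apply them as root in FirewallDnsVM)
case "${1:-}" in
    --print) dns_redirect_rules ;;
esac
```

With this layout the queries arrive in DnsServiceVM on its uplink interface (eth0), not on vif+, so the INPUT rule there and stubby's listen address must match that, and any DNAT to 127.0.0.1 inside DnsServiceVM would still need `route_localnet` on that VM.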