Configuring dns stubby (dot) in a separate AppVM

At the moment I am using DnsServiceVM as NetVM for all my qube`s:

the Internet
- NetVM
- - FirewallVM
- - - DnsServiceVM
- - - - ClientVM1
- - - - .........

ClientVM ← ― → DnsServiceVM ← ― → FirewallVM ← ― → NetVM

Added firewall rules to DnsServiceVM:

  1. rc.local
sh /rw/config/dns.sh
sysctl -w net.ipv4.conf.all.route_localnet = 1
  1. dns.sh

QUBES_DNS=“10.139.1.1 10.139.1.2”
DNS=127.0.0.1

iptables -I INPUT -i vif+ -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i vif+ -p tcp --dport 53 -j ACCEPT

iptables --flush PR-QBS --table nat

for QUBES_DNS in ${QUBES_DNS} ; do

iptables --append PR-QBS --table nat --in-interface vif+ --protocol tcp --destination “{QUBES_DNS}" --dport 53 --jump DNAT --to-destination "{DNS}”:53
iptables --append PR-QBS --table nat --in-interface vif+ --protocol udp --destination “{QUBES_DNS}" --dport 53 --jump DNAT --to-destination "{DNS}”:53

done

iptables --append PR-QBS --table nat --in-interface vif+ --protocol tcp --dport 53 --jump LOG --log-level 1 --log-prefix 'DNS Query: ’
iptables --append PR-QBS --table nat --in-interface vif+ --protocol udp --dport 53 --jump LOG --log-level 1 --log-prefix 'DNS Query: ’

With this configuration, my ClientVMs work stably. But in this configuration, the attack surface increases because an attack on a given domain puts all traffic at risk.

Actually my question is how to come to such a solution:

- NetVM
- - FirewallVM
- - - FirewallDnsVM
- - - - ClientDnsVM
- - - - DnsServiceVM

ClientVM ← ― → FirewallDnsVM ← ― → FirewallVM ← ― → NetVM 
                  ↑ 
                  ❘ (DNS traffic)
                  ↓
             DnsServiceVM
                  ↑ 
                  ❘ 
                  ↓
                Stubby

That is, FirewallVM accepts DNS traffic from clients and redirects them to DnsServiceVM, which redirects to the local resolver(stubby) service.
I tried different methods, but nothing good came out :slight_smile: I would be grateful for any help.