I want to enable DNS over TLS for all my qubes (yes, also the disposable qubes) that don’t use sys-whonix for their internet access. I have only the Debian template installed in QubesOS and therefore it is my default template.
So my plan is to do this:
Open the terminal of the Debian template, install systemd-resolve and enable it with this:
Then I would edit /etc/systemd/resolved.conf with sudo nano /etc/systemd/resolved.conf, so that in the end only this doesn’t contain the “#” (with “exampleIpAddress#exampleName.com” changed, of course, to the real server IP and name of the DNS server that I will use):
Then I would do sudo systemctl restart systemd-networkd and sudo systemctl restart systemd-resolved.
My questions:
A: Will this work?
B: MORE IMPORTANTLY, is this somehow a security risk? I’m actually a noob and usually don’t even use the terminal, so I definitely don’t know much about the network stuff, and I certainly don’t know anything about how networking works in QubesOS, especially the security implications there, if I would do what I mentioned above.
Probably not, because of the way DNS is handled in QubesOS.
Try to read this previous topic on the same subject (with links to even older topics).
All in all, if you want to go this way with your DNS, and are a (self-professed) noob, probably the best bet is to install @unman’s tools and sys-pihole from there.
Well, I tried my plan that I mentioned in my first post on a disposable template, and it did work there without any problems, except that after shutting down the disposable template the new settings don’t persist. But that is just how Qubes works.
So if I would do the same in the normal/standard Debian template, why shouldn’t it work? And the new DNS settings should then be inherited by all the other app qubes that are based on that Debian template, or not?
Again, I’m a noob, not an expert, so I don’t even know how to do what you mentioned, but I can say two things:
The DNS server I’m using only accepts an encrypted connection, otherwise the DNS server blocks you. So if I got a connection to that server, that already means that something is working right.
I did DNS tests with my clearnet Firefox on several websites that test for DNS, and I always got the server I put in the “/etc/systemd/resolved.conf”.
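For reference, a resolved.conf that matches the plan in the first post and the checks in the follow-up, as an added example rather than the poster’s actual file (the server address and hostname are placeholders to be replaced with the real provider’s values). The hostname after `#` is what lets systemd-resolved verify the server certificate, and `DNSOverTLS=yes` refuses to fall back to plaintext, unlike `opportunistic`:

```ini
# /etc/systemd/resolved.conf (example file, placeholder server values)
[Resolve]
# address#hostname: the hostname is sent as TLS SNI and checked against the
# server certificate. Without it, resolved encrypts but cannot authenticate
# the server it is talking to.
DNS=198.51.100.53#dot.example.net
# 'yes' is strict: if the TLS handshake fails, the lookup fails.
# 'opportunistic' would silently downgrade to plaintext UDP/TCP port 53.
DNSOverTLS=yes
# Empty value: never fall back to the compiled-in plaintext servers.
FallbackDNS=
# Route every lookup to the servers above instead of any per-link
# resolvers the qube's network setup hands out.
Domains=~.
```

After `sudo systemctl restart systemd-resolved`, `resolvectl status` should list the configured server under “DNS Servers” and show `+DNSOverTLS` in the Protocols line.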