One thing that caught my eye in your earlier nft rules: chain antispoor
(not antispoof). That’s irrelevant to your current problem, just FYI.
Re. the main issue:

> dnscrypt-proxy is running but not responding to queries.
If you are able to resolve names in sys-dns, then it is responding to queries. It seems packets are not forwarded correctly somewhere.
But let’s please clarify the actual task and problem. You say there is no DNS resolution in sys-wall. First, I would ask myself - is it necessary in sys-wall at all? The goal is to use it in client VMs, e.g. AppVMs.
Perhaps try this in sys-wall’s DVM template:

1. Remove any `nft` commands from `/rw/config/rc.local` and any other firewall customizations you may have.
2. Create an executable `/rw/config/qubes-firewall.d/90-dnscrypt.nft`:

   ```nft
   #!/usr/sbin/nft -f

   # Replace the string with the IP address of your sys-dns qube.
   define sys_dns_addr = "IP address of your sys-dns qube"

   # Address ranges Qubes assigns to qubes.
   define qubes_internal_ipv4_addr = {
       10.137.0.0/16,
       10.138.0.0/16
   }

   # Start from a clean state: empty the Qubes-provided custom-forward chain
   # and drop any old copy of our DNAT chain (add + delete avoids an error
   # when the chain does not exist yet).
   flush chain ip qubes custom-forward
   add chain ip qubes custom-dnat-dns
   delete chain ip qubes custom-dnat-dns

   table ip qubes {
       chain custom-forward {
           # Allow DNS from downstream qubes (iifgroup 2 = vif* interfaces).
           # The DNAT below has already rewritten the destination by this point.
           iifgroup 2 \
           ip saddr $qubes_internal_ipv4_addr \
           meta l4proto { tcp, udp } th dport 53 \
           log prefix "[forward] " level debug \
           accept
       }

       chain custom-dnat-dns {
           # Hooked just before Qubes' own dstnat chain.
           type nat hook prerouting priority dstnat - 1
           policy accept
           # Traffic not originating from the resolver goes to it
           iifgroup 2 \
           ip saddr != $sys_dns_addr \
           meta l4proto { tcp, udp } th dport 53 \
           log prefix "[dnat] " level debug \
           dnat to $sys_dns_addr
       }
   }
   ```

3. Shut down sys-wall’s DVM and sys-wall.
4. Create an AppVM which uses sys-wall as netvm.
5. After rebooting sys-wall, `journalctl -f` (as root) will show you what is actually happening in real time when you attempt DNS resolution. If everything works (i.e. if you have DNS resolution in the client AppVM), you can remove the lines starting with `log`. You can use similar logging in your sys-dns if you want.

Play with this, see what happens, and if it doesn’t work, post what the journal shows.
A few remarks:

- I am not using DNSCrypt currently. Just trying to help.
- FYI, you can also test if a service is reachable like this: `nc -zvw <seconds> <host> <port>`
- No need to post the output of `nft list table ip qubes`, as `nft list ruleset` contains all tables.
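Added example, not from the original post: a small Python script that reads the kernel log lines produced by the `[forward]` and `[dnat]` rules in the nft file above and flags two failure modes, a DNS packet that reached custom-forward without being rewritten to the resolver (the forward hook runs after prerouting DNAT, so DST should already be the resolver's address) and a query from the resolver itself that hit the DNAT rule (meaning `sys_dns_addr` does not match sys-dns's real address). The resolver address and the journal lines are constructed for the example.

```python
import re

# Constructed for this example: the address defined as sys_dns_addr in the nft file.
SYS_DNS_ADDR = "10.137.0.50"

# Constructed journal lines in the key=value format the kernel uses for nft `log` rules.
# Line 3: DNS packet reached custom-forward without DNAT. Line 4: resolver's own query was DNATed.
SAMPLE_JOURNAL = """\
Jan 01 12:00:00 sys-wall kernel: [dnat] IN=vif12.0 OUT= MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.21 DST=10.139.1.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=UDP SPT=40001 DPT=53 LEN=41
Jan 01 12:00:00 sys-wall kernel: [forward] IN=vif12.0 OUT=eth0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.21 DST=10.137.0.50 LEN=61 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=40001 DPT=53 LEN=41
Jan 01 12:00:01 sys-wall kernel: [forward] IN=vif12.0 OUT=eth0 MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:00:08:00 SRC=10.137.0.21 DST=10.139.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40002 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 01 12:00:02 sys-wall kernel: [dnat] IN=vif13.0 OUT= MAC=fe:ff:ff:ff:ff:ff:00:16:3e:5e:6c:01:08:00 SRC=10.137.0.50 DST=9.9.9.9 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=UDP SPT=40003 DPT=53 LEN=41
"""

LOG_RE = re.compile(r"kernel: \[(?P<tag>\w+)\] (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return {'tag': ..., 'SRC': ..., 'DST': ..., ...} for an nft log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    entry = dict(KV_RE.findall(m.group("fields")))  # flag-only tokens like DF/SYN are skipped
    entry["tag"] = m.group("tag")
    return entry


def check_dns_path(journal_text, sys_dns_addr=SYS_DNS_ADDR):
    """Return (ok_count, problems); each problem is (tag, src, dst, reason)."""
    ok, problems = 0, []
    for entry in filter(None, map(parse_line, journal_text.splitlines())):
        if entry.get("DPT") != "53":
            continue  # only port-53 traffic is of interest here
        tag, src, dst = entry["tag"], entry.get("SRC"), entry.get("DST")
        if tag == "dnat" and src == sys_dns_addr:
            # The `ip saddr != $sys_dns_addr` exclusion did not match: the resolver is being looped.
            problems.append((tag, src, dst, "resolver's own query hit the DNAT rule; check sys_dns_addr"))
        elif tag == "forward" and src != sys_dns_addr and dst != sys_dns_addr:
            # forward runs after prerouting, so DST should already be the resolver here.
            problems.append((tag, src, dst, "DNS packet forwarded without DNAT to the resolver"))
        else:
            ok += 1
    return ok, problems


if __name__ == "__main__":
    ok, problems = check_dns_path(SAMPLE_JOURNAL)
    print(f"{ok} DNS packets took the expected path")
    for tag, src, dst, reason in problems:
        print(f"[{tag}] {src} -> {dst}: {reason}")
```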