So far the only solution I’ve seen that I know is converted for nft so I can use it on 4.2.
Please note that I’ve never tested them on 4.2 - just on 4.1 so far.
They should work on 4.2 as well though. Let me know, if not.
Thanks again!
You’re very welcome!
Thank you @qubist for this great guide!
I am a beginner and I just followed your instructions.
Everything was straightforward except this part:
Even though I didn’t touched the toml file, your solution worked.
But your ‘host google-analytics.com’ test failed for me. The site wasn’t blocked, even though I put the line "google-analytics* in blocked-names.txt.
I don’t know if it is because of this toml file.
Could you please give more details on what to put exactly in the [sources] section of the toml file?
Thank you very much for your prompt reply @qubist !
Most probably my message was too big and not clear, sorry.
If you could ellaborate the mentioned part, it would be immensely helpful
“This directory” means /run/dnscrypt-proxy, as in the command:
useradd --system --home /run/dnscrypt-proxy --shell /bin/false --gid dnscrypt
In /etc/dnscrypt-proxy/dnscrypt-proxy.toml there is a section named [sources]. Each subsection of it has a line cache_file = <value> . What you quote means that the value should be a path in /run if you want these stored in RAM, e.g. for [sources.public-resolvers]:
cache_file = '/run/dnscrypt-proxy/public-resolvers.md'
@qubist thank you for your clear answers!
I wanted to ask you about IP addresses in the script /rw/config/rc.local of f37-m-firewall-dvm.
The IP addresses 10.139.1.1 and 10.139.1.2 are more or less clear from your answer elsewhere:
What about the following IP address? Should I adapt it according to IPs of my VMs? If yes, to which one? If no, what does it represent?
10.138.26.87 is sys-dns IP.
You can replace:
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p udp --dport 53 -j DNAT --to-destination 10.138.26.87
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p tcp --dport 53 -j DNAT --to-destination 10.138.26.87
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p udp --dport 53 -j DNAT --to-destination 10.138.26.87
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p tcp --dport 53 -j DNAT --to-destination 10.138.26.87
With universal:
sys-dns_ip=$(/usr/bin/qubesdb-read /qubes-gateway)
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p udp --dport 53 -j DNAT --to-destination $sys-dns_ip
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p tcp --dport 53 -j DNAT --to-destination $sys-dns_ip
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p udp --dport 53 -j DNAT --to-destination $sys-dns_ip
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p tcp --dport 53 -j DNAT --to-destination $sys-dns_ip
@apparatus Thank you for your answer!
Yes, I did put the IP address of my sys-dns like you indicated here.
My problem is I couldn’t obtain the same result as in the test of @qubist therefore I am double checking everything:
even though *google-analytics* is in the blocked-names.txt.
In a qube attached to sys-wall, I am obtaining the following, which is not normal:
[user@avm ~]$ host google-analytics.com
google-analytics.com has address 142.250.75.228
google-analytics.com has IPv6 address 2a00:1450:4007:810::2004
because in sys-dns I am getting:
[user@sys-dns ~]$ host google-analytics.com
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"```Is the netvm of your sys-wall set to sys-dns?
Yes, I did in dom0:
And here is the content of /rw/config/rc.local of f37-m-firewall-dvm:
#!/bin/sh
# This script will be executed at every VM startup, you can place your own
# custom commands here. This includes overriding some configuration in /etc,
# starting services etc.
ipt='usr/sbin/iptables'
"${ipt}" -t nat -F PR-QBS
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p udp --dport 53 -j DNAT --to-destination 10.138.x.x
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p tcp --dport 53 -j DNAT --to-destination 10.138.x.x
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p udp --dport 53 -j DNAT --to-destination 10.138.x.x
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p tcp --dport 53 -j DNAT --to-destination 10.138.x.x
"${ipt}" -t nat -A PR-QBS -p udp --dport 53 -j DNAT --to-destination 0.0.0.0
"${ipt}" -t nat -A PR-QBS -p tcp --dport 53 -j DNAT --to-destination 0.0.0.0
where 10.138.x.x is the IP address of my sys-dns.
What is wrong with the script?
On second thought, I don’t thing sys-wall is even needed in your setup because you’re already redirecting the DNS traffic to dnscrypt-proxy in sys-dns and there is no point in blocking the DNS requests to non-virtual DNS servers in separate firewall qube.
You can just do the blocking in sys-dns.
I attached sys-dns directly to a qube. In this qube I am getting:
[user@avm ~]$ host google-analytics.com
google-analytics.com has address 142.250.75.228
google-analytics.com has IPv6 address 2a00:1450:4007:810::2004
which is strange because in sys-dns I am getting:
[user@sys-dns ~]$ host google-analytics.com
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"```
[/quote]
Are you using Qubes OS 4.1 or Qubes OS 4.2?
What’s the output of this command in sys-dns?
sudo iptables -t nat -nvL PR-QBS
@apparatus I’m using Qubes OS 4.2 ( 4.2.0-rc5 testing release, is the problem because of this?)
I also use fedora-38-minimal template for net.
The sudo command in sys-dns demands a password. I don’t know what passport should I use? Do the minimal templates have a default password?
The Qubes OS 4.2 is no longer using iptables and now uses nftables instead:
You’ll need to convert the iptables commands to nftables.
@apparatus Thank you for your suggestions, but I have no idea how to do it.
I hope somebody will update the guide for 4.2 please
I asked a LLM (phind) to convert iptables to nftables. Here is what it gave me:
sysctl -w net.ipv4.conf.all.route_localnet=1
nft add table ip filter
nft add chain ip filter INPUT { type filter hook input priority 0 \; }
nft add rule ip filter INPUT iifname "vif+" ip daddr 127.0.0.1 ip protocol tcp tcp dport 53 counter accept
nft add rule ip filter INPUT iifname "vif+" ip daddr 127.0.0.1 ip protocol udp udp dport 53 counter accept
nft add chain ip filter FORWARD { type filter hook forward priority 0 \; }
nft add rule ip filter FORWARD iifname "vif+" ip daddr 127.0.0.1 ip protocol tcp tcp dport 53 counter drop
nft add rule ip filter FORWARD iifname "vif+" ip daddr 127.0.0.1 ip protocol udp udp dport 53 counter drop
nft add table ip nat
nft add chain ip nat PR-QBS { type nat hook prerouting priority 0 \; }
nft add rule ip nat PR-QBS ip dport 53 udp dnat 127.0.0.1
nft add rule ip nat PR-QBS ip dport 53 tcp dnat 127.0.0.1
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
echo 'options edns0' >> /etc/resolv.conf
ln -s /rw/dnscrypt-proxy /etc/dnscrypt-proxy
systemctl start dnscrypt-proxy.service
Aren’t those commands nonsense?
I’ll try it tomorrow
It’s not gonna work for Qubes OS.
You can check this for examples of converting iptables to nftables: