[guide] how-to setup a sys-dns qube

“This directory” means /run/dnscrypt-proxy, as in the command:

useradd --system --home /run/dnscrypt-proxy --shell /bin/false --gid dnscrypt

In /etc/dnscrypt-proxy/dnscrypt-proxy.toml there is a section named [sources]. Each subsection of it has a line cache_file = <value> . What you quote means that the value should be a path in /run if you want these stored in RAM, e.g. for [sources.public-resolvers]:

cache_file = '/run/dnscrypt-proxy/public-resolvers.md'
1 Like

@qubist thank you for your clear answers!

I wanted to ask you about IP addresses in the script /rw/config/rc.local of f37-m-firewall-dvm.
The IP addresses 10.139.1.1 and 10.139.1.2 are more or less clear from your answer elsewhere:

What about the following IP address? Should I adapt it according to IPs of my VMs? If yes, to which one? If no, what does it represent?

10.138.26.87 is sys-dns IP.
You can replace:

"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p udp --dport 53 -j DNAT --to-destination 10.138.26.87
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p tcp --dport 53 -j DNAT --to-destination 10.138.26.87
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p udp --dport 53 -j DNAT --to-destination 10.138.26.87
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p tcp --dport 53 -j DNAT --to-destination 10.138.26.87

With universal:

sys-dns_ip=$(/usr/bin/qubesdb-read /qubes-gateway)
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p udp --dport 53 -j DNAT --to-destination $sys-dns_ip
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p tcp --dport 53 -j DNAT --to-destination $sys-dns_ip
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p udp --dport 53 -j DNAT --to-destination $sys-dns_ip
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p tcp --dport 53 -j DNAT --to-destination $sys-dns_ip
1 Like

@apparatus Thank you for your answer!
Yes, I did put the IP address of my sys-dns like you indicated here.

My problem is I couldn’t obtain the same result as in the test of @qubist therefore I am double checking everything:

even though *google-analytics* is in the blocked-names.txt.

In a qube attached to sys-wall, I am obtaining the following, which is not normal:

[user@avm ~]$ host google-analytics.com
google-analytics.com has address 142.250.75.228
google-analytics.com has IPv6 address 2a00:1450:4007:810::2004

because in sys-dns I am getting:

[user@sys-dns ~]$ host google-analytics.com
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"```

Nice! Thank you @apparatus!

Is the netvm of your sys-wall set to sys-dns?

Yes, I did in dom0:

And here is the content of /rw/config/rc.local of f37-m-firewall-dvm:

#!/bin/sh

# This script will be executed at every VM startup, you can place your own
# custom commands here. This includes overriding some configuration in /etc,
# starting services etc.

ipt='usr/sbin/iptables'

"${ipt}" -t nat -F PR-QBS
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p udp --dport 53 -j DNAT --to-destination 10.138.x.x
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p tcp --dport 53 -j DNAT --to-destination 10.138.x.x

"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p udp --dport 53 -j DNAT --to-destination 10.138.x.x
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p tcp --dport 53 -j DNAT --to-destination 10.138.x.x


"${ipt}" -t nat -A PR-QBS -p udp --dport 53 -j DNAT --to-destination 0.0.0.0
"${ipt}" -t nat -A PR-QBS -p tcp --dport 53 -j DNAT --to-destination 0.0.0.0

where 10.138.x.x is the IP address of my sys-dns.
What is wrong with the script?

On second thought, I don’t thing sys-wall is even needed in your setup because you’re already redirecting the DNS traffic to dnscrypt-proxy in sys-dns and there is no point in blocking the DNS requests to non-virtual DNS servers in separate firewall qube.
You can just do the blocking in sys-dns.

I attached sys-dns directly to a qube. In this qube I am getting:

[user@avm ~]$ host google-analytics.com
google-analytics.com has address 142.250.75.228
google-analytics.com has IPv6 address 2a00:1450:4007:810::2004

which is strange because in sys-dns I am getting:

[user@sys-dns ~]$ host google-analytics.com
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"```

[/quote]

Are you using Qubes OS 4.1 or Qubes OS 4.2?
What’s the output of this command in sys-dns?

sudo iptables -t nat -nvL PR-QBS

@apparatus I’m using Qubes OS 4.2 ( 4.2.0-rc5 testing release, is the problem because of this?)
I also use fedora-38-minimal template for net.
The sudo command in sys-dns demands a password. I don’t know what passport should I use? Do the minimal templates have a default password?

The Qubes OS 4.2 is no longer using iptables and now uses nftables instead:

You’ll need to convert the iptables commands to nftables.

@apparatus Thank you for your suggestions, but I have no idea how to do it.
I hope somebody will update the guide for 4.2 please

I asked a LLM (phind) to convert iptables to nftables. Here is what it gave me:

sysctl -w net.ipv4.conf.all.route_localnet=1
nft add table ip filter
nft add chain ip filter INPUT { type filter hook input priority 0 \; }
nft add rule ip filter INPUT iifname "vif+" ip daddr 127.0.0.1 ip protocol tcp tcp dport 53 counter accept
nft add rule ip filter INPUT iifname "vif+" ip daddr 127.0.0.1 ip protocol udp udp dport 53 counter accept
nft add chain ip filter FORWARD { type filter hook forward priority 0 \; }
nft add rule ip filter FORWARD iifname "vif+" ip daddr 127.0.0.1 ip protocol tcp tcp dport 53 counter drop
nft add rule ip filter FORWARD iifname "vif+" ip daddr 127.0.0.1 ip protocol udp udp dport 53 counter drop
nft add table ip nat
nft add chain ip nat PR-QBS { type nat hook prerouting priority 0 \; }
nft add rule ip nat PR-QBS ip dport 53 udp dnat 127.0.0.1
nft add rule ip nat PR-QBS ip dport 53 tcp dnat 127.0.0.1


echo 'nameserver 127.0.0.1' > /etc/resolv.conf
echo 'options edns0' >> /etc/resolv.conf
ln -s /rw/dnscrypt-proxy /etc/dnscrypt-proxy
systemctl start dnscrypt-proxy.service

Aren’t those commands nonsense?
I’ll try it tomorrow

It’s not gonna work for Qubes OS.
You can check this for examples of converting iptables to nftables:

1 Like

look at the documentation for Passwordless Root

1 Like

I converted @qubist’s iptables rules to support Qubes 4.2 nftables. I did some quick tests and it seems to work, tell me if something is not working properly.

sys-dns
#!/bin/sh

# This script will be executed at every VM startup, you can place your own
# custom commands here. This includes overriding some configuration in /etc,
# starting services etc.

nft='/usr/sbin/nft'

# allow redirects to localhost
/usr/sbin/sysctl -w net.ipv4.conf.all.route_localnet=1
"${nft}" add rule ip qubes custom-input meta l4proto { tcp, udp } iifgroup 2 ip daddr 127.0.0.1 th dport 53 accept

# block connections to other DNS servers
"${nft}" add rule ip qubes custom-forward meta l4proto { tcp, udp } iifgroup 2 ip daddr != 127.0.0.1 th dport 53 drop

"${nft}" flush chain ip qubes dnat-dns
"${nft}" add rule ip qubes dnat-dns meta l4proto { tcp, udp } th dport 53 dnat to 127.0.0.1

echo 'nameserver 127.0.0.1' > /etc/resolv.conf
# https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux
# https://wiki.archlinux.org/title/Dnscrypt-proxy#Enable_EDNS0
echo 'options edns0' >> /etc/resolv.conf

ln -s /rw/dnscrypt-proxy /etc/dnscrypt-proxy
/usr/bin/systemctl start dnscrypt-proxy.service
sys-wall
#!/bin/sh

# This script will be executed at every VM startup, you can place your own
# custom commands here. This includes overriding some configuration in /etc,
# starting services etc.

nft='/usr/sbin/nft'

# redirect all dns-requests to sys-dns
"${nft}" flush chain ip qubes dnat-dns
"${nft}" add rule ip qubes dnat-dns meta l4proto { tcp, udp } ip daddr { 10.139.1.1, 10.139.1.2 } th dport 53 dnat to $(/usr/bin/qubesdb-read /qubes-gateway)

# block connections to other DNS servers
"${nft}" add rule ip qubes dnat-dns meta l4proto { tcp, udp } th dport 53 drop
1 Like

@everwonder

There is something to learn in every situation.

Consider that the date of the guide is older than the date of Qubes 4.2.

In an earlier reply by @tripleh we also have:

Qubes 4.2 only uses nft.

So, you are using different software and expect similar result. That is the actual problem you are facing.

I hope somebody will update the guide for 4.2 please

Someone (I guess that’s me) will, as it is on my TODO list. No ETA though.

1 Like

Thank you @DVM it worked wonderfully!

1 Like

I still have not tested that but perhaps you could simply install iptables in Fedora 38.