“This directory” means /run/dnscrypt-proxy, as in the command:
useradd --system --home /run/dnscrypt-proxy --shell /bin/false --gid dnscrypt
In /etc/dnscrypt-proxy/dnscrypt-proxy.toml there is a section named [sources]. Each subsection of it has a line cache_file = <value> . What you quote means that the value should be a path in /run if you want these stored in RAM, e.g. for [sources.public-resolvers]:
cache_file = '/run/dnscrypt-proxy/public-resolvers.md'
@qubist thank you for your clear answers!
I wanted to ask you about IP addresses in the script /rw/config/rc.local of f37-m-firewall-dvm.
The IP addresses 10.139.1.1 and 10.139.1.2 are more or less clear from your answer elsewhere:
What about the following IP address? Should I adapt it according to IPs of my VMs? If yes, to which one? If no, what does it represent?
10.138.26.87 is sys-dns IP.
You can replace:
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p udp --dport 53 -j DNAT --to-destination 10.138.26.87
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p tcp --dport 53 -j DNAT --to-destination 10.138.26.87
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p udp --dport 53 -j DNAT --to-destination 10.138.26.87
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p tcp --dport 53 -j DNAT --to-destination 10.138.26.87
With universal:
sys-dns_ip=$(/usr/bin/qubesdb-read /qubes-gateway)
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p udp --dport 53 -j DNAT --to-destination $sys-dns_ip
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p tcp --dport 53 -j DNAT --to-destination $sys-dns_ip
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p udp --dport 53 -j DNAT --to-destination $sys-dns_ip
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p tcp --dport 53 -j DNAT --to-destination $sys-dns_ip
@apparatus Thank you for your answer!
Yes, I did put the IP address of my sys-dns like you indicated here.
My problem is I couldn’t obtain the same result as in the test of @qubist therefore I am double checking everything:
even though *google-analytics* is in the blocked-names.txt.
In a qube attached to sys-wall, I am obtaining the following, which is not normal:
[user@avm ~]$ host google-analytics.com
google-analytics.com has address 142.250.75.228
google-analytics.com has IPv6 address 2a00:1450:4007:810::2004
because in sys-dns I am getting:
[user@sys-dns ~]$ host google-analytics.com
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"```Nice! Thank you @apparatus!
Is the netvm of your sys-wall set to sys-dns?
Yes, I did in dom0:
And here is the content of /rw/config/rc.local of f37-m-firewall-dvm:
#!/bin/sh
# This script will be executed at every VM startup, you can place your own
# custom commands here. This includes overriding some configuration in /etc,
# starting services etc.
ipt='usr/sbin/iptables'
"${ipt}" -t nat -F PR-QBS
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p udp --dport 53 -j DNAT --to-destination 10.138.x.x
"${ipt}" -t nat -A PR-QBS -d 10.139.1.1/32 -p tcp --dport 53 -j DNAT --to-destination 10.138.x.x
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p udp --dport 53 -j DNAT --to-destination 10.138.x.x
"${ipt}" -t nat -A PR-QBS -d 10.139.1.2/32 -p tcp --dport 53 -j DNAT --to-destination 10.138.x.x
"${ipt}" -t nat -A PR-QBS -p udp --dport 53 -j DNAT --to-destination 0.0.0.0
"${ipt}" -t nat -A PR-QBS -p tcp --dport 53 -j DNAT --to-destination 0.0.0.0
where 10.138.x.x is the IP address of my sys-dns.
What is wrong with the script?
On second thought, I don’t thing sys-wall is even needed in your setup because you’re already redirecting the DNS traffic to dnscrypt-proxy in sys-dns and there is no point in blocking the DNS requests to non-virtual DNS servers in separate firewall qube.
You can just do the blocking in sys-dns.
I attached sys-dns directly to a qube. In this qube I am getting:
[user@avm ~]$ host google-analytics.com
google-analytics.com has address 142.250.75.228
google-analytics.com has IPv6 address 2a00:1450:4007:810::2004
which is strange because in sys-dns I am getting:
[user@sys-dns ~]$ host google-analytics.com
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"
google-analytics.com host information "This query has been locally blocked" "by dnscrypt-proxy"```
[/quote]
Are you using Qubes OS 4.1 or Qubes OS 4.2?
What’s the output of this command in sys-dns?
sudo iptables -t nat -nvL PR-QBS
@apparatus I’m using Qubes OS 4.2 ( 4.2.0-rc5 testing release, is the problem because of this?)
I also use fedora-38-minimal template for net.
The sudo command in sys-dns demands a password. I don’t know what passport should I use? Do the minimal templates have a default password?
The Qubes OS 4.2 is no longer using iptables and now uses nftables instead:
You’ll need to convert the iptables commands to nftables.
@apparatus Thank you for your suggestions, but I have no idea how to do it.
I hope somebody will update the guide for 4.2 please
I asked a LLM (phind) to convert iptables to nftables. Here is what it gave me:
sysctl -w net.ipv4.conf.all.route_localnet=1
nft add table ip filter
nft add chain ip filter INPUT { type filter hook input priority 0 \; }
nft add rule ip filter INPUT iifname "vif+" ip daddr 127.0.0.1 ip protocol tcp tcp dport 53 counter accept
nft add rule ip filter INPUT iifname "vif+" ip daddr 127.0.0.1 ip protocol udp udp dport 53 counter accept
nft add chain ip filter FORWARD { type filter hook forward priority 0 \; }
nft add rule ip filter FORWARD iifname "vif+" ip daddr 127.0.0.1 ip protocol tcp tcp dport 53 counter drop
nft add rule ip filter FORWARD iifname "vif+" ip daddr 127.0.0.1 ip protocol udp udp dport 53 counter drop
nft add table ip nat
nft add chain ip nat PR-QBS { type nat hook prerouting priority 0 \; }
nft add rule ip nat PR-QBS ip dport 53 udp dnat 127.0.0.1
nft add rule ip nat PR-QBS ip dport 53 tcp dnat 127.0.0.1
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
echo 'options edns0' >> /etc/resolv.conf
ln -s /rw/dnscrypt-proxy /etc/dnscrypt-proxy
systemctl start dnscrypt-proxy.service
Aren’t those commands nonsense?
I’ll try it tomorrow
It’s not gonna work for Qubes OS.
You can check this for examples of converting iptables to nftables:
look at the documentation for Passwordless Root
I converted @qubist’s iptables rules to support Qubes 4.2 nftables. I did some quick tests and it seems to work, tell me if something is not working properly.
#!/bin/sh
# This script will be executed at every VM startup, you can place your own
# custom commands here. This includes overriding some configuration in /etc,
# starting services etc.
nft='/usr/sbin/nft'
# allow redirects to localhost
/usr/sbin/sysctl -w net.ipv4.conf.all.route_localnet=1
"${nft}" add rule ip qubes custom-input meta l4proto { tcp, udp } iifgroup 2 ip daddr 127.0.0.1 th dport 53 accept
# block connections to other DNS servers
"${nft}" add rule ip qubes custom-forward meta l4proto { tcp, udp } iifgroup 2 ip daddr != 127.0.0.1 th dport 53 drop
"${nft}" flush chain ip qubes dnat-dns
"${nft}" add rule ip qubes dnat-dns meta l4proto { tcp, udp } th dport 53 dnat to 127.0.0.1
echo 'nameserver 127.0.0.1' > /etc/resolv.conf
# https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-linux
# https://wiki.archlinux.org/title/Dnscrypt-proxy#Enable_EDNS0
echo 'options edns0' >> /etc/resolv.conf
ln -s /rw/dnscrypt-proxy /etc/dnscrypt-proxy
/usr/bin/systemctl start dnscrypt-proxy.service
#!/bin/sh
# This script will be executed at every VM startup, you can place your own
# custom commands here. This includes overriding some configuration in /etc,
# starting services etc.
nft='/usr/sbin/nft'
# redirect all dns-requests to sys-dns
"${nft}" flush chain ip qubes dnat-dns
"${nft}" add rule ip qubes dnat-dns meta l4proto { tcp, udp } ip daddr { 10.139.1.1, 10.139.1.2 } th dport 53 dnat to $(/usr/bin/qubesdb-read /qubes-gateway)
# block connections to other DNS servers
"${nft}" add rule ip qubes dnat-dns meta l4proto { tcp, udp } th dport 53 drop
There is something to learn in every situation.
Consider that the date of the guide is older than the date of Qubes 4.2.
In an earlier reply by @tripleh we also have:
Qubes 4.2 only uses nft.
So, you are using different software and expect similar result. That is the actual problem you are facing.
I hope somebody will update the guide for 4.2 please
Someone (I guess that’s me) will, as it is on my TODO list. No ETA though.
Thank you @DVM it worked wonderfully!
I still have not tested that but perhaps you could simply install iptables in Fedora 38.