[guide] how-to setup a sys-dns qube

Since you need to edit Qubes-related DNS rules, you can no longer use iptables on Qubes 4.2, as it has been completely switched to nftables. Also, if I’m not mistaken, iptables is still available by default, at least in Fedora.

Thank you for the suggestion.
At this point, with the provided nft instructions everything seems to work fine, so I am afraid to experiment with it further with iptables. Now, I am focused on VPN solutions, but it seems it is the same story with nftables in v4.2…

This works with 4.2:


I just installed Qubes 4.2 and migrated my sys-dns and sys-wall from 4.1 (also with fedora-38-minimal) and all is good with iptables.
I also checked for iptables and it’s always installed in fedora-38-xfce.

Fedora replaces iptables with iptables-nft, which converts rules to nftables on the fly:

lrwxrwxrwx. 1 root root 26 Nov 17 15:02 /usr/sbin/iptables -> /etc/alternatives/iptables
lrwxrwxrwx. 1 root root 22 Nov 17 15:02 /etc/alternatives/iptables -> /usr/sbin/iptables-nft

I’m not sure how you got it to work unless you have some iptables leftovers. The PR-QBS chain is not present in Qubes 4.2 since it has been replaced by dnat-dns. Also, FORWARD and INPUT are not accepted by nftables because it’s case sensitive.

Related issue: Some R4.1 firewall scripts do not work after upgrading to R4.2 · Issue #8487 · QubesOS/qubes-issues · GitHub

@DVM I just checked on dnsleaktest.com and all is OK.
I use sys-net ← sys-firewall ← sys-dns ← sys-wall ← AppVM

sys-net and sys-firewall have fedora-xfce as template, and sys-dns and sys-wall have fedora-minimal as template…
On minimal I have neither iptables-nft nor ip6tables-nft. fedora-xfce has it.
NB: I installed a clean version of 4.2 and NOT an upgrade, then restored the backup of fedora-minimal from 4.1, so I don’t have iptables-nft (normal! lol).

I guess your templates are still running on r4.1 packages then? You will need to manually upgrade them to match the way r4.2 works. This would explain why you can still use these iptables rules.

I’ll try it tonight or tomorrow :slight_smile: Do you think it could be a problem for now?

I don’t think this is a problem for now, but upgrade them to 4.2 as soon as possible using this script. When your templates switch to the 4.2 repos, you won’t be able to use iptables as before, and you’ll have to switch to nftables instead.

I launch it in my minimal templates, right?

Yes. Any Templates/Standalone you have restored from a Qubes 4.1 backup will need to be switched to 4.2 repos using the script.
Clone them first, just in case something goes wrong.

For sure! Thank you, I’ll do it and tell you if it’s OK.
Does this script have a topic? If not, that would be a good thing…

I don’t think there is one and I don’t think even the official “how to upgrade” guide for clean installations mentions it.

> Since you need to edit Qubes-related DNS rules, you can no longer use iptables on Qubes 4.2, as it has been completely switched to nftables. Also, if I’m not mistaken, iptables is still available by default, at least in Fedora.

I don’t know what “switched” means and whether iptables has been deprecated in a way that makes any use of it impossible. I question the latter, as it would render the very existence of the package in the repo meaningless.

So, I don’t see a reason why iptables rules should not work if the proper iptables package is installed in sys-wall and sys-dns. The fact that Qubes OS uses nftables is not new. In 4.1.2 all firewall rules created through the UI or through qvm-firewall are translated to nft rules. So, if 4.2 does the same (I still don’t know, as I still have not upgraded), it is not directly obvious (to me) why that should conflict with iptables rules running in parallel.

Of course, getting rid of iptables is the way forward. Just sharing thoughts.

It’s correct for the GUI/CLI firewall because it uses a dedicated nftables table (qubes-firewall), but not for the firewall rules inside all qubes, including the communication between them (e.g. DNS). Some chains related to Qubes have been removed from iptables and moved to nftables (e.g. PR-QBS → dnat-dns). So, for example, the two scripts provided in your post won’t work because the DNS side won’t be applied, the same for the others when used with iptables-nft because nftables uses different table and chain names.

I see.

So, whenever I find time, I will have to re-investigate and update this whole thing.

Is there any existing issue suggesting to have dnscrypt as default DNS provider in Qubes OS? Perhaps that should be the right thing to do, long term.

I tested the setup you provided, replaced the scripts with the ones I converted to nftables in one of my previous posts here, and it worked fine on 4.2.

Related:

I think the current thinking is to forward DNS until it hits a custom service en route or the router’s DNS in sys-net as a last resort.

I upgraded my minimal template with the script, all is good!
But iptables-nft wasn’t installed during the upgrade and dnscrypt didn’t work. Once the package is installed, everything is back to normal :slight_smile:

I don’t think iptables-nft automatically replaces iptables when you install it. Can you confirm that a “PR-QBS” chain is listed when you run this command?

sudo iptables -t nat -L
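An added diagnostic (not from any post in this thread) that puts the two checks discussed above into one script: which backend the iptables binary resolves to (the iptables-nft symlink chain shown earlier) and whether the 4.2 dnat-dns chain exists instead of the 4.1 PR-QBS chain. It assumes the chain lives in the nftables table `ip qubes`; the thread only names the chain, not the table.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: report whether a qube's iptables
# binary is the nft shim and whether the 4.2 "dnat-dns" chain exists.
# Assumption: Qubes 4.2 keeps that chain in table "ip qubes".

# Classify the resolved target of /usr/sbin/iptables:
#   nft     -> iptables-nft shim, rules are translated into nftables
#   legacy  -> xtables backend, rules stay in the old iptables tables
#   missing -> no iptables binary at all (e.g. a minimal template)
classify_iptables_target() {
    case "$1" in
        "") echo missing ;;
        *iptables-nft*) echo nft ;;
        *iptables-legacy*) echo legacy ;;
        *) echo unknown ;;
    esac
}

# Return 0 if a chain named $2 appears in the nft ruleset text $1.
chain_present() {
    printf '%s\n' "$1" |
        grep -Eq "^[[:space:]]*chain[[:space:]]+$2[[:space:]]*\{"
}

# Live check, run inside the qube as root: resolve the symlink chain
# shown in the thread and ask nft for the Qubes table.
if [ "${1:-}" = "--live" ]; then
    real=$(readlink -f /usr/sbin/iptables 2>/dev/null)
    echo "iptables backend: $(classify_iptables_target "$real")"
    ruleset=$(nft list table ip qubes 2>/dev/null)
    if chain_present "$ruleset" dnat-dns; then
        echo "4.2 layout: chain dnat-dns found in table ip qubes"
    else
        echo "no dnat-dns chain: rules written for PR-QBS will not apply"
    fi
fi
```

Run `sudo sh check-fw.sh --live` inside sys-dns or sys-wall; a template restored from a 4.1 backup typically reports `missing` or `legacy` and no dnat-dns chain.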

Thanks for the links. I skimmed through.