How do I setup a custom DNS in AppVM?

Hello everyone, I’m trying to do this with standalone debian-10 AppVM + sys-firewall as NetVM.

My goal is to be able to use any custom public DNS server when I’m using my AppVM, not servers provided by my NetVM. However, I’ve tried everything I could find and nothing is working. Simply changing /etc/resolv.conf, installing dnsmasq, changing NetworkManager config, installing PiHole… Everytime I ended up with DNS servers provided by sys-firewall.

Any ideas how to solve this problem? Thank you.

I’m running unbound and the trick is to use ipfilter for translating the incoming client DNS queries to and By default these are forwarded to next netvm in chain (if I understand it correctly). This translation is usually done automatically on VPN qubes that use NetworkManager via its own hooks. But since I didn’t want to run NetworkManager, I had to do it myself.

I added following code to /rw/config/qubes-ip-change-hook:

# This will Flush PR-QBS chain
iptables -t nat -F PR-QBS

# Redirects all the DNS traffic to localhost:53
iptables -t nat -I PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to-destination

# Accepts the traffic coming to localhost
# from XEN's virtual interfaces on port 53
iptables -I INPUT -i vif+ -p udp --dport 53 -d -j ACCEPT

# Enable the traffic coming from the virtual interfaces
# forwarded to the loopback interface
# enabling the route_localnet flag on them
echo 1 > /proc/sys/net/ipv4/conf/default/route_localnet

So my unbound service is listening to, and that’s also what I have in /etc/resolv.conf (for local testing on the unbound box).

1 Like


No, that’s not necessary. unbound is standalone resolver, I thought you wanted something like that with “custom DNS”.

Now I don’t really understand what is it you want to do. Why would Tor clients behind sys-whonix need to care about any DNS servers? It’s a socks proxy, and the name is resolved in the exit node.

So maybe you could try to elaborate what exactly are you trying to achieve?

1 Like


I don’t use Whonix.
It’s possible that they capture all DNS traffic, not just that
which is sent to and 10.139.1. - from your description that
is what seems to be happening.
I’d confirm that on the Whonix side first - otherwise you run the risk
of wasting time and effort to no purpose.

Changing /etc/resolv.conf does work if not through Whonix: you can
confirm this yourself.

You might also ask yourself why you want to use Tor, and what risks
using DNS not through Tor might bring.