How do you manage DNS topic?

Hi!
How do you manage the DNS topic?
Do you keep DNS standard (port 53), or do you use DoH or DoT for privacy and to prevent man-in-the-middle attacks, e.g. when you are connected to free public Wi-Fi?
If DoH or DoT, do you use a DNS resolver in a dedicated qube, like cryptDNS?
Please explain a little bit.
Thank you!

There are tons of guides and discussions about “the best DNS solution.” You will meet people who swear by using an encrypted, filtered, or $whatever upstream. I won’t claim that none of them have a reasonable privacy/security policy.

However, I prefer to be as independent and as much in control as possible. So I never use upstream DNS servers (no matter what features); I only trust my own local recursors. When I'm on the go (public Wi-Fi, e.g.), those are contacted via my self-hosted VPN. It routes everything, even my mobile traffic. As long as a VPN connection is unavailable, everything gets dropped.

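An added example, not the poster's own configuration: the "everything gets dropped without the VPN" and "queries only go to my own recursor" behaviour can be expressed as a small nftables ruleset loaded inside the WireGuard qube. The interface names (`wg0`, `eth0`, `vif*`), the endpoint address 203.0.113.10:51820 and the recursor address 10.8.0.1 are assumptions for illustration; the ruleset assumes a Qubes 4.2 nftables-based firewall and would be called from `/rw/config/qubes-firewall-user-script`.

```shell
#!/bin/sh
# Kill switch + DNS redirect for a sys-vpn (WireGuard) qube.
# All names, addresses and ports below are ASSUMPTIONS; override via env.
WG_IF="${WG_IF:-wg0}"                        # tunnel interface inside sys-vpn
UPLINK="${UPLINK:-eth0}"                     # interface towards sys-firewall / sys-net
VPN_ENDPOINT="${VPN_ENDPOINT:-203.0.113.10}" # public IP of the self-hosted VPN server
VPN_PORT="${VPN_PORT:-51820}"                # its WireGuard UDP port
RESOLVER="${RESOLVER:-10.8.0.1}"             # own unbound recursor, reachable only via the tunnel

# Emit the ruleset as text. A separate table is used on purpose: nftables
# runs every base chain registered on a hook, an accept in one chain only
# moves on to the next, and a drop in any chain is final. So these rules
# add constraints on top of the qubes-* tables without replacing them.
vpn_ruleset() {
    cat <<EOF
table inet vpn-killswitch {
    chain forward {
        type filter hook forward priority filter + 10; policy accept;
        # downstream qubes (vif*) may leave only through the tunnel;
        # if $WG_IF is down the kernel routes via $UPLINK and the packet is dropped
        iifname "vif*" oifname "$WG_IF" accept
        iifname "vif*" oifname "$UPLINK" counter drop
    }
    chain output {
        type filter hook output priority filter + 10; policy accept;
        # the only clearnet packets this qube itself may send are WireGuard
        oifname "$UPLINK" ip daddr $VPN_ENDPOINT udp dport $VPN_PORT accept
        oifname "$UPLINK" counter drop
    }
}
table ip vpn-dns {
    chain prerouting {
        # runs ahead of Qubes' own dnat-dns chain (priority dstnat), so
        # port-53 traffic from downstream qubes is rewritten to our recursor
        type nat hook prerouting priority dstnat - 10; policy accept;
        iifname "vif*" udp dport 53 dnat to $RESOLVER
        iifname "vif*" tcp dport 53 dnat to $RESOLVER
    }
}
EOF
}

# Load atomically: nft parses the whole file before applying any of it,
# so a syntax error leaves the previous ruleset untouched.
apply_ruleset() {
    vpn_ruleset | nft -f -
}

# Only touch the kernel when explicitly asked (e.g. from the firewall user script).
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
fi
```

Two practical notes: configure the WireGuard endpoint as an IP literal (as assumed above), otherwise the tunnel itself needs clearnet DNS to come up, which this ruleset forbids; and the `counter` on the two drop rules lets you confirm with `nft list table inet vpn-killswitch` that nothing tried to leak while the tunnel was down.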

Thank you, that's interesting.
Which DNS are you using? Unbound?
Can you help me set it up in Qubes, like you did?
I would like to try.
As I see it, the queries go only over standard DNS, UDP 53, right? For this reason you use a VPN, so that your provider, which knows who you are, cannot see the queries, and not a VPN provider (like Mullvad)?
Thank you

My Qubes setup is as minimal as possible, since availability matters. I need to get things up (again) in minutes rather than hours or days in case anything goes down. It's simply:

[app-qubes ->] sys-prevpn-firewall → sys-vpn (wireguard) → sys-firewall → sys-net

There are community guides around that give you (some!) options …

DNS is indeed done by three unbound machines (total) in two different strata.
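An added example (not the poster's configuration, whose exact layout is not given): one way to lay out two unbound strata is a full recursor on the VPN server that walks the tree from the root hints itself, plus a forwarding unbound in front of it that never talks to anything but that recursor over the tunnel. The tunnel subnet 10.8.0.0/24, the addresses 10.8.0.1/10.8.0.2 and the `/var/lib/unbound/...` file paths are assumptions.

```shell
#!/bin/sh
# Generate unbound.conf for the two strata. Addresses and paths are ASSUMPTIONS.
VPN_NET="${VPN_NET:-10.8.0.0/24}"           # only these clients get answers
RECURSOR_IP="${RECURSOR_IP:-10.8.0.1}"      # stratum 1: full recursor, VPN-side address
FORWARDER_IP="${FORWARDER_IP:-10.8.0.2}"    # stratum 2: caching forwarder in front of it
ROOT_HINTS="${ROOT_HINTS:-/var/lib/unbound/root.hints}"
TRUST_ANCHOR="${TRUST_ANCHOR:-/var/lib/unbound/root.key}"

# Hardening shared by both strata; $1 is the address unbound listens on.
common_server() {
    cat <<EOF
server:
    verbosity: 1
    interface: $1
    do-ip6: no
    # answer only clients arriving over the tunnel; refuse (not silently drop)
    # everyone else so misconfiguration shows up as REFUSED instead of timeouts
    access-control: $VPN_NET allow
    access-control: 0.0.0.0/0 refuse
    # do not reveal software identity or version to queriers
    hide-identity: yes
    hide-version: yes
    # cache-poisoning hardening and DNSSEC strictness
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-referral-path: yes
    use-caps-for-id: yes
    qname-minimisation: yes
    do-not-query-localhost: yes
    # keep popular names warm without serving expired data
    prefetch: yes
    cache-min-ttl: 0
    msg-cache-size: 64m
    rrset-cache-size: 128m
    # validate answers locally with the root trust anchor (RFC 5011 managed)
    auto-trust-anchor-file: "$TRUST_ANCHOR"
EOF
}

# Stratum 1: recurses from the root on its own, no forwarders at all.
recursor_conf() {
    common_server "$RECURSOR_IP"
    cat <<EOF
    root-hints: "$ROOT_HINTS"
    val-clean-additional: yes
EOF
}

# Stratum 2: never recurses itself; every query goes to the recursor over the
# tunnel. forward-first: no means it does not fall back to the root on failure,
# which is what keeps it from ever talking to the clearnet.
forwarder_conf() {
    common_server "$FORWARDER_IP"
    cat <<EOF
forward-zone:
    name: "."
    forward-addr: $RECURSOR_IP
    forward-first: no
EOF
}

# Validate a generated config with unbound-checkconf when it is installed;
# usage: check_conf recursor_conf   (or forwarder_conf)
check_conf() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        tmp=$(mktemp) || return 1
        "$1" > "$tmp"
        unbound-checkconf "$tmp"; rc=$?
        rm -f "$tmp"
        return $rc
    fi
    return 0
}
```

Usage: `recursor_conf > /etc/unbound/unbound.conf` on the VPN server and `forwarder_conf > /etc/unbound/unbound.conf` in the forwarding machine, then `unbound-checkconf` before restarting. The forwarder keeps its own trust anchor, so a tampered answer from the upper stratum still fails validation locally rather than being trusted because it "came from my server".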

Thanks, do I need to search for unbound guides? In this case I didn't find any…

https://unbound.docs.nlnetlabs.nl/en/latest/use-cases/home-resolver.html

Just an example…

https://docs.pi-hole.net/guides/dns/unbound/

Here with pihole…

Etc. etc. etc.


Interesting. Why the sys-prevpn-firewall here? Another safety layer? Any special configs here? Is your second firewall the (default) firewall (does it even matter)?

You mentioned you run your own VPN server. I am guessing at the top level, outside of the system.

[app-qubes ->] sys-prevpn-firewall → sys-vpn (wireguard) → sys-firewall → sys-net (e.g., your server vpn)

Which VPN will the app qube know it is using in the chain? The first one or the last one?

Is anything in your networking stack a disposable?

I'm trying to improve my networking skills by testing various configurations and writing new firewall rules.

Yes. The VPN server (sitting in a datacenter rack) has a public IP.

Concerning the qubes’ “chain”: The prevpn is mainly for convenience. If I want to switch VPN servers, I don’t have to reconfigure all my appVM qubes’ net-vms. The “default” firewall prevents the VPN qube from leaking clearnet data.

Sys-net is disposable, but has some preconfigured trustworthy connections.