How to overwrite Qubes Virtual DNS,

To run lokinet I need to set persistently the nameserver to (which comes with lokinet). Linux troubleshooting - Oxen Docs

Can’t you change it in /etc/resolve.conf?

No, it is not working.

If you want you can simple try it on your side. The setup is done in 2 mins.

I did tests with

sudo nano /etc/resolvconf/resolv.conf.d/head


sudo nano /etc/resolv.conf

and did the update afterwards but it returns:

etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /run/resolvconf/resolv.conf

And after every reboot it switches back to the Qubes default DNS.

The only qube I have that uses a custom DNS is my VPN, and it uses NetworkManager to configure the DNS after boot.

But changing the nameservers in resolve.conf should allow you to use a different DNS.

Ok, thx. I will give it a try.

No, I did not get it working and in the Qubes Settings it still displays the default Virtual DNS.

This is not particularly helpful.

That is a natural result of you editing a file in /etc, that comes from
the template.

If you want to make a permanent change, either use bind-dirs
or make the change using /rw/config/rc.local

You’ll have to fix the other error message you have reported.

I never presume to speak for the Qubes team.
When I comment in the Forum or in the mailing lists I speak for myself.

Ok, obviously my simple question " How to overwrite Qubes Virtual DNS," cannot be solved by a simple command.

I start with a step-by-step explanation. Hopefully, this will give some more light into the setup, the DNS issue and how to troubleshoot this on Qubes.

I did a fresh setup on a standaloneVM, followed the lokinet installation instructions:

  1. sudo apt-get update && sudo apt install curl

  2. sudo curl -so /etc/apt/trusted.gpg.d/oxen.gpg

  3. echo “deb $(lsb_release -sc) main” | sudo tee /etc/apt/sources.list.d/oxen.list

  4. sudo apt update && sudo apt install lokinet-gui

during the installation routine I see this (I guess this could be a useful info):

Created symlink /etc/systemd/system/
→ /lib/systemd/system/resolvconf.service.

Created symlink /etc/systemd/system/systemd-resolved.service.wants/resolvconf-pull-resolved.path
→ /lib/systemd/system/resolvconf-pull-resolved.path.

Created symlink /etc/systemd/system/systemd-resolved.service.wants/resolvconf-pull-resolved.service
→ /lib/systemd/system/resolvconf-pull-resolved.service.

checking Qubes DNS returns:

user@lokinet-standalone-debian-11:~$ cat /etc/resolvconf/resolv.conf.d/head 
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# is the systemd-resolved stub resolver.
# run "resolvectl status" to see details about the actual nameservers.

user@lokinet-standalone-debian-11:~$ cat /etc/resolvconf/resolv.conf.d/original 

checking the lokinet’s systemctl:

user@lokinet-standalone-debian-11:~$ systemctl status lokinet
● lokinet.service - LokiNET: Anonymous Network layer thingydoo, client
     Loaded: loaded (/lib/systemd/system/lokinet.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 20yy-mm-dd hh:mm:ss XXXX; 13min ago
    Process: 4897 ExecStartPost=/usr/sbin/lokinet-resolvconf add /var/lib/lokinet/lokinet.ini (code=exited, status=0/SUCCESS)
   Main PID: 4888 (lokinet)
     Status: "v0.9.11 client | known/connected: 954/6 | paths/endpoints 44/1"
      Tasks: 9 (limit: 4633)
     Memory: 11.2M
        CPU: 22.294s
     CGroup: /system.slice/lokinet.service
             └─4888 /usr/bin/lokinet /var/lib/lokinet/lokinet.ini

Verify everything is working fine:

  1. Starting a web-browser, set HTTPS-Only Mode to: Don’t enable HTTPS-Only Mode.
    browse to a *.loki website: http://deb.loki , http://mirror.loki/debian

  2. Switch on lokinet VPN mode (exit.loki) and checking IP ( , …):
    IPv4 address: /

  3. Checking the lokinet status / lokinet-GUI displays: ~1600 routers, active paths ~100 with 92% success.

NOW, reboot the standaloneVM.

  1. checking the systemctl status again:
user@lokinet-standalone-debian-11:~$ sudo systemctl status lokinet
● lokinet.service - LokiNET: Anonymous Network layer thingydoo, client
     Loaded: loaded (/lib/systemd/system/lokinet.service; enabled; vendor prese>
     Active: active (running) since Tue 20yy-mm-dd hh:mm:ss XXXX; 44s ago
    Process: 656 ExecStartPost=/usr/sbin/lokinet-resolvconf add /var/lib/lokine>
   Main PID: 599 (lokinet)
     Status: "v0.9.11 client | known/connected: 1596/4 | paths/endpoints 11/0"
      Tasks: 8 (limit: 4633)
     Memory: 28.1M
        CPU: 933ms
     CGroup: /system.slice/lokinet.service
             └─599 /usr/bin/lokinet /var/lib/lokinet/lokinet.ini
  1. Open web-browser and go to a *.loki
    We can’t connect to the server at deb.loki.

Any idea what is set during the installation routine and overwritten with the (standaloneVM) reboot?

How to fix the DNS reboot issue?

… ultimately, what needs to be done (bind-dirs …) to get it working as ProxyVM?

Thanks for your support

The following has a solution that might be helpful.

@whoami - I suggested that you use /rw/config/rc.local to overwrite the Qubes DNS
Can you explain why you think this simple solution does not provide an answer to
your simple question?

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.

Since I still do not know what needs to be entered to get lokinet’s DNS working after reboot (after one week).

I would very thankful if you just simply drop me the simple one-liner solution for my simple question even if this proofs that I still need to learn a lot about DNS, Qubes DNS workflow and how to manipulate it. That is fine for me, I still want to learn more about QOS :wink:

I tested the official troubleshooting recommendations (for normal Linux distros) with your recommendation:

echo ‘nameserver’ > /etc/resolvconf/resolv.conf.d/head

I also did some tests with
echo ‘nameserver’ > /etc/resolv.conf
echo ‘nameserver’ > /etc/resolvconf/resolv.conf.d/original

As already stated here:

and here:

I guess this symlink is the issue here but I have no clue where to start here. I never used / worked with symlink before but what I understood it is simply a link which points to a directory.

I tried your second recommendation: using bind-dirs
As descripted in the docs I made a 50_user.conf and added


with that I hoped to keep the symlink persistent (which was made during the installation routine). I also did this test with a lokinet-gw and a lokinet-ws setup instead of the previous standalone Qube tests. Both still without success.

Accidentally, I saw @qubist nice Guide on:

He also used your recommended /rw/config/rc.local approach:

echo 'nameserver' > /etc/resolv.conf

But he used it in a much more complex content and I guess in my case the issue is strongly linked to the way lokinet implemented its DNS.

@qubist maybe you have an additional hint / solution for me. As described here the issue can be reproduced very quickly (in 5 mins).


I am still learning about Qubes OS and I have never heard about lokinet before seeing this thread, so consider this as a disclaimer for anything I write here. I think we need better documentation about how various things work in Qubes OS, as well as about setting up custom DNS services.

What I have learned so far is that Qubes OS routes all DNS requests to and which is done using /etc/resolv.conf files in templates and firewall rules. To use a custom DNS one obviously needs to modify both, otherwise DNS requests would still go to the 2 default hosts.

To persist modifications in /etc/* you must either do them in the particular template, or use some of the other methods described in the docs: config files or bind-dirs. Since you mentioned that you are using a StandaloneVM, I don’t know why the changes you make may be volatile. You may need to look deeper into logs of the VM and the service file itself.

You can use the guide I shared in the other thread too. The sys-wall I use there routes all DNS requests to a sys-dns qube. Just replace the part related to dnscrypt with your lokinet specific stuff, thus creating your own sys-dns running whatever DNS you like. This approach makes any modifications in the client qube (your lokinet-standalone-debian-11) unnecessary as sys-wall which you will use as a NetVM will do that for you upstream.

You asked a simple question - how do I overwrite /etc/resolv.conf from
Qubes default?
The simple answer is:
Put a line in /rw/.config/rc.local like this:
echo "nameserver " > /etc/resolv.conf
That is the simple answer to the question you asked.

The difficult t you have is that your problem is not encompassed by that
simple question.
That is why I told you you would have to deal with the warning message
that you received.
etc/resolvconf/update.d/libc: Warning: /etc/resolv.conf is not a symbolic link to /run/resolvconf/resolv.conf

If you had spent 5 minutes in the past week of travail searching for
that issue, then you would have found a solution to your actual
Try these lines in /rw/config/rc.local:

rm /etc/resolv.conf
ln -s  /run/resolvconf/resolv.conf /etc/resolv.conf
I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.
1 Like

I was pretty close. I have already tested

ln -s  /run/resolvconf/resolv.conf/head /etc/resolv.conf
resolvconf -u

Thank you @unman !!

Standalone works now, lokinet-gw with lokinet-ws not. Let’s see if I get the split setup working :crossed_fingers:

Glad you got that working.
If you need help with a loki gateway, open a new thread.