If I turn off networkmanager, change resolv.conf in sys-net, why do I still have network access?

In sys-net I changed resolv.conf, emptied it, disabled networkmanager, disabled systemd-resolved, yet my qubes still have network access (I did not reboot sys-net). I want to know why this works. I also tried pointing a qube directly to sys-net (instead of through sys-firewall) and the same thing happened.

The DNS requests from qubes connected to sys-net are redirected using firewall:

$ sudo nft list chain ip qubes dnat-dns
table ip qubes {
	chain dnat-dns {
		type nat hook prerouting priority dstnat; policy accept;
		ip daddr 10.139.1.1 udp dport 53 dnat to x.x.x.x
		ip daddr 10.139.1.1 tcp dport 53 dnat to x.x.x.x
	}
}

So just changing resolv.conf in sys-net won’t affect it.

I don’t know how you disabled networkmanager, so I’m not sure why the network still works for you.
Try to right click on the network manager widget in system tray and uncheck “Enable Networking.”

Disabling a service does not stop it.
Enabling a service does not start it.
These are distinct things.

It makes little sense to enable or disable a service in a qube, since on
reboot the services will be loaded depending on what is in the template.
(I exclude services which are controlled by the Qubes mechanism.)

This is expected. The qube has DNS set to a local net address, which is
resolved in sys-net to the sys-net DNS servers. All you have done is
stop the Qubes firewall from operating, since it is not enforced in
sys-net.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

Sorry, I did stop the services, not disable them, my bad. I also didn’t reboot the qube. And I pointed the appvm to sys-net after having done all of that.

But, I changed the sys-net dns servers, so shouldn’t those changes trickle down to the AppVM?

Stopping the NetworkManager service does not bring down the interface.
systemd-resolved is not running - at least in cwa vanilla debian-12-xfce
sys-net

Look at nft list table qubes - qubes have default resolvers of
10.139.1.1 and 10.139.1.2. These addresses are changed under DNAT to
the given nameserver from external iface of sys-net. This is not changed
dynamically when you make changes to /etc/resolv.conf in sys-net.


Do the other qubes get DNS over TLS or do they regularly connect to 1.1.1.1/8.8.8.8 (those are the servers that are routed to the qubes by default)?

Qubes OS doesn’t use DoT by default.
In this configuration:
sys-net ↔ sys-firewall ↔ test-qube
The test-qube will send DNS requests to the virtual Qubes OS DNS servers 10.139.1.1/10.139.1.2 UDP/TCP port 53.
Then sys-firewall will get these requests and send them to sys-net using these firewall rules:

root@sys-firewall:~# nft list chain ip qubes dnat-dns
table ip qubes {
        chain dnat-dns {
                type nat hook prerouting priority dstnat; policy accept;
                ip daddr 10.139.1.1 udp dport 53 dnat to 10.139.1.1
                ip daddr 10.139.1.1 tcp dport 53 dnat to 10.139.1.1
                ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.2
                ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.2
        }
}

Then sys-net will receive these requests and will send them to the DNS servers specified in it. E.g. if 1.1.1.1 is specified in /etc/resolv.conf:

root@sys-net:~#  nft list chain ip qubes dnat-dns
table ip qubes {
	chain dnat-dns {
		type nat hook prerouting priority dstnat; policy accept;
		ip daddr 10.139.1.1 udp dport 53 dnat to 1.1.1.1
		ip daddr 10.139.1.1 tcp dport 53 dnat to 1.1.1.1
	}
}
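
An added example, not part of the thread or of Qubes OS itself: a small shell check for the situation discussed above, where /etc/resolv.conf in sys-net is edited but the dnat-dns chain keeps its old targets. The function names and sample inputs are constructed for illustration, and it assumes the nft output format shown in the posts.

```shell
#!/bin/sh
# Added example (not from the thread): detect when sys-net's dnat-dns rules
# no longer match the nameservers listed in /etc/resolv.conf.

# Print the unique DNAT targets found in `nft list chain ip qubes dnat-dns`
# output read from stdin.
dnat_targets() {
    awk '/dport 53 dnat to/ { print $NF }' | sort -u
}

# Print the unique nameserver addresses found in resolv.conf text on stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' | sort -u
}

# dns_drift NFT_OUTPUT RESOLV_TEXT -> prints in-sync, stale or no-dnat
dns_drift() {
    drift_targets=$(printf '%s\n' "$1" | dnat_targets)
    drift_servers=$(printf '%s\n' "$2" | resolv_nameservers)
    if [ -z "$drift_targets" ]; then
        echo "no-dnat"      # no DNS redirect rules present at all
    elif [ "$drift_targets" = "$drift_servers" ]; then
        echo "in-sync"      # rules point at the configured resolvers
    else
        echo "stale"        # rules still point somewhere resolv.conf does not
    fi
}

# Constructed sample input: the sys-net chain in the format shown in the thread.
SAMPLE_NFT='table ip qubes {
	chain dnat-dns {
		type nat hook prerouting priority dstnat; policy accept;
		ip daddr 10.139.1.1 udp dport 53 dnat to 1.1.1.1
		ip daddr 10.139.1.1 tcp dport 53 dnat to 1.1.1.1
	}
}'
SAMPLE_RESOLV_OK='nameserver 1.1.1.1'
SAMPLE_RESOLV_EMPTIED='# resolv.conf emptied by hand'

echo "matching resolv.conf: $(dns_drift "$SAMPLE_NFT" "$SAMPLE_RESOLV_OK")"
echo "emptied resolv.conf:  $(dns_drift "$SAMPLE_NFT" "$SAMPLE_RESOLV_EMPTIED")"

# On a live sys-net (nft needs root):
#   dns_drift "$(sudo nft list chain ip qubes dnat-dns)" "$(cat /etc/resolv.conf)"
```

A "stale" result corresponds to the case in the thread: qubes keep resolving names because the DNAT rules still forward 10.139.1.1 to the previous resolver.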