Is the AppVM DNS a DoT? Or should I set up DoT in PFSense

Perhaps all QubesOS AppVMs use encrypted DNS rather than DNS using 53, but even though VirtualDNS is used when communicating between AppVMs, I don’t know whether encrypted or unencrypted DNS is actually used when communicating with the internet. However, although VirtualDNS is used when communicating between AppVMs, it is not clear what is actually used in what DNS when communicating with the Internet.

Therefore, I am thinking about whether I should implement DoT on the PFSense side, so that DNS requests coming to PFSense (with number 53 on the AppVM side) are queried with number 853, but I am not sure if the DNS used in QubesOS is encrypted. I don’t think this is necessary if the default is that the DNS used by QubesOS is encrypted.

If AppVM is using unencrypted DNS (unlikely), I am thinking of using sys-net / sys-firewall to specify as the DNS server and encrypt DNS queries.

Qubes OS uses unencrypted DNS. If you want to use DoT then you need to redirect unencrypted DNS requests to encrypted DNS in sys-net or sys-vpn.


Thanks, I see that QubesOS does not have DNS encryption. I would like to configure the sys-net / sys-vpn side to query PFSense for DNS.

For sys-net you can just set DNS to your PFSense IP in its network settings using Network Manager or some other way that it uses to set up networking.
For sys-vpn you can’t use the PFSense DNS server because it’ll cause a DNS leak. You need to configure the redirection of unencrypted DNS requests from qubes connected to sys-vpn to some external DoT server so DoT requests will go through the VPN.


Thank you, after confirming that the DNS connection is to, I configured the settings on the PFSense side and now I can successfully communicate DNS with the DoH/DoT. This means that DNS can no longer be read to find out which site you are connecting to.
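
One way to check the outcome described in the last post, as an added example that is not part of the thread: it reads `tcpdump -n` text captured on the firewall's WAN interface and reports whether any lookups still leave on port 53 instead of 853, and which names were exposed. The function name `audit_dns`, the capture lines and all addresses (documentation ranges) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: `tcpdump -n` text as it might look on the firewall's WAN
# interface. Addresses are documentation ranges, not values from the thread.
SAMPLE_WAN_CAPTURE = """\
12:00:01.100000 IP 198.51.100.7.40112 > 192.0.2.53.853: Flags [P.], seq 1:126, ack 1, win 502, length 125
12:00:01.140000 IP 192.0.2.53.853 > 198.51.100.7.40112: Flags [P.], seq 1:210, ack 126, win 509, length 209
12:00:05.300000 IP 198.51.100.7.51514 > 192.0.2.99.53: 4242+ A? example.org. (29)
12:00:05.330000 IP 192.0.2.99.53 > 198.51.100.7.51514: 4242 1/0/0 A 203.0.113.10 (45)
12:00:09.000000 IP 198.51.100.7.44321 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
"""

# "IP src.port > dst.port: rest" for IPv4 packets.
FLOW = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (.*)")
# Plaintext query as tcpdump decodes it, e.g. "4242+ A? example.org. (29)".
QUERY = re.compile(r"\d+\+?\s+(?:\[[^\]]*\]\s+)?(\w+)\? (\S+)")


def audit_dns(capture_text, wan_ip):
    """Count outbound DoT vs plaintext DNS packets and list readable queries."""
    counts = Counter()
    leaked = []
    for line in capture_text.splitlines():
        m = FLOW.search(line)
        if not m or m.group(1) != wan_ip:
            continue  # only packets leaving the firewall matter here
        dst_ip, dst_port, rest = m.group(3), int(m.group(4)), m.group(5)
        if dst_port == 853:
            counts["dot"] += 1  # TLS payload: the queried name is not visible
        elif dst_port == 53:
            counts["plaintext"] += 1
            q = QUERY.match(rest)
            if q:  # an on-path observer can read this name
                leaked.append((dst_ip, q.group(1), q.group(2).rstrip(".")))
    return {
        "dot": counts["dot"],
        "plaintext": counts["plaintext"],
        "leaked_queries": leaked,
        "encrypted_only": counts["plaintext"] == 0 and counts["dot"] > 0,
    }


if __name__ == "__main__":
    print(audit_dns(SAMPLE_WAN_CAPTURE, "198.51.100.7"))
```

A result with `encrypted_only` set to `False` means some client or the resolver itself is still bypassing the DoT forwarder.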