Qubes cli firewall and DNS

I understand how to use qvm-firewall to limit VPN traffic to IP:port and disable ICMP pings. But I'm unsure how to make it so that only my VPN's DNS server can be used. This question applies to any of Solene's VPN guides as well as any other guides in this forum.

I often see people suggest using the GUI firewall to limit to IP:port, followed by a reply saying that the GUI firewall is not enough as it doesn't block DNS and pings. But then there is no follow-up on how to block all traffic to non-VPN DNS in the CLI qvm-firewall. Interestingly, preventing ICMP pings is documented, but never anything about preventing non-VPN DNS from working.

A well-known VPN provider's (Mullvad's) DNS is 10.64.0.1.
Is there no way to set this in qvm-firewall in order to prevent any other DNS from accidentally being used?

The requests to the VPN DNS go through the VPN tunnel, so they won't be seen by the Qubes firewall. Just block all traffic using the Qubes firewall except for the VPN IP:port for your VPN qube, and that's all.

So what is the added benefit of using qvm-firewall instead of the GUI?

Is the only benefit the ability to disable ICMP pings?

The ability to disable the ICMP and DNS requests if your VPN qube is misconfigured and could leak the DNS requests when the VPN is not connected.

Right. So I know how to disable ICMP requests. Now how do I disable all non-VPN DNS? Not sure what I am missing from your original response.

If you add a firewall rule limiting the connection to the 1.2.3.4 IP using the GUI, then the firewall rules for this qube will be:

[user@dom0 ~]$ qvm-firewall tstqube
NO  ACTION  HOST        PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  1.2.3.4/32  -         -        -               -          -       -
1   accept  -           -         -        dns             -          -       -
2   accept  -           icmp      -        -               -          -       -
3   drop    -           -         -        -               -          -       -

So you need to remove both the DNS and the ICMP accept rules from this qube using qvm-firewall.
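As an added example (not code from Qubes OS, and not posted by anyone in this thread), the script below audits the kind of rule table shown above: it parses `qvm-firewall QUBE` output, flags the `dns` special-target and `icmp` accept rules that would let traffic out of the qube while the VPN is down, checks that the final rule is a bare `drop`, and prints the `qvm-firewall QUBE del ACTION RULESPEC` commands that remove the leak rules by content. The delete-by-content syntax is assumed from the Qubes 4.x `qvm-firewall` usage (check `qvm-firewall --help` in your dom0 first); the sample tables, including the `udp 51820` endpoint in the hardened one, are constructed for the example.

```python
#!/usr/bin/env python3
"""Audit a qube's qvm-firewall rules for DNS/ICMP leak paths.

Added example for this thread; not Qubes OS code.  Parses the table printed
by `qvm-firewall QUBE`, flags accept rules that bypass the VPN tunnel when the
VPN is down, and prints the qvm-firewall commands that remove them.
Assumed: Qubes 4.x `qvm-firewall QUBE del ACTION RULESPEC` (delete by rule
content).  Run `python3 audit.py sys-vpn` in dom0, or with no argument to
audit the constructed sample table.
"""
import subprocess
import sys
from dataclasses import dataclass

# Constructed sample: the table the answer above shows for a qube limited to
# 1.2.3.4 via the GUI.  Rules 1 and 2 are the DNS and ICMP leak paths.
SAMPLE_TABLE = """\
NO  ACTION  HOST        PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  1.2.3.4/32  -         -        -               -          -       -
1   accept  -           -         -        dns             -          -       -
2   accept  -           icmp      -        -               -          -       -
3   drop    -           -         -        -               -          -       -
"""

# Constructed sample of the hardened state: only the VPN endpoint is reachable
# (UDP 51820 is an assumed port); everything else hits the final drop.
HARDENED_TABLE = """\
NO  ACTION  HOST        PROTOCOL  PORT(S)  SPECIAL TARGET  ICMP TYPE  EXPIRE  COMMENT
0   accept  1.2.3.4/32  udp       51820    -               -          -       -
1   drop    -           -         -        -               -          -       -
"""


@dataclass
class Rule:
    no: int
    action: str
    host: str
    proto: str
    ports: str
    special: str
    icmptype: str
    expire: str
    comment: str


def parse_rules(table: str) -> list[Rule]:
    """Turn the qvm-firewall table into Rule objects (header row skipped)."""
    rules = []
    for line in table.splitlines():
        if not line.strip() or line.split()[0] == "NO":
            continue
        fields = line.split(None, 8)  # keep a multi-word COMMENT intact
        if len(fields) < 8:
            raise ValueError(f"unexpected qvm-firewall row: {line!r}")
        fields += ["-"] * (9 - len(fields))
        rules.append(Rule(int(fields[0]), *fields[1:]))
    return rules


def find_leaks(rules: list[Rule]) -> list[tuple[Rule, str]]:
    """Return (rule, reason) for each accept rule that bypasses the tunnel."""
    leaks = []
    for r in rules:
        if r.action != "accept":
            continue
        if r.special == "dns":
            leaks.append((r, "DNS to the upstream resolvers is accepted outside the tunnel"))
        elif r.proto == "icmp":
            leaks.append((r, "ICMP (pings) is accepted outside the tunnel"))
        elif r.host == "-" and r.special == "-":
            leaks.append((r, "catch-all accept: no destination restriction at all"))
    return leaks


def has_default_drop(rules: list[Rule]) -> bool:
    """The last rule is the default policy; it must be a bare drop."""
    return bool(rules) and rules[-1].action == "drop" and rules[-1].host == "-"


def remediation(qube: str, leaks: list[tuple[Rule, str]]) -> list[str]:
    """qvm-firewall commands deleting each leak rule by content.

    Deleting by content instead of `--rule-no` avoids the renumbering that
    happens after the first deletion.  A catch-all accept gets no command:
    it is the default policy, and limiting the qube in the GUI (as the answer
    above shows) is what replaces it with the final drop.
    """
    cmds = []
    for r, _ in leaks:
        spec = [f"{k}={v}" for k, v in (("dsthost", r.host), ("proto", r.proto),
                                        ("dstports", r.ports), ("specialtarget", r.special),
                                        ("icmptype", r.icmptype)) if v != "-"]
        if spec:
            cmds.append(f"qvm-firewall {qube} del {r.action} " + " ".join(spec))
    return cmds


def live_table(qube: str) -> str:
    """Fetch the real table from dom0 (only works where qvm-firewall exists)."""
    return subprocess.run(["qvm-firewall", qube], check=True,
                          capture_output=True, text=True).stdout


def main(argv: list[str]) -> int:
    qube = argv[1] if len(argv) > 1 else "tstqube"
    table = live_table(qube) if len(argv) > 1 else SAMPLE_TABLE
    rules = parse_rules(table)
    leaks = find_leaks(rules)
    for r, why in leaks:
        print(f"rule {r.no}: {why}")
    if not has_default_drop(rules):
        print("final rule is not a bare drop: default policy is not deny")
    for cmd in remediation(qube, leaks):
        print(cmd)
    return 1 if leaks or not has_default_drop(rules) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run against the sample it reports rules 1 and 2 and prints the two `del` commands; run against the hardened table it exits 0. Running it against every qube that sits behind the VPN qube is a quick way to catch a GUI-created rule set that still carries the default DNS and ICMP accepts.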

Okay. I noticed that you have also commented on Solene's Mullvad guide. Do you know if the VPN connection will still work properly after disabling ICMP and DNS?

The MTU issues have already been solved for me with the new commands that you suggested, but I haven't tried their guide with ICMP and DNS disabled. Wondering if you had tried it yourself.

It works fine for me.

Thanks. I am planning to use sys-net -> sys-firewall -> VPN qube -> AppVMs.
Which VM are you specifying these firewall rules in?
Right now I have used the GUI to specify firewall rules in both sys-firewall and the VPN qube. So in both qubes, and this seems to work fine. Wondering what your setup is, as I'm not sure if I should expect things to change when using the CLI rather than the GUI.

In the VPN qube.

Thanks. Is there any added benefit to setting these rules in sys-firewall as well? Or any drawbacks, if any?

Not really.
You could think that this would limit the connections from sys-firewall itself, e.g. update checks, NTP requests, etc., but in the end there is still sys-net that can do the same, and you can't limit its connections using the Qubes firewall.
If you want to make sure that you limit all connections from your Qubes OS except for the VPN qube's connection, then you need to have an external hardware router and use its firewall to limit the connections there.

No drawbacks.

“If you want to make sure that you limit all connections from your Qubes OS except for the VPN qube's connection, then you need to have an external hardware router and use its firewall to limit the connections there.”

I agree with this 100%, and I've come to this conclusion as well. Though it would be really nice to be able to sort of accomplish this with sys-firewall, as an extra safety measure. Then this is also countered by what you mentioned about sys-net's connections not being able to be limited by the Qubes firewall. So in the end, an external hardware router is really what is needed.

Thanks for explaining everything in such a concise way. I'm sure others will benefit from this as well. All this time I assumed that I needed to specify a specific DNS in qvm-firewall when, meanwhile, all I needed to do was 'drop' the requests.

Thank you for your time.