I managed to set up a pi-hole qube and make it my network’s DNS filtering/caching server. Ironically, it works flawlessly across my network EXCEPT it completely breaks DNS for all other qubes in the same system. On Debian-based qubes I figured out I can simply edit /etc/resolv.conf, while making sure sys-firewall lets the two qubes talk to each other, as a workaround. However this is a hacky per-qube solution and doesn’t persist across qube restarts. It would be nice to simply have sys-firewall relay the information to all of its client qubes automatically. Any idea how to do this?
You don't need to change the settings per qube at all.
You haven't said *where* the pi-hole qube is located in your qubes
network, or what the nature of the breakage is.
I assume from what you say it is attached to sys-firewall.
You can do this by editing the PR-QBS chain in the nat table in
sys-firewall.
By default, this forwards all DNS traffic to 10.139.1.1 and 10.139.1.2
using dnat. Flush that chain and replace it with dnat rules to the IP
address of your Pi-hole qube.
You could do this in /rw/config/qubes-firewall-user-script or by script
in /rw/config/qubes-firewall.d.
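
The procedure described in the reply above, as an added example that is not part of the original thread: a script for sys-firewall that flushes PR-QBS and installs DNAT rules pointing at the Pi-hole qube. The address 10.137.0.50 is a constructed placeholder, the function names are hypothetical, and matching on destination 10.139.1.1/10.139.1.2 for UDP and TCP port 53 is an assumption about how client qubes address their resolvers.

```shell
#!/bin/sh
# Added example (not from the thread): redirect DNS in sys-firewall to a Pi-hole qube.
# Assumption: PIHOLE_IP is a placeholder; set it to your Pi-hole qube's real IP.
PIHOLE_IP="${PIHOLE_IP:-10.137.0.50}"
# Addresses named in the reply; assumed to be what client qubes use as resolvers.
QUBES_DNS="10.139.1.1 10.139.1.2"

# Accept only a dotted-quad IPv4 address, because the value is later
# word-split into iptables arguments.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print one iptables argument line per rule: flush PR-QBS, then DNAT
# UDP and TCP port 53 for each Qubes DNS address to the Pi-hole.
build_rules() {
    valid_ipv4 "$1" || { echo "invalid Pi-hole IP: $1" >&2; return 1; }
    echo "-t nat -F PR-QBS"
    for dns in $QUBES_DNS; do
        for proto in udp tcp; do
            echo "-t nat -A PR-QBS -d $dns -p $proto --dport 53 -j DNAT --to-destination $1"
        done
    done
}

# Run the generated rules (requires root inside sys-firewall).
apply_rules() {
    rules=$(build_rules "$1") || return 1
    printf '%s\n' "$rules" | while read -r args; do
        iptables $args || exit 1   # intentional word splitting of validated text
    done
}

# Dry run by default: print the rules. Pass "apply" to install them.
case "${1:-}" in
    apply) apply_rules "$PIHOLE_IP" ;;
    *)     build_rules "$PIHOLE_IP" ;;
esac
```

Run it with no argument to review the rules, then with `apply` from /rw/config/qubes-firewall-user-script; `iptables -t nat -S PR-QBS` shows what is installed afterwards.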