So where to put it. I think the net-vm is a good place to be root and sniff the DNS traffic of all my qubes.
I want to do this for academic research on DNS, as I need to gather “real world” DNS traffic. So the idea is to use auto-browsing web browsers in different qubes which are browsing like bees to generate DNS traffic. The honey is then collected in sys-net using DNSCAP - DNS traffic capture utility | DNS-OARC.
Thanks, I sniff in netvm at vif5.0 which is the interface that is connected to sys-firewall, so I am “between sys-firewall and sys-net” as I listen on the interface of sys-net which is facing sys-firewall.
If you want, you can also make it more secure by routing only the DNS traffic through your sniffer VM by adding proper nft rules in sys-firewall and the sniffer itself.
This will also be more CPU efficient as the sniffer will process less data.
I lean (Eileen?) towards your first suggestion: run the sniffer/analyzer on an upstream router to be 100% sure you’re capturing all traffic.
If you start playing with nft rules, fighting the Qubes OS automation/NAT for DNS, you can always miss or mess up things. The KISS principle…
Depends what you want to do with the capture. If you don’t care about sys-net traffic but only the other qubes, you can run tcpdump -i eth0 udp port 53 or tcp port 53 and dump this to a file or view live all port 53 requests.
That’s not really suitable for long term use though, but it will do the job for instant viewing or replay analysis with wireshark.
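One way to make the tcpdump approach above usable for longer runs, as an added example that is not from any poster in this thread: rotate the capture file on a timer, drop root once the interface is open, and disable name resolution so the capture itself generates no DNS queries. It assumes tcpdump is available in sys-net and that the downstream-facing interfaces are named vifN.0 (as vif5.0 is in the thread); the helper functions and the output directory are constructed for this example.

```shell
#!/bin/sh
# Constructed example for long-term DNS capture in sys-net.
# Assumes tcpdump in the sys-net template and vifN.0 backend interfaces.

# BPF filter: "port 53" matches DNS over both UDP and TCP.
dns_filter() {
    printf '%s' 'port 53'
}

# Extract vifN.M interface names from `ip -o link` output given on stdin.
# Example input line: "7: vif5.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 ..."
vif_ifaces() {
    sed -n 's/^[0-9]*: \(vif[0-9]*\.[0-9]*\)[:@].*/\1/p'
}

# Build a tcpdump command that:
#   -n   never resolves names (no DNS traffic generated by the sniffer itself)
#   -G   rotates the capture file every N seconds (strftime pattern in -w)
#   -Z   relinquishes root to "nobody" after opening the interface
capture_cmd() {
    iface=$1
    outdir=$2
    secs=${3:-3600}
    printf "tcpdump -n -i %s -G %s -Z nobody -w '%s/dns-%s-%%Y%%m%%d-%%H%%M%%S.pcap' '%s'\n" \
        "$iface" "$secs" "$outdir" "$iface" "$(dns_filter)"
}

# Usage: run this script as root in sys-net with the argument "run" to start
# one capture per downstream vif interface; without it, nothing is started.
if [ "${1:-}" = "run" ]; then
    outdir=${2:-/var/log/dnscap}        # constructed default directory
    mkdir -p "$outdir" && chown nobody "$outdir"
    for i in $(ip -o link | vif_ifaces); do
        echo "starting DNS capture on $i"
        sh -c "$(capture_cmd "$i" "$outdir" 3600)" &
    done
    wait
fi
```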