Split DNS on sys-vpn - FW issue?

I’ve a sys-vpn qube that contains my openconnect stuff. It is doing split tunneling perfectly fine.

I want this qube to perform split DNS as well, using dnsmasq (I already set that up on another machine). dnsmasq runs fine and listens on 53.
However, a “client” qube (using sys-vpn as its network qube) cannot dig or telnet to that port…

I suspect the firewall on sys-vpn not accepting traffic on UDP/53, but I don’t know which table is responsible for this. I’ve tried custom-input without success.

Any ideas?

Thanks!

What did you try?

See GitHub - 3hhh/qubes-dns: DNS VM helper scripts for some ideas.


I’ve set this rule on the sys-vpn qube (running dnsmasq):

sudo nft add rule qubes custom-input ip saddr 10.137.0.0/24 udp dport 53 ct state new,established,related counter accept

Now, my “DNS client” qube outputs a timeout instead of an Unreachable, but still… Slowly progressing.
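The thread hinges on the difference between an "Unreachable" and a "timeout" when the client qube probes UDP/53 on sys-vpn. The following is an added example, not code from the thread or from qubes-dns: a small Python probe that sends one real DNS query over a connected UDP socket and classifies the result as answered, unreachable (an ICMP port-unreachable came back, which is what a firewall reject rule or a closed port produces) or timeout (the packet was dropped or never answered). The stub responder at the bottom is a constructed test double so the script can be run offline; the gateway address and port in `__main__` are assumptions to be replaced with the client's actual view of sys-vpn.

```python
import socket
import struct
import threading


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: header with RD set, one A/IN question for `name`."""
    # id, flags (RD=1), qdcount, ancount, nscount, arcount
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def probe_dns(host: str, port: int = 53, name: str = "example.com", timeout: float = 2.0) -> str:
    """Send one UDP query and classify the outcome.

    Returns 'answered' (a response with QR=1 and the same id came back),
    'unreachable' (kernel reported ICMP port unreachable, i.e. a reject rule
    or nothing listening), 'timeout' (dropped or unanswered) or 'malformed'.
    """
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # A connected UDP socket is what makes ICMP errors surface as exceptions.
        s.connect((host, port))
        try:
            s.send(query)
            data = s.recv(512)
        except ConnectionRefusedError:
            return "unreachable"
        except socket.timeout:
            return "timeout"
    if len(data) >= 3 and data[:2] == query[:2] and data[2] & 0x80:
        return "answered"
    return "malformed"


def start_stub_responder(respond: bool):
    """Constructed test double: a UDP socket on loopback that either echoes the
    query back with QR=1 (respond=True) or stays silent (respond=False).
    Returns (port, socket); the caller closes the socket."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    port = sock.getsockname()[1]

    def serve():
        try:
            data, addr = sock.recvfrom(512)
        except OSError:
            return
        if respond:
            reply = data[:2] + bytes([data[2] | 0x80]) + data[3:]  # set QR bit
            sock.sendto(reply, addr)

    threading.Thread(target=serve, daemon=True).start()
    return port, sock


if __name__ == "__main__":
    # Offline demonstration against the constructed stubs.
    port, sock = start_stub_responder(respond=True)
    print("answering stub ->", probe_dns("127.0.0.1", port, timeout=1.0))
    sock.close()
    port, sock = start_stub_responder(respond=False)
    print("silent stub    ->", probe_dns("127.0.0.1", port, timeout=0.5))
    sock.close()
    # Assumed values: from a client qube, point this at sys-vpn's address on the vif.
    # print("sys-vpn ->", probe_dns("10.137.0.1", 53))
```

Run from the client qube and read the result: an "unreachable" means the query reached sys-vpn and was rejected (or nothing was bound on that port), while a "timeout" after adding an accept rule means the packet is no longer rejected but nothing answered it, so the next things to look at are whether dnsmasq is bound to the address the client actually sends to and whether TCP/53 needs the same rule as UDP/53.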