Sys-firewall cannot resolve DNS

dro212 · September 18, 2023, 12:35am

My sys-net has working internet. I can curl ‘https://www.google.com’ in sys-net, but in sys-firewall I cannot resolve the DNS. I’ve had this happen before and with a few restarts it works, does anyone know the solution to this problem? FYI no firewall restrictions, all firewalls set to allow all connections, and Debian disposable template for the sys-qubes.

Thanks!

dro212 · September 18, 2023, 2:30pm

This is a problem with the virtual DNS nameserver. I’m troubleshooting now.

dro212 · September 19, 2023, 1:57pm

Issue created. Temp fix is to use the new autorestart once the template has been updated.

github.com/QubesOS/qubes-issues

Virtual DNS Fails with manual sys-net restart

opened 01:54PM - 19 Sep 23 UTC

andrew-drogalis

### Qubes OS release V4.2 rc3 ### Brief summary Using Debian Disposable templ…ates, the virtual DNS in all qubes doesn't work once the sys-net & sys-firewall are manually restarted. Once an update occurs and the new qubes update restart process takes place, the error is fixed and it works normally. ### Steps to reproduce In sys-net & sys-firewall with a disposable Debian template, shut down both qubes and restart. The DNS request will fail in the sys-firewall. ### Expected behavior DNS requests work as expected with a manual sys-net restart. ### Actual behavior DNS requests fail with, "site's DNS address cannot be found."

slcoleman · September 21, 2023, 2:00pm

Whenever I have had problems with DNS resolution upstream of sys-net I have found that just adding a public DNS server entry into NetworkManager in sys-net fixed the problem. Something to try at least.

dro212 · September 21, 2023, 5:20pm

Thanks, it’s not upstream of sys-net, but downstream.

The work around is just timing the manual restart properly until the virtual DNS kicks in. The bug issue is linked above.

Talkabout · August 24, 2025, 12:16am

Although this post is quite old, I’d like to share something that happened to me recently.
I started to experiment with CPU pinning and reducing the number of cores available for dom0. At some point, when I restarted my laptop, DNS resolution did not work from sys-firewall and all AppVMs, whereas it worked within sys-net. I checked via nft command the ruleset and it turned out that DNS propagation was not correctly configured throughout the VMs. It seems to me that depending on the available resources and the number of VMs being started on boot there can be cases where the start order changes/takes longer and the DNS setup fails. I was not able to restore the DNS resolution “manually” but only via restarting the complete machine.
From my point of view this issue exists but might not show on most installations because the resources for dom0 are “enough”.

seth · October 3, 2025, 8:34pm

Thank you for pointing this out. I’ve been struggling with virtual DNS failure after restarting sys-net & sys-firewall qubes after updates. work around has been to manually add public DNS nameserver to /etc/resolv.conf in each qube, which is a hassle needless to say.

I did notice that when I did a complete reboot of the computer, the issue went away.

seth · October 3, 2025, 8:58pm

You might also try running the following command in net-sys to restore virtual DNS resolution. I’ve had success with this after authenticating to captive portals.

sudo systemctl restart qubes-network.service