I updated qubes-vpn-ns and that definitely did something: it's picking up the DNS entries in the config files and says it's going to use those two DNS servers.
However I still see these NAT entries:
chain dnat-dns {
    type nat hook prerouting priority dstnat; policy accept;
    ip daddr 10.139.1.1 udp dport 53 dnat to 10.139.1.1
    ip daddr 10.139.1.1 tcp dport 53 dnat to 10.139.1.1
    ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.2
    ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.2
}
So I went ahead and flushed/created the modified NAT entries myself, based on the commands in the updated script, and they do show up until the service restarts and they get overwritten.
However, it didn't seem to have any effect anyway; the AppVM still uses the VPN provider's servers.
sudo nft flush chain ip qubes dnat-dns
sudo nft add rule ip qubes dnat-dns iifgroup 2 ip daddr 10.139.1.1 tcp dport 53 dnat to 9.9.9.9
sudo nft add rule ip qubes dnat-dns iifgroup 2 ip daddr 10.139.1.1 udp dport 53 dnat to 9.9.9.9
sudo nft add rule ip qubes dnat-dns iifgroup 2 ip daddr 10.139.1.1 tcp dport 53 dnat to 1.1.1.1
sudo nft add rule ip qubes dnat-dns iifgroup 2 ip daddr 10.139.1.1 udp dport 53 dnat to 1.1.1.1
Out of curiosity, I also temporarily added a line after all of the above to your updated script, to see if the array was being populated and whether the if statement was true in my case.
And sure enough, this echo statement spat out two lines, one for each server I specified, so it has the values; I'm not sure how the other NAT entries keep getting populated.
# -lt is a numeric comparison; inside [[ ]] a bare '<' compares the two operands as strings
if [[ $i -lt ${#vpn_dns_ip4[@]} ]] ; then
    echo "${vpn_dns_ip4[$i]}"   # debug: print the VPN resolver about to be used for this index
    nft add rule ip qubes dnat-dns iifgroup 2 ip daddr "${qubes_dns_ip4[$i]}" tcp dport 53 dnat to "${vpn_dns_ip4[$i]}"
fi
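Added example, not code from this thread or from qubes-vpn-ns: a small bash script that generates the whole dnat-dns replacement as one nft transaction and applies it with `nft -f`, so the flush and the new rules land atomically instead of leaving a window with an empty chain between separate `nft flush` and `nft add rule` calls. Each Qubes resolver address is mapped to the VPN resolver at the same index (both tcp and udp), and every rule carries a `counter` so `nft list chain ip qubes dnat-dns` shows whether client queries are actually hitting the rewrite. The Qubes addresses are taken from the chain dump above; the VPN resolver values and the array names are assumptions. As the post notes, the service regenerates the chain on restart, so this is a way to test the rules, not a persistent fix.

```bash
#!/usr/bin/env bash
# Added example; not from the thread or the qubes-vpn-ns script.
# Emits (or applies) an nft transaction that replaces the Qubes "dnat-dns"
# chain so DNS sent to each Qubes-internal resolver address is redirected
# to the VPN provider's resolver at the same index.
set -euo pipefail

# Addresses Qubes hands to downstream qubes as resolvers (from the chain dump).
qubes_dns_ip4=(10.139.1.1 10.139.1.2)
# VPN-provider resolvers: assumed values, substitute the ones from your config.
vpn_dns_ip4=(9.9.9.9 1.1.1.1)

# One dnat rule for one L4 protocol. iifgroup 2 limits the rewrite to traffic
# arriving from downstream qubes, as in the script's own rules. The counter
# lets you see from `nft list chain` whether the rule is matching at all.
dnat_rule() {
    local proto=$1 qubes_ip=$2 vpn_ip=$3
    printf 'add rule ip qubes dnat-dns iifgroup 2 ip daddr %s %s dport 53 counter dnat to %s\n' \
        "$qubes_ip" "$proto" "$vpn_ip"
}

# Print the whole transaction: flush first, then udp+tcp rules per Qubes address.
# If fewer VPN resolvers than Qubes addresses are configured, reuse them
# round-robin so no Qubes resolver address is left unredirected.
gen_dnat_dns_rules() {
    local n_vpn=${#vpn_dns_ip4[@]} i vpn_ip
    if [[ $n_vpn -eq 0 ]]; then
        echo "no VPN DNS servers configured" >&2
        return 1
    fi
    echo 'flush chain ip qubes dnat-dns'
    # Arithmetic for-loop: numeric comparison, unlike a bare '<' inside [[ ]].
    for (( i = 0; i < ${#qubes_dns_ip4[@]}; i++ )); do
        vpn_ip=${vpn_dns_ip4[$(( i % n_vpn ))]}
        dnat_rule udp "${qubes_dns_ip4[$i]}" "$vpn_ip"
        dnat_rule tcp "${qubes_dns_ip4[$i]}" "$vpn_ip"
    done
}

# Apply the generated script in a single nft transaction (root in the VPN qube).
apply_dnat_dns_rules() {
    local tmp
    tmp=$(mktemp)
    gen_dnat_dns_rules > "$tmp"
    nft -f "$tmp"
    rm -f "$tmp"
}

case "${1:-}" in
    --apply) apply_dnat_dns_rules ;;
    *)       gen_dnat_dns_rules ;;   # default: just print the transaction
esac
```

Run it without arguments to review the generated transaction, then with `--apply` as root inside the VPN qube. Afterwards, resolve something from the AppVM and run `sudo nft list chain ip qubes dnat-dns` in the VPN qube: if the packet counters on the new rules stay at zero, the queries are not reaching this chain with the expected interface group or destination, which is a different problem from the rules being overwritten.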