I’ve been using @solene 's guide/setup for a long time, with all the leak prevention features, and noticed an annoying feature: on VPN qube boot, most of the time, the first 1-2 DNS queries fail. I’m talking about DNS queries coming from qubes using this VPN qube as their upstream (through another sys-firewall-prevpn qube, but that is not important here).
Long story short, it happens because the Network Manager is always adding the default Qubes resolvers to /etc/resolv.conf, resulting in two non-functional entries which are present all the time. As I cannot change/remove the “qubes-netvm-primary-dns” property on my VPN qube, and was looking for an easy, permanent change that will not be clobbered by updates, I arrived at the following solution:
In /rw/config/rc.local, before anything else, add:
```bash
# Write a NetworkManager dispatcher script; the quoted delimiter keeps the
# heredoc literal so nothing inside it is expanded by the shell running rc.local.
cat >/etc/NetworkManager/dispatcher.d/zzz-my-hook << '__EOF__'
#!/bin/bash
# Drop the two Qubes default resolvers (10.139.1.1 and 10.139.1.2); dots are
# escaped so they match literally.
sed -i '/nameserver 10\.139\.1\.[1-2]/d' /etc/resolv.conf
__EOF__
chmod 755 /etc/NetworkManager/dispatcher.d/zzz-my-hook
```
This creates a Network Manager hook that runs last every time an event occurs (like interface up/down if you switch between VPNs) and deletes the two “bad” DNS entries.
Now I only have the wireguard-provided nameserver and, due to the qubes-firewall-user-script changes documented in the guide, all DNS queries are “dnat”-ed through it.
Note: I created this separate topic to discuss the opportunity to add the solution to @solene 's guide. I can edit the guide but maybe there are simpler ways to overcome the problem.
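As an added example (not part of the post above or of the guide it refers to), here is a variant of the dispatcher hook split into testable functions: it strips the Qubes resolvers with a regex that is anchored to the whole address, and then counts what is left so that a resolv.conf with no nameserver at all (DNS failing closed) is at least logged. The `RESOLV_CONF` override, the `strip_qubes_resolvers` / `count_nameservers` names and the logger tag are assumptions for this example; NetworkManager passing `<interface> <action>` as the first two arguments is standard dispatcher behaviour.

```bash
#!/bin/bash
# Hypothetical hardened variant of zzz-my-hook (added example, not the post's code).
# Assumes the Qubes default resolvers are 10.139.1.1 and 10.139.1.2.

RESOLV="${RESOLV_CONF:-/etc/resolv.conf}"   # RESOLV_CONF is an assumed override hook

# Remove only the two Qubes-provided resolver lines from the given file.
# The pattern is anchored so 10.139.1.10 (constructed example) is NOT removed.
strip_qubes_resolvers() {
    local f="$1"
    sed -i -E '/^nameserver[[:space:]]+10\.139\.1\.[12]([[:space:]]|$)/d' "$f"
}

# Print how many nameserver lines remain (0 means DNS will fail closed).
count_nameservers() {
    grep -cE '^nameserver[[:space:]]' "$1" || true
}

main() {
    local iface="$1" action="$2" n
    strip_qubes_resolvers "$RESOLV"
    n=$(count_nameservers "$RESOLV")
    if [ "$n" -eq 0 ]; then
        logger -t zzz-my-hook "no nameserver left in $RESOLV after '$iface $action'"
    fi
}

# NetworkManager always passes "<interface> <action>"; only then touch resolv.conf.
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```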