DNS Queries and Firewall

AndrewX192

Jul 5, 2013, 1:41:55 AM
to qubes...@googlegroups.com
I just stumbled across this while figuring out why websites were inaccessible on my Qubes installation:

The firewall currently allows UDP traffic on port 53 for the purpose of DNS queries, but does not allow TCP traffic on port 53 (commonly used for DNS zone transfers, but also for queries with a response over 512 bytes that would otherwise be truncated).

Is there a reason why the Qubes firewall defaults to only UDP, or can I safely make this adjustment?
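To show what the UDP-only rule breaks, here is an added example (not code from the thread or from Qubes): a minimal DNS client that queries over UDP, checks the TC (truncated) bit in the reply and, when it is set, retries over TCP/53 with the 2-byte length prefix that DNS over TCP uses. With tcp/53 filtered, the `connect()` in the TCP path fails and the resolver is stuck with a truncated answer. The server address and the 512-byte UDP limit are assumptions for illustration.

```python
import socket
import struct

# Added example (not the thread's code): UDP query first, then retry over
# TCP/53 when the reply's TC (truncated) bit is set, per RFC 1035.

def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query (A record by default) with the RD flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(reply):
    """Decode the 12-byte DNS header; 'tc' is the truncated bit."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {"id": txid, "tc": bool(flags & 0x0200), "answers": an}

def frame_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("short read from DNS server")
        buf += chunk
    return buf

def query(server, name, tcp=False, timeout=3.0):
    """Send one query over UDP (default) or TCP and return the raw reply."""
    q = build_query(name)
    if not tcp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            return s.recvfrom(512)[0]      # classic UDP payload limit
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((server, 53))            # fails when tcp/53 is filtered
        s.sendall(frame_tcp(q))
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return recv_exact(s, length)

def resolve(server, name):
    """UDP first; on TC=1 retry over TCP as RFC 1035 section 4.2.2 expects."""
    reply = query(server, name)
    return query(server, name, tcp=True) if parse_header(reply)["tc"] else reply
```

Running `resolve("10.137.0.1", "example.com")` (the NetVM's resolver address is an assumption) against a name whose answer exceeds 512 bytes reproduces the failure: the UDP reply carries TC=1 and the TCP retry times out on a UDP-only firewall.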

Joanna Rutkowska

Jul 5, 2013, 5:38:15 AM
to AndrewX192, qubes...@googlegroups.com
No, no special reason for blocking tcp/53, so I think you can safely
open this. Ok, a purist would argue that tcp processing is generally more
complex than udp, so theoretically this uncovers more attack surface
(client-side), but in most cases we will need tcp for other reasons
anyway, so this is meaningless if we also open tcp-based dns, I think.

joanna.

japroi...@gmail.com

Oct 31, 2015, 8:55:44 PM
to qubes-users
Probably

Pete Howell

Nov 1, 2015, 5:59:57 PM
to qubes-users
I'm running R3.0 and DNS over TCP is not blocked in my default firewall settings.

Anonymous

Nov 1, 2015, 6:26:01 PM
to qubes-users

Are other people having DNS issues too? I am frequently forced to edit /etc/resolve.conf and throw in an OpenNIC DNS server in order to get the VM to connect. Which gets reset on reboot. Sometimes correctly, sometimes incorrectly. I cannot figure out if this has something to do with changing the NetVMs around (I have a lot of Proxy and VPN VMs, so the NetVMs are always getting swapped around. So I assumed this was what was breaking my DNS settings.)

Also, I am not sure of the security implications of adding an OpenDNS or OpenNIC DNS server to this list, especially if I am using Whonix-Gateway or a VPN Proxy. I check https://ipleak.net to see if they can spot any leaks. And they never can. But I have no idea how reliable that is.

I do NOT alter DNS settings for Whonix-Workstations.

Jeremy Rand

Nov 1, 2015, 7:06:43 PM
to qubes...@googlegroups.com

I tried to install dnssec-trigger into a Windows 10 HVM a month or so
ago, and dnssec-trigger/unbound seemed to be unable to talk to any DNS
servers. I never figured out what the issue was. If the firewall is
actually blocking TCP-based DNS traffic, I wouldn't be surprised if
that explained my issue. I haven't yet tried to install
dnssec-trigger into a Fedora VM, so I can't be sure whether this is a
weird Windows-specific issue or a firewall issue.

-Jeremy Rand

Marek Marczykowski-Górecki

Nov 1, 2015, 7:08:47 PM
to Jeremy Rand, qubes...@googlegroups.com
The issue is tracked here:
https://github.com/QubesOS/qubes-issues/issues/1325

Now we have notifications there when the updates are uploaded.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?