How to set some DNS entries in /etc/hosts for some hosts?

43 views
Skip to first unread message

Marcus Linsner

unread,
Feb 7, 2019, 7:57:39 AM2/7/19
to qubes-users
Sometimes github.com resolves to 192.30.253.112 and .113 and today(at least) they don't allow port 22 ssh, so `git push` fails like
ssh: connect to host github.com port 22: No route to host

I noticed however that when it resolves to something like 140.82.112.40 (unsure exactly the IP) then ssh works and `git push` succeeds!

Valid github IPs can be seen here: https://api.github.com/meta

https://www.githubstatus.com/ currently reports all systems operational.

So, what ami2do? :)

I would need some global way to make sure github.com resolves to the working IP, but unsure how to make this work.

Ideally this would be in sys-net's /etc/hosts
but this of course doesn't have any effect: github.com still resolves to either of those .112 and .113 IPs. It only works if I put it in the current AppVM's /etc/hosts, of course.

How can this be done globally?

(Ideally, I would like to even bypass DNS completely, eventually, and only use /etc/hosts (kept up to date manually) but not in this post/thread.)

Marcus Linsner

unread,
Feb 7, 2019, 8:04:07 AM2/7/19
to qubes-users
On Thursday, February 7, 2019 at 12:57:39 PM UTC, Marcus Linsner wrote:
> Sometimes github.com resolves to 192.30.253.112 and .113 and today(at least) they don't allow port 22 ssh, so `git push` fails like
> ssh: connect to host github.com port 22: No route to host
>
> I noticed however that when it resolves to something like 140.82.112.40 (unsure exactly the IP) then ssh works and `git push` succeeds!

the working IP is 140.82.118.3

Marcus Linsner

unread,
Feb 7, 2019, 8:44:00 AM2/7/19
to qubes-users

grreat, now not even that IP works anymore:


ssh: connect to host github.com port 22: No route to host

i'm guessing some epic sshd bug is being exploited? :D silly speculation(s)

Marcus Linsner

unread,
Feb 7, 2019, 9:17:19 AM2/7/19
to qubes-users

ok, it's because of Qubes because having a rule in Firewall like "github.com" "ssh" "tcp" which apparently adds an iptables(?) rule based on resolved IP at the time(of AppVM start?), and github having changing IPs ("We do not recommend whitelisting by IP address," from: https://help.github.com/articles/about-github-s-ip-addresses/ )

so basically, it was my fault :)

But still, I'd like to know an answer to my OP question: but I'm gonna guess I'll have to use dnsmasq instead of any kind of /etc/hosts, that is, for global effect.

Marcus Linsner

unread,
Feb 7, 2019, 9:31:06 AM2/7/19
to qubes-users
On Thursday, February 7, 2019 at 2:17:19 PM UTC, Marcus Linsner wrote:
> On Thursday, February 7, 2019 at 1:44:00 PM UTC, Marcus Linsner wrote:
> > On Thursday, February 7, 2019 at 1:04:07 PM UTC, Marcus Linsner wrote:
> > > On Thursday, February 7, 2019 at 12:57:39 PM UTC, Marcus Linsner wrote:
> > > > Sometimes github.com resolves to 192.30.253.112 and .113 and today(at least) they don't allow port 22 ssh, so `git push` fails like
> > > > ssh: connect to host github.com port 22: No route to host
> > > >
> > > > I noticed however that when it resolves to something like 140.82.112.40 (unsure exactly the IP) then ssh works and `git push` succeeds!
> > >
> > > the working IP is 140.82.118.3
> >
> > grreat, now not even that IP works anymore:
> > ssh: connect to host github.com port 22: No route to host
> >
> > i'm guessing some epic sshd bug is being exploited? :D silly speculation(s)
>
> ok, it's because of Qubes because having a rule in Firewall like "github.com" "ssh" "tcp" which apparently adds an iptables(?) rule based on resolved IP at the time(of AppVM start?), and github having changing IPs ("We do not recommend whitelisting by IP address," from: https://help.github.com/articles/about-github-s-ip-addresses/ )
>
> so basically, it was my fault :)


oh and I forgot to mention that because ping always works even if everything else is denied(in AppVM's Firewall tab), it threw me off :) it's a Qubes feature, I know.

awokd

unread,
Feb 7, 2019, 3:23:18 PM2/7/19
to qubes...@googlegroups.com
Marcus Linsner wrote on 2/7/19 2:31 PM:
You probably figured out already that if you determine and add all
ofGithub's IPs to your SSH firewall rules, you can have what you're
looking for.

Dupéron Georges

unread,
Feb 10, 2019, 1:38:06 PM2/10/19
to qubes...@googlegroups.com
>>>>> Sometimes github.com resolves to 192.30.253.112 and .113 and today(at least) they don't allow port 22 ssh, so `git push` fails like
>>>>> ssh: connect to host github.com port 22: No route to host

You can also run qvm-firewal --reload your-github-vm.

I assigned a shortcut in the task bar to reload the firewall of all VMs for sites with many IP addresses, you could go one step further and do it constantly:

while sleep 60; do for vm in your-github-vm some-other-vm blah blah; qvm-firewal --reload "$vm"; done; done

If the VM is currently halted, it does not attempt to start it, and does not trigger any error :) .


> ok, it's because of Qubes because having a rule in Firewall like "github.com" "ssh" "tcp" which apparently adds an iptables(?) rule based on resolved IP at the time(of AppVM start?), and github having changing IPs ("We do not recommend whitelisting by IP address," from: https://help.github.com/articles/about-github-s-ip-addresses/ )

From experience, the IP is resolved on VM start.

Cheers,
Georges Dupéron
Reply all
Reply to author
Forward
0 new messages