DNS issues after Debian template update


adoni...@gmail.com

Apr 23, 2017, 1:33:26 PM
to qubes-users
Hi guys,

I've updated my Debian 8 template, and for some reason it's messed up the DNS-related iptables rules.

I've narrowed the problem down to this script:

/usr/lib/qubes/qubes-setup-dnat-to-ns
-----------
#!/bin/sh
addrule()
{
    if [ $FIRSTONE = yes ] ; then
        FIRSTONE=no
        RULE1="-A PR-QBS -d $NS1 -p udp --dport 53 -j DNAT --to $1
-A PR-QBS -d $NS1 -p tcp --dport 53 -j DNAT --to $1"
        RULE2="-A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $1
-A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $1"
    else
        RULE2="-A PR-QBS -d $NS2 -p udp --dport 53 -j DNAT --to $1
-A PR-QBS -d $NS2 -p tcp --dport 53 -j DNAT --to $1"
        NS=$NS2
    fi
}
export PATH=$PATH:/sbin:/bin
. /var/run/qubes/qubes-ns
if [ "X"$NS1 = "X" ] ; then exit ; fi
iptables -t nat -F PR-QBS
FIRSTONE=yes
grep ^nameserver /etc/resolv.conf | grep -v ":.*:" | head -2 |
(
    while read x y z ; do
        addrule "$y"
    done
    (echo "*nat"; echo "$RULE1"; echo "$RULE2"; echo COMMIT) | iptables-restore -n
)
-----------

When I run it as it is, I get the following error:

user@debian-8:~$ sudo bash /usr/lib/qubes/qubes-setup-dnat-to-ns

/usr/lib/qubes/qubes-setup-dnat-to-ns: line 17: /var/run/qubes/qubes-ns: No such file or directory

I've commented out the line that runs that script (which is not present in the system), and it doesn't do anything, as this line exits the script ($NS1 is empty):

if [ "X"$NS1 = "X" ] ; then exit ; fi

So I've also commented out that line so the rules can get added, but I get an error when the script adds the rules:

Bad argument `udp'
Error occurred at line: 2
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

It complains about '[...] -p udp [...]'

I'm not sure why I'm running into all these errors, as everything worked just fine before! Any ideas or suggestions are appreciated.

Cheers.
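As an added illustration (not the Qubes script and not code posted by anyone in this thread), here is a POSIX-sh reimplementation of the rule generation that validates its inputs first. With NS1 empty, the original script expands `-d $NS1 -p udp` to `-d -p udp`, so `-d` swallows `-p` and iptables-restore reports `Bad argument 'udp'`; the version below rejects an empty or malformed address before any rule is built. The NS and upstream addresses in the test are constructed sample values, and is_ipv4 only checks dotted-quad shape, not octet range.

```shell
#!/bin/sh
# Added example, not the Qubes qubes-setup-dnat-to-ns script.

# is_ipv4 ADDR: succeed only for a non-empty dotted quad (digits and dots,
# exactly four fields). Shape check only; octet range is not validated.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# dns_dnat_rules NS1 NS2 UPSTREAM1 [UPSTREAM2]: print a *nat table for
# iptables-restore that DNATs DNS traffic sent to the in-qube NS addresses
# to the upstream resolvers. Any missing or malformed address aborts with a
# diagnostic instead of emitting a rule that iptables-restore will choke on.
dns_dnat_rules() {
    ns1=$1; ns2=$2; up1=$3; up2=${4:-$3}
    for a in "$ns1" "$ns2" "$up1" "$up2"; do
        is_ipv4 "$a" || { echo "invalid or missing address: '$a'" >&2; return 1; }
    done
    echo '*nat'
    for proto in udp tcp; do
        echo "-A PR-QBS -d $ns1 -p $proto --dport 53 -j DNAT --to $up1"
    done
    for proto in udp tcp; do
        echo "-A PR-QBS -d $ns2 -p $proto --dport 53 -j DNAT --to $up2"
    done
    echo COMMIT
}

# upstream_from_resolv FILE: the first two non-IPv6 nameserver addresses,
# using the same grep pipeline as the original script.
upstream_from_resolv() {
    grep '^nameserver' "$1" | grep -v ':.*:' | head -2 | awk '{print $2}'
}
```

Pipe the output of dns_dnat_rules into `iptables-restore -n` only after it returns 0; a non-zero return means an input was empty or malformed, which is exactly the condition the sourced qubes-ns file is supposed to prevent.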

Chris Laprise

Apr 23, 2017, 2:40:32 PM
to adoni...@gmail.com, qubes-users
On 04/23/2017 01:33 PM, adoni...@gmail.com wrote:
> Hi guys,
>
> I've updated my Debian 8 template, and for some reason it's messed up the DNS-related iptables rules.

This still works on my Debian 8 proxyVM. Haven't tried appVM yet as I
normally use Debian 9.

>
> I've narrowed the problem down to this script:
>
> /usr/lib/qubes/qubes-setup-dnat-to-ns
> -----------

> When I run it as it is, I get the following error:
>
> user@debian-8:~$ sudo bash /usr/lib/qubes/qubes-setup-dnat-to-ns
>
> /usr/lib/qubes/qubes-setup-dnat-to-ns: line 17: /var/run/qubes/qubes-ns: No such file or directory

Two scripts that create /var/run/qubes/qubes-ns are:
setup-ip
network-proxy-setup.sh

If you have a snapshot of your Debian 8 template, you could diff those
files to see if they changed (acquired a bug).

--

Chris Laprise, tas...@openmailbox.org
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886

Unman

Apr 23, 2017, 5:40:32 PM
to Chris Laprise, adoni...@gmail.com, qubes-users
On Sun, Apr 23, 2017 at 02:40:12PM -0400, Chris Laprise wrote:
> On 04/23/2017 01:33 PM, adoni...@gmail.com wrote:
> >Hi guys,
> >
> >I've updated my Debian 8 template, and for some reason it's messed up the DNS-related iptables rules.
>
> This still works on my Debian 8 proxyVM. Haven't tried appVM yet as I
> normally use Debian 9.
>
> >
> >I've narrowed the problem down to this script:
> >
> >/usr/lib/qubes/qubes-setup-dnat-to-ns
> >-----------
>
> >When I run it as it is, I get the following error:
> >
> >user@debian-8:~$ sudo bash /usr/lib/qubes/qubes-setup-dnat-to-ns
> >
> >/usr/lib/qubes/qubes-setup-dnat-to-ns: line 17: /var/run/qubes/qubes-ns: No such file or directory
>
> Two scripts that create /var/run/qubes/qubes-ns are:
> setup-ip
> network-proxy-setup.sh
>
> If you have a snapshot of your Debian 8 template, you could diff those files
> to see if they changed (acquired a bug).
>

Like Chris, I don't see this problem with my Debian qubes - 8 or 9
based.
/var/run/qubes/qubes-ns isn't a script, as OP suggested - it's a file
containing the NS1 and NS2 variables. In a qube it's written from
setup-ip.

You haven't somehow enabled networkManager in that appVM have you?

adoni...@gmail.com

Apr 23, 2017, 5:50:41 PM
to qubes-users, tas...@openmailbox.org, adoni...@gmail.com, un...@thirdeyesecurity.org

Hi guys,

Thanks for your response.

As I said before, qubes-ns does not get created, and after running setup-ip manually, I get a couple of errors:

----------
$ sudo bash /usr/lib/qubes/setup-ip
Cannot get device feature names: No such device
Cannot get device feature names: No such device
SIOCSIFNETMASK: No such device
up: error fetching interface information: Device not found
Usage: inet_route [-vF] del {-host|-net} Target[/prefix] [gw Gw] [metric M] [[dev] If]
inet_route [-vF] add {-host|-net} Target[/prefix] [gw Gw] [metric M]
[netmask N] [mss Mss] [window W] [irtt I]
[mod] [dyn] [reinstate] [[dev] If]
inet_route [-vF] add {-host|-net} Target[/prefix] [metric M] reject
inet_route [-FC] flush NOT supported
SIOCADDRT: File exists
----------


Would you mind sharing these files with me from your Debian 8 template, to see if I can find what the problem is?

Unman, no I haven't enabled anything. I got a Debian 8 template, almost clean, and then a bunch of AppVMs using it as a template.

Cheers.

Chris Laprise

Apr 23, 2017, 6:20:33 PM
to adoni...@gmail.com, qubes-users, un...@thirdeyesecurity.org
On 04/23/2017 05:50 PM, adoni...@gmail.com wrote:
> Would you mind to share these files with me from your Debian 8 template to see if I can fin what the problem is?!
>
> Unman, no I haven't enabled anything. I got a Debian 8 template, almost clean, and then a bunch of AppVMs using it as a template.
>
> Cheers.
>

It turns out those two scripts I mentioned were not changed in the
latest update (although qubes-setup-dnat-to-ns was changed slightly in a
way that should have no bearing here).

It appears that qubes-ns is not normally created in an appVM, anyway.
Running 'setup-ip' and 'qubes-setup-dnat-to-ns' from a shell gives me
the same errors you posted.

Perhaps the cause is simpler: You may have inadvertently set the netVM
for that appVM to 'none' or enabled blocking in the firewall settings.

adoni...@gmail.com

Apr 24, 2017, 2:33:59 PM
to qubes-users, adoni...@gmail.com, un...@thirdeyesecurity.org, tas...@openmailbox.org
On Sunday, April 23, 2017 at 6:20:33 PM UTC-4, Chris Laprise wrote:

Hi,

The thing is that when I set up the DNS servers manually by modifying the /etc/hosts file to let's say 8.8.8.8, everything works properly! I think the problem is that for some reason the iptables rules are not being created, so the appVM can't connect.

Cheers.

Unman

Apr 24, 2017, 4:06:11 PM
to adoni...@gmail.com, qubes-users, tas...@openmailbox.org
It's still not entirely clear to me what's going on.
I assume that you are changing /etc/resolv.conf rather than hosts - if
the latter, what entry are you putting in there?
And you are doing this in the appVM.

But the iptables rules aren't being created in the netVM to which the
appVM is connected.
Are you able to use DNS from the netVM? What is in resolv.conf there and
what is in iptables upstream?

adoni...@gmail.com

Apr 25, 2017, 11:30:18 AM
to qubes-users, adoni...@gmail.com, tas...@openmailbox.org, un...@thirdeyesecurity.org
On Monday, April 24, 2017 at 4:06:11 PM UTC-4, Unman wrote:

Hi,

Sorry, I replied from my phone in a rush; you are right, what I'm modifying is the resolv.conf file. When I add there, let's say, 8.8.8.8, it resolves, so the problem seems to be that the template or appVMs cannot connect to sys-fw to resolve DNS names, and this seems to be due to the lack of those iptables rules, which are not created for some reason.

The issue applies to both the template VM and the app VM.

Unman

Apr 25, 2017, 2:31:25 PM
to adoni...@gmail.com, qubes-users, tas...@openmailbox.org
At this stage I would start again with a clean template, make sure it's
working and then run the update again. (You can always reinstall the
original template from your install medium, if you didn't clone it, which
I hope you did.)