qubes AppVM nameservers


Olaf Klinke

Apr 26, 2020, 3:17:17 PM
to qubes...@googlegroups.com
Dear Qubes users,

today DNS lookup temporarily failed in my Debian AppVMs attached to
sys-firewall. I took a look at /etc/resolv.conf and it lists the
nameservers
10.139.1.1
10.139.1.2
Qubes Manager shows no VMs with that address, sys-firewall has
10.137.0.6 and sys-net has 10.137.0.5.
Editing /etc/resolv.conf to use external nameservers restored DNS
lookup, but that is certainly not how it is supposed to be.
After a fedora-30 update and re-start of the physical machine, DNS
lookup works again, even with the seemingly non-existent nameserver.
sys-net lists my DSL router as nameserver. Name resolution worked on
other devices attached to the router.

What is going on here? (I already looked at the networking
documentation at qubes-os.org.) Reading
/usr/lib/qubes/qubes-setup-dnat-to-ns
it seems that some iptables rules are set on VM boot that redirect port
53 requests, but I can't get iptables inside the AppVM to divulge these
rules. Hence I wonder how to debug this if the issue should happen
again.

Thanks,
Olaf

dhorf-hfre...@hashmail.org

Apr 26, 2020, 4:16:02 PM
to Olaf Klinke, qubes...@googlegroups.com
On Sun, Apr 26, 2020 at 09:17:10PM +0200, Olaf Klinke wrote:
> it seems that some iptables rules are set on VM boot that redirect port
> 53 requests, but I can't get iptables inside the AppVM to divulge these

those rules should exist in your external netvm (sys-net), and point to
the "real" nameservers as received by dhcp (or configured via netmanager).

that way the individual appvms do not need to know about that part
of external configuration.

i have seen the rules get "lost" (actually: point to useless IPs) on
some kinds of external reconfiguration events
(like hard restarting the netvm of a vpn-vm).


Olaf Klinke

Apr 26, 2020, 4:28:27 PM
to dhorf-hfre...@hashmail.org, qubes...@googlegroups.com
On Sun, 2020-04-26 at 22:15 +0200, dhorf-hfre...@hashmail.org wrote:
Indeed.
root@sys-net# /sbin/iptables -t nat -S PR-QBS
Lists re-directions from 10.139.1.{1,2} to $MYROUTER

In sys-firewall the translation is trivial from 10.139.1.1 to
10.139.1.1 and likewise for the other nameserver.

So the reason for the absence of any rules in the AppVM presumably is
that all traffic is handled by sys-firewall? That would mean if DNS
lookup is wonky again, I'd start looking at sys-firewall rules.

Thanks for clarification.
Olaf
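The check both posts arrive at (in sys-net, the PR-QBS DNAT targets should be the resolvers that DHCP handed out; a proxy VM such as sys-firewall maps 10.139.1.x to itself) written out as a small script. This is an added example, not code from the thread or from Qubes; the `iptables -t nat -S PR-QBS` output and resolv.conf contents below are constructed samples, and the router address 192.168.1.1 is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): compare the DNAT targets in the
# PR-QBS nat chain against the nameservers in /etc/resolv.conf. Rule text
# and resolv.conf text are passed in as strings so the check runs offline
# on the constructed samples; "--live" runs it against the real VM.

# Print the DNAT targets (sorted, unique) found in `iptables -t nat -S
# PR-QBS` output read from stdin; an optional :port suffix is dropped.
dnat_targets() {
    awk '/-j DNAT/ { for (i = 1; i <= NF; i++)
                     if ($i == "--to-destination") print $(i+1) }' |
        sed 's/:[0-9]*$//' | sort -u
}

# Print the nameserver addresses from resolv.conf text read from stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' | sort -u
}

# check_dnat RULES RESOLV: prints "ok" when at least one DNAT rule exists
# and every target is a resolv.conf nameserver, otherwise "mismatch".
check_dnat() {
    targets=$(printf '%s\n' "$1" | dnat_targets)
    ns=$(printf '%s\n' "$2" | resolv_nameservers)
    [ -n "$targets" ] || { echo "mismatch"; return 1; }
    for t in $targets; do
        case " $(printf '%s' "$ns" | tr '\n' ' ') " in
            *" $t "*) ;;                     # target is a known resolver
            *) echo "mismatch"; return 1 ;;  # stale/useless DNAT target
        esac
    done
    echo "ok"
}

# Constructed sample of healthy sys-net state (router 192.168.1.1 assumed).
SAMPLE_RULES='-N PR-QBS
-A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.1.1
-A PR-QBS -d 10.139.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.1.1'
SAMPLE_RESOLV='nameserver 192.168.1.1'
# Constructed sample of the "rules point to useless IPs" failure mode.
STALE_RULES='-N PR-QBS
-A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.0.0.1'

if [ "${1:-}" = "--live" ]; then  # run as root inside sys-net
    check_dnat "$(iptables -t nat -S PR-QBS)" "$(cat /etc/resolv.conf)"
fi
```

Run it with `--live` inside sys-net; a "mismatch" after a network change is the sign that the DNAT rules were not refreshed.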
