How do vif-route-qubes and DNS forwarding work?

[tetra...@danwin1210.me]

(originally sent to qubes-devel, but I guess failed moderation)

I can't quite tell from the source code -- when / where / how does it
run? Is it used to change routing on sys-net, or is it used to set
routing in other VMs so they work with sys-net?

How does DNS forwarding work? (the Qubes networking docs page mentions
DNS forwarding, but does not explain it)

[David Hobach]

You'll find the explanations in the respective iptables and/or nftables
rules of the next hop networking VM.

[tetra...@danwin1210.me]

On Tue, Jan 14, 2020 at 04:46:16PM +0100, David Hobach wrote:
>You'll find the explanations in the respective iptables and/or
>nftables rules of the next hop networking VM.

What do you mean by "next hop networking VM"?

[David Hobach]

Most users have a setup such as
VM --> sys-fw --> sys-net

The next hop from VM is then sys-fw, i.e. you'd have to look there.

There you'll see in nft list ruleset that port 53 forwarding traffic
only has a non-effective DNAT rule (DNAT to the same IP it had before).
Otherwise it's forwarded as by your routing table to sys-net. In
/etc/resolv.conf you'll see that the imaginary IPs 10.139.1.1/2 are used
as DNS servers for traffic originating from sys-fw (same as in VM).

Then in sys-net the imaginary IPs are DNATted to your DNS server
(usually your router).

This all assumes that you allowed DNS with qvm-firewall. If you don't or
do other changes, iptables/nft changes will happen inside sys-fw / the
next hop networking VM.

Watch out that both nft and iptables are used.