Configuring OpenDNS in Qubes


ma...@lamarciana.com

Jul 31, 2016, 11:01:52 AM
to qubes-users
Hi,

I'm trying to figure out how I can change my DNS settings for an AppVM. I'm relatively new to Qubes, so other related issues in this forum have clarified some ideas for me, but I am still quite puzzled.

This is what I have done so far:

1 - I have created a ProxyVM, which in turn connects to sys-firewall as its NetVM. This ProxyVM uses debian-8 as its template, because I'm following some tutorials on the Internet about networking stuff using Kali Linux (configuring OpenDNS is one part). This ProxyVM is a StandaloneVM in order to keep changes in /.

2 - I have added the network-manager service to it.

3 - I have edited /etc/dhcp/dhclient.conf in my ProxyVM and I have added the following line with OpenDNS IPs:

prepend domain-name-servers 208.67.222.222, 208.67.220.220;

4 - I have connected my AppVM to this ProxyVM as NetVM.

5 - I have restarted my ProxyVM and my AppVM.

Now, I thought /etc/resolv.conf in my AppVM and ProxyVM should have changed. But no, they still have:

nameserver 10.137.5.1
nameserver 10.137.5.254

I see that my AppVM takes its /etc/dhcp/dhclient.conf from the ProxyVM, because that line is also added there.

Going to https://dnsleaktest.com confirms that I'm still using my ISP DNS server.

I guess that there is a way to do that without having to create a StandaloneVM for my ProxyVM, but I tried to do everything manually to learn how everything is tied together. But anyway, it doesn't work...

Thanks!


Qubed One

Jul 31, 2016, 6:09:16 PM
to qubes...@googlegroups.com
ma...@lamarciana.com:
If I understand correctly, permanently changing /etc/resolv.conf in the
ProxyVM to show:

nameserver 208.67.222.222
nameserver 208.67.220.220

should achieve that in a standalone ProxyVM.

Were it a TemplateBasedVM, you could have /rw/config/rc.local copy a
file containing the above two lines to /etc/resolv.conf on boot
(replacing /etc/resolv.conf), then call
/usr/lib/qubes/qubes-setup-dnat-to-ns.

I haven't tested this myself on a standalone ProxyVM.

ma...@lamarciana.com

Aug 1, 2016, 5:24:23 AM
to qubes-users, qube...@riseup.net
> If I understand correctly, permanently changing /etc/resolv.conf in the
> ProxyVM to show:
>
> nameserver 208.67.222.222
> nameserver 208.67.220.220
>
> should achieve that in a standalone ProxyVM.

Thanks for your answer. I thought that changing /etc/resolv.conf by hand was not recommended because some other programs can overwrite it. Anyway, I tried it and changes in /etc/resolv.conf in my standalone ProxyVM are lost once I reboot...

Qubed One

Aug 2, 2016, 5:59:45 PM
to qubes...@googlegroups.com
ma...@lamarciana.com:
Are you using NetworkManager in that ProxyVM?

ma...@lamarciana.com

Aug 3, 2016, 9:50:21 AM
to qubes-users, qube...@riseup.net
> Are you using NetworkManager in that ProxyVM?

I assigned the "network-manager" service through "Qubes VM Manager" to my Debian standalone ProxyVM, but I see this disappears once I start and shut down the machine... I tried again to be sure and I can reproduce the issue. I will inspect it further and open a Qubes issue if needed.

But anyway, I changed my ProxyVM to use the Fedora template (still standalone). Then "network-manager" survives after reboot, but not the content of "/etc/resolv.conf"... But in the Fedora template this file has an interesting hint:

# Generated by NetworkManager

I think this confirms my fears that /etc/resolv.conf should not be edited by hand...

I then tried to edit the file /etc/NetworkManager/system-connections/qubes-uplink-eth0 and added the OpenDNS IPs in the "[ipv4]" section, but the changes are lost after reboot (I'm not using an Ethernet cable but Wi-Fi, yet there is no other file. Furthermore, "ifconfig" only shows loop and eth0, but I suppose there is some kind of delegation to sys-net for that).

Marek Marczykowski-Górecki

Aug 3, 2016, 9:56:31 AM
to ma...@lamarciana.com, qubes-users, qube...@riseup.net
eth0 is an uplink to sys-net. And /etc/resolv.conf there indeed is
generated, so manual changes will be lost. There is a way to avoid this
using /etc/qubes/protected-files.d/, but I think it isn't the way to go.
Better adjust NetworkManager settings in sys-net, using standard
connection editor GUI. The DNS servers in any other VM are in the end
pointing to what you have in sys-net(*) (using DNAT redirections).

(*) unless you use Tor/Whonix - in which case those are redirected to
tor process.

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

ma...@lamarciana.com

Aug 3, 2016, 11:32:45 AM
to qubes-users, ma...@lamarciana.com, qube...@riseup.net
> eth0 is an uplink to sys-net. And /etc/resolv.conf there indeed is
> generated, so manual changes will be lost. There is a way to avoid this
> using /etc/qubes/protected-files.d/, but I think it isn't the way to go.
> Better adjust NetworkManager settings in sys-net, using standard
> connection editor GUI. The DNS servers in any other VM are in the end
> pointing to what you have in sys-net(*) (using DNAT redirections).
>
> (*) unless you use Tor/Whonix - in which case those are redirected to
> tor process.

Thanks for your answer.

Does it mean that all VMs have to share the same DNS settings (except Tor/Whonix)? What I was trying to do is routing only one of them through OpenDNS, while keeping the rest with my ISP DNS server (and I would like to avoid an HVM just for that).

I see I can create a new "NetVM", but I'm not sure if it is fully supported. If I create a new one, is the GUI adapted so that I can configure both (sys-net and my custom one)? I prefer to ask before trying it and risking leaving something in an inconsistent state.

Qubed One

Aug 4, 2016, 6:04:38 PM
to qubes...@googlegroups.com
ma...@lamarciana.com:
I would suggest trying to completely disable or get rid of
NetworkManager in that ProxyVM (you shouldn't need it, especially just
to redirect DNS), then see if /etc/resolv.conf changes become
persistent. If not, you could still use /rw/config/rc.local to replace
/etc/resolv.conf on boot.
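A sketch of the rc.local approach Qubed One describes here and in the earlier reply, as an added example that is not from anyone in the thread: it replaces resolv.conf with the two OpenDNS addresses quoted above and then re-runs /usr/lib/qubes/qubes-setup-dnat-to-ns if present. The file name /rw/config/opendns.sh and the function names are assumptions; the destination path is a parameter so the write can be tried against a scratch file before touching /etc/resolv.conf.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed to be saved as
# /rw/config/opendns.sh and sourced from /rw/config/rc.local in a
# TemplateBasedVM, which then calls apply_opendns.

# OpenDNS resolvers named in the thread.
OPENDNS_SERVERS="208.67.222.222 208.67.220.220"

# write_resolv_conf DEST IP... : replace DEST with a resolv.conf listing the
# given nameservers. Writing a temp file and renaming it means DEST is never
# left half-written if the script is interrupted.
write_resolv_conf() {
    dest="$1"
    shift
    tmp="$(mktemp)" || return 1
    {
        echo "# Written by /rw/config/rc.local; replaces the generated copy"
        for ns in "$@"; do
            echo "nameserver $ns"
        done
    } > "$tmp"
    # If DEST is a symlink, drop it so we replace the file, not its target.
    rm -f "$dest"
    mv -f "$tmp" "$dest"
}

# count_nameservers FILE : number of nameserver lines, for a post-write check.
count_nameservers() {
    grep -c '^nameserver ' "$1"
}

# refresh_qubes_dnat : ask Qubes to re-point its DNS DNAT rules at whatever
# /etc/resolv.conf now lists. Helper path as named in the thread; skipped
# when the helper is absent.
refresh_qubes_dnat() {
    if [ -x /usr/lib/qubes/qubes-setup-dnat-to-ns ]; then
        /usr/lib/qubes/qubes-setup-dnat-to-ns
    fi
}

# apply_opendns : the boot-time sequence; needs root inside the VM.
apply_opendns() {
    # shellcheck disable=SC2086  # word splitting of the IP list is intended
    write_resolv_conf /etc/resolv.conf $OPENDNS_SERVERS || return 1
    [ "$(count_nameservers /etc/resolv.conf)" -eq 2 ] || return 1
    refresh_qubes_dnat
}
```

In /rw/config/rc.local the call would be `. /rw/config/opendns.sh && apply_opendns`; whether NetworkManager later regenerates the file in that VM is exactly what the thread is still working out.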

Marc Busqué

Aug 5, 2016, 1:11:55 AM
to Qubed One, qubes...@googlegroups.com

Ok, thanks a lot for your help. I'll try it.

