On Thu, Nov 26, 2015 at 09:15:50PM -0500, shawn wilson wrote:
> Ok, so is there a design decision that stuff like this should come from
> within the script and not a config file?
> from core-modules/005QubesNetVm.py:
> self.__secondary_dns = self.netprefix + "254"
Yes. The idea is to have "some" address there and then DNAT it to the
real DNS. So the VM doesn't need to know the real DNS address (and be
updated on each change). Actually every VM could use the same "virtual"
address for DNS servers - as the traffic will be DNATed a moment later
anyway. But currently this virtual DNS address depends on the VM directly
providing network to the particular (App)VM.
> I think it would be better to generate a config file for each VM
> that gets written to qubesdb.
>
> Also, would it be better to have /qubes/<domain>/<resource> so that
> work or untrusted might use the same firewall but maybe different dns
> (or my real reason is that I'd eventually like to pass a cert to
> certain VMs to temporarily add and use a transparent squid w/ sslbump
> - but wouldn't want to keep/update that info in each /rw). I'm
> thinking /qubes/work/gateway would override /qubes-gateway - so an
> enhancement.
Note that each VM has its own Qubes DB, this isn't anything global
(like xenstore). So /qubes-gateway in one VM theoretically could be
totally different than in another. If you want to use different DNS
servers in different VMs, I see a few ways to do that:
1. Override in /rw/config/rc.local - not the most reliable (will not
work after online netvm switch), but the simplest
2. Have different DNAT rules in firewallvm (or wherever your VMs are
connected to), using source address in iptables rules (can be done using
/rw/config/qubes-firewall-user-script)
3. Have different actual content of /etc/resolv.conf in different VMs,
based on /qubes-dns from Qubes DB set by dom0 (not existing yet -
/qubes-gateway is used now). This would require much more changes - both
adding this property in dom0 code, and modifying VM code to actually use
it.
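Option 2 above, as an added example (not code from the Qubes project or from either author of this thread): a FirewallVM keeps handing downstream VMs the same "virtual" DNS address and rewrites the destination per source VM. It assumes the /rw/config/qubes-firewall-user-script hook named above, and that inserting at the top of nat PREROUTING puts the rule ahead of the FirewallVM's own generic DNS DNAT; the VM addresses and resolver addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Qubes project code. Per-VM DNS DNAT for a FirewallVM,
# meant to be sourced from /rw/config/qubes-firewall-user-script.

# Virtual DNS address downstream VMs are configured with (constructed,
# following the thread's netprefix + "254" pattern).
VIRTUAL_DNS="10.137.1.254"

# Constructed mapping "<source VM IP> <real resolver IP>", one per line.
# Replace with the real VM addresses from dom0; these are placeholders.
DNS_MAP="
10.137.1.10 9.9.9.9
10.137.1.11 1.1.1.1
"

# Print the iptables commands that DNAT port-53 traffic from one source VM
# to one real resolver (UDP and TCP). Printed rather than executed so the
# rules can be reviewed, and tested, without root.
dns_dnat_rules() {
    src="$1"; real="$2"
    for proto in udp tcp; do
        # -I PREROUTING: assumed to take precedence over the generic DNS
        # DNAT the FirewallVM installs further down the chain.
        echo "iptables -t nat -I PREROUTING -s $src -d $VIRTUAL_DNS -p $proto --dport 53 -j DNAT --to-destination $real:53"
    done
}

# Expand the whole mapping into rule commands, skipping blank lines.
all_dns_dnat_rules() {
    echo "$DNS_MAP" | while read -r src real; do
        if [ -n "$src" ]; then
            dns_dnat_rules "$src" "$real"
        fi
    done
}

# Pass "apply" to execute the rules (needs root inside the FirewallVM);
# with no argument the rules are only printed for inspection.
case "${1:-}" in
    apply) all_dns_dnat_rules | sh ;;
    *)     all_dns_dnat_rules ;;
esac
```

Because the match is on the source address, a VM that is moved to a different NetVM (and so gets a different address) falls back to the generic DNAT until the mapping is updated.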