Install DNSSEC on ProxyVM type (debian) ?


ThierryIT

Feb 13, 2017, 2:18:40 AM
to qubes-users
Hi,

I think that I have missed something concerning Qubes.
When I install, let's say, "Unbound" packages, after a reboot of the VM they disappear ... Normal?

Thx

Andrew David Wong

Feb 13, 2017, 2:40:42 AM
to ThierryIT, qubes-users
You have to install it in the TemplateVM (or, for more advanced users,
pick a persistent dir and/or use bind-dirs):

https://www.qubes-os.org/doc/templates/

--
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org

ThierryIT

Feb 13, 2017, 8:10:28 AM
to qubes-users, vmwa...@gmail.com
Hi,

Thx a lot for this information.

I have installed dnssec-trigger on a newly created VM from a Debian template, as ProxyVM type. This is working; I have checked DNSSEC and all is OK.

In the same way, I do have a VM to browse the internet, and I want all DNS requests forwarded to this freshly installed ProxyVM ... How do I do this?

Thx

Unman

Feb 13, 2017, 7:57:28 PM
to ThierryIT, qubes-users
Please don't top post.

If the new proxyVM is upstream from the browsing machine then you will
need to adjust iptables in the nat table to redirect dns requests to the
dnssec-trigger listener.

If the new proxy is not upstream, but connected to the same upstream
proxy then you can set the ip address in /etc/resolv.conf in the
browsing qube, and allow traffic between the qubes as shown in this
page:
www.qubes-os.org/doc/firewall in the section "Enabling networking
between two qubes"
You could set the dns record from /rw/config/rc.local.




ThierryIT

Feb 14, 2017, 2:14:28 AM
to qubes-users, vmwa...@gmail.com, un...@thirdeyesecurity.org
For me it will be the first case.

So to do it right, I will need to:

In the Browsing VM (10.137.4.16):

- DNS resolver to the IP of the ProxyVM
- VM settings: NetVM to ProxyVM

In the ProxyVM (10.137.2.13):

- VM settings: NetVM to sys-firewall
- DNS resolver to 127.0.0.1 (already done)
- New iptables NAT rules to forward all DNS requests from the BrowsingVM to the local DNS listener

Is it right?
Thx
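
Unman's first case (ProxyVM upstream of the browsing qube), sketched as an added example that is not part of the thread: a POSIX shell script for the ProxyVM that builds the iptables rules sending the browsing VM's DNS queries, UDP and TCP port 53, to the resolver. The two addresses are the ones ThierryIT quotes; the `vif+` interface match and a resolver that accepts queries on the ProxyVM's own address rather than only on 127.0.0.1 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The IPs are the ones quoted in the thread.
CLIENT_IP="${CLIENT_IP:-10.137.4.16}"  # browsing VM
LISTEN_IP="${LISTEN_IP:-10.137.2.13}"  # ProxyVM; assumes the resolver listens here
IN_IF="${IN_IF:-vif+}"                 # assumption: downstream VMs arrive on vif*

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print one iptables argument list per line: $1 = client IP, $2 = listener IP.
dns_redirect_rules() {
    valid_ipv4 "$1" && valid_ipv4 "$2" || return 1
    for proto in udp tcp; do
        # Position 1, so it matches before any DNS DNAT rule already in the chain.
        echo "-t nat -I PREROUTING 1 -i $IN_IF -s $1 -p $proto --dport 53 -j DNAT --to-destination $2:53"
        # After DNAT the query is addressed to this VM, so INPUT must accept it.
        echo "-I INPUT 1 -i $IN_IF -s $1 -d $2 -p $proto --dport 53 -j ACCEPT"
    done
}

# Apply the rules (root required); stops at the first iptables failure.
apply_rules() {
    rules=$(dns_redirect_rules "$CLIENT_IP" "$LISTEN_IP") || return 1
    printf '%s\n' "$rules" | while read -r args; do
        # Word splitting of $args is intended; the addresses were validated.
        iptables $args || exit 1
    done
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    dns_redirect_rules "$CLIENT_IP" "$LISTEN_IP"   # dry run: print only
fi
```

Without arguments the script only prints the rules; `--apply` installs them. Rules added this way do not survive a reboot of the ProxyVM, so the call has to come from a persistent startup script such as the /rw/config/rc.local mentioned above.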

