How to make sys-firewall broadcast a local qube as the system-wide DNS server?

[Leo28C]

I managed to set up a pi-hole qube and make it my network's DNS filtering/caching server. Ironically, it works flawlessly across my network EXCEPT it completely breaks DNS for all other qubes in the same system. On Debian-based qubes I figured out I can simply edit /etc/resolv.conf, while making sure sys-firewall lets the two qubes talk to each other, as a workaround. However this is a hacky per-qube solution and doesn't persist across qube restarts. It would be nice to simply have sys-firewall relay the information to all of its client qubes automatically. Any idea how to do this?

Thanks in advance!

[unman]

You dont need to change the settings per qube at all.
You haven't said *where* the pi-hole qube is located in your qubes
network, or what the nature of the breakage is.
I assume from what you say it is attached to sys-firewall.

You can do this by editing the PR-QBS chain in nat table in
sys-firewall.
By default, this forwards all DNS traffic to 10.139.1.1 and 10.139.1.2
using dnat. Flush that chain and replace it with dnat rules to the IP
address of your Pi-hole qube.
You could do this in /rw/config/qubes-firewall-user-script or by script
in /rw/config/qubes-firewall.d

[Leo28C]

Did I use the right command?

`sudo iptables -t nat -A PR-QBS -p tcp --dport 53 -j DNAT --to-destination 10.137.0.50` (repeat for udp)

Apparently DNS requests reach the DNS qube, but the response gets stuck somewhere midway...