From 66481353041dc1f03038d72c2f556a1a3b0f8d4f Mon Sep 17 00:00:00 2001 From: deathrow Date: Fri, 27 Jan 2023 13:49:03 -0500 Subject: [PATCH] Qubes kicksecure-sys-dns Guide --- _information/Collections.md | 4 +- _information/Qubes/kicksecure-sys-dns.md | 75 ++++++++++++++++++++++++ 2 files changed, 78 insertions(+), 1 deletion(-) create mode 100644 _information/Qubes/kicksecure-sys-dns.md diff --git a/_information/Collections.md b/_information/Collections.md index eff3e06..f3da7fb 100644 --- a/_information/Collections.md +++ b/_information/Collections.md @@ -26,4 +26,6 @@ A collection of QubesOS related content.
-[dvm-zulucrypt](./qubes/dvm-zulucrypt) - Notes on how to setup a disposable zulucrypt instance for USB devices. \ No newline at end of file +[dvm-zulucrypt](./qubes/dvm-zulucrypt) - Notes on how to setup a disposable zulucrypt instance for USB devices. + +[kicksecure-sys-dns](./qubes/kicksecure-sys-dns) - Notes on how to setup a hardened dnscrypt proxy \ No newline at end of file diff --git a/_information/Qubes/kicksecure-sys-dns.md b/_information/Qubes/kicksecure-sys-dns.md new file mode 100644 index 0000000..ac3ac5a --- /dev/null +++ b/_information/Qubes/kicksecure-sys-dns.md @@ -0,0 +1,75 @@ +--- +layout: default1 +description: Notes reguarding kicksecure DNS +title: kicksecure-sys-dns +permalink: /qubes/kicksecure-sys-dns +--- + +Setting up a hardened `sys-dns` to proxy DNS traffic through `dnscrypt` + +
+ +### Prerequisites: + +Create a Debian minimal templated and setup [kicksecure](./#debian-security). + +Install the required packages: + +``sudo apt install dnscrypt-proxy qubes-core-agent-networking`` + +The `dnscrypt` settings are located at `/etc/dnscrypt-proxy/` + +Edit ``/rw/config/rc.local`` to: + +
+ +``` +#!/bin/sh + +# This script will be executed at every VM startup, you can place your own +# custom commands here. This includes overriding some configuration in /etc, +# starting services etc. + +# Example for overriding the whole CUPS configuration: +# rm -rf /etc/cups +# ln -s /rw/config/cups /etc/cups +# systemctl --no-block restart cups + +# allow redirects to localhost +/usr/sbin/sysctl -w net.ipv4.conf.all.route_localnet=1 +/usr/sbin/iptables -I INPUT -i vif+ -p tcp --dport 53 -d 127.0.0.1 -j ACCEPT +/usr/sbin/iptables -I INPUT -i vif+ -p udp --dport 53 -d 127.0.0.1 -j ACCEPT + +# redirect dns-requests to localhost +/usr/sbin/iptables -t nat -F PR-QBS +/usr/sbin/iptables -t nat -A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1 +/usr/sbin/iptables -t nat -A PR-QBS -d 10.139.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1 +/usr/sbin/iptables -t nat -A PR-QBS -d 10.139.1.2/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1 +/usr/sbin/iptables -t nat -A PR-QBS -d 10.139.1.2/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1 + +# set /etc/resolv.conf and start dnscrypt-proxy +echo "nameserver 127.0.0.1" > /etc/resolv.conf +/usr/bin/systemctl enable dnscrypt-proxy.service --now +``` +
+ + +### Setup: + +Create an AppVM `dvm-dnscrypt` based on the template created above with: + +- NetVM: `sys-net` +- Autostart: `true` +- Provides Network: `true` + +
+ +Clone `dvm-dnscrypt`and create a `sys-dns` as a DispVM, ensuring the same settings as above are set. + +Set your `sys-fireall` to connect to `sys-dns` + +
+ +### Sources + +- [[guide] how-to setup a sys-dns qube](https://forum.qubes-os.org/t/guide-how-to-setup-a-sys-dns-qube/13749) \ No newline at end of file
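Review bot: in the Collections.md hunk, the new `kicksecure-sys-dns` entry drops the trailing period that the adjacent `dvm-zulucrypt` entry has, and the hunk still leaves the file with `\ No newline at end of file`; suggest `[kicksecure-sys-dns](./qubes/kicksecure-sys-dns) - Notes on how to set up a hardened dnscrypt proxy (sys-dns).` followed by a final newline so the next entry appended here does not produce the same no-newline churn.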
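Review bot: in the kicksecure-sys-dns.md hunk, the `rc.local` script hard-wires the resolver at 127.0.0.1:53 (`echo "nameserver 127.0.0.1" > /etc/resolv.conf` and the PR-QBS rules ending in `-j DNAT --to-destination 127.0.0.1`), but the guide only says "The `dnscrypt` settings are located at `/etc/dnscrypt-proxy/`" and never states the listen address (`listen_addresses` in the config, or the packaged socket unit) that dnscrypt-proxy must be set to; unless the Debian package's default already binds 127.0.0.1:53, every redirected lookup is silently dropped, so document the required listen address and a quick check from the qube such as `dig @127.0.0.1 example.com`. Also, under Setup, "Clone `dvm-dnscrypt` and create a `sys-dns` as a DispVM" does not describe how Qubes makes a disposable: cloning yields a second AppVM, whereas a named disposable is created from a disposable template, so the text should say that `dvm-dnscrypt` needs `template_for_dispvms` enabled and that `sys-dns` is created with class DispVM based on it (and inherits the `/rw/config/rc.local` above from it). Finally, fix the typos `reguarding` → `regarding`, `Debian minimal templated` → `template`, `sys-fireall` → `sys-firewall`, the missing space in `` `dvm-dnscrypt`and ``, and confirm `layout: default1` is an existing layout rather than a slip for `default`.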