anonymousland/_information/Qubes/kicksecure-sys-dns.md
2023-01-27 13:49:03 -05:00

| layout | description | title | permalink |
|---|---|---|---|
| default1 | Notes regarding kicksecure DNS | kicksecure-sys-dns | /qubes/kicksecure-sys-dns |

Setting up a hardened sys-dns to proxy DNS traffic through dnscrypt


Prerequisites:

Create a Debian minimal template and set up Kicksecure in it.

Install the required packages:

```sh
sudo apt install dnscrypt-proxy qubes-core-agent-networking
```

The dnscrypt-proxy settings are located under /etc/dnscrypt-proxy/; make sure the listen address configured there matches 127.0.0.1:53, which is where the rules below redirect DNS traffic.

Edit /rw/config/rc.local to:

```sh
#!/bin/sh

# This script will be executed at every VM startup, you can place your own
# custom commands here. This includes overriding some configuration in /etc,
# starting services etc.

# Example for overriding the whole CUPS configuration:
#  rm -rf /etc/cups
#  ln -s /rw/config/cups /etc/cups
#  systemctl --no-block restart cups

# allow redirects to localhost: DNAT to 127.0.0.1 from the vif+ interfaces of
# downstream qubes only works with route_localnet enabled
/usr/sbin/sysctl -w net.ipv4.conf.all.route_localnet=1
/usr/sbin/iptables -I INPUT -i vif+ -p tcp --dport 53 -d 127.0.0.1 -j ACCEPT
/usr/sbin/iptables -I INPUT -i vif+ -p udp --dport 53 -d 127.0.0.1 -j ACCEPT

# redirect dns-requests to localhost: PR-QBS is the nat chain Qubes uses to DNAT
# DNS from downstream qubes; 10.139.1.1 and 10.139.1.2 are the virtual primary
# and secondary DNS addresses those qubes are given. Flush the upstream rules
# and send both UDP and TCP port 53 to dnscrypt-proxy instead.
/usr/sbin/iptables -t nat -F PR-QBS
/usr/sbin/iptables -t nat -A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1
/usr/sbin/iptables -t nat -A PR-QBS -d 10.139.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1
/usr/sbin/iptables -t nat -A PR-QBS -d 10.139.1.2/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1
/usr/sbin/iptables -t nat -A PR-QBS -d 10.139.1.2/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1

# set /etc/resolv.conf and start dnscrypt-proxy (it must listen on 127.0.0.1:53,
# see listen_addresses in /etc/dnscrypt-proxy/dnscrypt-proxy.toml)
echo "nameserver 127.0.0.1" > /etc/resolv.conf
/usr/bin/systemctl enable dnscrypt-proxy.service --now
```

Setup:

Create an AppVM dvm-dnscrypt based on the template created above with:

  • NetVM: sys-net
  • Autostart: true
  • Provides Network: true

Clone dvm-dnscrypt and create sys-dns as a DispVM based on it, ensuring the same settings as above are set.

Set your sys-firewall to use sys-dns as its NetVM.
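A post-setup check, added here and not part of the original note: it reads `iptables-save -t nat` output from sys-dns and verifies that the PR-QBS chain redirects DNS for both virtual resolver addresses to 127.0.0.1 and that no DNAT rule still points upstream. The two iptables-save samples are constructed, and 192.0.2.53 is a placeholder upstream address.

```sh
#!/bin/sh
# Post-setup check (added example, not part of the original note): verify that the nat
# table's PR-QBS chain redirects every DNS request for Qubes' virtual resolver
# addresses to dnscrypt-proxy on 127.0.0.1, and that none still point upstream.
# Usage on a real sys-dns:  sudo iptables-save -t nat | check_pr_qbs
check_pr_qbs() {
    rules=$(grep -- '^-A PR-QBS .*--dport 53 ' || true)
    # 1. Any DNAT to an address other than 127.0.0.1 would let DNS bypass dnscrypt-proxy.
    leaks=$(printf '%s\n' "$rules" | grep -- '-j DNAT' | grep -v -- '--to-destination 127\.0\.0\.1$' || true)
    if [ -n "$leaks" ]; then
        printf 'FAIL: DNS DNAT not pointing at dnscrypt-proxy:\n%s\n' "$leaks"
        return 1
    fi
    # 2. All four redirects installed by rc.local must be present (udp and tcp, both addresses).
    for addr in 10.139.1.1 10.139.1.2; do
        esc=$(printf '%s' "$addr" | sed 's/\./\\./g')
        for proto in udp tcp; do
            printf '%s\n' "$rules" \
                | grep -q -- "^-A PR-QBS -d $esc/32 -p $proto .*--dport 53 -j DNAT --to-destination 127\.0\.0\.1$" \
                || { printf 'FAIL: no %s redirect for %s\n' "$proto" "$addr"; return 1; }
        done
    done
    printf 'OK: all DNS for 10.139.1.1 and 10.139.1.2 is redirected to 127.0.0.1\n'
}

# Constructed sample of `iptables-save -t nat` after rc.local has run (not captured from a real VM).
SAMPLE_HARDENED='*nat
:PR-QBS - [0:0]
-A PREROUTING -j PR-QBS
-A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1
-A PR-QBS -d 10.139.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1
-A PR-QBS -d 10.139.1.2/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.1
-A PR-QBS -d 10.139.1.2/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.1
COMMIT'

# Constructed sample of the stock chain, still forwarding to an upstream resolver (placeholder address).
SAMPLE_STOCK='*nat
:PR-QBS - [0:0]
-A PREROUTING -j PR-QBS
-A PR-QBS -d 10.139.1.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 192.0.2.53
-A PR-QBS -d 10.139.1.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.0.2.53
COMMIT'

printf '%s\n' "$SAMPLE_HARDENED" | check_pr_qbs          # OK
printf '%s\n' "$SAMPLE_STOCK" | check_pr_qbs || true     # FAIL
```

Run it again whenever the upstream network changes, since Qubes regenerates PR-QBS from its own DNS settings and may replace the rc.local rules.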


Sources