Add support for IPv6 Virtual DNS #462
Conversation
|
Unfortunately this may not be as simple as this. All is fine if you really have IPv6 DNS in your network. But if you have IPv4 one (but otherwise have IPv6 connectivity), then queries sent to the "virtual DNS" address won't be redirected anywhere, most likely will be silently discarded somewhere along the way (either in sys-net, but more likely on some next router). This is bad, because from application point of view, this is no response and the application will wait for a timeout instead of immediately falling back to IPv4 DNS. And it is especially bad with infamous DNS fallback handling in Linux... Some solution to this issue might be forwarding between IPv6 and IPv4 appropriately, for example using socat ( Or maybe there is some way to avoid long timeouts, like reject with some specific ICMP packet if no IPv6 DNS is present? |
|
What if we add a reject rule for IPv6 DNS queries if it's a qube with:
Then IPv6 DNS queries will be rejected and there shouldn't be any timeouts or queries to Virtual DNS sent outside? I'll try it out. |
|
The second condition may not be needed in fact. Either qube has some IPv6 DNS it can forward traffic to (either "real" one outside, or virtual one, or via some VPN or such) or not. Specifically, if you have a VPN that is supposed to encapsulate all your traffic, it should adjust local DNS servers in that qube too - at which point the 3rd condition will handle this case. |
|
But yes, something like this might work. Try it out and let me know :) |
…s nowhere to forward them to avoid DNS query timeouts. There are hardcoded Qubes OS Virtual DNS addresses which is bad but I couldn't think of an easy way out.
…r code that only add Virtual DNS servers to qubes that have netvm set and don't add DNS to every qube that provides network (sys-net/sys-usb/etc).
Codecov Report
@@ Coverage Diff @@
## main #462 +/- ##
=======================================
Coverage 69.89% 69.89%
=======================================
Files 3 3
Lines 475 475
=======================================
Hits 332 332
Misses 143 143 |
|
I've tested the reject rules and it works fine. I had to change the way Qubes OS set DNS servers to qubes with these commits: Also I had to hardcode Qubes OS Virtual DNS addresses here:
|
See my comment in the other PR. Anyway, I think the general shape is getting there. But due to release stage of R4.2, it's too late to be included there, at least before final release. So, I'll merge it only after final R4.2 release. |
OpenQA test summaryComplete test suite and dependencies: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.2&build=2023102812-4.2&flavor=pull-requests New failures, excluding unstableCompared to: https://openqa.qubes-os.org/tests/overview?distri=qubesos&version=4.2&build=2023071104-4.2&flavor=update
Failed tests127 failures
Fixed failuresCompared to: https://openqa.qubes-os.org/tests/77326#dependencies 23 fixed
Unstable tests
|
This looks broken (click the link for full traceback) |
Fixed and tested with systemd-resolved. |
There was a problem hiding this comment.
Thanks @1cho1ce for working on this PR. I was trying to do something similar and came across this and your other PR.
Are you still working on this? I was going through the code and noticed some minor issues, so commenting below.
| if [ -n "$primary_dns6" ]; then | ||
| cat > /var/run/qubes/qubes-ns<< EOF | ||
| NS1=$primary_dns6 | ||
| NS1=$secondary_dns6 |
There was a problem hiding this comment.
| NS1=$secondary_dns6 | |
| NS2=$secondary_dns6 |
| else | ||
| cat > /var/run/qubes/qubes-ns<< EOF | ||
| NS1=$primary_dns | ||
| NS1=$secondary_dns |
There was a problem hiding this comment.
| NS1=$secondary_dns | |
| NS2=$secondary_dns |
| if [ -n "$primary_dns6" ]; then | ||
| cat > /var/run/qubes/qubes-ns<< EOF | ||
| NS1=$primary_dns6 | ||
| NS1=$secondary_dns6 |
There was a problem hiding this comment.
| NS1=$secondary_dns6 | |
| NS2=$secondary_dns6 |
| else | ||
| cat > /var/run/qubes/qubes-ns<< EOF | ||
| NS1=$primary_dns | ||
| NS1=$secondary_dns |
There was a problem hiding this comment.
| NS1=$secondary_dns | |
| NS2=$secondary_dns |
| break | ||
| dns_ = str(dest) | ||
| if dest is None or (vm_nameserver == dest and | ||
| qdb.read('/qubes-ip') is None): |
There was a problem hiding this comment.
| qdb.read('/qubes-ip') is None): | |
| qdb.read('/qubes-primary-dns') is None): |
for consistency?
Add support for IPv6 DNS together with this pull request:
QubesOS/qubes-core-admin#558