From 4ea600c8d31ed1cc80976e685a4dea7f614d2a37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Tue, 21 Jan 2014 04:45:41 +0100
Subject: [PATCH] core/proxyvm: allow TCP traffic to DNS servers

Some DNS queries requires TCP - namely those with response not fitting in 512 bytes.
---
 core-modules/006QubesProxyVm.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/core-modules/006QubesProxyVm.py b/core-modules/006QubesProxyVm.py
index 1637c788..041272d4 100644
--- a/core-modules/006QubesProxyVm.py
+++ b/core-modules/006QubesProxyVm.py
@@ -178,9 +178,16 @@ class QubesProxyVm(QubesNetVm):
             iptables += " -j {0}\n".format(rules_action)
 
         if conf["allowDns"] and self.netvm is not None:
-            # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm. properties
-            iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.gateway)
-            iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j ACCEPT\n".format(ip,self.netvm.secondary_dns)
+            # PREROUTING does DNAT to NetVM DNSes, so we need self.netvm.
+            # properties
+            iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j " \
+                    "ACCEPT\n".format(ip,self.netvm.gateway)
+            iptables += "-A FORWARD -s {0} -p udp -d {1} --dport 53 -j " \
+                    "ACCEPT\n".format(ip,self.netvm.secondary_dns)
+            iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport 53 -j " \
+                    "ACCEPT\n".format(ip,self.netvm.gateway)
+            iptables += "-A FORWARD -s {0} -p tcp -d {1} --dport 53 -j " \
+                    "ACCEPT\n".format(ip,self.netvm.secondary_dns)
         if conf["allowIcmp"]:
             iptables += "-A FORWARD -s {0} -p icmp -j ACCEPT\n".format(ip)
         if conf["allowYumProxy"]:
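Review bot: The four added `iptables +=` lines in the allowDns branch differ only in the protocol and the destination address, so the UDP and TCP permit rules are easy to let drift apart on a later edit (for example tightening one protocol's destination but not the other); a nested loop keeps them in lockstep, e.g. `for proto in ("udp", "tcp"):` / `for dns in (self.netvm.gateway, self.netvm.secondary_dns):` / `iptables += "-A FORWARD -s {0} -p {1} -d {2} --dport 53 -j ACCEPT\n".format(ip, proto, dns)`. The rewrapped comment now reads as two fragments ("so we need self.netvm." / "properties"); the line break should fall on a phrase boundary, e.g. `# PREROUTING DNATs DNS traffic to the NetVM's DNS servers, so the` / `# permitted destinations are taken from self.netvm properties.`. Since the rules are scoped by `-d` to the NetVM's two DNS addresses, the new TCP rules open port 53 only toward those resolvers, which is the intended scope; the enclosing method begins and ends outside this hunk.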