From c8213ea55ab1ef656c365c070668b9ddedb639bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
Date: Tue, 1 Nov 2016 00:14:46 +0100
Subject: [PATCH] network: properly handle DNS addresses in vif-qubes-nat.sh
Core3 no longer reuse netvm own IP for primary DNS. At the same time, disable dropping traffic to netvm itself because it breaks DNS (as one of blocked things). This allows VM to learn real netvm IP, but:
- this mechanism is not intended to avoid detection from already compromised VM, only about unintentional leaks
- this can be prevented using vif-qubes-nat.sh on the netvm itself (so it will also have hidden its own IP)
QubesOS/qubes-issues#1143
---
 network/vif-qubes-nat.sh | 8 +++++++-
 network/vif-route-qubes | 1 +
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/network/vif-qubes-nat.sh b/network/vif-qubes-nat.sh
index d422d8e..2fea819 100755
--- a/network/vif-qubes-nat.sh
+++ b/network/vif-qubes-nat.sh
@@ -2,7 +2,7 @@
 #set -x
 netvm_subnet=/24
-undetectable_netvm_ips=1
+undetectable_netvm_ips=
 netns="${vif}-nat"
 netvm_if="${vif}"
@@ -65,6 +65,7 @@ if test "$command" == online; then
 # same for the gateway/DNS IPs
 netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_gw_ip" -j DROP
+ netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns1_ip" -j DROP
 netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns2_ip" -j DROP
 fi
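Review bot: `undetectable_netvm_ips=` switches the address-hiding rules off by default, but nothing in the file records why, so the next reader has to dig up this commit to learn the trade-off. A comment above the assignment would carry that context, e.g. `# set to 1 to also DROP AppVM traffic addressed to the netvm's own gateway/DNS IPs; off by default because DNS is among the traffic that gets blocked (qubes-issues#1143)`. The commit message's point that this guards against unintentional leaks rather than an already-compromised VM belongs in the same comment.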
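Review bot: The new `-d "$netvm_dns1_ip" -j DROP` rule is unconditional, while the matching NAT rules in the next hunk are guarded with `test -n "$appvm_dns1_ip"`; if `qubesdb-read /qubes-netvm-primary-dns` in vif-route-qubes returns nothing, iptables is run with an empty `-d` and the rule insertion fails. Wrapping it the same way keeps the two hunks consistent: `if test -n "$netvm_dns1_ip"; then netns iptables -t raw -I PREROUTING -i "$netns_appvm_if" -d "$netvm_dns1_ip" -j DROP; fi`. The existing dns2 line directly below has the same exposure. The enclosing `if` block starts outside the hunk.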
@@ -74,6 +75,11 @@ if test "$command" == online; then
 netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_gw_ip" -j DNAT --to-destination "$netvm_gw_ip"
 netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_gw_ip" -j SNAT --to-source "$appvm_gw_ip"
+ if test -n "$appvm_dns1_ip"; then
+ netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns1_ip" -j DNAT --to-destination "$netvm_dns1_ip"
+ netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns1_ip" -j SNAT --to-source "$appvm_dns1_ip"
+ fi
+ if test -n "$appvm_dns2_ip"; then
 netns iptables -t nat -I PREROUTING -i "$netns_appvm_if" -d "$appvm_dns2_ip" -j DNAT --to-destination "$netvm_dns2_ip"
 netns iptables -t nat -I POSTROUTING -o "$netns_appvm_if" -s "$netvm_dns2_ip" -j SNAT --to-source "$appvm_dns2_ip"
diff --git a/network/vif-route-qubes b/network/vif-route-qubes
index 85da9f9..64ad86a 100755
--- a/network/vif-route-qubes
+++ b/network/vif-route-qubes
@@ -30,6 +30,7 @@ if [ "${ip}" ]; then
 # IPs as seen by this VM
 netvm_ip="$ip"
 netvm_gw_ip=`qubesdb-read /qubes-netvm-gateway`
+ netvm_dns1_ip=`qubesdb-read /qubes-netvm-primary-dns`
 netvm_dns2_ip=`qubesdb-read /qubes-netvm-secondary-dns`
 back_ip="$netvm_gw_ip"
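Review bot: The added `if test -n "$appvm_dns2_ip"; then` has no matching `fi` anywhere in this hunk, and the diffstat (five insertions here) leaves no room for an added one, so the closing `fi` must already be an existing context line past the visible end; the collapsed rendering seems to have dropped only whitespace lines, which makes that hard to confirm from here. If the dns2 rules really were unguarded before, a `fi` after the dns2 SNAT line is missing and the script will not parse. Running `bash -n network/vif-qubes-nat.sh` on the result before merging settles it. `appvm_dns1_ip` is presumably derived earlier in the script the same way as `appvm_dns2_ip`, but that is not visible in this diff. The enclosing `if test "$command" == online` block starts outside the hunk.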
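Review bot: The new `qubesdb-read /qubes-netvm-primary-dns` assignment copies the backtick style of its neighbours and, like them, ignores a failing `qubesdb-read`, so a missing key silently becomes an empty `netvm_dns1_ip` that vif-qubes-nat.sh later hands to iptables. Since the line is new anyway, `netvm_dns1_ip=$(qubesdb-read /qubes-netvm-primary-dns)` is the cleaner form, and a check that the value is non-empty (or at least a logged warning) would make the missing-key case visible rather than surfacing as an iptables error later. The enclosing `if [ "${ip}" ]` block starts outside the hunk.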