Last update: March 17, 2019. This website uses cookies. By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. More information


Secondary DNS Resolver

Secondary DNS Resolver[edit]


By Whonix ™ default, Tor is used for DNS resolution. If you suspect a Tor exit relay to tamper with DNS, you can get a second opinion from another non-Tor DNS server. This may also be useful, in special cases if you want to resolve types of DNS over Tor, which are unsupported by Tor itself, such as MX (required for some Mixmaster servers over Tor) or DNSSEC.

It is recommended against to use non-Tor DNS resolvers for an extended amount of time. Although it is technically possible to completely replace DNS resolution (not using Tor for DNS resolution anymore), it is recommended against. That would add too much power to a single DNS server. Using a permanent DNS server is recommended against just as using a permanent Tor exit relay is recommended against.

Note, that even if you correctly set up all settings, it might happen that this won't work. Sometimes Tor or the DNS server causes a timeout. This gets even worse, when you additionally tunnel the DNS request through an additional proxy (for example: Tor → JonDonym → DNS server).

Read first: Stream Isolation.

In the chapters below are examples how to use authenticated DNS (DNSSEC) or encrypted DNS (DNSCrypt or httpsdnsd). seems to support both, authentication (DNSSEC) and encryption (DNSCrypt).

Required knowledge:

  • Difference between encryption and authentication.
  • All traffic from Whonix-Workstation ™ and Whonix-Gateway ™ is routed over Tor. [1] [2] [3] [4] (<-- read the footnotes)

Related FAQ entries:

Authenticated DNS over Tor[edit]

DNSSEC over Tor[edit]

Example with CZ.NIC Labs DNS resolver[edit]

source for this chapter: CZ NIC LABS

The CZ.NIC Labs DNS resolver has been chosen as an example. Feel free to use and other DNS resolver at your own choice.


Everything inside your Whonix-Workstation ™.

Install unbound and socat.

sudo apt-get install unbound socat

Open /etc/unbound/unbound.conf.

sudo nano /etc/unbound/unbound.conf

Add the following lines.

#tcp-upstream goes under "server:" section
    tcp-upstream: yes

#put forward-zone somewhere at the end of file
    name: "."


Open a terminal and start socat.

socat TCP4-LISTEN:5353,bind=localhost,reuseaddr,fork SOCKS4A:,socksport=9150

Open another terminal tab and restart unbound.

sudo service unbound restart


Test with dig.

dig +dnssec @localhost

Please refer to upstream documentation on how to interpret the DNSSEC test results.

Encrypted DNS over Tor[edit]


This is different from DNSSEC.


Might not work anymore. More info:

Everything inside your Whonix-Workstation ™.

As the official DNSCrypt website states, DNSCrypt is available for many platforms, including Linux.

DNSCrypt has nothing to do with DNSSEC, although it works well together.

These instructions completely replace Tor's DNS resolver with a dnscrypt-enabled resolver for all users and the whole system. Not recommended for a longer amount of time, see warning above. Some hints are included how to do it only for a specific user account.

(1). Download the dnscrypt source code and unpack. You have to install libsodium before compiling it. Then, get into the dnscrypt directory cd dnscrypt-proxy-.... Configure ./configure, make "make, and install make install.

(2). Start dnscrypt-proxy. [5] [6] [7] [8] [9] [10]

sudo dnscrypt-proxy --tcp-only

(3). Edit your /etc/resolv.conf nano /etc/resolv.conf, comment out everything and add nameserver

(4). Check if it is working. See test pages. Try sudo pkill -STOP dnscrypt-proxy and check that DNS resolution doesn't work any more. To resume, type sudo pkill -CONT dnscrypt-proxy.

(5). To shut it down you can use sudo pkill dnscrypt-proxy and don't forget to revert the changes in /etc/resolv.conf.

httpsdnsd by JonDos[edit]


Source: and also use it as a more verbose tutorial, but keep in mind that their tutorial is JonDonym specific, while this tutorial is Tor specific.


Everything inside your Whonix-Workstation ™.

Install dependencies.

sudo apt-get install libnet-ssleay-perl libnet-server-perl libnet-dns-perl libxml-simple-perl liblog-log4perl-perl

Download httpsdnsd. (See source above in case download link changed.)

scurl --remote-name

Or manually run curl with these parameters. [11]

curl --tlsv1.2 --proto =https --remote-name



Go into the httpsdnsd folder.

cd httpsdnsd

Install httpsdnsd. [12]


Add a new user for httpsdnsd.

sudo adduser --system --disabled-password --group httpsdns_daemon

Editing /etc/resolv.conf is not required. (You still could out comment everything against DNS leaks.)

Create a firewall script.


Insert these firewall rules.

# Flush old rules
iptables -F
iptables -t nat -F
iptables -X

# Redirect DNS traffic to httpdnsd.
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonuser --dport 53 -j REDIRECT --to-ports 4053

# Accept connections to the httpdnsd.
iptables -t filter -A OUTPUT -p udp -m owner --uid-owner anonuser --dport 4053 -j ACCEPT

# Reject all other traffic for anonuser.
iptables -t filter -A OUTPUT ! -o lo -m owner --uid-owner anonuser -j REJECT

Install Privoxy. [13]

sudo apt-get install privoxy

Open the privoxy configuration file.

nano /etc/privoxy/config

Add the following to your privoxy configuration file.

# Theoretically you can tunnel through any
# http or socks proxy. Local or remote proxy.
# Inside Whonix-Workstation ™, due to design,
# everything will be tunneled through Tor first.

# Using Tor's socks5 proxy, running on Whonix-Gateway ™. 
# Change the port, see above...
forward-socks5 / .

# Another example using a http proxy.
# (In this case, JonDo running on localhost.)
# forward /

Restart privoxy to enable the changes.

sudo /etc/init.d/privoxy restart

Privoxy is now listening on [14]


Run httpsdnsd. [15] [16] [17] [18]

sudo httpsdnsd --https_proxy_port=8118 --runasdaemon

Activate the firewall. Shouldn't show any errors.

sudo ./


Open a console and switch to anonuser.

su anonuser

Resolve DNS.



  1. Since Whonix 0.2.1, Whonix-Gateway ™ traffic is also routed over Tor. In this way, use of Whonix is hidden from persons or systems observing the network.
  2. To preserve the anonymity of a user's Whonix-Workstation ™ activities, it is not necessary to torify Whonix-Gateway ™ own traffic.
  3. For reader interest: If DNS settings on Whonix-Gateway ™ are changed in /etc/resolv.conf, this only affects Whonix-Gateway ™s's own DNS requests issued by applications using the system's default DNS resolver. By default, no applications issuing network traffic on Whonix-Gateway ™ use the system's default DNS resolver. All applications installed by default on Whonix-Gateway ™ that issue network traffic (apt-get, whonixcheck, timesync) are explicitly configured, or forced by uwt wrappers, to use their own Tor SocksPort (see Stream Isolation).
  4. Whonix-Workstation ™ default applications are configured to use separate Tor SocksPorts (see Stream Isolation), thereby not using the system's default DNS resolver. Any applications in Whonix-Workstation ™ that are not configured for stream isolation - for example nslookup - will use the default DNS server configured in Whonix-Workstation ™ (via /etc/network/interfaces), which is the Whonix-Gateway ™. Those DNS requests are redirected to Tor's DnsPort by Whonix-Gateway ™ firewall. Whonix-Gateway ™ /etc/resolv.conf does not affect Whonix-Workstation ™ DNS requests.
  5. --tcp-only is required since Tor does not support UDP. The UDP DNS request will immediately get truncated reply and a RFC-compliant resolver should repeat same query via TCP in this case. This is the case for Ubuntu's default DNS resolver. You can get some more information on UDP/TCP/DNS on the unrelated redsocks website.
  6. To start it later in background (after debugging) add --daemonize.
  7. --help to see all options.
  8. Start up takes a few seconds "INFO Generating a new key pair", this is normal, wait. Until it is done, DNS will not work.
  9. --user=username can and should be used to start the dnscrypt-proxy under a specific user account.
  10. Since this instructions completely replace Tor's DNS resolver with opendns's dnscrypt for all users and the whole system, you could add --local-port=5800 to let dnscrypt-proxy listen on port 5800. You would be able to add iptables rules to redirect only the DNS requests of a specific user account to the dnscrypt resolver, you can get some hints how to do that in the httpsdnsd by JonDos chapter below, which would be a very similar setup.
  11. This has the same effect as the scurl command above.
  12. It contains also a, if you want to uninstall it later.
  13. Wiki Version 95 of this site contains a working example using Polipo. Changed later to Privoxy, because Privoxy can be useful for other tasks as well. (Incoming: TransPort, http proxy; forwarding: http and socks.)
  14. For debugging you can enter this IP/port into Tor Browser as http proxy and try if you can still reach Deactivate after testing.
  15. For debugging, kill httpsdnsd and drop the --runasdaemon.
  16. Run httpsdnsd --help or man httpsdnsd for help.
  17. Httpsdnsd will by default listen on localhost port 4053 for DNS queries.
  18. --https_proxy_port=8118 will redirect traffic to port 8118, where Privoxy is listening. This is necessary because Tor offers a socks proxy and httpsdnsd requires a http proxy. Privoxy translates from http to socks.

No user support in comments. See Support.

Comments will be deleted after some time. Specifically after comments have been addressed in form of wiki enhancements. See Wiki Comments Policy.

Add your comment
Whonix welcomes all comments. If you do not want to be anonymous, register or log in. It is free.

Random News:

Please consider a recurring donation!

https | (forcing) onion

Share: Twitter | Facebook

This is a wiki. Want to improve this page? Help is welcome and volunteer contributions are happily considered! Read, understand and agree to Conditions for Contributions to Whonix ™, then Edit! Edits are held for moderation.

Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself. (Why?)

Whonix ™ is a derivative of and not affiliated with Debian. Debian is a registered trademark owned by Software in the Public Interest, Inc.

Whonix ™ is produced independently from the Tor® anonymity software and carries no guarantee from The Tor Project about quality, suitability or anything else.

By using our website, you acknowledge that you have read, understood and agreed to our Privacy Policy, Cookie Policy, Terms of Service, and E-Sign Consent. Whonix ™ is provided by ENCRYPTED SUPPORT LP. See Imprint.