Whonix-Gateway System DNS


DNS on Whonix-Gateway ™

Introduction

All traffic from Whonix-Workstation ™ and Whonix-Gateway ™ is routed over Tor. [1] [2] [3] [4]

Whonix-Workstation ™ is configured to use various SocksPorts, DnsPort and TransPort; see also Stream Isolation.

Whonix-Gateway ™ is only configured to use various SocksPorts. No common use case requires a global system DNS resolver on Whonix-Gateway ™, so enabling one by default is not justified. Use cases where it could be useful include:

  • Resolving, through Tor, the hostname of a proxy used in /usr/local/etc/torrc.d/50_user.conf (technical explanation).
  • Resolving the hostname of a VPN. However, a VPN configuration that uses IP addresses only would be better.
  • Perhaps we could use /etc/hosts for such use cases rather than enabling system DNS?

How

Advanced users only!
Usually recommended against and unnecessary.

Status: working. This procedure uses the Whonix-Gateway ™ user clearnet.

Warning: When using the clearnet user, traffic will be sent over the normal internet! Not over Tor! It will not be anonymous!

Disable /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate by making it no longer executable so DHCP will write to /etc/resolv.conf. The following command only applies to older versions of Whonix or those who have package anon-gw-dhcp-conf installed.

sudo chmod -x /etc/dhcp/dhclient-enter-hooks.d/nodnsupdate

Make /etc/resolv.conf mutable. Don't worry if the next command causes an error. It's not required anymore in recent Whonix ™ versions.

sudo chattr -i /etc/resolv.conf

Delete /etc/resolv.conf so we can regenerate it.

sudo rm /etc/resolv.conf

Restart networking.

sudo service networking restart

Login as user clearnet.

sudo su clearnet

Test it, for example using ping.

ping google.com
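
As an added example (not part of the Whonix wiki or Whonix's own tooling), the following shell functions check the state that the steps above change: whether the nodnsupdate hook is executable, whether /etc/resolv.conf is immutable, and which nameservers it lists. The ROOT argument, the function names and the script name are hypothetical, and the check assumes system DNS counts as enabled once /etc/resolv.conf lists at least one nameserver.

```shell
#!/bin/sh
# Added example: audit whether the Whonix-Gateway system DNS lockdown is intact.
# ROOT argument and function names are hypothetical; paths are from this page.

# Print the nameserver addresses configured in ROOT/etc/resolv.conf.
resolv_nameservers() {
    f="${1%/}/etc/resolv.conf"
    [ -r "$f" ] || return 0
    # Commented-out entries ("#nameserver ...") do not match field 1.
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "$f"
}

# Succeed if the DHCP hook that blocks resolv.conf updates is executable.
# Only older Whonix versions or package anon-gw-dhcp-conf ship this hook.
hook_active() {
    [ -x "${1%/}/etc/dhcp/dhclient-enter-hooks.d/nodnsupdate" ]
}

# Succeed if resolv.conf carries the immutable attribute (undone by chattr -i).
resolv_immutable() {
    f="${1%/}/etc/resolv.conf"
    [ -e "$f" ] || return 1
    attrs=$(lsattr -d "$f" 2>/dev/null | awk '{ print $1 }')
    case "$attrs" in *i*) return 0 ;; *) return 1 ;; esac
}

# Assumption: system DNS counts as enabled once any nameserver is listed.
system_dns_state() {
    if [ -n "$(resolv_nameservers "$1")" ]; then
        echo enabled
    else
        echo disabled
    fi
}

gw_dns_report() {
    echo "system DNS: $(system_dns_state "$1")"
    resolv_nameservers "$1" | sed 's/^/  nameserver: /'
    if hook_active "$1"; then echo "nodnsupdate hook: active"
    else echo "nodnsupdate hook: not executable or absent"; fi
    if resolv_immutable "$1"; then echo "resolv.conf: immutable"
    else echo "resolv.conf: mutable or absent"; fi
}

# Report only when a root is given, e.g.: sh gw-dns-audit.sh /
[ $# -eq 0 ] || gw_dns_report "$1"
```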

See Also

Footnotes

  1. Since Whonix 0.2.1, Whonix-Gateway ™ traffic is also routed over Tor. In this way, use of Whonix is hidden from persons or systems observing the network.
  2. To preserve the anonymity of a user's Whonix-Workstation ™ activities, it is not necessary to torify Whonix-Gateway ™'s own traffic.
  3. For reader interest: If DNS settings on Whonix-Gateway ™ are changed in /etc/resolv.conf, this only affects Whonix-Gateway ™'s own DNS requests issued by applications using the system's default DNS resolver. By default, no applications issuing network traffic on Whonix-Gateway ™ use the system's default DNS resolver. All applications installed by default on Whonix-Gateway ™ that issue network traffic (apt-get, whonixcheck, sdwdate) are explicitly configured, or forced by uwt wrappers, to use their own Tor SocksPort (see Stream Isolation).
  4. Whonix-Workstation ™ default applications are configured to use separate Tor SocksPorts (see Stream Isolation), thereby not using the system's default DNS resolver. Any applications in Whonix-Workstation ™ that are not configured for stream isolation - for example nslookup - will use the default DNS server configured in Whonix-Workstation ™ (via /etc/network/interfaces), which is the Whonix-Gateway ™. Those DNS requests are redirected to Tor's DnsPort by the Whonix-Gateway ™ firewall. Whonix-Gateway ™'s /etc/resolv.conf does not affect Whonix-Workstation ™ DNS requests.


Copyright (C) 2012 - 2019 ENCRYPTED SUPPORT LP. Whonix ™ is a trademark. Whonix ™ is a licensee of the Open Invention Network. Unless otherwise noted, the content of this page is copyrighted and licensed under the same Freedom Software license as Whonix ™ itself.
